Can a VPN carry out a Man-In-The-Middle Attack?

If the reader needs to ask this question, then I’d suggest that the question should first be translated into a similar question, which the reader more probably needs the answer to:

‘Can software which claims to be a VPN, intercept the user’s data or carry out a MITM attack?’ A way in which some software can attack its user is by misleading him or her, about what its nature is. In order to assess this question quickly, I’d ask two more questions about the software:

  • We know that Windows, Mac and Linux computers have a large variety of installed libraries, that make up the core of how each O/S works, which under Windows are .DLL-Files, and which under Linux consist finally of .SO-Files. Does this software replace any of those existing libraries with its own versions?
  • Does this software install anything, such as Browser Extensions, which may change the way the browser behaves?

If the answer to either of these two questions was ‘Yes’, then in fact, this software has an opportunity to perform a MITM.

If the answer to both questions was firmly ‘No’, then it is more likely that this software really is ‘just a VPN’, in which case it should not be able to perform a MITM.

Why? Because, as long as we are connecting to a Website the URL of which begins with ‘httpS://’, and not ‘http://’, what a healthy browser will do is to encrypt its traffic to and from the site, using a public key, for which only the intended site has the private key, needed for decrypting the exchanged data. This is already being done by mainstream browsers, on the assumption that one or more of the connecting pieces of the Internet are insecure or untrustworthy. In the case where a link in this chain actually performs its own encryption, well that’s just another insecure link according to the way data is secured.

Data can be encrypted more than once, and, assuming that different encryption keys are being used each time, taking data which was already encrypted, and encrypting it again, does not by itself compromise the security of the data. The resulting stream just needs to be decrypted twice again, each time using the appropriate keys, each of which is held by a different party, to translate the data back into its clear-text form, in this case finally on the Web-server.

Therefore, VPN software operating as it should, ends up passing through any data that has been encrypted using a shared secret between the browser and the server, as though this data just consisted of random bytes. But, a VPN will add a layer of encryption to it. It can also be said conversely, that, given the encryption of the VPN, the browser adds its layer of encryption.
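The layering described in the paragraphs above, as an added example that is not part of the original post: the browser's encryption is applied first, the VPN wraps it a second time, and the VPN server can only remove its own layer. A toy HMAC-SHA256 stream cipher from the Python standard library stands in for both TLS and the VPN's cipher; the key names, helper functions and sample request are constructed for illustration.

```python
import hashlib, hmac, os

def _sub(key, label):  # separate encryption/MAC subkeys from one shared secret
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for a real cipher).
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    # Encrypt, then authenticate: nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Verify the tag before decrypting; a party holding the wrong key fails here.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def rejected(key, blob):
    try:
        unseal(key, blob)
    except ValueError:
        return True
    return False

def demo():
    site_key = os.urandom(32)  # constructed: known only to browser and web server
    vpn_key = os.urandom(32)   # constructed: known only to VPN client and VPN server
    request = b"POST /login user=alice&password=constructed-sample"
    inner = seal(site_key, request)       # layer 1: the browser's HTTPS encryption
    on_wire = seal(vpn_key, inner)        # layer 2: the VPN client wraps it again
    at_vpn = unseal(vpn_key, on_wire)     # VPN server strips only its own layer
    flipped = at_vpn[:20] + bytes([at_vpn[20] ^ 1]) + at_vpn[21:]
    return {
        "vpn_forwards_inner_unchanged": at_vpn == inner,
        "vpn_sees_cleartext": request in at_vpn,
        "vpn_key_opens_inner": not rejected(vpn_key, at_vpn),
        "server_detects_tampering": rejected(site_key, flipped),
        "server_recovers_request": unseal(site_key, at_vpn) == request,
    }

if __name__ == "__main__": print(demo())
```
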

But what of software that confuses its users into installing special browser extensions, or library-overrides? Well, such software could have as its special behaviour, to cause the client to bypass its own encryption, only applying whatever encryption the so-called VPN may apply, and also doing what any client could do, which is, to connect to the server using encryption that exists between the VPN and the server, as a proxy. A computer which has been modified in this way is essentially hacked.

Dirk

Browsing Android Files using Bluetooth

One of the casual uses of Bluetooth under Android, is just to pair devices with our Android (host) device, so that specific apps can use the paired (slave) device. This includes BT-headphones, and many other devices.

But then a slightly more advanced use for BT under Android could be, that we actually send files to a paired Android device. It’s casually possible to take two Android tablets, or a tablet and a phone, and to pair those with each other. After that, the way to ‘push’ a file to the paired device, from the originating device, is to open whichever app displays files – such as for example, the Gallery app, if users still have that installed, or a suitable file-manager app – and to tap on ‘Share’, and then select ‘Bluetooth’ as what to share the file to. Doing this should open a list of paired devices, one of which should be suitable to receive a pushed file in this way.

But then, some people would like to take Bluetooth file-sharing up another level. We can pair our Android device – such as our phone – with a Bluetooth-equipped, Linux computer, which may be a bit tricky in itself, because the GUI we usually use for that assumes some legacy form of pairing. But eventually, we can set up a pairing as described. What I need to do is select the option in my Linux-BT-pairing GUI, which requires me to enter the pass-code into the Linux-GUI, which my Android device next displays…

And then, a question which many users find themselves asking is, ‘Why can’t I obtain FTP-like browsing capability, from my Linux-computer, over the files on the phone? Am I not giving the correct commands, from my Linux-computer?’

Chances are high, that any user who wishes to do this, is already giving the correct commands from his or her Linux-computer…

(Updated 06/03/2018, 20h45 … )

A Note On Playing Back Commercially-Recorded Blu-rays

Just as it was with DVDs, when movies first started to be distributed in that format, commercially-recorded Blu-ray disks today use an encryption system, which is sometimes referred to as ‘content scrambling’, to prevent people from making unauthorized copies. It’s actually named ‘AACS’.

Experts already know about this, but I’m putting this in layman’s terms for anybody who might not.

Basically, Blu-ray playback-devices have a hidden store of public keys, which the users are not allowed to access, and this time, the company is able to update that store of keys via the Internet, because most Blu-ray players today are also online devices.

Unlike how it is with Blu-rays, the content-scrambling system of DVDs was famously hacked. This means that Linux computers are well-able to play back Movie-DVDs. OTOH, the ability to play back commercial Blu-rays, is mainly unsuccessful on Linux computers, or on any other unauthorized devices, because the content-scrambling which gets used – was never hacked. As long as the encryption continues to work, Linux users and pirates will not be able to play back or rip Blu-rays.

As it stands, the company is able to revoke public keys which it was once using.

This is a shame, because some Linux users might only be wanting to view Blu-ray movies which they purchased and paid for. But the main fear of the industry remains, that as a platform, a Linux computer is more susceptible to an unauthorized copy being made of anything, which that Linux computer would also be able to perform authorized playback of.

Therefore, when I gave instructions on how people can record Blu-rays privately, my assumption was that we would not be using any encryption. I don’t see encryption as being important in any way, for home-movies which people might shoot. But, the Blu-ray folder must nevertheless contain a sub-folder named ‘CERTIFICATES’. In the example I wrote about, this sub-folder will simply remain empty.

Further, the mere use of the Blu-ray (single-layer) disk, as a step-up from DVD+Rs, where a Blu-ray can store up to 25GB of pure data instead of 4.7GB, is unfettered for Linux users to use as they wish. All we need is an external Blu-ray burner, and we’re all set to burn pure data. But as soon as we want to burn something using ‘UDF’, which is the approved file-system of Blu-ray players, the level of difficulty already increases, even though no encryption has been used yet.

(Updated 09/19/2017 : )

K-9 Mail is the way to go!

In this earlier posting, I had started to document, how under Android, I had been using the email-client “Kaiten”, which years ago, when I had started using it, was a paid-for alternative to the program “K-9”, in return for which I had expected regular updates.

But as it happened, Kaiten has stopped receiving support, while K-9 continued to receive the updates.

One of the features sorely lacking in Kaiten, was PGP/MIME support. Kaiten was limited to signing or encrypting emails using Inline Signatures, while the modern way to go about it is using PGP/MIME. Also, I’ve been receiving emails, which have also progressed to being signed with PGP/MIME, which Kaiten could not interpret.

And so just this morning, I made the switch on some of my Android devices, to K-9, which has PGP/MIME Support.

When using K-9, one no longer uses the companion app ‘APG’, but rather the companion app “OpenKeychain”, to perform the cryptography.

Because K-9 actually accepts the configuration files exported by Kaiten, the switch was easy to carry out.

Dirk