US DoD, Brit ISP BT reverse proxies can be abused to frisk internal systems – researcher Minor blunders in reverse web proxies can result in critical security vulnerabilities on internal networks, the infosec world was warned this week. James Kettle of PortSwigger, the biz behind the popular Burp Suite, has taken the lid off an “almost invisible attack surface” he argues has been largely “overlooked for years.” …
The interception system is related to CleanFeed, which was built by BT in the mid-2000s to block access to images and videos of children being sexually abused. This technology was repurposed to target pirates illegally sharing movies, music, software and other copyrighted stuff.
A government-mandated, country-wide man-in-the-middle attack. Who could have ever imagined it might be a security and privacy problem?
But it's not, not really.
If you want security, you never do plain HTTP.
And that thing can't fake HTTPS no matter what it does, without flagging up browser warnings and making you perfectly aware it's in place.
It's like saying "Who would imagine that leaving all your doors and windows open might be a security problem?" Just about everyone.
I'm more surprised that they think that such a reverse proxy is in any way a good way of catching people doing anything. Hell, you can't wipe your nose on the Internet without going via an SSL secured-by-default website (e.g. Google). And with Let'sEncrypt, self-signed certs and other free certs it literally costs nothing to avoid.
If you are doing illegal things, and have anywhere near half a brain, you don't log onto your home Wifi and just connect straight out to HTTP websites to do it, surely?
The government is already on the verge of demanding all encryption have a back door to allow snooping, though.
It's really just a matter of claiming pedophiles are using https to bypass filters designed to block child abuse images. The Mail will love it, and few MPs will dare to protest for fear of being denounced as supporting child abuse.
"Have a look at the SSL Visibilty [sic] Appliances for those who think https is inviolate."
Blow that - they are just one MitM method. If you want to really get to grips with what you can do to SSL, using software that you *can* get access to, then get hold of Squid and investigate "SSL bump".
At home I have a THINGS VLAN (and another one called SEWER for things that I trust even less than an IP camera). I really must get around to putting things like my Samsung telly through SSL bump to see what is going on. It may verify its other end's CA but given the quality of the rest of its programming - I doubt it. I do watch its connectivity when I'm bored. It port scans its LAN occasionally and chats a lot to AWS, no doubt for my benefit.
Um, the title says reverse proxy, but the substance of the article describes something different: a transparent proxy.
A reverse proxy is, from a Client PoV, an origin server, in that it *is* the hostname and IP address of the requested URL. It doesn't involve intercepting anything, because it's precisely where the traffic is routed. The proxy part is merely that it delegates the request to a backend server.
The reverse proxy is when you ring a company and get the receptionist to put you through to an extension. BT's proxy is a spooks' wiretap on the line.
Did he by any chance dare to type ../../../ anywhere?
https://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/
Oh what short memories we have as an industry, TPTB may feel that current sentences are not enough of a deterrent.
Not sure there's any deception involved. BTs use of filters for inappropriate content has been well documented. They publicised it rather than tried to be deceptive about it.
Though I take your point. Tangling communications makes things more difficult. Which was the point of Scott's original quote iirc.
Speaking as a non IT industry professional, I do get the impression that if a Proxy is all Cleanfeed is, then circumventing it is trivial to say the least.
I would imagine that anyone willing to look at kiddy porn will certainly have the motivation and, after a simple Google search, the knowledge to bypass it in 30 seconds.
Why even bother running it unless for other nefarious government-mandated purposes?
I've known about ISP reverse proxies for ages.
Im shocked to find that an astonishing number of tech folk are unaware of them.
They stick out like a sore cock when you do DNS diagnostics or try and access sites with invalid domains
Especially on mobile networks.
Its also how ISPs are able to deliver their custom 404 messages etc.
Fortunately, they are pretty easy to identify and circumvent using some tunnelling and encryption.
I keep saying this here but...DNSCrypt and an SSH tunnel to an ISP you can 'trust' is a winner every time.
I JUST REALLY DON'T UNDERSTAND WHY OUR STATE DOESN'T SUPPORT WHITE HACKING?!
WHY AREN'T HUGE FUNDS BEING SPONSORED FOR DIGITAL HYGIENE AND PROGRAMMING LESSONS IN SCHOOLS????!!
America is a really backward country in terms of IT security, compared to Russia, which intervenes every election!
Why the hell do we have a proxy and VPN so expensive, and people are afraid of it like fire?! Why can't you just use it for your own safety? Corny you will not be tracked by criminals.
Isn't that true?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
