
Satellite proxy breaking SSL?

libervisco's picture
Offline
Joined: 2006-05-04

I am using a hybrid connection, as some might know, for my browsing and downloading. I use an EDGE modem for upload and a satellite for higher speed download. For the latter the proxy is being used, located in Luxembourg, where Astra is.

What happens is this. I send requests through my EDGE modem through my local ISP which then, thanks to a proxy, sends this request to the satellite ISP. The satellite ISP then takes the page or file that I requested and sends it back to me via satellite. The scheme is drawn on this image.

So now I'm wondering what happens to the SSL encryption in this process. Could the data get unencrypted somehow after it goes through the proxy ISP or do they keep the encryption safe?

In any case, the address bar on encrypted pages is yellow and the lock is displayed properly, so Firefox doesn't indicate any breakages in encryption, which is why I haven't been alarmed so far.

What do you think?

tbuitenh's picture
Offline
Joined: 2005-12-21

I think the SSL encrypted data is simply routed through the proxy, which can't decrypt it. If you were using an unencrypted http connection, they could also do caching, but that's a different kind of proxy. Also I think a SatADSL proxy will combine multiple packets into one maximum sized one for efficiency... however there is no need to decrypt the contents of the packets to do that since the sender and destination addresses are not encrypted.

I don't know too much about networking, so you might want a second opinion.

libervisco's picture
Offline
Joined: 2006-05-04

I see. That does make sense. I was also asking a bit about that on IRC, #linux on freenode to be specific, and one guy there says I should read an SSL FAQ to understand how it works and that "yes, it is safe".

Later I searched a bit and came to an SSL FAQ somewhere where it said that if it is a SOCKS proxy it can let the data through unchanged and that some HTTP proxies can be compatible with SSL as well. My proxy seems to support both. I have a choice of HTTP or SOCKS proxies when I select one through which to connect. For example, for Xchat I use HTTP, and for programs which don't support proxying I wrap them with tsocks (hence using a SOCKS proxy).

Anyway, after giving it some thought I was thinking, why would SatADSL providers like Astra provide a service which advertises as a way to speed up your browsing and downloads and yet not properly support SSL? It would be absurd for them not to support it, and if they didn't, someone would probably have been shouting about it for a long time. While SatADSL users may be a minority, there are still enough of them (heh, if there weren't I probably wouldn't face speed limits when downloading too much; they're there because there are a lot of other people connected and downloading).

So even by that logic alone I'm thinking it should all be safe.

Thanks

free-zombie's picture
Offline
Joined: 2006-03-08

It should be safe, yes, but it needn't be. SSL is helpless against a man-in-the-middle attack, which anyone on the right network could successfully pull off via ARP spoofing. The proxy, however, is by definition a man in the middle, which makes it easy for your ISP to spy on your encrypted conversations if they, le Service de Renseignement de l'Etat or the SOA really want to.

But if we assume that you are being trusted and your ISP are good guys, then yes, it's just as safe as usual, which doesn't mean it's unbreakable.

tbuitenh's picture
Offline
Joined: 2005-12-21

SSL is only vulnerable to a man in the middle attack if you're connecting to a server with a self-signed certificate, right? It seems sane to at least trust the CA...

free-zombie's picture
Offline
Joined: 2006-03-08

If you know which key there *should* be, then man-in-the-middle attacks can be detected. The server having a CA certificate only helps if you know that the server has a CA certificate.

tbuitenh's picture
Offline
Joined: 2005-12-21

I don't know about the behavior of other software that uses SSL, but Firefox will warn you if you encounter a server with a certificate that was not signed by a known CA. The public keys of the CAs are distributed along with Firefox (right?), so the only real opportunity to start an attack is when you download FF the first time.

One shouldn't trust servers with self-signed certificates with anything of value, and be very alarmed when such certificates change.

Anyway, SSL isn't any more or less broken by receiving data from a satellite instead of through a wire.
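As an added example (not from the thread or any of its posters), here is what the browser's side of the tunnel described above looks like when the proxy is an HTTP proxy: a CONNECT request, then an end-to-end TLS handshake inside the tunnel, with the server certificate compared against a known fingerprint as free-zombie suggests. The proxy address, hostname and pin value are placeholders to fill in; only the parsing and fingerprint helpers run offline.

```python
"""Added example: TLS through an HTTP proxy via CONNECT, plus certificate pinning.
The proxy sees only the CONNECT line and then forwards opaque bytes, so the TLS
handshake is end to end. A proxy that terminated TLS would have to present its
own certificate, which a pinned fingerprint detects even if a CA vouched for it."""
import hashlib
import socket
import ssl

def build_connect_request(host: str, port: int) -> bytes:
    # What the browser sends to an HTTP proxy before any TLS bytes flow.
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def parse_connect_response(data: bytes) -> tuple[int, bytes]:
    # Returns (status code, bytes after the header block). Anything after the
    # blank line already belongs to the tunnel and must not be treated as HTTP.
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line")
    return int(parts[1]), rest

def cert_fingerprint(der: bytes) -> str:
    # SHA-256 over the DER certificate, colon-separated hex as browsers display it.
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pin_matches(der: bytes, expected: str) -> bool:
    # Compare case- and separator-insensitively so a copied browser value works.
    return cert_fingerprint(der).replace(":", "").lower() == expected.replace(":", "").lower()

def fetch_cert_via_proxy(proxy: tuple[str, int], host: str, port: int = 443) -> bytes:
    # Open the tunnel, then run a normal CA-verified TLS handshake inside it.
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(build_connect_request(host, port))
    status, leftover = parse_connect_response(sock.recv(4096))
    if status != 200:
        raise ConnectionError(f"proxy refused CONNECT: {status}")
    if leftover:
        raise ConnectionError("proxy injected data before the TLS handshake")
    ctx = ssl.create_default_context()  # system CAs, hostname check, modern TLS
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Placeholders: the satellite proxy address, a site you use, and its known pin.
    der = fetch_cert_via_proxy(("proxy.example.invalid", 8080), "example.com")
    print(cert_fingerprint(der), "pin ok:", pin_matches(der, "PIN-FROM-DIRECT-CONNECTION"))
```

Pinning the leaf certificate means the expected value must be refreshed whenever the site rotates it. In the setup described in this thread, a fingerprint that matches over the EDGE link but differs when fetched through the satellite proxy would mean the proxy is terminating TLS rather than tunnelling it.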

supermike's picture
Offline
Joined: 2006-02-17
Warning About SSL and VPN Over Satellite Internet

I have a warning about using SSL and VPN over satellite Internet. I read this on the Internet by a satellite hobbyist who really knows his stuff. I wish I had the link. After giving what he said a lot of thought, it made a lot of sense.

If you read the fine print on satellite Internet connections, they tell you that VPN is not supported and not recommended. Also, you'll occasionally find that some HTTPS or SSL connections fail or timeout. Okay, so why does this occur?

Well, the Internet runs on TCP and UDP. (I know it's called TCP/IP, however.) TCP is like a solid connection -- a phone call. UDP is like a telegram that is broken up and goes through random routes to a destination, then is reassembled on the other end, and handed to you. TCP is efficient in some cases, while UDP is efficient in others. In the old days of ARPANET, the US Dept. of Defense used this system because they wanted a means of communication that would work even if a host went down under the pretense of an attack against the USA.

The way satellite Internet works, however, is that the router receives TCP and UDP packets from your workstation, but then breaks up the TCP packets into UDP packets with special encoding. This is because the satellite may get interrupted temporarily by cloud cover or some other factor and needs an almost solid way to reach you on Earth. When the UDP packets are sent to the satellite, they are then beamed back down to earth to what is called a NOC (Network Operations Center). The NOC then reads the UDP packets, assembles them in the right order, hopes these are all there, finds the TCP packets hidden inside the UDP packets, reassembles them as TCP, and sends them on their merry way on the real-live Internet.

Well, TCP was not really meant for something like that to happen to it. Many hosts have timeouts on the TCP protocol and will only permit it to wait so long before it disconnects.

Now, your web browser uses TCP to web browse. Most of the time on satellite Internet you have no problem. This is because the packets are relatively small and usually don't contain encryption (which like triples and quadruples their size), and can be sent back efficiently.

The problem comes up when encryption is used. Relatively small encryption is SSL used in HTTPS secure web browsing. However, very complex encryption is VPN encryption. Both increase the packet size dramatically, or the number of packets. This puts the NOC into overdrive because it has to grab all your TCP tunneled through UDP, put it back together, and send it off as TCP. It has to tip-toe around your encryption of these packets and not disturb that.

Unfortunately most satellite NOCs around the world have proven to not be very efficient at handling encrypted TCP reassembly once received in tunneled UDP form. Thus, HTTPS is spotty and great for like one or two page form submission, but not heavy duty use. Also, VPN is most often going to disconnect within 10 minutes.

This is one reason why I stopped using satellite Internet.

The other reason why I stopped using it was the man-in-the-middle kinds of attacks that can occur, where someone else on Earth can pretend to be me and receive my responses back instead of me.

So why does TV work so well with satellite Internet? The reason is because it uses a form of communication that's much like UDP and less like TCP. It also caches bits ahead of time by about 15 seconds so that it can ask for packets again if it's missing them. When it's missing them for too long, it uses up that 15 second buffer and has to pause your TV for 15 seconds to rebuild that cache again, then start your TV again. On rainy days you may actually see this happen. Because it's TV, you might not even notice or care. But when it's a dropped Internet connection, you notice it.

libervisco's picture
Offline
Joined: 2006-05-04

So I suppose there is a chance most SSL and HTTPS stuff would still be assembled correctly. If the data coming in is encrypted the middle man can't read it, so the middle man stuff can be harmful only when unencrypted data flies around.

The thing is, I don't have a choice here. I can't drop satellite connection because that would leave me with the EDGE connection alone which is much slower and much more expensive.

I have 512kbps download via satellite and I use EDGE for upload only, mostly, and EDGE is only about 120kbps or so.

Anyway, thanks for a nice detailed explanation of the process.

supermike's picture
Offline
Joined: 2006-02-17
3G

News update: If you were in the USA, you could get on board with a brand new thing that Sprint is pushing out. We used it at our office and were amazed. They have an affordable Blackberry phone that has wireless high-speed Internet at 600K to 800K over the new 3G network (introduced by Japan) and which is spreading across the USA and even into some rural communities. If 3G is coming to America, then perhaps it's coming to a country near you as well.

Offline
Joined: 2006-03-28

That 3G-stuff is also pretty popular here in HK. Commercials show things like video-conferencing and stuff like that with your phone.
Sounds pretty cool, although I'm not sure if I'd need that. ;-)

free-zombie's picture
Offline
Joined: 2006-03-08
"the relevant wikipedia article" wrote:

A boost was given to 3G mobile networks in Europe when the European Union council suggested that the 3G operators should cover 80% of the European national populations by the end of 2005.

I'd never heard of it.

dylunio's picture
Offline
Joined: 2005-12-20
reply
free-zombie wrote:
"the relevant wikipedia article" wrote:

A boost was given to 3G mobile networks in Europe when the European Union council suggested that the 3G operators should cover 80% of the European national populations by the end of 2005.

I'd never heard of it.

It has been well known here in the UK for a few years, ever since our Government sold licences for use of the network to the phone companies. There was a great controversy at the time that the millions this raised went to clear national debt, not the health service.

libervisco's picture
Offline
Joined: 2006-05-04

Well, isn't that 3G stuff actually UMTS and HSDPA? Some providers here are advertising it as the fastest internet (more than 1Mbps) for laptops and mobiles etc.
