Netgate Discussion Forum

Native support proxy

Off-Topic & Non-Support Discussion
  • A
    Antibiotic
    last edited by Jun 12, 2024, 5:39 PM

    Hello, could someone have info about any hardware (mini PC or routers) with a native implementation of PolarProxy, SSLproxy, or mitmproxy? The reason is to decrypt and encrypt traffic, but without the installation and settings headache.

    pfSense plus 24.11 on Topton mini PC
    CPU: Intel N100
    NIC: Intel i-226v 4 pcs
    RAM : 16 GB DDR5
    Disk: 128 GB NVMe
    Brgds, Archi

    • G
      Gertjan @Antibiotic
      last edited by Jun 13, 2024, 8:50 AM

      @Antibiotic

      Proxying is always a software solution.
      Proxying is always hard... as there is much to learn. Normally, learning shouldn't hurt your head.

      @Antibiotic said in Native support proxy:

      The reason is to decrypt and encrypt traffic

      Even the big 3 letter agencies have a hard time doing this.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • A
        Antibiotic @Gertjan
        last edited by Jun 13, 2024, 11:24 AM

        @Gertjan I don't think so. The big 3-letter agencies have root servers on their territory. No reason to do decrypting. That's why they do not want to delegate servers to international control.

        • G
          Gertjan @Antibiotic
          last edited by Jun 13, 2024, 12:00 PM

          @Antibiotic said in Native support proxy:

          Agencies have root servers on their territory

          Because the TLS connection made from one device to another is based on some common set of info?
          Hummm.
          If you have some time left, see what YouTube can tell you about TLS - the ones from Computerphile are great.
          One of the videos mentions the computer power that is needed to break 'simple' 2048-bit based TLS. So not an issue in our lifetime.

          Or do you mean that the CIA and NSA are also CAs now?

          • A
            Antibiotic @Gertjan
            last edited by Jun 13, 2024, 12:17 PM

            @Gertjan
            The NSA could and probably already has gone -- using a USA PATRIOT Act demand letter, or other similar legislative tool -- to all the major CAs in the United States (e.g. VeriSign, GeoTrust, etc.) and demanded that they remit their private root keys to "No Such Agency", "for purposes of 'national security'".

            Of course, all such requests must (per PATRIOT Act law) be kept secret, and the CAs must lie to the public about their having complied with the request, or the chief executive officers of the CAs (and any of their underlings involved) are subject to long prison terms (with the trial, if any, conducted in camera in secret courts).

            None of the above is unfounded speculation; it is based on well-known U.S. laws, which two successive U.S. administrations (Bush and Obama) have refused to change in any meaningful way, and in view of the Snowden revelations it would be extremely foolish to assume that this scenario hasn't already happened.

            So yes -- the simple answer is, "the NSA doesn't need to do anything special to set up a root CA; because it can easily impersonate any of the existing (American) ones, at will".

            • A
              Antibiotic @Gertjan
              last edited by Jun 13, 2024, 12:20 PM

              @Gertjan
              No. In addition to the obvious government Root CAs in your trust stores; the NSA is a spy agency and as such has likely already stolen the private keys of several other CAs. If they are devious, they'd steal the private keys of other government CAs for potential false flag operations.

              Additionally, unless every operating system and browser explicitly locks their updates to a specific CA or certificate only, they could use any Root CA they own or control to add a new anonymous CA (e.g. Issuer: Voldemort) to a trust store so that future back-tracing goes precisely nowhere.

              • G
                Gertjan @Antibiotic
                last edited by Jun 13, 2024, 1:54 PM

                @Antibiotic

                I'm not talking about certificate signing, the whole 'trusted' identity thing, used by web sites etc.
                The subject was proxies, and how you can set up a MITM setup so the proxy can do its thing.

                Here in Europe, we create secure connections all the time, and nobody told me that they needed to be compatible with the "PATRIOT Act law" 😊

                But I get it, the solution about using proxies is always the same: 'they' know how to, but they don't want to share the info - and now we know why.

                • A
                  Antibiotic @Gertjan
                  last edited by Antibiotic Jun 15, 2024, 5:56 PM Jun 15, 2024, 5:51 PM

                  @Gertjan BTW found one)))
                  https://github.com/sonertari/UTMFW?tab=readme-ov-file

                  https://www.stamus-networks.com/pr/13-june-2024

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.