Introduction

The following series of posts represents the completion of a university research project and a compilation of what was said at INSA de Lyon on the 26th of April 2012. You can find the slides here. I highly encourage you to read these posts while browsing through the presentation.

I am not responsible in any way for the use or misuse of the information hereafter. Be wise.

Authors

  • CASTRO Rodrigo
  • COQUET Matthieu
  • SAUVAGNAT Xavier

Motivations

Is the Internet safe? That’s the question my mates and I asked ourselves at the beginning of the project. With the exponential growth of the Internet, checking our bank account balance, buying all kinds of stuff online, sending and receiving private and confidential mails, and letting everyone know we’ve just woken up on the wrong side of the bed on social sites have become day-to-day activities. We retain control of our information through security codes, passwords, credit card numbers, and many other ways of securing accounts. Information is power, information is money. What if we lost control of our information? It would certainly be a tragedy. Fortunately, the Internet is as safe as it can be. Protocols have been designed to protect our beloved information from the bad guys.

HTTPS

One of those protocols is the well-known HTTPS protocol. It behaves pretty much the same as its younger brother, the insecure HTTP protocol, except that the information is encrypted between the client (web browser) and the remote secure server. The browser checks whether the site is who it says it is by means of a digitally signed certificate, granted by a respected and trusted certificate authority. Therefore, in order to use the secure HTTPS protocol we must trust both the certificate authority and the web browser.

Encrypting the data effectively suppresses man-in-the-middle and eavesdropping attacks. However, every system has its weakness.

The weak links in the chain of secure HTTPS are neither the remote server nor the communications channel itself, as hacking sites such as Google, Facebook, or Amazon would be outrageously complicated. Decrypting the data sent through HTTPS would also be complicated, except if you had access to a supercomputer, and even then it would take some time to “crack the code”. On the other hand, both the user and the web browser are easier to crack.

Getting information out of the user can be achieved by means of social engineering techniques, which are out of the scope of this research and thus uninteresting. Web browsers present a technological challenge and are thus the main subject of study of our research. We needed to further reduce the scope of our research. By consensus, we decided to work with Mozilla Firefox under Windows OS.

Our targets

Coming up next: Formgrabbers.