Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 1 May 2015 14:36:52 -0700
From: Dean Pierce <>
Subject: Re: On sanctioned MITMs

My understanding was that one of the "features" of hushmail is that
it's in Canada, so somewhat less beholden to US law enforcement.
Piping all the data through Cloudflare in San Francisco seems to not
only open them up for National Security Letters, but it 100% guarantee
that all the data is crossing an international border, making the
traffic fair game to a number of government intelligence agencies.  Of
course Hushmail has been considered fully compromised since 2007, so
maybe none of this matters.  It also fails pretty miserably on the
EFF's "Secure Messaging Scorecard" :

  - DEAN

On Fri, May 1, 2015 at 1:10 PM, Kurt Seifried <> wrote:
> On 05/01/2015 01:15 PM, mancha wrote:
>> Though Hushmail email credentials, for example, can't be sniffed in the
>> segment connecting the client to CloudFlare, they are available to
>> CloudFlare's infrastucture. Moreoever, there is no way for the client to
>> verify that the segment connecting CloudFlare to the destination server
>> is similarly encrypted (i.e. it might be in the clear as would be the
>> case when using CloudFlare's "Flexible SSL" product).
>> Hushmail's CloudFlare usage serves as an example that brings me to my
>> general point.
>> How should the security community view this growing use of sanctioned
>> MITM in light of the ever-increasing amount of sensitive content sent
>> over SSL/TLS encrypted channels (e.g. email, electronic banking, medical
>> records, etc.)?
> This is me speaking personally:
> This is nothing new. Front end load balancers that handle SSL/TLS and
> then do HTTP on the backend have been around for decades. This is simply
> outsourcing it to a trusted (hopefully, because I use them!) party
> rather than doing it in house.
> We have had outsourcing of far more sensitive things for literally
> centuries, e.g. legal and accounting firms, my lawyer and accountant
> both have literally all my personal info and could easily destroy me
> financially if they wanted to. But they don't because we have contracts,
> and more importantly contract enforcement in the form of a civil legal
> system (as does most of the world). The same applies for CloudFlare,
> Google (my email), and so on.
> So in my opinion this is really nothing new, like any outsourced
> activity pick your partners carefully.
> This is me speaking on behalf of the Cloud Security Alliance:
> Make your partners/vendors/etc. fill out at least the self attestation
> level of STARS, which is free:
> If they refuse to do so that might be a good hint as to how secure they
> really are.
>> --mancha
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.