Spectrum ISP SSL/TLS Interception Bug
27 points | 2 days ago | 3 comments | andrewgazelka.notion.site | HN
J0nL
1 day ago
This and similar issues have been ongoing with Spectrum, going back to before Congress felt the need to call them (along with the other telcos) out for failing to secure their networks. I've noticed handshake issues at one time or another with webpages, DoH and dnscrypt, and a VPN with TLS over UDP on a non-standard port.

During one particularly annoying episode, where it effectively became a DoS, I had my router log all dropped packets and then rebooted it. Immediately after reconnecting it dropped a few incoming martians and invalid packets, as if they were still expecting an active connection where there shouldn't have been any. The IPs were mostly upstream endpoints or gateways, but at least once it was from a residential IP instead.

Between the weird, arbitrary nature of the SSL/TLS handshake issues and the possible spoofing from upstream gateways, I get the impression this is much more than just a bug.

reply
ycombiredd
1 day ago
Is it naive of me to ask why it is being just casually accepted that a major ISP is MITM'ing TLS traffic?
reply
server_man3000
1 day ago
They are also probably collecting DNS records from millions of customers, or inspecting SNI on TLS handshakes to know what sites each customer is visiting.

ECH and DoH, people!

reply
gruez
1 day ago
None of that requires messing with the connection though. You can just passively observe and get the same info.
reply
eqvinox
1 day ago
> "Encrypted Client Hello (ECH) - Enabled, limited effect"

Not sure what TFA means by this; it reads like ECH doesn't help.

Coincidentally, this article's webpage breaks copy & paste in its tables, presumably for the sake of being "cutesy" with table click behavior. Can people please stop doing idiotic shit like this?

reply
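As an added example (not code from the linked article or from any commenter above), the following Python shows the point made in the server_man3000, gruez and eqvinox comments: the server_name (SNI) in a TLS ClientHello is sent in the clear, so an on-path observer reads the hostname without modifying the connection, and while an ECH extension is detectable, the outer ClientHello still carries a plaintext public_name, which is why ECH alone has limited effect against this kind of observer. The function names build_client_hello and inspect_client_hello are assumptions of this example, and the ClientHello bytes are constructed by the builder, not captured ISP traffic.

```python
"""Passive SNI / ECH inspection of a TLS ClientHello.

Added example (not code from the linked article or any commenter). It shows
what an on-path observer learns from the first packet of a TLS connection
without touching it: the server_name extension in the ClientHello is sent in
the clear, so the hostname is visible unless the client uses Encrypted Client
Hello (extension type 0xfe0d), and even then the outer ClientHello still
carries a plaintext public_name. Input records are built by
build_client_hello() below; they are constructed, not captured traffic.
"""
import os
import struct
from typing import Optional

SNI_EXT = 0x0000   # server_name, RFC 6066
ECH_EXT = 0xFE0D   # encrypted_client_hello, draft-ietf-tls-esni


def build_client_hello(server_name: str, with_ech: bool = False) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (test fixture)."""
    name = server_name.encode("idna")
    # server_name extension: list_len | name_type=host_name(0) | name_len | name
    sni_body = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack(">HH", SNI_EXT, len(sni_body)) + sni_body
    if with_ech:
        # Placeholder payload; a real ECH carries the HPKE-encrypted inner
        # ClientHello and the outer server_name above would be the public_name.
        ech_body = bytes(32)
        exts += struct.pack(">HH", ECH_EXT, len(ech_body)) + ech_body
    body = (
        b"\x03\x03"                            # legacy_version = TLS 1.2
        + os.urandom(32)                       # random
        + b"\x00"                              # session_id: empty
        + struct.pack(">H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression: null only
        + struct.pack(">H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type=client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def inspect_client_hello(record: bytes) -> Optional[dict]:
    """Return {'sni': hostname or None, 'ech': bool} for a ClientHello record.

    Returns None for anything that is not a complete handshake record holding
    a ClientHello, so a caller can skip non-TLS or truncated traffic.
    """
    if len(record) < 5 or record[0] != 0x16:            # not a handshake record
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:                              # truncated
        return None
    result = {"sni": None, "ech": False}
    try:
        pos = 2 + 32                                     # legacy_version + random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        if pos == len(body):                             # no extensions at all
            return result
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(body):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if len(data) != elen:
                return None
            if etype == SNI_EXT and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack(">H", data[3:5])[0]
                result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == ECH_EXT:
                result["ech"] = True
    except (IndexError, struct.error):
        return None
    return result


if __name__ == "__main__":
    for host, ech in (("www.example.com", False), ("public.example", True)):
        print(host, "->", inspect_client_hello(build_client_hello(host, ech)))
    print("http  ->", inspect_client_hello(b"GET / HTTP/1.1\r\n"))
```

Nothing in inspect_client_hello writes to the wire; it only reads the first record, which is exactly what a NetFlow/DPI probe in the path does. With ECH the observer still sees the public_name in the outer SNI (and the fact that ECH is in use), and unless DNS is also encrypted the real hostname leaks through the preceding lookup anyway.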
kmbfjr
1 day ago
They most certainly are. Large ISPs use Nokia Deepfield or Kentik for network monitoring, observability and user metrics. Both work off volumes of metadata from NetFlow and DNS.

My gut tells me the broken intercept is a Nokia product.

reply
schwag09
1 day ago
This is correct, it's even open source: https://github.com/deepfield/dnsflow.
reply
euroderf
1 day ago
OT: Letter-spacing horrible. Backslash: SSL\TLS.
reply