Who can eavesdrop on a user's HTTP traffic?

Solution 1:

Easy - just follow the cable from your PC to the server.

This is maybe specific to Austria, but it probably looks similar all over the world.

Let's assume we've got a DSL user:

  • PC -> Ethernet -> Modem

Anybody with access to the local infrastructure can sniff the traffic

  • Modem -> 2-wire-Copper -> DSLAM

Anybody with access to the copper infrastructure and equipment which is able to decode the data can eavesdrop. Most of this wiring is relatively unprotected and easy to access if you know where to look, but to actually decode the data you'd probably need some very specific equipment.

  • DSLAM -> ISP infrastructure -> ISP core routers

Most DSLAMs are connected via Fibre to some sort of Fibre Ring/MAN to routers of the ISP.

There have been stories in Germany where supposedly three-letter agencies from the U.S. of A eavesdropped on traffic of a Metropolitan Area Network. There are off-the-shelf devices which can do this, you just need the right budget, intent and knowledge of the local infrastructure.

  • ISP core routers -> BGP -> Target AS

Given that the destination server is not in the same Autonomous System as the user is, the traffic has to be sent over the "Internet". If you're going over the Internet, to use a quote from Snatch, "All Bets Are Off". There are so many nooks and crannies where malicious operators could attach themselves that you're best assuming that all your traffic is going to be read.

The DHS (or maybe some other agency) actively eavesdropped on backbone infrastructure in the USA on this level.

  • Target AS Border router -> ISP infrastructure -> Housing Center

See above.

  • Housing Center Router -> Switches -> Server

This is how quite a few sites were already attacked. Ethernet offers no protection for hosts which are in the same (V)LAN/broadcast domain, so any host can try ARP spoofing/poisoning to impersonate another server. This means that all traffic for a given server can be tunneled through a machine in the same (V)LAN.

Solution 2:

On a switched LAN (like most Ethernet networks), you can use ARP cache poisoning to, in many cases, eavesdrop on such traffic. Basically, you can fake the client computer out and make it think that your eavesdropping station is the router off the LAN.

On shared-media LANs-- i.e. non-switched, like wireless Ethernet w/o encryption or w/ broken encryption-- you don't even need to do that. Just listen!

At the ISP, and the ISP's ISP, and the ISP's ISP's ISP... etc, an attacker would only need to sniff the traffic. Any point in the path the traffic flows through is subject to potential eavesdropping. There are LANs in between there, too, so there's always the possibility of eavesdropping by ARP cache poisoning, etc.

Finally, at the far end there will be another LAN, just as susceptible to eavesdropping as the source LAN.

J. Random idiot who knows your IP address isn't going to be eavesdropping on your traffic without hacking something along the way, or diverting the traffic flow from its normal path to them.

Yeah-- cleartext is bad.
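Both answers above point at ARP cache poisoning as the way an attacker on the same (V)LAN gets in the path of a client's HTTP traffic. The following is an added example (not code from either answer) showing what such a poisoned frame looks like on the wire and the check an arpwatch-style monitor uses to catch it: it builds a forged ARP "is-at" reply that maps the gateway's IP to the attacker's MAC, parses it back, and flags the binding change. All MAC and IP addresses are constructed for the example; it runs offline on the frames it builds itself.

```python
"""Forge and detect a poisoned ARP reply (added example, not from the answers above)."""
import struct

ETH_P_ARP = 0x0806  # EtherType for ARP


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + ARP reply (opcode 2).

    A poisoner fills sender_ip with the gateway's address and sender_mac with
    its own, so the victim's cache maps gateway -> attacker and all off-LAN
    traffic is sent to the attacker's station first."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "op": op,
        "eth_src": mac_str(frame[6:12]),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """Tracks IP -> MAC bindings seen in ARP traffic and flags changes.

    pinned: bindings you know to be correct (e.g. the gateway), seeded up front
    so the very first forged reply is caught rather than learned."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        reasons = []
        # A sender MAC that differs from the frame's source MAC is a spoofing tell.
        if pkt["eth_src"] != pkt["sender_mac"]:
            reasons.append(f"ARP sender {pkt['sender_mac']} != frame source {pkt['eth_src']}")
        known = self.table.get(pkt["sender_ip"])
        if known is None:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        elif known != pkt["sender_mac"]:
            reasons.append(
                f"{pkt['sender_ip']} changed from {known} to {pkt['sender_mac']} (possible poisoning)"
            )
        if not reasons:
            return None
        alert = "; ".join(reasons)
        self.alerts.append(alert)
        return alert


def demo():
    """Legitimate gateway reply followed by a forged one claiming the gateway's IP."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:01"  # constructed addresses
    victim_ip, victim_mac = "192.168.1.50", "00:11:22:33:44:50"
    attacker_mac = "de:ad:be:ef:00:01"
    legit = build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip)
    forged = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    watch = ArpWatch()
    return watch.observe(legit), watch.observe(forged)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real segment the same `ArpWatch` would be fed frames captured from a raw socket or pcap; the second `observe` call in `demo()` is the event a monitor (or a switch's dynamic ARP inspection) would raise when the gateway's MAC suddenly changes. Pinning the gateway binding via `pinned` matters because a poisoner who sends the first reply a fresh monitor ever sees would otherwise be learned as legitimate.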