Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Categories

In this Discussion

Provider can see what customers is doing on vps? - Page 3
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Provider can see what customers is doing on vps?

13»

Comments

  • bsdguybsdguy Member

    @deadbeef said:

    @bsdguy said:
    ...

    You're saying that hosting providers have 0-day access to crypto exploits? :D Unless we're in the "they can do anything" zone, which is a conclusion and not an argument, SSL does what it should.

    No, I am saying that there have been MITM attacks with ssl and that there is plenty evidence, in part even of the perpetrators themselves.

    And I'm saying that one doesn't need 0-days to do that. openssl and even the protocol itself is a rich source of attack vectors. One example is the '\0' bug that allowed fake certs for arbitrary entities (boiling down to CA's verifying in domain order (reverse) but clients (using openssl et al) check in 0..n order (forward) till '\0' which led to e.g. 'google.com\0blabla.it' being considered OK by the CA (as blabla.it was indeed owned by requester) but OK for google.com by client (who only saw 'google.com\0'))

    And I'm saying that there are many other problem with CAs - for which we have evidence.

  • corbpiecorbpie Member

    I can see what im doing on my vps

  • sinsin Member

    @m3gf said:

    @stefeman said:
    What are the justification moments when the host can/should/must check client's VPS? Will any LET host spy on my porn collection?

    They will definitely spy on you porn collection, they will even give you a free recurring promo to let you keep doing this.

    I wish, then all my hosting would be free.

  • raindog308raindog308 Administrator, Veteran

    bsdguy said: openssl

    "You know, HeartBleed can't even be considered the worst OpenSSL bug..."

  • rincewindrincewind Member

    deadbeef said: You're saying that hosting providers have 0-day access to crypto exploits? :D Unless we're in the "they can do anything" zone, which is a conclusion and not an argument, SSL does what it should.

    No need for 0-days. BlueCoat is a commercially-available DPI proxy that intercepts HTTPS and is used by ISPs, schools, and some governments to monitor their network. It captures certificate requests and MITM's itself in between.

    Sources:
    http://surveillance.rsf.org/en/blue-coat-2/

    http://bluecoat.force.com/knowledgebase/articles/Solution/Intercepting-SSL-traffic-based-on-authentication-credentials

    They had a recent issue with TLS 1.3 changes in the Chromium browser: https://bugs.chromium.org/p/chromium/issues/detail?id=694593

    Thanked by 1Yura
  • rm_rm_ IPv6 Advocate, Veteran

    rincewind said: It captures certificate requests and MITM's itself in between.

    You still need to have the BlueCoat certificate installed as trusted on all clients (schools and governments can and do ensure this via group policies in Windows), else this will show a broken cert error instead of the website. Nope, no magic miracle MITM devices for SSL.

    Thanked by 2raindog308 vimalware
  • bitswitchbitswitch Member

    @rm_ said:
    You still need to have the BlueCoat certificate installed as trusted on all clients (schools and governments can and do ensure this via group policies in Windows), else this will show a broken cert error instead of the website. Nope, no magic miracle MITM devices for SSL.

    Excellent point. I am not sure why @rincewind did not state this in his comment as that is quite a crucial fact and if left out, the claim is misleading.

  • WebProjectWebProject Host Rep, Veteran

    For any decent provider I can see no reason to access customer data on VPS, different matter if police has a court order and required data for investigation purpose

Sign In or Register to comment.