Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

From Russia with Love

21 May 2016

In the world of cyber, and in the scope of imposed concept of security, two mundane vulnerabilities have been looming around for years. Nobody seemed to care much about them, partly because many parties actually did benefit of having them available, in the sense of social cohesion it was good for the economy that some part of the users remain vulnerable. E.g. it is required that large mass of the users are vulnerable for advertising, since we all need that cash don’t we. Yet there are barely any human, ethical or social grounds to justify holding some vulnerable, that having been said. Why then do we still have DNS hijacking and coffee shop attack in wild?


One of the most recent browser newcomer, Yandex browser, did a bold move in that sense. They did target both of these inherent and essential vulnerabilities and made the move to practically eliminate them in their recent browser release. What?  — somebody might ask. How can someone to eliminate our Wi-Fi router Advertisement, Paywall and Spoofing page, and indeed the controlled namespace?


That new browser includes two crucial and essential security features, custom DNS resolver and encrypted DNS protocol, as well as innovative, yet spooky, transparent encrypting of non-encrypted plaintext http requests. Both of these are bold moves, yet they both bear a good load of weight in the footprint of the invasion to the users’ actions, but hopefully for the good and not in order to break in.


Having a proprietary DNS resolver implemented in the client application, using a specific DNS resolver cluster will inevitably bring about good load of security. As all the resolvers are known and in control of the same entity, surely yes, but when things go bad, this can also become a reverse in the terms of the effect to users privacy. However same applies to malware scanners, OS-imposed critical silent updates, etc. The core question is to whom one grants such an omnipotent power and force? Surely in the world of cybersecurity that question is more relevant today as ever.


Furthermore, the most classic and perhaps the oldest one of the vulnerabilities, the plaintext HTTP traffic, remains an open issue for most of the implementations. Because nobody cares, anything important and you have certificate installed in any way — many lamely think. However in the real life things are not so. Many and many unencrypted, yet highly important, content is transferred daily over coffee shop Wi-Fi or campus networks. Let alone hotels, hostels and who knows what kind of establishments. Since now, nobody really took the step to even try to protect vulnerable users from these, instead of just proclaiming and shouting aloud, “set up your certificates!” Well, not all people do, for a reason or another. This new Yandex browser will make also a strange move in here — custom encrypted proxy for unencrypted traffic on unprotected wireless networks. Whooa! What?


Yes, you heard right. The browser will re-route your plain-text HTTP traffic trough its own proprietary encrypted tunnel to a distant exit node from where it’s sent to the destination. This effectively blocks any and all local coffee-shop attacks, as plain text HTTP is suddenly not any more plaintext HTTP. All this done transparently for the user and for the application. Well mostly. users will see slight indication what their unprotected Wi-Fi connection has been “enhanced” in order for it to me more secure than before. Oh my goodness!


The end result of the custom Wi-Fi protection is awesome, yet terrifying and horrible breach of users privacy. It depends on which side of the coin one looks at, and again, to whom one grants the master key. Personally I would at the moment trust more for Yandex proxy than Google or Apple, for example. Even a crowded Tor exit node can be more dirty than this. But, that’s a matter of personal choice, of course.


Whatever one thinks about these bold moves, they are sure to change the functionalities in the coming generation of browsers and in the way the users security is taken care of. As noted earlier, the question in the cybersecurity is becoming more and more relevant in the sense of “who governs”, and as people are eager to change their leaders rather swiftly, more and more innovative solutions can be expected to be introduced in the future, for the benefit of people rather than to secure the status quo of an eroding state.


Share on Facebook
Share on Twitter
Please reload


September 5, 2017

Please reload

Please reload

RSS Feed