when you're building this web page and
you go the content and banner across
the top and a banner across the bottom
ads down the side
content is being fetched from different
servers to fill in all the chunks of
that page you might be asked for example
and if your isp can replace one of these
with the ISPs and server then they've
essentially kicked out this ad network
from the process so that ad network
thinks that they're serving up and out
the I the isp is replacing that with
their own out which means the and that
was kind of paying for something which
they're not getting it also means that
the isp is getting the benefit of this
very popular page for exactly this might
be the CNN from page for example and
this ISP ad is now being inserted there
in place and so everybody is going to
see CNN web page
they're getting the app that the ISPs insert it going so surely that
Pope few people's noses out of joint it
yes whoohoo yes it will and it with it's
something that's yeah I i guess it's not
really considered good practice but
something that does happen
the problem
the lot of the original protocols used
for the web is that they're completely
insecure
so then either confidential so all the
data that you're transferring can be
seen observed by anybody who happens to
be in the able to sit in the network and
see that they're completely
unauthenticated
even if you encrypt all the data so that
nobody can sell tell what it is that as
it's being transmitted and received and
you might not have any idea that you're
sending it to the right person receiving
it from the right person so that does
no authentication either
and as a result of this
it's possible to do a whole variety of
attacks on traditional web protocols
where you can intercept communications
for example and maybe insert bad data
into that that sequence of exchanges or
you could the redirect somebody to a
different website and they thought they
were getting too because there's no the
essential to the person who's making the
communication the person who's running
the web browser has no way to check that
they're actually getting it from the
real side that they thought and TLS kind
of fixes a lot of that by providing
means both to encrypt the data in the
communication but also provide the means to
authenticate the sender and receiver so
that you can tell that you're actually
getting it the website you thought you
were getting it from
I remember doing a video where we looked
at how a website isn't just what you get
from one page is made up of all sorts of
things so does not further complicating
that complicates things in the sense
that when you get the original page the
original page will
so the first place to go to the URL you
go to will have some kind of base page
and then you'll fetch the data from that
web server and your web browser will
start rendering our data and putting it
up on the screen for you and it will
then be filling in holes in our data
which have references to other objects
on the web so they might be simple
images they might be complex subpages
there might be adverts from an
advertising so I don't we all saw all
sorts of things that are necessary to
fill in the gaps in that base page and
because of that sort of complexity of
that structure you end up relying on a
lot of other servers all doing the right
thing and all behaving appropriately and
those servers or networks which are not
the network to which were initially
connected
you might be fetching data from all over
the planet in order to build that the
page
that's going to be rendered and because
of that just because of that complexity
and diversity that becomes a lot of
weaklings a lot of potential
the weak links in that if you use TLS to
encrypt all those connections you've got
a better chance and authenticate all
those connections
you got a better chance that data you're
getting is the data you intended to get
another data that somebody who was in
the middle of those networks inserted
you've got the symbol for web browser
let's go old school yeah this is your
web browser and you got the first server
that you go to have no imagination today
sever.com
so you're going to make a connection to
that server to send a request and you're
going to get some page that comes back
and then you might have more requests to
go to that server
you might have requests to go to other
servers out there
as a result that's the set of
connections is one and then you might
have a bunch of other requests that all
get sent out to a bunch of different
networks possibly multiple to the same
then you have a bunch of things come
back and images come back and has come
back and this is what happens is the
page is slowly slowly they built
if you look at a web page where I know
this hasn't been fully thought through
or maybe you're accessing from a network
that's a bit slower than normal you
might see this happening so as the page
renders things move around a bit because
it's a bit of being filled in as the
responses come back for the different
servers causing everything else to jump
event of it
the problem is that any of these
connections and these are all using HTTP
then there's no way for the browser to
verify the data that's coming back here
is actually coming from this server they
could be coming from somebody else instead
and there's nothing inherently that
stops that being the case there's a bit of
work that needs to be done for this
attack to happen if this guy just starts
any bad data to the browser the browser
is not expecting in the browser will just bin
it and nothing happened about the
operating system just bin it but if
this guy happens to be able to observe
this initial request going out
it might be able to observe enough of
the information out in order to be able
to insert data before the response comes
back from the real server for example
which could significantly confuse things
so this is the sort of attack that will
happen if you've got an isp doing this
kind of thing for example so your
network provider chooses to try and
insert data onto the web pages you're
visiting then instead of you getting the
data that comes back
the server what happens is this is all
going through the ISPs network is
simplistic to say we just ask a server
for stuff because there are all sorts of
computers in the way on them
yeah so leave these packets that are
flowing to make the request and the
packets of the flowing to come back the
response each of those packets can be
manipulated and interfered with in some
way and so what can happen is that the
the package come through here and then
the isp redirect those packets to the
isp server and then you see these
responses coming back for you nice piece
over and there was no way for the
originator of the request to tell that
was what they expected to happen at
least in the default case and set the
HTTP if you have a tts which means that
you're using the protocol called TLS
then what happens is that there's an
initial connection setup that happens
and so the isp tries to redirect these
connections down there then there will
be an exchange that takes place before
the request is sent
which means that this computer here will
attempt to authenticate that computer
there and it will say no no that's not
the right one that's not what I expect
to https is basically HTT P being
carried on top of layered over TLS which
is then led over tcp normally speaking
HTTP is layered on top of TCP/IP all the way down
then what happens is with HTTPS is if
I'm going to
example.com I expect to get the right
and back for yet so if that was what
roughly speaking you have an exchange of
certificates so the connection is made
and then past the initial negotiation
that happens is that this server
presents information to the client
saying this is all the information that
i could only have if I had access to
this certificate
so go and check it against a certificate
and the client will say okay so I need
to go to find it's certificate to check it
against there's actually a hierarchy
that will sort of bubble back up to the
top
so you're you're so that might be down
here and your client trying to access
that and they may have to check against
multiple points to keep checking that
has been signed with the right
certificate to get back up to the top
and at the top that certificate will be
something is actually embedded inside
the browser and so the client can then
check against that which is already has
and it's already it doesn't have to rely
on anything
network to get that it's got that built
in and if that checks out then it knows
that this sequence of signatures has
been validated at every step
and so it can trust this server to be
the server that he claims to be the
fundamental thing behind all that is the
idea that this server can only respond
currently provide that information if it
has access to this secret and that
secret has been signed by another secret
and so you go back up the chain of the
secret signing of the secret signing on
the secrets to get to what you already
knew at that point you there then you
can be certain of that chain is not
infinitely it's a trust thing isn't it
based upon somebody you know you trust -
they trust who they trust it is yeah and
and ultimately get back to what thats
built into the browser itself
one of the things that happens then it
becomes a big deal when another entity
is allowed to put another certificate
inside the browser so you have a bunch
of these that are embedded in the
browser for these root certificates and
if you got one of those root
certificates it means you can sign other
people certificates and they can sign
other people certificates and so you
can end up if you let you know
did you sign the wrong certificates
for somebody they can go and create
stuff which they will say okay -
when they should I think we touched on
this briefly when we did a superfish
video tom scott but what's happening now with this ISP then also what's
happening for example is you can have
this other service called let's encrypt
it started when you can get your own
certificates relatively lightweight
fashion from this which is a good thing
in many ways because it means it's
easier for you to do this
on the other hand one of the things they
have to do in order to make that service
really viable was get their root
certificate embedded in all these
browsers and so that means that these
certificates no longer pop up and throw
an exception so we don't know where this
one comes from
it's about it you have a you have a
problem a similar problem in it without
involving let's encrypt where you just
have people doing what i call
self-signed certificates so the
certificate that gets checked
essentially doesn't have this hierarchy
it's just a significant onto itself and
so the browser
look at that it goes well this is signed
by itself essentially so it was signed
by the same entity that issued the
certificate which means that on the one
hand this is going to be an encrypted
connection so it's all gonna be fine and
it checks out as far as i know
on the other hand I haven't been able to
ask anybody else to verify this for me
so it's still just you claim to be
whoever you claim to be
and I've got another way of checking
that out which is why lot of browsers
increasingly browsers will start to
chant at you and say this is a
self-signed certificate
do you really want to trust this watch
your back yeah because there's no
there's no external validation that
actually the identity is done that
really is the entity who says that they
say they're so you can have this sort of
thing happening
you can actually have this kind of
attack wait not quite yet attack where
the browser is trying to get to the
server
the ISP servers used to intercept that
can happen with TLS as well because you
can essentially have the connection gets
routed down to the isp server and then
the isp server will manufacturers
certificate with which to claim
ownership of the address of the name
that the client is trying to access and
if it presents that back and the client
believes for example in self-signed
certificates all the isp controls enough
of the chain of trust that they can
produce a certificate for the ice that
the client browser will trust then at
that point
this server to all intents and purposes
even on HTTPS connection appears to be
the right server
so one piece of advice for your humble
user out there who's got all this
happening behind the scenes
what would it be a humble user out there
shields up on your browser right listen
to the warnings
so if you've got different things near
padlocks are not being closed and they
should be or the deposit in red we got a
warning pop up saying this is a self
certificate, are you really sure?
don't just click yes and accept
everything all right it's trying to the
system is trying to tell you something
unfortunately a lot of the time it's
telling you something which is
irrelevant or is telling you something
you can do nothing about
so it's either visit the site with don't
visit the site but it is actually trying
to tell you something and you should pay
attention to it
you might just get in the habit of
looking yeah yeah whatever
you shouldn't really do that if you really
care then you pay attention to that and
you
we don't go through when it systems
warning that something you don't go
through that
the problem is that a lot of the time as
warnings or rather irrelevant or you can
do nothing about it other than stop
whatever you're doing which is often
not acceptable to people is it is a way
you could circumvent any of those
problems are in private browsing if you
that private browsing stop it attempts
to stop information leaking between
browsing sessions but fundamentally
private browsing or not you're going to
the website and it's the wrong website
and it's got malware on it then your
browser is still going to get owned. alright, or you know if you type in your bank
details and you type them into the wrong
website then you still type them into
the wrong website
private browsing doesn't help with that
along with his state and the operations
around it and this can represent the
other paddle so we got two objects world
on your everyday physical experience
let's get the google glass in there
there it is
i think i'd be tempted to position it a
bit further along the line here
