Phorm
Nicholas Bohm
ukcrypto at chiark.greenend.org.uk
Tue, 18 Mar 2008 09:36:40 +0000
James Firth <james.firth@daltonfirth.co.uk> has made the following
comments which he has agreed to my sharing with the list:
...
I fully stand by the points made in your letter.
I would like to take this opportunity to comment on Phorm’s
characteristically weak response: that Phorm will not look at websites
that require password authentication in order to access.
This will be technically challenging, if not impossible, to achieve.
Also, if it is possible, we then enter the territory of Yossarian and
Orr: you need to intercept and analyze each transmission in order to
classify said transmission as a transmission that must not be
intercepted and analyzed. Seemingly one cannot get around the fact that
transmissions must not be intercepted without first gaining the consent
of both parties.
The technological argument is rather simple.
Consider an arbitrary website that uses a password protection mechanism
but does not use SSL or any other transport-layer security to protect
content.
A password is required to open a “session”. A session is essentially a
bond between a given web browser and a web server, and this bond or
session can remain valid for an extended period of up to several years,
even though the browsing activity may cease for extended periods of time.
The Phorm equipment will be tasked not just with identifying password
protection mechanisms; it will also have to characterise each and every
mechanism used to maintain a session in order to ignore the remainder of
the session.
There are a wide variety of mechanisms in use today, many proprietary,
and no single identifiable method that can be used to distinguish
protected content from open content. Note that often “open” sessions
(not password protected) are used on regular websites to track a
visitor’s progress through the site, and return visits from users.
...
Nicholas
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
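To make the technical argument above concrete, the following is an added Python sketch, not code from the post, from Phorm or from any of the people quoted. It models an ISP-side filter that tries to honour a "do not look at password-protected sites" rule over a handful of constructed HTTP exchanges (the hosts forum.example, news.example and mail.example, the cookie values and the login heuristic are all assumptions made for this example). The filter can only learn which cookie marks an authenticated session by reading the login exchange, it must then parse every subsequent message to check for that cookie, and it still cannot tell a login cookie from a tracking cookie by mechanism alone, nor recognise a site that keeps its session in a header rather than a cookie.

```python
"""Added illustration: a 'skip password-protected sessions' rule needs
the interceptor to parse everything it is supposed to be skipping.

All HTTP messages, hosts and tokens below are constructed samples."""

from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


@dataclass
class HttpMessage:
    start_line: str
    headers: dict      # lower-cased name -> list of values (Set-Cookie may repeat)
    body: str


def parse_http(raw: str) -> HttpMessage:
    """Minimal HTTP/1.1 message parser sufficient for the sample traffic."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return HttpMessage(start, headers, body)


def cookie_names(values):
    """Names of the cookies carried in Cookie / Set-Cookie header values."""
    names = set()
    for value in values:
        jar = SimpleCookie()
        jar.load(value)
        names.update(jar.keys())
    return names


def looks_like_login(req: HttpMessage) -> bool:
    """Assumed heuristic: a POST whose form body has a password-like field.
    Note that applying it means reading the body that carries the password."""
    if not req.start_line.startswith("POST "):
        return False
    return any("pass" in name.lower() for name in parse_qs(req.body))


class ProtectedSessionFilter:
    """Decides per exchange whether to 'profile' it or 'skip' it as part of
    a password-protected session. It has to parse both request and response
    of every exchange to reach that decision."""

    def __init__(self):
        self.session_cookies = {}   # host -> cookie names learned from a login
        self.messages_parsed = 0

    def decide(self, raw_request: str, raw_response: str) -> str:
        req, resp = parse_http(raw_request), parse_http(raw_response)
        self.messages_parsed += 2
        host = req.headers.get("host", ["?"])[0]
        if looks_like_login(req):
            learned = cookie_names(resp.headers.get("set-cookie", []))
            self.session_cookies.setdefault(host, set()).update(learned)
            return "skip"
        presented = cookie_names(req.headers.get("cookie", []))
        if presented & self.session_cookies.get(host, set()):
            return "skip"
        return "profile"


def naive_cookie_rule(raw_request: str) -> str:
    """A content-blind alternative: skip anything that carries a Cookie header."""
    return "skip" if "cookie" in parse_http(raw_request).headers else "profile"


def run_traffic(pairs):
    """Apply the filter in order; return its decisions and how many messages it parsed."""
    flt = ProtectedSessionFilter()
    decisions = [flt.decide(q, r) for q, r in pairs]
    return decisions, flt.messages_parsed


# Constructed sample traffic, in the order the interceptor would see it.
OK_HTML = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
SAMPLE_TRAFFIC = [
    # 1. login to a password-protected forum (no TLS), server issues a session cookie
    ("POST /login HTTP/1.1\r\nHost: forum.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&password=hunter2",
     "HTTP/1.1 302 Found\r\nSet-Cookie: sid=abc123; Path=/\r\nLocation: /\r\n\r\n"),
    # 2. later request inside that session
    ("GET /private/thread/42 HTTP/1.1\r\nHost: forum.example\r\nCookie: sid=abc123\r\n\r\n", OK_HTML),
    # 3. open news site hands out a visitor-tracking cookie, no password involved
    ("GET /news HTTP/1.1\r\nHost: news.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\nSet-Cookie: visitor=xyz789; Path=/\r\nContent-Type: text/html\r\n\r\n<html>"),
    # 4. return visit carrying the tracking cookie: same mechanism as 2, different meaning
    ("GET /news HTTP/1.1\r\nHost: news.example\r\nCookie: visitor=xyz789\r\n\r\n", OK_HTML),
    # 5. webmail that keeps its session in a proprietary header, never seen as a "login"
    ("GET /api/inbox HTTP/1.1\r\nHost: mail.example\r\nX-Auth-Token: 9f8e7d\r\n\r\n", OK_HTML),
]

if __name__ == "__main__":
    decisions, parsed = run_traffic(SAMPLE_TRAFFIC)
    print("session-aware filter:", decisions, "after parsing", parsed, "messages")
    print("content-blind rule:  ", [naive_cookie_rule(q) for q, _ in SAMPLE_TRAFFIC])
```

The session-aware filter skips exchanges 1 and 2 but only because it parsed the login POST, password included, and every message afterwards; it profiles exchange 5, which is authenticated, because that site's mechanism was never recognised. The content-blind rule profiles the login POST itself and skips the open news site on the return visit, so neither approach identifies "password-protected" traffic without either reading it or getting it wrong.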