Cyberoam fixes flaw threatening Tor users
Tor users should be relieved to learn that the flaw found in Cyberoam’s deep packet inspection device has been fixed. The Tor Project publicized the flaw when they reported a user in Jordan “seeing a fake certificate for torproject.org.” In order to scan users’ connections, Cyberoam would direct the user’s browser to recognize Cyberoam’s trusted CA so that the browser can issue fake certificates for sites using HTTPS, like torproject.org. Although Tor considers that to be “the only legitimate way to” set up a DPI device, they discovered a problem with Cyberoam’s implementation. After some research, Tor learned that all Cyberoam Deep Packet Inspection (DPI) devices share the same CA certificate. Because all the devices used the same certificate–and therefore the same private key–it is possible to intercept data coming from one Cyberoam device by using another Cyberoam device. This flaw makes it possible for someone to intercept a Tor user’s connection if it relies on a fake Cyberoam certificate. This is precisely what happened to the user in Jordan. An anonymous user later divulged the private key in the comments section of Tor’s blog post on the matter.
Tor made this announcement one week ago, and Cyberoam reports that an over the air (OTA) hotfix was put into effect yesterday. According to Cyberoam:
[the fix] forcefully generated unique keys for all the remaining appliances. This means that every Cyberoam UTM appliance now has a unique CA thus protecting the customers even if the private key is exposed willfully or by accident.
Cyberoam, in their post, also alludes to feeling singled out by Tor. They recognize the “critical nature” of the situation, but resent the spotlight being placed on them as opposed to “other companies who also use a universal CA for [their] devices” as well.
Referring to these other companies that use default CA’s, Cyberoam states, “we think that the industry needs to react to this on an urgent basis so that a deeper crisis is averted.” Although Tor can provide some measure of anonymity and protection while browsing, this event highlights that are still risks of surveillance.