There’s a reason why CNET, Techdirt, and Slate didn’t make much noise when it was revealed that the NSA or Britain’s GCHQ may be using a “man in the middle” attack by impersonating Google. With so many revelations about the spy agencies in recent weeks, this could easily be skipped. It’s to the point that even publications with that sort of clout aren’t able to get much of a rise out of people.
We’re simply tired of hearing the evils of the NSA.
Unfortunately, it’s a huge deal. It means that they aren’t just finding ways to collect data on citizens through standard processes. It means they’re getting into the business of using notorious hacker techniques that are even further down the road of legality than any of their other alleged surveillance techniques.
A MITM attack is one where a rogue site is used to be the middle man between a user and an online organization. For example, they could pretend to represent a bank, get the user’s login information, then act as that bank on behalf of the user. The user logs in through the MITM which transmits the action to the bank. When the bank responds, the MITM then sends the response through to the user.
It’s a way to rob people, but we can assume that the NSA isn’t robbing people… yet. For now, they’re simply using the attack to gather as much information about their targets as possible. It could be financial data, communications, or just about anything depending on who they’re pretending to be.
Google denies any such attacks have taken place on their system, but how could they really know? The idea of a MITM attack is that it happens without either party knowing. If the NSA or GCHQ is successful, nobody knows. That’s the point.
“There have been rumors of the NSA and others using those kinds of MITM attacks,” Mike Masnick writes on Techdirt, “but to have it confirmed that they’re doing them against the likes of Google… is a big deal — and something I would imagine does not make [Google] particularly happy.”
Google, nor any company, would want to be represented to their users by someone else. The fact that it’s the US or UK governments doesn’t make it any better. In fact, recent events would likely make it a worst case scenario for a company like Google. They are already in the spotlight over their involvement with PRISM. An earlier statements by Eric Schmidt points to a fundamental problem, saying that it’s in the “nature of our society”.
This information doesn’t make it any more comforting.