


Man-in-the-Middle attacks from your ISP are impossible, right? But can they steal your password too? Or just data for that session?

<8cfc443a-2b2f-4b8e-b568-53002fabe7aan@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=1413&group=alt.comp.hardware.pc-homebuilt#1413

Newsgroups: alt.comp.hardware.pc-homebuilt
Date: Thu, 3 Aug 2023 15:58:03 -0700 (PDT)
From: raylope...@gmail.com (RayLopez99)
 by: RayLopez99 - Thu, 3 Aug 2023 22:58 UTC

I'm pretty sure I've thought this through correctly but I could be wrong. Background question: unless you are using VPN, your ISP can do a "man-in-the-middle" attack right? If you are using a VPN, then the VPN vendor can do the "man-in-the-middle" attack (MITM), so essentially you are trading your trust of your ISP for your trust of your VPN vendor.

Now with that out of the way, my main question is: is the MITM attack unique for just the session you are having or can they steal your passwords for your online accounts? Specifically, how does OneDrive encrypt your files? If there's a MITM attack can your ISP/VPN vendor read all the files (and/or download them) from OneDrive until you change your password? Or just one time, while you are logged in to their servers and online? My intuition says it's "onetime" since I bet Microsoft uses a temporary password every time you boot up? A trusted certificate stored somewhere on your hard drive to enable HTTPS. But equally plausible, just IMO not as likely, is that Microsoft is simply using your Outlook password for the encryption certificate every time you need to access OneDrive? In which case, once your ISP can figure out your password via a MITM attack, they can read your OneDrive files at their leisure, without you having to be online?

I say this since I don't trust companies to do right every time, it's just not feasible. Recently I discovered an Android rootkit installed on our phone by one of the employees of one of the Big Three US carriers. Fortunately they were not able, insofar as I can tell, to steal any significant money (maybe a small $25 or so charge that I often overlook since I charge so much stuff). The phone was turned over to them by my partner and the employee, who at the time struck me as shady, installed the rootkit and I only found out about it later by chance.

Re: Man-in-the-Middle attacks from your ISP are impossible, right? But can they steal your password too? Or just data for that session?

<68ef5543-a4d3-458d-9dd5-9292ffa81a59n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=1414&group=alt.comp.hardware.pc-homebuilt#1414

Newsgroups: alt.comp.hardware.pc-homebuilt
Date: Thu, 3 Aug 2023 16:01:14 -0700 (PDT)
In-Reply-To: <8cfc443a-2b2f-4b8e-b568-53002fabe7aan@googlegroups.com>
From: raylope...@gmail.com (RayLopez99)
 by: RayLopez99 - Thu, 3 Aug 2023 23:01 UTC

On Thursday, August 3, 2023 at 6:58:05 PM UTC-4, RayLopez99 wrote:

Change title from "impossible" to "possible" but that's obvious.

Thanks in advance to any answers. I would ask the security group but it's not as active as this group.

Re: Man-in-the-Middle attacks from your ISP are impossible, right? But can they steal your password too? Or just data for that session?

<uahkt7$140an$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=1415&group=alt.comp.hardware.pc-homebuilt#1415

From: nos...@needed.invalid (Paul)
Newsgroups: alt.comp.hardware.pc-homebuilt
Date: Thu, 3 Aug 2023 21:39:51 -0400
In-Reply-To: <8cfc443a-2b2f-4b8e-b568-53002fabe7aan@googlegroups.com>
 by: Paul - Fri, 4 Aug 2023 01:39 UTC

On 8/3/2023 6:58 PM, RayLopez99 wrote:
> I'm pretty sure I've thought this through correctly but I could be wrong. Background question: unless you are using VPN, your ISP can do a "man-in-the-middle" attack right? If you are using a VPN, then the VPN vendor can do the "man-in-the-middle" attack (MITM), so essentially you are trading your trust of your ISP for your trust of your VPN vendor.
>
> Now with that out of the way, my main question is: is the MITM attack unique for just the session you are having or can they steal your passwords for your online accounts? Specifically, how does OneDrive encrypt your files? If there's a MITM attack can your ISP/VPN vendor read all the files (and/or download them) from OneDrive until you change your password? Or just one time, while you are logged in to their servers and online? My intuition says it's "onetime" since I bet Microsoft uses a temporary password every time you boot up? A trusted certificate stored somewhere on your hard drive to enable HTTPS. But equally plausible, just IMO not as likely, is that Microsoft is simply using your Outlook password for the encryption certificate every time you need to access OneDrive? In which case, once your ISP can figure out your password via a MITM attack, they can read your OneDrive files at their leisure, without you having to be online?
>
> I say this since I don't trust companies to do right every time, it's just not feasible. Recently I discovered an Android rootkit installed on our phone by one of the employees of one of the Big Three US carriers. Fortunately they were not able, insofar as I can tell, to steal any significant money (maybe a small $25 or so charge that I often overlook since I charge so much stuff). The phone was turned over to them by my partner and the employee, who at the time struck me as shady, installed the rootkit and I only found out about it later by chance.
>

I suppose an employee could automate a MITM system, and sift through the results
looking for "good stuff". My ISP has multiple 100Gbit/sec connections to the next
level of switching (a device in Toronto). That represents a firehose of data,
with 3 million customers involved.

AFAIK, using MITM gives you the keys to the castle. Unless connections
are protected via some secondary method.

An example of a secondary method, is to use 7Z to compress and encrypt
a file, before upload to OneDrive. Only you know the original password,
and all the MITM monkey business in the world, will not crack your password
selection at your end. This assumes a long password, so whatever salting method
is used, won't be an issue.

A security group sounds like a better place for a question like this.

A small ISP, with very few staff, offers the best opportunity for the "Evil Tech" to
do business. When there are a larger number of employees, there are
more risks involved.

But generally speaking, I don't see a reason to rely purely on the Cloud
single method of protection, whatever it is. The recent track record of
Microsoft, isn't that good.

Paul

Re: Man-in-the-Middle attacks from your ISP are impossible, right? But can they steal your password too? Or just data for that session?

<e98f32e3-296b-4a21-8b7b-355c00cc5b07n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=1416&group=alt.comp.hardware.pc-homebuilt#1416

Newsgroups: alt.comp.hardware.pc-homebuilt
Date: Fri, 4 Aug 2023 22:32:43 -0700 (PDT)
In-Reply-To: <uahkt7$140an$1@dont-email.me>
From: raylope...@gmail.com (RayLopez99)
 by: RayLopez99 - Sat, 5 Aug 2023 05:32 UTC

On Thursday, August 3, 2023 at 9:40:04 PM UTC-4, Paul wrote:
> On 8/3/2023 6:58 PM, RayLopez99 wrote:
> > I'm pretty sure I've thought this through correctly but I could be wrong. Background question: unless you are using VPN, your ISP can do a "man-in-the-middle" attack right? If you are using a VPN, then the VPN vendor can do the "man-in-the-middle" attack (MITM), so essentially you are trading your trust of your ISP for your trust of your VPN vendor.
> >
> > Now with that out of the way, my main question is: is the MITM attack unique for just the session you are having or can they steal your passwords for your online accounts? Specifically, how does OneDrive encrypt your files? If there's a MITM attack can your ISP/VPN vendor read all the files (and/or download them) from OneDrive until you change your password? Or just one time, while you are logged in to their servers and online? My intuition says it's "onetime" since I bet Microsoft uses a temporary password every time you boot up? A trusted certificate stored somewhere on your hard drive to enable HTTPS. But equally plausible, just IMO not as likely, is that Microsoft is simply using your Outlook password for the encryption certificate every time you need to access OneDrive? In which case, once your ISP can figure out your password via a MITM attack, they can read your OneDrive files at their leisure, without you having to be online?
> >
> > I say this since I don't trust companies to do right every time, it's just not feasible. Recently I discovered an Android rootkit installed on our phone by one of the employees of one of the Big Three US carriers. Fortunately they were not able, insofar as I can tell, to steal any significant money (maybe a small $25 or so charge that I often overlook since I charge so much stuff). The phone was turned over to them by my partner and the employee, who at the time struck me as shady, installed the rootkit and I only found out about it later by chance.
> >
> I suppose an employee could automate a MITM system, and sift through the results
> looking for "good stuff". My ISP has multiple 100Gbit/sec connections to the next
> level of switching (a device in Toronto). That represents a firehose of data,
> with 3 million customers involved.
>
> AFAIK, using MITM gives you the keys to the castle. Unless connections
> are protected via some secondary method.
>
> An example of a secondary method, is to use 7Z to compress and encrypt
> a file, before upload to OneDrive. Only you know the original password,
> and all the MITM monkey business in the world, will not crack your password
> selection at your end. This assumes a long password, so whatever salting method
> is used, won't be an issue.
>
> A security group sounds like a better place for a question like this.
>
> A small ISP, with very few staff, offers the best opportunity for the "Evil Tech" to
> do business. When there are a larger number of employees, there are
> more risks involved.
>
> But generally speaking, I don't see a reason to rely purely on the Cloud
> single method of protection, whatever it is. The recent track record of
> Microsoft, isn't that good.
>
> Paul

Thanks Paul. I do password-encrypt using 7Z some sensitive information in files that I store in the cloud (besides Microsoft, I also use the service iDrive, which is reasonably priced).

Since I'm posting from a hotel at the moment, the "small ISP" is a factor since I forgot to use Mullvad VPN when logging onto the internet from the hotel gateway. That said, this hotel is so clueless I doubt there's a savvy evil rogue employee looking to steal guest passwords. But since it's in a tony neighborhood maybe? Rich people are often not tech savvy.

So I guess, to prevent MITM attacks, on occasion you should change your password? Since if the rogue employee has the "keys to the castle", then they have my Microsoft Outlook/OneDrive and Gmail and Yahoo and all my passwords? But I think some of these passwords are stored in my browser, which I would hope gives some level of security; however, using Wireshark or whatnot, I guess with enough effort they can figure out what your password is (even if encrypted), since it probably goes out at the same point in any data stream and you can figure that out from Wireshark (unless my hypothesis about encryption being "session specific" is correct), and then duplicate this on their end, once you are not online.

Maybe for this reason it's recommended you change your password every few months?

As for security groups, the last one I checked was full of spam and the usual B.S. about staying safe from viruses using XYZ product.

Ray Lopez

Re: Man-in-the-Middle attacks from your ISP are impossible, right? But can they steal your password too? Or just data for that session?

<d9ebebe9-fb69-419e-afdd-bd6806bacaacn@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=1417&group=alt.comp.hardware.pc-homebuilt#1417

Newsgroups: alt.comp.hardware.pc-homebuilt
Date: Mon, 7 Aug 2023 23:14:13 -0700 (PDT)
In-Reply-To: <e98f32e3-296b-4a21-8b7b-355c00cc5b07n@googlegroups.com>
From: raylope...@gmail.com (RayLopez99)
 by: RayLopez99 - Tue, 8 Aug 2023 06:14 UTC

On Saturday, August 5, 2023 at 1:32:45 AM UTC-4, RayLopez99 wrote:
> Maybe for this reason it's recommended you change your password every few months?
>
> As for security groups, last one I checked was full of spam and the usual B.S. about staying safe from viruses using XYZ product.
>
> Ray Lopez

As best I can infer, Microsoft OneDrive uses a HTTPS session key based on your password I suppose, which might be the salt of the session key. It uses a public/private key encryption.
However, the public key is signed by a "trusted source certificate" that is stored in either your browser or within Windows. The trick in Man-In-The-Middle (MITM) attacks is to substitute this "trusted source" certificate with another "trusted source" certificate to gain access to both the private and public keys. Apparently some anti-viruses that reside in Windows actually do this substitution as well, with the permission of the user, to check for malware and the like for any data being transmitted by HTTPS. From an answer below also ISPs store such 'trusted source' certificates used to substitute for other 'trusted source' certificates.

Therefore, the ref 5) answer below claims that any ISP can "spoof" the "trusted certificate" for any public key and thus gain Man-In-The-Middle (MITM) status. Key passage: "Your web browser or operating system has over 500 trusted certificates installed in it. This means that you implicitly trust any website whose certificate has been signed by this certificate."

How would a hotel or ISP do this? Well, insofar as I can infer, it would be to install such a "trusted certificate" on your hard drive and/or in your browser. For the hotel, it would be such as when you click on the "Agree to Terms" sign-in form, or, for an ISP, when you first register as a customer, and/or such a certificate is installed when you become a customer of the ISP.

As Paul says, for a large hotel to do this for the purpose of a MITM attack would be quite risky due to the large number of potential snitches. For a mom-and-pop hotel? Maybe not as risky, though arguably a mom-and-pop hotel would not have the technical expertise nor the clientele to either pull this off or make it worthwhile (i.e., who cares about the winos and bums who stay at the mom-and-pop flophouse? Hardly worth spying on).

RL

1) https://learn.microsoft.com/en-us/purview/data-encryption-in-odb-and-spo - OneDrive for Business is "session" encrypted each time, and each file has its own AES encryption key.

2) https://support.microsoft.com/en-us/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1

When data transits into the service from clients, and between datacenters, it's protected using transport layer security (TLS) encryption. We only permit secure access. We won't allow authenticated connections over HTTP, but instead redirect to HTTPS.

3) https://eric-diehl.com/does-https-prevent-man-in-the-middle-attacks/

The current model of trust of Internet employs hundreds of CAs. This brittle model allows to set-up lawful or unlawful man in the middle attacks.

4) https://security.stackexchange.com/questions/6290/how-is-it-possible-that-people-observing-an-https-connection-being-established-w - session key enabled that is only known between Microsoft server and Microsoft user, not by man-in-the-middle, MOST OF THE TIME

But see 5): The fact is an ISP (or the equipment installed by the NSA in the ISP) can intercept and MITM attack an SSL connection and they can do it quite easily actually.

5)
https://security.stackexchange.com/questions/6290/how-is-it-possible-that-people-observing-an-https-connection-being-established-w

A lot of the answers already provided are overlooking the interception capability of the ISP or NSA. Take a look at Room 641A in the AT&T datacenter. There are an estimated 10 to 20 such facilities that have been installed throughout the United States. Also take a look at the One Wilshire building where 260 ISP's connections converge into one building. That location is a prime location for an interception facility.

The fact is an ISP (or the equipment installed by the NSA in the ISP) can intercept and MITM attack an SSL connection and they can do it quite easily actually.

Your web browser or operating system has over 500 trusted certificates installed in it. This means that you implicitly trust any website whose certificate has been signed by this certificate.
The NSA via secret FISA court order can force any Certificate Authority operating in the United States to give them their root certificate. The court order includes a special non disclosure clause which forces the CA to keep their mouth shut under penalty of jail time if they speak out about it. They may not even need to do this however, they only need to convince the browser vendors to accept one NSA owned certificate as trusted in the browser.
As your traffic passes through the ISP they swap out the website's true public key with the NSA's own public key signed by the compromised certificate authority thus performing the MITM attack.
Your web browser accepts this false certificate as trusted and you communicate the symmetric encryption key for the exchange back to the NSA/ISP who keep a copy of it and also pass the same key onto the website.
Your session with the website is decrypted in real-time with the compromised symmetric key.
The decrypted data is sent via fibre optic line to the NSA's headquarters and data center in the basement of Fort Meade. This scans the data for hundreds or thousands of keywords that may indicate various types of threats. Any keywords are red-flagged for an analyst to view and prioritize further action if any. The final data is sent to one of the NSA's data storage facilities in the US. The new storage facility is the Utah datacenter which is likely online already as it was scheduled to be online at the end of last month.
Here's a diagram from nsawatch.org:

Re: Man-in-the-Middle attacks from your ISP are impossible, right? But can they steal your password too? Or just data for that session?

<4ed19933-b5c6-47a5-b9da-3d39ce4ff473n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=1418&group=alt.comp.hardware.pc-homebuilt#1418

Newsgroups: alt.comp.hardware.pc-homebuilt
Date: Mon, 7 Aug 2023 23:29:11 -0700 (PDT)
In-Reply-To: <d9ebebe9-fb69-419e-afdd-bd6806bacaacn@googlegroups.com>
From: raylope...@gmail.com (RayLopez99)
 by: RayLopez99 - Tue, 8 Aug 2023 06:29 UTC

On Tuesday, August 8, 2023 at 2:14:16 AM UTC-4, RayLopez99 wrote:
> But see 5): The fact is an ISP (or the equipment installed by the NSA in the ISP) can intercept and MITM attack an SSL connection and they can do it quite easily actually.
>
> 5)
> https://security.stackexchange.com/questions/6290/how-is-it-possible-that-people-observing-an-https-connection-being-established-w
>
> A lot of the answers already provided are overlooking the interception capability of the ISP or NSA. Take a look at Room 641A in the AT&T datacenter. There are an estimated 10 to 20 such facilities that have been installed throughout the United States. Also take a look at the One Wilshire building where 260 ISP's connections converge into one building. That location is a prime location for an interception facility.
>
> The fact is an ISP (or the equipment installed by the NSA in the ISP) can intercept and MITM attack an SSL connection and they can do it quite easily actually.
>
> Your web browser or operating system has over 500 trusted certificates installed in it. This means that you implicitly trust any website whose certificate has been signed by this certificate.
> Here's a diagram from nsawatch.org:

You can see what "trusted certificates" reside on your hard drive and/or in your browser by typing "certmgr.msc" in the MS-DOS Command Prompt, which brings up Microsoft Management Console "Certificates". Doing so, I found hundreds of such 'trusted certificates' on my system, pretty unsettling.

Apparently "DigiCert" is a big player with these certificates. From Wikipedia: "DigiCert, Inc. is a global digital security company and a provider of digital trust [1] headquartered in Lehi, Utah, with over a dozen global offices in various countries including: Australia, Belgium, Bermuda, Ireland, Japan, India, Germany, France, Netherlands, South Africa, Switzerland and United Kingdom.[2] As a certificate authority (CA) and trusted third party, DigiCert provides the public key infrastructure (PKI) and validation required for issuing digital certificates or TLS/SSL certificates. These certificates are used to verify and authenticate the identities of organizations and domains and to protect the privacy and data integrity of users’ digital interactions with web browsers, email clients, documents, software programs, apps, networks and connected IoT devices."

Personally I don't trust this company but I am in no position to do anything about it.

RL
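The mechanism Ray describes in his last two posts (a root certificate placed in the client's trust store lets an interceptor present a certificate the browser accepts for any site, which is why the certmgr.msc inventory is unsettling) as an added Go example that is not code from the thread; the CA names "Example Public Root CA" and "Hotel Gateway Root", the host onedrive.example.test and the baseline map are all constructed for the demonstration. It builds a genuine root and a second root standing in for one installed at an "Agree to Terms" step, issues a server certificate for the same hostname from each, and verifies both against the trust store: the interceptor's certificate is rejected until its root is added, after which it passes exactly as the genuine one does. Two defender-side checks follow that do not depend on the store being clean: a public-key pin, which still separates the two certificates because the interceptor cannot reproduce the real server's key, and a fingerprint comparison of the root store against a snapshot taken earlier, which is the scripted form of eyeballing certmgr.msc.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl with parent/parentKey; a nil parent means self-signed (a root).
// Panics on failure to keep the demonstration short.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verifies does what a browser does: chain the leaf to some root in the store for this host.
func verifies(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// fingerprint is SHA-256 over the DER certificate, the same idea as the thumbprint certmgr shows.
func fingerprint(c *x509.Certificate) string { s := sha256.Sum256(c.Raw); return hex.EncodeToString(s[:]) }

// spkiPin hashes the SubjectPublicKeyInfo; a pinning client compares this instead of trusting the chain.
func spkiPin(c *x509.Certificate) string {
	s := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(s[:])
}

// unexpectedRoots names every root in the store whose fingerprint is absent from the baseline.
func unexpectedRoots(store []*x509.Certificate, baseline map[string]bool) []string {
	var out []string
	for _, c := range store {
		if !baseline[fingerprint(c)] {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// Outcome records what each check concluded so main can print it and a test can assert on it.
type Outcome struct {
	GenuineOK, RogueRejected, RogueAcceptedAfterInstall, PinDetectsRogue bool
	UnexpectedRoots                                                       []string
}

func Scenario(host string) Outcome {
	realCA, realKey := mkCert(caTemplate("Example Public Root CA"), nil, nil) // constructed
	realLeaf, _ := mkCert(leafTemplate(host), realCA, realKey)
	rogueCA, rogueKey := mkCert(caTemplate("Hotel Gateway Root"), nil, nil) // constructed interceptor
	rogueLeaf, _ := mkCert(leafTemplate(host), rogueCA, rogueKey)            // same hostname, other key

	var o Outcome
	store := x509.NewCertPool()
	store.AddCert(realCA)
	o.GenuineOK = verifies(realLeaf, store, host)
	o.RogueRejected = !verifies(rogueLeaf, store, host)
	store.AddCert(rogueCA) // the "Agree to Terms" moment that installs an extra root
	o.RogueAcceptedAfterInstall = verifies(rogueLeaf, store, host)
	o.PinDetectsRogue = spkiPin(rogueLeaf) != spkiPin(realLeaf)
	baseline := map[string]bool{fingerprint(realCA): true} // known-good snapshot taken earlier
	o.UnexpectedRoots = unexpectedRoots([]*x509.Certificate{realCA, rogueCA}, baseline)
	return o
}

func main() {
	fmt.Printf("%+v\n", Scenario("onedrive.example.test"))
}
```

Run as-is it prints GenuineOK, RogueRejected, RogueAcceptedAfterInstall and PinDetectsRogue all true, and lists "Hotel Gateway Root" as the only root not in the baseline. The baseline comparison is what turns the certmgr.msc inventory into something repeatable: record the fingerprints once on a machine you trust, and any later addition stands out by name rather than being lost among the hundreds of legitimate entries.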
