crossbear / Crossbear


Crossbear - crossbear@pki.net.in.tum.de

Also see https://pki.net.in.tum.de.

Recent updates:

Supported systems:

Quick start: download crossbear.xpi. On Windows, just drag & drop it into Firefox. On Linux, open Firefox and go to "Add-ons". Choose "install add-on from file".

Team: Ralph Holz, Jan Seeger

Former team members: Vedat Levi Alev, Phillip Dowling, Oliver Gasser, Thomas Riedmaier (the original coder)

Licensing: Crossbear code is GPLv3 - see the notice contained in every source file. However, some components we redistribute (e.g. Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 - blame Oracle for the length of the name) are protected by other licenses (in the given example, Oracle's "Oracle Binary Code License Agreement for the Java SE Platform Products" - again, blame Oracle for the length of the name). See the appropriate source code files - the corresponding license is stored in the respective directory.

Good day. Let us introduce ourselves: we are researchers at Technische Universität München, Germany.

This is Crossbear, a tool for tracing men-in-the-middle who try to eavesdrop on and interfere with an HTTPS connection. Crossbear's purpose is to collect data to find out a) whether such men-in-the-middle exist and b) where in the network they are located. It uses two methods. The first is a comparison of certificate chains from several points in the network, including a warning to the user when a different certificate chain is seen. In this respect, it is very similar to Perspectives or Convergence. The second method, however, is more important. It consists of creating Hunting Tasks which are then sent out to Crossbear clients around the world. Each Hunting Task is a request to traceroute to the indicated SSL server. The idea is that by correlating results from different vantage points it may be possible to derive where in the network the attacker is located.
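The correlation idea described above, as an added example that is not Crossbear's own code: each constructed report pairs a vantage point's traceroute hops with the certificate chain it observed. The function names, the report layout and the rule that the most frequently seen chain is the reference are assumptions made for illustration.

```python
import hashlib
from collections import Counter

def chain_fingerprint(chain):
    """Hash an ordered list of DER-encoded certificates into one hex digest."""
    h = hashlib.sha256()
    for cert in chain:
        h.update(hashlib.sha256(cert).digest())
    return h.hexdigest()

def localize(reports):
    """Return (vantage points seeing a deviating chain, candidate hops).

    Assumption: the chain seen by most vantage points is the reference.
    Candidate hops lie on every deviating path and on no clean path.
    """
    if not reports:
        return [], []
    fps = {r["vantage"]: chain_fingerprint(r["chain"]) for r in reports}
    reference = Counter(fps.values()).most_common(1)[0][0]
    clean = [r for r in reports if fps[r["vantage"]] == reference]
    odd = [r for r in reports if fps[r["vantage"]] != reference]
    if not odd:
        return [], []
    clean_hops = set().union(*(r["hops"] for r in clean))
    shared = set(odd[0]["hops"]).intersection(*(r["hops"] for r in odd[1:]))
    # Keep path order so the hop nearest the client comes first.
    suspects = [h for h in odd[0]["hops"] if h in shared and h not in clean_hops]
    return sorted(r["vantage"] for r in odd), suspects

# Constructed sample data: placeholder byte strings stand in for DER
# certificates, and all addresses come from documentation ranges.
GOOD = [b"constructed-leaf", b"constructed-intermediate"]
BAD = [b"constructed-substitute-leaf", b"constructed-substitute-ca"]
CORE, SERVER = "198.51.100.1", "203.0.113.10"
SAMPLE = [
    {"vantage": "vp-a", "hops": ["192.0.2.1", CORE, SERVER], "chain": GOOD},
    {"vantage": "vp-b", "hops": ["192.0.2.65", CORE, SERVER], "chain": GOOD},
    {"vantage": "vp-c", "hops": ["192.0.2.97", CORE, SERVER], "chain": GOOD},
    {"vantage": "vp-d", "hops": ["192.0.2.129", "192.0.2.200", CORE, SERVER], "chain": BAD},
    {"vantage": "vp-e", "hops": ["192.0.2.130", "192.0.2.200", CORE, SERVER], "chain": BAD},
]

if __name__ == "__main__":
    deviating, hops = localize(SAMPLE)
    print("deviating vantage points:", deviating)
    print("hops shared only by deviating paths:", hops)
```

A differing chain is only an indicator: servers behind load balancers or CDNs can legitimately present different certificates to different clients, so the candidate hops are a starting point for investigation.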

If you have further questions, have a look at our talks (slides) and a brief introductory video from 28C3.

Slides: https://pki.net.in.tum.de/node/4

Video: https://www.youtube.com/watch?v=bOyavGIou-w

Crossbear comes as a Firefox plugin.

PRIVACY STATEMENT - YOU WANT TO READ THIS

Your data is sent encrypted to our servers at Technische Universität München, Germany. WE DO NOT SHARE IT WITH ANYONE ELSE AND USE IT ONLY FOR THE PURPOSE OF CLASSIFYING MEN-IN-THE-MIDDLE. WE DO OUR BEST TO KEEP THE SERVERS SECURE AND PREVENT DATA LEAKAGE TO ATTACKERS.

We store the following data:

We do not store any other information. Not your name, nothing about your browser.

During the test period of Crossbear, your data will be stored on the servers IN PLAIN. We will change this when Crossbear goes live. Bear in mind, however, that in order to be useful, the Crossbear server will always need to be able to access recent data like certificate chains. It is part of its functionality.

Yes, that does mean we know which sites some client (with a certain IP) has accessed. If you don't want us to know about which sites you are visiting, deactivate Crossbear (and surf privately for that time).

In fact, we encourage you to use Crossbear only when you suspect your current connection to the Internet might be eavesdropped on and you want the assurance that Crossbear can provide. At any other time, it is wise (and will hurt our work only very little) to deactivate Crossbear.

Let us repeat this: our goal is to trace men-in-the-middle, not users. We want to gather hard data. If you want to help us with this, you are very welcome. We want to publish attacks that we learn about, and we can only do this with your help. However, if you feel you don't want to participate in the hunting, but still want some reassurance, we can recommend Perspectives (http://perspectives-project.org/).

If you have any questions, please do contact us. Our e-mail address is indicated at the top of this document.