-1

http://qosmos.com/products/protocol-support/ states that they are able to identify "Video, URL, date, duration, frame rate, +30 other metadata" for YouTube traffic. Duration, frame rate and date seem possible. But how do they identify the URL, since it is going to be encrypted?

psy
  • This looks like a question for the vendor, and you're assuming that the stream is encrypted – schroeder Jan 25 '18 at 21:25
  • Are you sure they aren't expecting you to install a local certificate? The characteristics could simply be fields they extract from the HTTP when the target is YouTube. – Ángel Jan 26 '18 at 00:14
  • @Ángel Read the URL provided. It mentions that it involves DPI, which does not involve a MITM. – forest Jan 26 '18 at 04:36
  • @forest but for orgs to perform DPI on data, they require the cert to be installed. The fact the vendor uses the term "DPI" means to me that the stream has to be unencrypted, which means installed certs at some point. – schroeder Jan 26 '18 at 09:56
  • DPI can also involve things like reading the DNS requests, and IIRC, YouTube has a huge number of subdomains for their CDN. But you're right, DPI for an encrypted connection may require a cert to be installed to avoid browser warnings. – forest Jan 26 '18 at 14:11
  • I don't quite get why the downvote. I am interested in security but I am a novice. I was interested in DPI after attending a seminar and was reading about it and looking for various vendors and what they do. Installing a certificate makes it very easy. In that case, they would decrypt everything. My question is how would they identify it assuming no certificate is installed. – psy Jan 26 '18 at 17:06
  • @forest, with many orgs allowing BYOD, I don't think installing certificates is feasible. – psy Jan 26 '18 at 17:08
  • Frame rate and resolution go together to produce a bit rate, and there are only so many combos. Each video is also a certain length, and while there may be a few videos of exactly the same size, most will have a unique number of total bytes. Once you know the video, other meta is available from the API. – dandavis Jan 26 '18 at 20:03

1 Answer

2

In the case of YouTube, I have doubts that they can decrypt the QUIC protocol or even the SSL, which I think is what YouTube uses right now. The rest of the parameters of rate could be deduced a bit, but I think the information that they provide is not up to date with reality. In fact, you can send them an email with a pcap file of your preferred YouTube video and ask them :D

camp0
  • This does not answer the question about being able to identify the URL. PLEASE make sure your answers directly answer the question! They do not need to decrypt SSL if they are doing DPI on unencrypted streams as is often the case in corporate environments. – schroeder Jan 26 '18 at 11:40