I want to thank Jeff (our Director of Marketing and Emerging Technology) for testing ForceField and writing such detailed reviews. You can thank him by visiting his personal blog at: http://haumanadao.com/
That being said, let’s move on to the third part of this series.
When Jeff agreed to test ForceField and document his experience for our blog, he also ran a packet capture using Wireshark to determine if we could see exactly what was happening with this. That’s how I ended up with this last part of the review. I am the packet capture analyzer!
In the first packet captured, upon opening the browser, there is a SYN packet opening a connection to the ZoneLabs IP 208.185.174.65, and that connection is encrypted.
A SYN packet is the beginning of a handshake between two computers. Obviously, ForceField is logging in at ZoneLabs for some reason. Just what reason, we don’t know. But the second packet confirms the handshake with a SYN/ACK, an acknowledgement that ZoneLabs has received the first SYN packet, and sets a sequence number for the communication between the two.
For those of you who are not familiar with reading packets or with SYN/ACK packets, as I teach in our PC Security courses (shameless plug, I know!): the SYN and ACK packets are used to establish a connection with another device, usually two computers. The SYN packet sends a sequence number (to synchronize) for the digital packets and behaves much like a knock on the other computer’s door. Sort of like saying, “Hello? Are you there?”
The ACK packet is returned by the other device in acknowledgement of the knock, or attempt to establish communications. Like saying, “Yeah! I’m here! Let’s talk!” The sequence number establishes the connection between the two by identifying the packets, much like a ticket number. If the packets become broken up, the sequence number helps the communicating devices put them back together into a full message.
So, here is the image of the ACK packet in Wireshark:
The flag showing “SYN: Set” means that the synchronization number has been set along with the acknowledgment. This entire process is called the “handshake.”
In case you are wondering if I’m pulling your leg about the IP address belonging to ZoneLabs, let me put that theory to rest right now.
After the initial handshake and establishing the connection between the browser (or Jeff’s computer) and ZoneLabs, there is another secured handshake initiated.
After a few more back-and-forths with handshakes and agreeing on the cipher strength, Jeff’s PC starts sending encrypted data back to ZoneLabs in two packets, Packet 12 and Packet 13.
Just what information was sent, we don’t know. But there was definitely information being transferred. And there were a few more packets exchanged identical to the one shown above.
The next image shows that packet 22 was another acknowledgement packet sent from ZoneLabs to Jeff’s PC. I circled the flags to show you that neither the reset (RST) flag nor the FIN (finish) flag was set, which means that ZoneLabs was staying connected to Jeff’s PC. If it were disconnecting, the FIN flag would have been set.
You will then notice that the packet capture shows there is now a clone of the browser, as evidenced by the yellow lines in the capture above.
During the time of the capture and Jeff’s surfing, TrendMicro updated and ZoneLabs updated ForceField. Jeff also surfed Google, did a few searches, and checked his e-mail. All the packets captured showed these connections from Jeff’s PC in the background: the traffic to these sites for updates, the e-mail check and the IP packets to Google. I never found a disconnect from the initial ZoneLabs connection in any of the packets captured.
There is one flaw in our research, however. Jeff shut off the packet capture before closing his browser, so we could not see the disconnect from ZoneLabs.
I suspect that if he had closed his browser, forcing the cloned ForceField browser to close, we would have seen a disconnect packet. But being a novice to this kind of research and to packets, Jeff is off the hook.
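As an added example (not part of the original post, and not ZoneLabs or ForceField code), here is a small Python script that does by hand what the Wireshark screenshots show: it decodes the flags and sequence numbers from a raw TCP header, then walks a flow of packets to follow the SYN, SYN/ACK, ACK handshake and to check whether a FIN or RST ever appears. That last check is the test behind the “never found a disconnect” observation above: a flow with no FIN or RST in the capture was never closed while the capture ran. The port numbers, sequence numbers and packets below are constructed for the example, not taken from Jeff’s capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# TCP flag bits in the low byte of the offset/flags word (RFC 793; ECE/CWR from RFC 3168).
TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int

    def flag_names(self) -> List[str]:
        """Human-readable flag list, e.g. ['SYN', 'ACK'] for the second handshake packet."""
        return [name for bit, name in sorted(TCP_FLAGS.items()) if self.flags & bit]


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int, flags: int) -> bytes:
    """Pack a minimal 20-byte TCP header (data offset 5 words, window 65535, checksum left zero)."""
    offset_and_flags = (5 << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_and_flags, 65535, 0, 0)


def parse_tcp_header(raw: bytes) -> TcpSegment:
    """Decode the fixed part of a TCP header: the fields Wireshark's TCP pane displays."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, offset_and_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return TcpSegment(src, dst, seq, ack, offset_and_flags & 0xFF)


def track_connection(segments: List[TcpSegment], client_port: int) -> Tuple[str, List[str]]:
    """
    Walk the segments of one TCP flow in capture order and follow the connection state:
    SYN -> SYN/ACK -> ACK establishes it; FIN or RST from either side tears it down.
    Returns the final state plus a per-packet trace. A final state of ESTABLISHED means
    no disconnect was seen within the capture.
    """
    state = "CLOSED"
    trace = []
    for number, seg in enumerate(segments, start=1):
        direction = "client->server" if seg.src_port == client_port else "server->client"
        f = seg.flags
        if f & RST:
            state = "RESET"
        elif f & FIN:
            state = "CLOSING"
        elif state == "CLOSED" and f & SYN and not f & ACK and direction == "client->server":
            state = "SYN_SENT"  # the knock on the door
        elif state == "SYN_SENT" and f & SYN and f & ACK and direction == "server->client":
            state = "SYN_RECEIVED"  # "I'm here, let's talk"
        elif state == "SYN_RECEIVED" and f & ACK and not f & SYN and direction == "client->server":
            state = "ESTABLISHED"  # handshake complete
        trace.append(f"#{number} {direction} {'/'.join(seg.flag_names())} -> {state}")
    return state, trace


# Constructed sample flow (not from the post's capture): an ephemeral client port talking to
# TCP 443, shaped like the handshake and data exchange described in the review.
CLIENT, SERVER = 49152, 443
RAW_FLOW = [
    build_tcp_header(CLIENT, SERVER, 1000, 0, SYN),            # 1: SYN
    build_tcp_header(SERVER, CLIENT, 5000, 1001, SYN | ACK),   # 2: SYN/ACK
    build_tcp_header(CLIENT, SERVER, 1001, 5001, ACK),         # 3: ACK, connection established
    build_tcp_header(CLIENT, SERVER, 1001, 5001, PSH | ACK),   # 4: client sends (encrypted) data
    build_tcp_header(SERVER, CLIENT, 5001, 1201, ACK),         # 5: server acknowledges, no FIN/RST
]


def analyse_flow(raw_headers: List[bytes], client_port: int = CLIENT) -> Tuple[str, List[str]]:
    """Parse raw headers and report the flow's final state and trace."""
    segments = [parse_tcp_header(h) for h in raw_headers]
    return track_connection(segments, client_port)


if __name__ == "__main__":
    final, trace = analyse_flow(RAW_FLOW)
    print("\n".join(trace))
    print("disconnect seen within capture:", final in ("CLOSING", "RESET"))
```

Run against a real capture, the same logic would be applied to each TCP stream exported from Wireshark; here the point is that only a FIN or RST flag marks the end of a connection, so an analysis that stops before those packets (as Jeff’s did) cannot tell whether the connection was ever torn down.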
Our take here at MICE is that if you insist on using ForceField for the safety it provides, you are sacrificing your privacy. Under the guise of security and protection, I believe ForceField is Big Brother in disguise. Another wolf in sheep’s clothing.
And my take is that I’m going to donate to open source (Firefox) to continue their development of a free, non-Big-Brother browser!