by johnpaulett 5374 days ago
It sounds like Amazon is effectively a man-in-the-middle.

Hopefully the device-to-Amazon connection is secured by Amazon, but I cannot find any details.

The privacy implications of all SSL traffic being decrypted on AWS are a bit scary.

I am guessing the end user will never see broken SSL certificate warnings (as you would expect in a regular browser), since Amazon can add an "Amazon MITM" root CA certificate to the browser.


If Amazon does, in fact, act as a MITM, then that's a deal-breaker as far as I'm concerned.

Edit: The more I think about it, the more I think it is likely that they are just passing along the connection. SSL is designed to prevent MITM attacks. They would have to provide their own certificate which would cause browser warnings. They could write their browser to ignore certificate problems for Amazon certificates, but that strikes me as a pretty gaping hole.

What you say is very true, however when you say that SSL prevents MITM attacks, you are assuming that “their browser” always lives entirely within the device.

If their browser has code operating on the device and in the cloud, then their browser won't generate certificate warnings because there isn't a man-in-the-middle between their browser and the site; there's a man-in-the-middle between the device in your hands and the site.

It would be insecure against Amazon snooping or modifying the communication, but still generate the appropriate warnings about bad certificates.

I think the answer is, run “off-cloud” when you want privacy from Amazon.

Yes, I hadn't considered that possibility. The picture in my mind was some sort of hybrid operation where some of the work was offloaded, in which case you would still have to properly support device-to-site SSL links.

So I guess the issue of privacy still remains up in the air. I was hoping to be an early adopter of this, but I think I'll wait to see how the SSL via Silk situation pans out before putting down cash.

They're providing their own browser, so there's nothing that says this technique would have to trigger browser warnings.

It could easily work by having the connection between EC2 and the remote site be managed over SSL normally. EC2 then rejiggers the traffic, encrypts it over SSL with Amazon's certificate to send it to the device, and includes a little blob of data saying, "we got this from site X, whose certificate is Y". Amazon's browser could verify that but trust EC2 not to screw with the data. End result: no warnings, and your data is safe from everyone except Amazon. Which is not great, but neither is it hugely insecure.
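The split-browser relay sketched in the last two comments (cloud half terminates TLS to the origin, re-encrypts to the device, attaches a "we got this from site X, whose certificate is Y" blob that the device half verifies) can be modelled in a few dozen lines. This is an added example, not code from the thread or from Amazon's Silk implementation, and it makes two simplifying assumptions: the device-to-cloud TLS leg is abstracted as an HMAC over the envelope under a constructed shared key, and the origin responses are constructed fixtures rather than real fetches. The three scenarios show the property the comment describes: a party without the cloud side's key cannot alter the response undetected, but the cloud side itself can, and the device has no way to tell.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed shared key between the cloud half and the device half of the
# browser (assumption: a real deployment would provision per-device keys).
PROXY_DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed stand-ins for what the cloud half fetched from the origin over
# a normal TLS session. "cert" stands in for the DER-encoded leaf certificate.
ORIGIN_FIXTURES = {
    "bank.example": {
        "cert": b"-----CONSTRUCTED CERT FOR bank.example-----",
        "body": b'{"balance": 1250.00, "account": "x1234"}',
    },
}


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, as a browser would display it."""
    return hashlib.sha256(cert_der).hexdigest()


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so both halves MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def cloud_fetch(origin: str, tamper: Optional[bytes] = None) -> dict:
    """Cloud half: take the response fetched over TLS from the origin and wrap
    it in an envelope naming the origin and the certificate it presented.
    `tamper` simulates the cloud provider editing the body before it signs."""
    fetched = ORIGIN_FIXTURES[origin]
    body = tamper if tamper is not None else fetched["body"]
    payload = {
        "origin": origin,
        "cert_fingerprint": cert_fingerprint(fetched["cert"]),
        "body": body.decode(),
    }
    mac = hmac.new(PROXY_DEVICE_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def device_verify(envelope: dict) -> Tuple[bool, str]:
    """Device half: confirm the envelope came from the cloud half unmodified.
    The device never sees the origin's certificate itself; it can only trust
    the fingerprint the cloud half attests to."""
    expected = hmac.new(PROXY_DEVICE_KEY, _canonical(envelope["payload"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["mac"]):
        return False, "envelope MAC mismatch (modified between cloud and device)"
    return True, "accepted"


def run_scenarios() -> dict:
    """Exercise the relay under an honest cloud, an outside tamperer, and a
    tampering cloud. Returns what the device would conclude in each case."""
    results = {}

    # 1. Honest relay: device accepts and sees the real body.
    env = cloud_fetch("bank.example")
    ok, _ = device_verify(env)
    results["honest"] = (ok, env["payload"]["body"])

    # 2. Someone on the cloud-to-device leg, without the key, edits the body.
    #    The MAC no longer matches, so the device rejects it.
    env = cloud_fetch("bank.example")
    env["payload"]["body"] = env["payload"]["body"].replace("1250.00", "0.00")
    ok, reason = device_verify(env)
    results["third_party_tamper"] = (ok, reason)

    # 3. The cloud half itself edits the body before signing. The envelope is
    #    well-formed, so the device accepts it: this is the "safe from everyone
    #    except Amazon" case.
    env = cloud_fetch("bank.example", tamper=b'{"balance": 0.00, "account": "x1234"}')
    ok, _ = device_verify(env)
    results["cloud_tamper"] = (ok, env["payload"]["body"])

    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

The attested fingerprint is only as good as the cloud half's honesty: since the device never completes a TLS handshake with the origin, a cloud half that lied about `cert_fingerprint` would be just as undetectable as one that edited the body.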