22

I found that some companies, such as Blue Coat and Gigamon, claim to offer a service that can eliminate the SSL/TLS blind spot. Are they talking about some way of deciphering the https content (breaking the encryption algorithms) or just a man-in-the-middle attack? If it is a MITM proxy, can I simply detect it by checking the CA of the certificate installed in my browser?

My question is about whether there is a way to monitor https traffic without a MITM attack, and whether it is possible for a MITM proxy to dupe users by showing certificates with real CAs (DigiCert, Comodo) so that I cannot tell the difference just by looking at the CA.

Peter Li
  • 6
    Dupe (or near) of http://security.stackexchange.com/questions/2914/can-my-company-see-what-https-sites-i-went-to http://security.stackexchange.com/questions/7323/is-my-company-tracking-me http://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server http://security.stackexchange.com/questions/14676/how-do-i-check-that-i-have-a-direct-ssl-connection-to-a-website – dave_thompson_085 Oct 03 '15 at 01:01
  • 2
    I do not think it is a dupe of any of those. This is asking how it is possible for products to remove the TLS blind spot. If you really understand TLS, perhaps there's enough information in the other questions to answer this question, but if you really understood TLS, you wouldn't be asking the question in the first place. – Neil Smithline Oct 04 '15 at 03:00
  • 1
    Them that owns the computer, owns the connection. Yes, for information infiltration/exfiltration and malware prevention, it is common to install a certificate and scan https traffic for content in company networks. – Fiasco Labs Oct 04 '15 at 04:49
  • The phone company owns the phone lines and exchange, but wiretapping is still an offence. – Ed Randall Oct 11 '17 at 18:16

6 Answers

35

Installing a root certificate on users' browsers and conducting a MiTM attack on employees is unfortunately a standard practice at many companies.

There are a few ways you can detect this.

  1. One way is to look at the root CA certs installed on your computer and see if there is one you don't recognize. This of course requires an in-depth knowledge of what real root CAs are, and what fake MitM proxy providers are.

  2. Another is simply to look at the certificate an https website generates and examine who it's signed by. The certs of all https sites will be signed by the company providing the MiTM attack proxy.

  3. A third way is to install Firefox, preferably a version that doesn't need to be installed and runs standalone. Firefox doesn't use the system-provided certs, but uses its own certs. You can get this from http://portableapps.com/ If you then get a security warning about a self-signed certificate, you're being MiTMed by your company.

Steve Sether
  • 15
    Just to clarify: Using Firefox will not enable you to browse securely if your company is intercepting all SSL connections. It will give you a warning letting you know that this is going on but your only choices then are not to surf or to accept the company signed certificate anyway. – Chris Oct 02 '15 at 19:04
  • 3
    The number of root certificates installed by default is so large that there are many I wouldn't recognize. So seeing one that I don't recognize doesn't tell me a lot. – kasperd Oct 03 '15 at 08:31
  • @kasperd You're right. Answer edited to reflect this. – Steve Sether Oct 03 '15 at 19:59
  • 2
    And what if you work at one of the large companies that issue certificates? – Dan Dascalescu Oct 04 '15 at 05:02
  • 2
    I don't have a particular problem that they are doing this, I'm having a problem that they didn't tell me. – Maarten Bodewes Oct 04 '15 at 06:02
  • @MaartenBodewes - why should it be a problem for an employer to be taking appropriate (and legally required) steps to try to control the flow of data in/out of their network without enumerating them all explicitly? Or... is there an issue with what they've done with the data they collected that affects you? – James Snell Oct 04 '15 at 09:08
  • 3
    @JamesSnell I doubt there are laws requiring an employer to break the security of SSL protected sites. And I am guessing a lot of those SSL protected sites do not approve of such attacks against the security they put in place. – kasperd Oct 04 '15 at 12:18
  • @kasperd - I think you'll find there are laws and rules applying to specific sectors in a number of territories which do necessitate such measures, just because you don't know what they are does not mean they don't exist or that it is not prudent for an employer to be able to see everything that enters/leaves their network. – James Snell Oct 04 '15 at 17:09
  • @JamesSnell I find it more likely that there are laws which prohibit performing mitm attacks on https connections. But I don't know of any specific laws in that regard either. – kasperd Oct 04 '15 at 19:21
  • 1
    @JamesSnell I believe it's incumbent upon you to show evidence of such laws rather than just assuming they exist or having others try to find them. If you make a factual claim, you need to provide evidence of its truth. – Steve Sether Oct 05 '15 at 15:18
  • @DanDascalescu I doubt that CAs will issue certificates signed with the CA key for internal purposes. This would require storing the root certificate in the proxy server so that they could sign certificates on the fly. Seems very risky when all you need to do is set a domain policy installing your custom internal CA on all your employee machines. – Chris Oct 22 '15 at 12:47
  • @Chris: what about BYOD environments where the corporation doesn't control the machines? – Dan Dascalescu Oct 23 '15 at 21:51
  • @DanDascalescu They will still filter all traffic through their proxy and present you with their self-signed certificates. You either accept them or you don't use SSL. – Chris Oct 25 '15 at 20:05
  • Note that to have reasonable certainty of which pages an employee has visited or which pages you are visiting online, you don't need a MITM or decryption. SSL/TLS leak information about your request (eg, size of request/response, sequence of request, server name, ...) which can be matched against a database of fingerprints. So although the page can't be decrypted, an attacker can reasonably guess which pages you are visiting, which are your preferences, and so on. This article: http://rabexc.org/posts/guessing-tls-pages goes into great length to explain the approach. – rabexc Jul 11 '17 at 15:32
  • @rabexc While I'm sure you can get a decent idea of which pages someone visited, I'd also put this capability currently far beyond the abilities of the corporate world. It'd require a large database to be maintained of multiple website signatures. That could certainly be done with some initial, and continuing effort for a law enforcement or intelligence organization. I'd put this in the realm of "traffic analysis" – Steve Sether Jul 12 '17 at 17:16
  • @SteveSether I would be really surprised if this was outside the realm of a corporation. If you read the post, putting together a working prototype took just a couple days of coding. The crawling can be done on demand based on SNI certificates, so you don't need to crawl the whole web ahead of time. The fingerprint and information per page is a few tens of bytes. 500 Gb of uncompressed / naive input, I believe would allow at ~10 Billion pages. Like with antivirus or antispam companies, I'd be surprised if there weren't companies selling these sort of indexes already, or lookup APIs. – rabexc Jul 13 '17 at 18:10
  • @rabexc I think you're going to run into some large problems when a site is behind a login page, like much of the web is today. Facebook, for instance. I also think distinguishing a few pages you visited from one another is a lot different than the general case. I'm sure any well-funded organization could do this, and come up with something out of it. I just doubt the effort involved and return gained would be of much interest to anyone but an intelligence, law enforcement, or government entity. – Steve Sether Jul 19 '17 at 21:00
  • @SteveSether yes, this won't work with gmail, facebook, or google. But the mortgages page on my bank is the ~same authenticated or not. It's easy to tell I'm looking for a mortgage. The same is true for many forums or video sites. It is also cheap to pay unskilled workers to register on the topmost web sites at any time after capturing the traffic. Or I could pay someone in a trial to crawl probable pages and compute fingerprints to try to track down which pages you visited. No more expensive than what antivirus companies do at scale, or investigators do in private, imho. – rabexc Aug 04 '17 at 00:53
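As an added illustration of checks 2 and 3 in this answer (not code from the post), the following Go program constructs in memory a public root, a corporate interception root, and a leaf for www.example.com signed by each; it then shows that verifying the leaf against an independent root store (the standalone-Firefox idea) flags the intercepted chain, and that the leaf's SPKI fingerprint differs, so a fingerprint obtained out of band would expose it too. Every name and certificate here is constructed; no real CA is involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert issues a certificate for name, signed by parent (self-signed when parent is nil); all constructed in memory.
func mintCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{name},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: compare it with a fingerprint obtained out of band.
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// intercepted reports whether the leaf for host fails to chain to an independent root set (one the local admin could not extend).
func intercepted(leaf *x509.Certificate, independentRoots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: independentRoots, DNSName: host})
	return err != nil
}

func main() {
	publicCA, publicKey := mintCert("Constructed Public Root", true, nil, nil)
	corpCA, corpKey := mintCert("Constructed Corporate Interception CA", true, nil, nil)
	genuine, _ := mintCert("www.example.com", false, publicCA, publicKey)
	forged, _ := mintCert("www.example.com", false, corpCA, corpKey)
	roots := x509.NewCertPool() // independent store: trusts only the public root
	roots.AddCert(publicCA)
	fmt.Println("genuine leaf flagged:", intercepted(genuine, roots, "www.example.com")) // false
	fmt.Println("forged leaf flagged:", intercepted(forged, roots, "www.example.com"), "issuer:", forged.Issuer.CommonName, "pin differs:", spkiPin(genuine) != spkiPin(forged)) // true
}
```

The same two checks apply to a chain captured from a live connection: verify it against a root set you control, and compare the SPKI digest with one recorded over a path the proxy cannot rewrite.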
7

It's pretty clear that they aren't able to decrypt any encrypted traffic for which they're not in possession of the encryption key. They are more likely doing it the way mitmproxy does: they might deploy their root certificate to all clients of a company by group policy, for example, and are then able to replace all certificates of web servers, ... on their own, because they are now considered a trusted CA (Certificate Authority) in all web clients.

This would allow them to decrypt all connections which are encrypted based on any certificate in the certificate chain issued by their own root CA. This technique is also used by some anti-virus software.

This won't work with symmetric encryption with a PSK (Phase-Shift Keying), of course.

TildalWave
davidb
  • How can I tell whether the certificate is the original one sent by the target server or one generated by the MITM proxy? If I find the issuer of the certificate is a common CA, does it mean I am using the original certificate, not the fake one? My concern is that if those vendors can somehow generate certificates dynamically to match the CA used by the original certificate, then I won't be able to tell any difference. – Peter Li Oct 02 '15 at 16:58
  • You should compare the list of trusted CAs with the list of CAs trusted by default. If you didn't install the additional CAs (if there is one/some) then it's likely somebody is trying to decrypt your encrypted traffic. – davidb Oct 02 '15 at 17:04
  • Don't you mean some virus software, not *anti* virus software? – jpmc26 Oct 03 '15 at 02:26
  • No, I don't. There are some anti-virus software packages that add their own certificates to monitor incoming network traffic that is encrypted. – davidb Oct 03 '15 at 09:19
  • In some contexts PSK is Phase Shift Keying, but in TLS it is **Pre-Shared Key**. Although TLS has long had it as an option, as of 2015 it wasn't ever used by browsers, or most other HTTPS; it might have been for some other things like LDAPS or SNMPS, and definitely was and is for IPsec and WiFi (which of course aren't SSL/TLS). TLS 1.3 in 2018 modified the former PSK to replace the former session resumption capability, so now it is becoming common -- but that PSK comes from a cert-based handshake, subject to snooper-root MITM. – dave_thompson_085 Sep 09 '19 at 01:40
5

Blue Coat: How to Gain Visibility and Control of Encrypted SSL Web Sessions:

Because a proxy is an active device (i.e., it terminates traffic), it acts as both the server to the client, and the client to the server. Thus, it has a native understanding of both the user and the application. For many organizations, users will only connect to the Internet via a proxy – because of the control it affords an enterprise. Because a proxy terminates connections, it offers a critically important control point for policy, performance, and protection of all Web-enabled user and application interactions.

Blue Coat SG is the leading secure proxy appliance, offering enterprises “the power of the proxy” in a broad range of sizes. Blue Coat extends that leadership by offering SSL proxy functionality on its market-leading proxy appliance.

Whereas Gigamon takes another approach, decryption (Gigamon: SSL Decryption: Uncovering The New Infrastructure Blind Spot):

The offloading of SSL decryption also eliminates the need to have multiple decryption licenses for multiple tools. After all, a security appliance with integrated SSL decryption, for example, does not benefit other tools, such as application performance monitoring. Gigamon can supply decrypted traffic to multiple tools simultaneously, maximizing the overall efficiency, security, and performance of the infrastructure. An associated benefit of this approach is that the private keys can now be securely uploaded to just the visibility infrastructure instead of sharing it with multiple tools.

It also delivers to IT and security administrators the right level of visibility into traffic, including SSL-encrypted segments that are at the heart of today’s cloud infrastructures.

GigaSMART decrypts the packets and sends the traffic to multiple out-of-band tools, including intrusion detection (IDS), data loss prevention, and application performance monitoring for analysis.

  • So Blue Coat is using a MITM proxy. However, for GigaSMART, how can they decrypt the traffic? They are talking about uploaded private keys. This is a little too hard to believe. – Peter Li Oct 03 '15 at 07:21
3

So there are 4 common vulnerabilities in SSL that immediately come to mind:

  1. Install a root certificate on your computer that allows the interceptor to be an SSL authority and create forged SSL certificates. This requires them to have administrative access to your computer; even then, the SSL fingerprints will be different.
  2. Do a MITM attack on non-SSL sites, then use SSL stripping when connecting to SSL sites. HSTS (Strict Transport Security) can help mitigate this by caching for a period of time that the site uses a secure connection (and not allowing insecure connections for this period of time).
  3. Where the SSL configuration is improperly set up, this can be seen by running the site through an SSL Labs test and noting the vulnerabilities. This can include using weak ciphers, weak key exchange or using outdated SSL protocols instead of going through TLS.
  4. The hashing algorithm on the certificate also plays a major part in keeping SSL secure, hence why Chrome is phasing out SHA1.
mjsa
  • 1
    I'm not sure `4 key vulnerabilities` are the right words. None of them are really vulnerabilities in SSL. Perhaps `4 weak spots to SSL encrypted web traffic` would be better? Not really sure. – Neil Smithline Oct 02 '15 at 18:17
  • Edited it a little bit now. :) – mjsa Oct 02 '15 at 18:24
2

No, no one can yet break the 2048-bit RSA certificates that are commonly used - not enough computing power.

However, your browser can be tricked via another (fake) certificate. It's very similar to how Fiddler works to view encrypted traffic (Fiddler is a network activity analyzer).

  1. First Fiddler creates & installs a trusted root certificate.

  2. You browse https://www.googole.com

  3. Fiddler creates a (fake) certificate for Google and signs it with the certificate from step 1.

  4. Fiddler intercepts all traffic from you to google and back (and the portion of the traffic between you and Fiddler is signed with the fake certificate). Your browser is duped into thinking the fake certificate is OK and you suspect nothing.

A neat trick.

However, you can easily smell a rat if you look at the signing authority of the site's certificate and see that it's not one of the recognized brands (Thawte, VeriSign, etc.).

  • 2
    For the Fiddler case, it is not designed to perform a MITM attack. Is it difficult to generate certificates dynamically with the matching CA as the real certificate (Thawte, VeriSign, etc.)? If so, it won't be so easy to smell a rat. – Peter Li Oct 03 '15 at 10:45
  • 1
    @PeterLi Indeed, if you sign your CA certificates yourself, you can just as easily claim to be Thawte, VeriSign, et. al. So it may be necessary to check the *fingerprints* of these root certs against the original fingerprints obtained e.g. from [here](https://www.thawte.com/roots/), but *not* via the compromised system (as it might modify such pages to reflect the fake fingerprint)! – Hagen von Eitzen Oct 04 '15 at 10:16
  • What happens if they replace those Thawte, VeriSign, etc. certificates? Can they? – JorgeeFG Oct 18 '17 at 16:48
2

Also bear in mind that next-gen security appliances, like those from Palo Alto and Huawei USG firewalls, have this functionality baked in. This is ostensibly to deal with the "blind spot" in which outbound SSL, because it is typically allowed, can be used by employees to circumvent security (shocking, I know). By decrypting the SSL, the appliance can perform application-based filtering,

gb5757870