4

I am asking about systems like: Bluecoat ProxySG

I saw some relevant answers here: Can my company see what HTTPS sites I went to?

It explains how employers can do it using root certificates, but does not explain how can governments or ISPs so it. I understood that you need admin access to a computer to add the fake certificate to the computer trust store.

Does that mean that ProxySG uses a trojan/hacking mechanism to access a victim's computer before employing the fake certificate man in the middle attack? Are there any details to how they install this certificate?

Community
  • 1
aszahran
  • 151
  • 5

5 Answers5

8

How does Blucoat Proxy allow governments to decrypt SSL?

It does not allow governments to decrypt any kind of SSL traffic on any network. BlueCoat is used inside companies (and inside government organizations) to inspect their own incoming and outgoing SSL traffic for malware, data leakage etc. The necessary proxy certificates to do transparent SSL inspection are officially installed on the systems. If these are not installed then users get a warning.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • This is not what bluecoat advertises here: https://www.bluecoat.com/products-and-solutions/government-solutions - They mention "Encrypted Traffic Management (SSL)" as one of their gov solutions.. – aszahran Mar 11 '16 at 08:46
  • 9
    @aszahran From the linked page, it looks like they are selling their solution to government agencies for internal use, rather than for widespread SSL monitoring of the general public. Think DVLA/DMV rather than FBI/GCHQ – Matthew Mar 11 '16 at 08:50
  • @Matthew Where in the page did you understand this? Do they say it explicitly somewhere? – aszahran Mar 12 '16 at 18:34
  • 1
    Just read the page: "You are challenged with defending your Mission Critical Applications" - defending, rather than monitoring others. The rest talks about protecting your workers. That's not the kind of threat that monitoring the public defends against – Matthew Mar 12 '16 at 18:37
  • 2
    This answer is misleading. Blue Coat products are use inside companies, and also it seems on public networks: https://citizenlab.org/2013/07/planet-blue-coat-redux/ – Erwan Legrand Mar 14 '16 at 09:30
  • @ErwanLegrand - please see my latest comment to your answer for a detailed explanation. – TTT Mar 14 '16 at 14:17
2

Blue Coat Proxy SG is just a proxy. It does not include malware.

What Blue Coat's Proxy SG and other similar solutions does is a MITM attack on encrypted traffic. It decrypts incoming traffic does whatever it is configured to do with the decrypted information and then encrypts the data again before forwarding it. This is pretty simple. (I know, I with others wrote a MITM proxy about ten years ago.)

Once you have the MITM proxy, it must be placed in the right location. There is evidence of Blue Coat products in public networks: https://citizenlab.org/2013/07/planet-blue-coat-redux/

Once you have the MITM proxy in the right place, what is required to perform a MITM attack is a trusted certificate. Browsers trust a large number of root certificates. They also trust intermediate CA certificates signed by these root certificates. Thus, this is a matter of acquiring such a certificate and loading it into a monitoring device. Any CA certificate which is trusted by browsers will do. The larger the number of CAs trusted by the browser, the lower the security. (Whether the monitoring device is sold by Blue Coat or not is irrelevant here.)

Certificates can be bought. They can also be obtained from a broken CA. (Look for the Comodo and DigiNotar hack stories). Also, according to the EFF, 54 states control CA which are trusted by browsers: https://www.eff.org/files/countries-with-cas.txt

You might find these links relevant:

(The MITM device in which the certificate was loaded in the first case might or might not be from Blue Coat. This is not known.)

Also, users tend to ignore security warnings. A trusted certificate is not required if it can be predicted that the victim will ignore the security prompt: https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook

Another possibility is to exploit a vulnerability or to bribe an insider to acquire the server's private key.

Countermeasures have been developed to block these attacks, such as certificate pining (Chrome does this for a few large domains) and Certificate Transparency: https://www.certificate-transparency.org/

The Perspectives project designed as system in which a higher number of trusted third parties translates into better security. (Compare with the PKI model where the higher the number of trusted third parties, the lower the security.)

Malware used to compromise a target's computer is an entirely different threat. SSL/TLS is does not offer any protection to the victim in this case. This is what the NSA did to attack Tor users.

Erwan Legrand
  • 401
  • 2
  • 13
  • 2
    This answer is incorrect in its current form. You are answering how a government *could* decrypt SSL if they wanted to. This question asks specifically how a government can use Bluecoat Proxy SG to decrypt SSL traffic. The correct answer, as Steffen stated, is they can't. – TTT Mar 11 '16 at 14:55
  • @TTT, any facts to substantiate your claim? – Erwan Legrand Mar 14 '16 at 09:26
  • There's nothing to substantiate. I think you're simply misunderstanding the original question. You're talking about how to use a proxy device to perform a MITM attack. If you can get a CA to give up a root cert and an ISP to allow you to to install your device inline then of course you can perform a MITM. As you pointed out, the brand of device doesn't matter. But that isn't what this question is asking. This question is asking if the Bluecoat device has special technology such as tricking the client into installing fake certificates, so that you don't have to do the things you mentioned. – TTT Mar 14 '16 at 14:14
  • @TTT Got it! You do not read the question in the same way that I do. It seems to me the OP believes a hack might be required because he thinks the browser (and the CA it trusts by default) to be trustworthy. – Erwan Legrand Mar 14 '16 at 16:47
  • Bluecoat proxies' SSL inspection depends on a CA certificate in the client. The cacerts file lists many CA's, who do you trust? Your government? – bbaassssiiee Mar 14 '16 at 23:12
  • @bbaassssiiee If you trust your browser in its default configuration, you are actually trusting the governments of 54 countries. (According to the EFF. I've added the link above.) – Erwan Legrand Mar 15 '16 at 10:20
  • Trust can change after elections. – bbaassssiiee Mar 15 '16 at 14:18
0

Depending on the law in your country, yes your company can read your SSL traffic.

They don't need to hack anything. On a windows environment they just need to define a policy that every computer in the AD will have the company certificate as a trusted root certificate. As your company is providing you the computer they have all the rights to do anything they want on it, as long as it is not against your country law.

Sharnt
  • 1
  • 1
    My question was about how can governments do it, not companies. I edited my question to make it clear. – aszahran Mar 11 '16 at 08:41
0

There are two ways as far as I can see, a Government can Decrypt HTTPS traffic. Again, these are just speculations. In both of the below, the BlueCoat device can be used as the proxy, but it is not a requirement at all(the proxy used is rather irrelevent).

One is to plant the Certificate of the Proxy on the Client Machine. This requires the government to hack into the Client's device first. there is no mechanism in the Bluecoat device to do this hacking. it is also possible to just ship the Client's device with the certificate already installed in it, if the Government can force the OS or Laptop Vendors to do it.

Other(more likely senario) is to have the Private Key on the Proxy, so that it can decrypt incoming traffic. this requires the government to force an organisation to give them the private key(remember Lavabit?)

JOW
  • 2,319
  • 2
  • 16
  • 24
0

In order to impersonate a host in a TLS connection you need a certificate from a trusted certificate authority. Any trusted certificate authority. Not necessarily the one who created the original certificate. When you look at the list of certificate authorities most operating systems and web browsers trust out of the box (the firefox list, for example), you will notice that the list is quite long and even includes some government entities.

In order to MITM on connections, a government agency only needs to compromise one of them. In some countries, some government agencies have the right to force any domestic company to comply with their requests and simultaneously put a gag order on them to forbid them from admitting that they do.

Philipp
  • 48,867
  • 8
  • 127
  • 157