8

Many companies use a network proxy in order to intercept web-based traffic for example.

I have some questions about their functioning:

1) I've never seen SSL warning in company. I doubt that they install trusted certificates from their proxy into the OS (because browsers may use different certificates store, Firefox has it's own for example). So how does they intercept traffic without browser warning?

2) Supposing that they install the proxy certificate into each host. If a host wants to go to "https://google.com", the hostname into the certificate will be that of the proxy , not google. So in any case, a SSL warning should appear. Does they generate certificates (with google hostname for example) signed by the trusted certificate proxy ?

tgogos
  • 193
  • 1
  • 1
  • 8
Duke Nukem
  • 687
  • 3
  • 9
  • 20
  • 3
    `I doubt that they install trusted certificates from their proxy into the OS` Actually, many do. Microsoft itself provides the ability to let administrators easily push custom certificates onto machines joined to the company's domain. Custom certificates can also be incorporated in to the company's standard OS deployment image. – tlng05 Aug 08 '16 at 16:25

2 Answers2

8

I've never seen SSL warning in company

Did you verify that SSL interception is done at all? See How do I check that I have a direct SSL connection to a website?.

So how does they intercept trafic without browser warning?

A SSL intercepting proxy creates a SSL connection between the proxy and the original target server and another SSL connection between the proxy and the client. The latter connection will use a certificate signed by the proxy CA. Insofar it is a classic SSL man in the middle attack and the only difference between the attack and the "legal" interception is that the client system has explicitly trusted the proxy CA and thus it will also trust the certificates signed with the proxy CA.

I doubt that they install trusted certificates from their proxy into the OS (because browsers may use different certificates store, Firefox has it's own for example).

If you have different CA stores for the different browsers you would need to import the proxy CA into all of these.

If a host wants to go to "https://google.com", the hostname into the certificate will be that of the proxy , not google

No. The subject of the certificate will be the original hostname (i.e. google.com). But this certificate will be signed by the proxy CA and not the original CA. And since the client trusts the proxy CA and the hostname matches the certificate no warnings will occur.

Community
  • 1
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Thanks for the explanation. However that point is unclear for me : _No. The subject of the certificate will be the original hostname (i.e. google.com)_ . The subject of the certificate can't be the original hostname (i.e. google.com) because the client will get the certificate from the proxy, so with the proxy hostname in the subject right? – Duke Nukem Aug 08 '16 at 21:30
  • 1
    @DukeNukem: The subject of the certificate must match the URL. The URL does not change if you use a proxy (i.e. HTTP proxy or SOCKS proxy in the browser settings). Thus the subject of the certificate must match the original hostname, i.e. the one in the URL. – Steffen Ullrich Aug 09 '16 at 04:40
  • _in the browser settings_ - A lot of company do not change proxy in browser settings. They just add certificates into store and place their proxy into the network (the proxy is on the same host as the gateway). So the subject of the certificate will not match the URL...Even that, no warning displayed. – Duke Nukem Aug 09 '16 at 08:24
  • @DukeNukem: if there is no explicit proxy but a transparent proxy the URL still shows the original target and that's what counts when validating the certificate. The proxy will build the new proxy certificate based on the original certificate in this case so that the subject still matches. Apart from that - did you check that SSL interception is done at all? – Steffen Ullrich Aug 09 '16 at 10:09
  • Ulltich Ok that's what I thought. For each request, the proxy will build and send a new certificate with the corresponding hostname in the subject. Do you know if that situation is common? Apart from that, yes I checked SSL interception. – Duke Nukem Aug 09 '16 at 12:49
  • @DukeNukem: Yes, this situation is common. This is how it works with all products doing SSL interception and probably every enterprise level firewall today offers this feature. Even squid proxy can do it. So yes, it is common. – Steffen Ullrich Aug 09 '16 at 13:44
1

The actual implementation of a Proxy can vary from organization to organization. In implementations where the company's cert gets imported to each host to remove SSL errors, you're likely talking about Deep Packet Inspection. Next Gen Firewalls (like Palo Alto) support this but again, this is only if they are doing packet inspection.

A Proxy Server doesn't need to do SSL decryption, they just pass the request (and encrypted content) along without performing any analytics on the payload. This generally won't generate SSL warnings.

HashHazard
  • 5,105
  • 1
  • 17
  • 29