2

I have a slight misunderstanding in the way TLS works. I know that I can use Burpsuite Proxy to intercept HTTPS traffic coming from my browser. How is this possible when the server is going to see the proxy as the browser? Therefore any handshake and cryptography stuff will happen there, right, and my browser will just be receiving and sending traffic with no knowledge of this?

I guess the more definitive question I'm asking is: how does using Burpsuite without a self-signed certificate break the TLS connection, and how does the self-signed certificate fix this?

  • In MiTM, the real HTTPS handshake will happen between the proxy and the server. To the client end, Burpsuite can simply play some tricks like SSLstrip. In the case of an enterprise, the IT can push an internal trusted certificate and chain to prevent the browser popping up any warning. – mootmoot Aug 17 '18 at 12:01
  • For Burp to work properly you need to install the certificate in your root certificate store. You can only intercept your own traffic, because other people will not install your certificate. – PortSwigger Aug 17 '18 at 13:37

2 Answers

5

Say you want to access SomeService's homepage through an HTTPS proxy. You start by making a connection between you and your proxy. Then your proxy makes a connection between itself and SomeService. Your proxy is the man in the middle, but that's okay because you are aware of this and you want this.

Your proxy will have no trouble communicating with SomeService (it's just a regular HTTPS connection with no MitM), but your browser will have trouble communicating with the proxy. That's because you typed in "https://www.SomeService.com" in your browser, and instead of getting an answer from SomeService, you got an answer from your proxy.

Your browser knows something is wrong, because it expected a certificate signed by someone it trusts that was given to SomeService, but instead it got a certificate signed by Burpsuite (which isn't trusted by default) saying "this is totally SomeService.com". Your browser will then show you an error, saying it has no idea who signed this certificate and that you're probably being spied on.

The solution is to install a root certificate from Burpsuite. When you install it, you're saying that you trust any certificate signed by Burpsuite, which allows it to intercept your traffic without raising any alarms.

Burak
  • 186
  • 1
4

When you don't attack traffic using MITM, TLS works like this:

Client <===========> Server

When you attack traffic using MITM, you get a third party to intercept and proxy communication:

Client <=====> Proxy <======> Server

Security is negotiated separately between client <==> proxy and proxy <==> server. A proxy will keep two connections open: one with the client and one with the server. This is typically used by AV vendors, malware, and enterprise filtering products. If a client trusts the proxy's certificate then a browser most likely will not highlight the fact that you are speaking to a proxy instead of a real server. You will see a green bar in a browser to say communication is encrypted. If you click on the certificate you will see the proxy certificate, instead of the real server certificate. Obviously this doesn't work if certificate pinning is involved.

If the client doesn't trust the proxy's certificate (which is usually the case unless you specifically install the proxy cert in your Trusted Certificate storage) then you will see a certificate error.

There are a few posts online that talk about Burp, for example this one:

Burp CA certificate - Since Burp breaks SSL connections between your browser and servers, your browser will by default show a warning message if you visit an HTTPS site via Burp Proxy. This is because the browser does not recognize Burp's SSL certificate, and infers that your traffic may be being intercepted by a third-party attacker. To use Burp effectively with SSL connections, you really need to install Burp's Certificate Authority master certificate in your browser, so that it trusts the certificates generated by Burp.

oleksii
  • 1,046
  • 1
  • 9
  • 19
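The trust decision both answers describe, as an added example (not code from either answer or from PortSwigger): a constructed proxy CA stands in for Burp's CA, a leaf certificate claiming to be www.someservice.com is forged under it, and the leaf is verified against an empty root store (browser before installing the CA) and against a store that holds the CA. The CA name and hostname are assumptions, and only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey and returns the parsed certificate (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// interceptDemo builds a constructed proxy CA (standing in for Burp's CA) and the leaf
// certificate the proxy would forge for host, then verifies that leaf twice: against an
// empty root store (proxy CA not installed) and against a store holding the proxy CA.
func interceptDemo(host string) (withoutCA, withCA error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: "Proxy CA (constructed)"}, IsCA: true, BasicConstraintsValid: true}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root, like Burp's CA certificate
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, // "this is totally host"
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, &leafKey.PublicKey, caKey)
	empty := x509.NewCertPool() // the browser's trust store before the proxy CA is installed
	_, withoutCA = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: empty})
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the "install Burp's CA certificate" step
	_, withCA = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return withoutCA, withCA
}

func main() {
	a, b := interceptDemo("www.someservice.com")
	fmt.Println("without proxy CA:", a) // x509: certificate signed by unknown authority
	fmt.Println("with proxy CA:", b)    // <nil>
}
```

The hostname matches in both runs; only the signer's presence in the root store changes the verdict, which is why Burp's forged certificates are rejected until its CA is installed.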