4

A number of solutions are available for tunnelling IP over Websockets to masquerade a VPN as browser traffic. How well are these connections isolated though? Specifically, if the browser happens to run on a host behind a corporate gateway that is set up to MitM all TLS traffic, will the gateway have the means to decrypt the tunneled connection?

AFAICS there is no suite of standards to consult as there is for IPSec, hence the lack of specificity in the question.

CaffeineAddiction
phg

2 Answers

0

Websockets make use of https certs the same way all other secure web traffic does. Thus if you have a corporate proxy between you and the internet, it is very possible that a corporate certificate has been installed on your company computer. This would allow the company to MitM all of your web traffic including websockets.

It is possible to encrypt the content of the websockets themselves, however, the code you linked is simply relying on the encryption of HTTPS itself.

  • You should expect that your corporate admin can see your traffic clear text.
  • You should also expect that since a LARGE amount of traffic is flowing through a websocket to a specific domain that it will be flagged as an anomaly and investigated with more scrutiny than most other connections.
  • Even if your corporate admin does not understand what the traffic is, it will most likely trip the corporate IDS as a malware command and control gateway.
CaffeineAddiction
  • It would be trivially easy to run an SSH SOCKS proxy through this websocket VPN to encrypt the traffic such that it could not be decrypted by your corporate admin, however, they would be able to see the SSH handshake at the start of the connection and thus know for sure that something shady is going on. In fact, it is very very common for IDS systems to look for SSH type communication over non-standard protocols (WS, ICMP, DNS). Your traffic would most likely be flagged. – CaffeineAddiction Aug 23 '21 at 15:51
-1

Well, basically you now have a VPN over an untrusted connection. This should be fine, if the VPN is implemented to deal with that (the example that you list does not appear to be, though).

If the VPN correctly encrypts the data, then only entities in possession of the keys (that would be you and your VPN peer) should be able to decrypt it.

domen
  • This is incorrect. OP is using a WSS tunnel which falls prey to the same MitM attacks HTTPS does. Bluecoat can and will decrypt this traffic. – CaffeineAddiction Aug 23 '21 at 15:59
  • I'm struggling here. Which part is incorrect? – domen Aug 24 '21 at 21:58
  • The only part that is correct is that it's a VPN over untrusted connections. VPN just means it's a Virtual Private Network, it does NOT mean that it's encrypted. The encryption in this case comes from the HTTPS traffic being encrypted, which is entirely negated by a MitM proxy with a registered cert on his company computer. – CaffeineAddiction Aug 24 '21 at 22:29
  • I agree with what you say, so I'm struggling to see where I was wrong. Maybe my wording is off/unclear? – domen Aug 25 '21 at 09:25
  • "This should be fine" is the issue. As this VPN does not seem to encrypt anything, but relies on HTTPS, any MitM targeting the connection (like the corporate proxy) will be able to read/change anything on this "VPN." – ThoriumBR Sep 22 '21 at 17:13