How to mitigate credential disclosure in man in the middle attack

Question

I have the followin scenario and looking for a secure solution.

There is a web application, hosted on IIS. The connection is established over TLS 1.2 and is encrypted.

So the steps are

Client connects to the server over ssl
Client sends the username and password (as well xsrf token)
The server authenticates the user and creates an encrypted cookie that will go back and forth.

Assume that we are in a corporate environment were all communication occurs via a proxy server (for example when using SSL Inspection). If the inspector is compromised (quite probable based on this) then the user is vulnurable to credential theft.

I read about the crypto binding solution, but this only secures us from the MITM to not be able to keep the connection alive after the client has stopped creating traffic.

Is there a way to secure the user's passwords when ssl has been compromised this way?

score 11 · Accepted Answer · answered Feb 21 '20 at 10:16

11

The Secure Remote Password (SRP) protocol can be used to send credentials over an unencrypted network.

You could also require SSL/TLS client authentication which will prevent the proxy from being able to establish a connection to the web server.

answered Feb 21 '20 at 10:16

Irfan434

719
5
7

1

Excellent answer. It sent me to a journey over PAKES, SRP and Opaque. Cheers. – Athanasios Kataras Feb 21 '20 at 10:40

How to mitigate credential disclosure in man in the middle attack

1 Answers1