SSL and the man in the middle

[SethInMI 146]

I read a story today that surprised me, about how foreign govs were using specialized networking equipment to spy on https secured/encrypted web traffic, the same equipment that some companies use to monitor employees secure traffic.

I feel naive now, but I didn't know that was possible. After some reading, I know it's called the man in the middle problem, and essentially if you can control the network between say my computer and my bank's computer, then for encryption purposes you can pretend to me that you are the bank, and to the bank that you are me, all while decrypting and reading and saving all the information.

So some questions:

1. Does anyone's company do this?
2. Did anyone else not know this was possible?
3. For the IT folks, how can I tell if I am on a connection where this is happening?

Say I am in a foreign country, or on a network of a company, and I want to make sure that a MITM setup is not occurring. I thought using an EV site (the ones with the green site name next to the https) would do it, but now I am not sure. I realize that it matters whether or not I am using "my" computer or phone or tablet, or one provided by the company or hotel or web cafe, because I guess extra trusted certificates could be installed on the provided one, which make a MITM easier or possible.

I thought if I was really concerned I could save a hex dump of the public key before I travelled and spot check it to the key shown in the browser, but now I don't even know about that. MITM is kinda scary for someone who though that good encryption can protect privacy.

It's flare not flair, brakes not breaks, bridle not bridal, "could NOT care less" not "could care less".

[ryoder 1,400]

Old news.
It is even a standard option in commercial proxy products.
Here is a McAfee doc on doing it with their products: http://www.mcafee.com/us/resources/technology-blueprints/tb-inspecting-encrypted-web-traffic.pdf
BTW a McAfee proxy is just a Linux box with proprietary software running as an application.
In setting up a McAfee proxy, the "transparent SSL" option *is* a MITM attack.

Wikipedia page on transparent proxies: http://en.wikipedia.org/wiki/Proxy_server#Transparent_proxy
Note the section on detection.

The SSL certificate structure is a joke;
The only thing it does reliably is move money from gullible companies to Certificate Authorities.

"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.

[Arvoitus 1]

I did it at work once, as I had to help debug some https related code and I had to setup some proxy to do this to capture the traffic coming from the phone I was working with. However it as long enough time ago (>1.5 years) that I've already forgotten the proxy software I used do this with it. However the the company I used to work for did this at a much larger scale.

Your rights end where my feelings begin.

[SethInMI 146]

One interesting thing I read was that Google Chrome has built into itself the certificates for *.google.com, so if you are using Chrome with https to any google site, including gmail, it should be resistant to a MITM attack, as it does not use a CA.

It's flare not flair, brakes not breaks, bridle not bridal, "could NOT care less" not "could care less".

[FlyingRhenquest 1]

Yeah, most of the companies I've worked for install their own certificates on their desktops, so you won't notice it happening. Sometimes their IT department is completely inept and will let their certificate expire or something. You can open a list of certificates somewhere and view them, but I forget if this is an OS service or a browser service. Anyone on that list could execute a man in the middle attack, assuming they could get your network traffic routed through computers they control.

I've used Jmeter to automate web service testing, and Jmeter has a proxy you can install that can execute a man in the middle attack on yourself. This is a feature when it comes to web service test automation. You can record, modify and replay the traffic between your system and the server. You'd be stunned how many programmers only validate their data on the client side. Since Jmeter doesn't use any client side code, it ignores those attempts to prevent invalid data from being passed to the server. The general assumption that if a company developed a piece of software, the software must be safe is a VERY bad assumption. In general, companies have NO idea how to design and develop software.

So to recap:

1. Always assume your traffic at work is monitored by the company, even if you're using SSL.

2. Don't blindly trust that any of the software you're using is bug free or safe. It's probably not.

I'm trying to teach myself how to set things on fire with my mind. Hey... is it hot in here?

[ryoder 1,400]

I was working at a large Fortune 500 company, and sat in a seminar put on by a rep from McAfee. It was this rep who laid out the fact the "transparent SSL" mode was a flat out MITM attack, and the proxy could even forge SSL certs.

The company had a mass of draconian inspection enabled on the employees web traffic...BUT...SSL traffic was doing HTTP CONNECT tunneling, i.e. the encrypted traffic was being proxied verbatim, with no decryption.

The reason? The companies lawyers were worried about the legal issues involving snooping on encrypted traffic, and didn't want to open that can of worms.

"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.

[SethInMI 146]

I think if I checked the certificate chain it should show something fishy. I attached the image of the certificate chain for mail.live.com, unless the company or government used a cert that faked Verisign it would be easy to tell that it was a different CA that was behind the cert.

I have a trusted cert from my company on my laptop, but it has my company's name in it, so I could tell if it was used as the CA for a MITM by checking the path (I think).

It's all very interesting to me. I guess I will have to break down and get a stackoverflow account, and ask some questions there, as those guys seem to be more interested in this sort of thing than skydivers...

It's flare not flair, brakes not breaks, bridle not bridal, "could NOT care less" not "could care less".

[theonlyski 3]

If you're in a foreign country that you suspect may be monitoring you, you can try using VPN's (NOT a PPTP VPN!) with as high of a cypher as you can handle and a very complex PSK and certificate (two factor).

That'll slow them down a little. Fact of the matter is, no matter what you're trying to hide, somehow they can get to it with enough time and resources.

"I may be a dirty pirate hooker...but I'm not about to go stand on the corner." iluvtofly
DPH -7, TDS 578, Muff 5153, SCR 14890
I'm an asshole, and I approve this message