Security Basics mailing list archives

Re: Preventing tunnels through HTTPS proxies


From: Mariusz Kruk <kruk () epsilon eu org>
Date: Wed, 17 Jun 2009 16:32:24 +0200

On Wed, 2009-06-17 at 12:48 +1200, Michal Ludvig wrote:
> I wonder how to prevent these abuses? Clearly the traffic pattern for a
> VPN will be distinguishable from a genuine HTTPS traffic - but how to
> detect it? Alternatively playing a man-in-the-middle on the proxy,
> decrypting all the traffic, inspecting that it's indeed HTTP and
> encrypting back with a key signed by a private CA that all the desktops
> in the corporation would trust may be another option. Any other ideas?

You know, of course, that HTTPS was made so such tampering would be made
impossible, right? How would you want to re-encrypt the traffic _with
original server's private key_? It's not only the matter of trusting the
CA, but also the matter of the stuff in SSL certificate matching the
actual server parameters.

> It would, in fact, be enough to learn that it was a VPN traffic
> afterwards, we don't necessarily need to kill the tunnel in realtime
> (although it would be nice). Since this kind of proxy abuse is forbidden
> by the company IT policy the trespasser's managers would deal with it at
> the HR level anyway. However net ops will have to provide some evidence.

In general, such thing is kinda impossible. Even if (and I'm too lazy to
look up the SSL handshake procedure) you were able to distinguish SSL
traffic from other data, there is always the simple possibility of just
connecting thru SSL-ed link and pumping your data in there instead of
just CONNECT-ing to a dumb non-SSL proxy. (and I wouldn't be too sure
that those proxies aren't working that way).
How can you tell HTTP traffic over SSL connection from any other
protocol over that SSL connection? You can't - that's the whole purpose
of using cryptography here.

-- 
.............. Hi, my name is Any Key. Please don't hit me!
..Kruk () epsilon eu org...
..http://epsilon.eu.org/..
..............
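Added example, not part of the original thread: the post-hoc evidence Michal asks for is usually all a proxy can give, since (as Mariusz says) the proxy cannot see inside the TLS stream. What it can log is which clients opened CONNECT tunnels, to which host:port, for how long and with how many bytes, and a browser's HTTPS session rarely stays open for hours or moves hundreds of megabytes. The log lines, the Squid-like field layout and the thresholds below are all constructed assumptions; the ClientHello check only tells you the tunnel carries TLS, not what rides inside it.

```python
import re

# Constructed Squid-native-style access.log lines (assumption: fields are
# timestamp, elapsed_ms, client, result/status, bytes, method, url, ...).
SAMPLE_LOG = """\
1245249000.123    1500 10.0.0.5 TCP_TUNNEL/200 48213 CONNECT mail.example.com:443 - HIER_DIRECT/192.0.2.10 -
1245249001.456   62000 10.0.0.7 TCP_TUNNEL/200 912000 CONNECT www.example.net:443 - HIER_DIRECT/192.0.2.11 -
1245249002.789 7200000 10.0.0.9 TCP_TUNNEL/200 734003200 CONNECT vpn.example.org:443 - HIER_DIRECT/198.51.100.3 -
1245249003.001     900 10.0.0.5 TCP_TUNNEL/200 22000 CONNECT update.example.com:8443 - HIER_DIRECT/192.0.2.12 -
1245249004.002    3000 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/192.0.2.13 text/html
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)"
                     r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def parse_connects(log_text):
    """Return one dict per CONNECT record; other methods (plain HTTP) are ignored."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        host, _, port = m.group("url").rpartition(":")
        records.append({"client": m.group("client"), "host": host,
                        "port": int(port) if port.isdigit() else None,
                        "seconds": int(m.group("ms")) / 1000.0,
                        "bytes": int(m.group("bytes"))})
    return records


def flag_tunnels(records, max_seconds=3600, max_bytes=200 * 1024 * 1024, allowed_ports=(443,)):
    """Flag CONNECT sessions whose port, lifetime or volume is atypical for browser HTTPS.

    Thresholds are constructed assumptions; tune them against your own baseline."""
    flagged = []
    for r in records:
        reasons = []
        if r["port"] not in allowed_ports:
            reasons.append("port %s" % r["port"])
        if r["seconds"] > max_seconds:
            reasons.append("duration %.0fs" % r["seconds"])
        if r["bytes"] > max_bytes:
            reasons.append("%d bytes" % r["bytes"])
        if reasons:
            flagged.append((r["client"], r["host"], r["port"], reasons))
    return flagged


def looks_like_tls_client_hello(first_bytes):
    """True if a tunnel's first bytes are a TLS Handshake record (0x16, version 3.x)
    carrying a ClientHello (0x01). This proves 'TLS', nothing about the payload."""
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01)
```

A flagged entry is a lead for net ops to correlate with the user's other activity, not proof by itself: a legitimate long-lived HTTPS session (webmail, large upload) trips the same thresholds.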

