Security Basics mailing list archives
Re: Question on appliances that do "decryption" of SSL
From: Paul Johnston <paul.johnston () pentest co uk>
Date: Tue, 26 Apr 2011 10:34:15 +0100
Hi, It's the second option you mention.
- The device presents a certificate that is "valid" to the browser/client and then transparently proxies on to the "real" site.
The clients have to install a certificate from the device as a root CA. When a client connects to the proxy, it issues a request like this: CONNECT ssl.site.com:443 The proxy now knows the CN the client is expecting, so it generates a certificate signed by its own root CA, and returns this. As far as the client knows, this is valid. It also makes an SSL connection itself to the target, allowing it to proxy the connection and read the encrypted traffic. If you want to play around with this, Burp Suite can do it. There's some further info it their docs.
Am I missing some other method? This would be easy enough to circumvent by removing your "organization" as a trusted CA from your browser... I'd think also this could introdzce concerns where an invalid certificate is being used on the "real" site, though obviously the MITM device could relay this back tot he client with a bit of intelligence I suppose.
Usually you'd lock down your clients so they couldn't fiddle with browser settings. In any case, if they did, they'd see a certificate warning, but the device would still be able to eavesdrop. As for the real site having an invalid cert, I think the proxy should warn you - but I know Burp Suite doesn't. Perhaps that's ok for Burp as it's only intended as a testing tool. Paul -- Pentest - When a tick in the box is not enough Paul Johnston - IT Security Consultant / Tiger SST Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982) Office: +44 (0) 161 233 0100 Mobile: +44 (0) 7817 219 072 Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy Registered Number: 4217114 England & Wales Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Question on appliances that do "decryption" of SSL Ray Van Dolson (Apr 25)
- RE: Question on appliances that do "decryption" of SSL David Gillett (Apr 26)
- Re: Question on appliances that do "decryption" of SSL Edd Burgess (Apr 26)
- Re: Question on appliances that do "decryption" of SSL DaKahuna (Apr 27)
- Re: Question on appliances that do "decryption" of SSL Edd Burgess (Apr 26)
- Re: Question on appliances that do "decryption" of SSL Paul Johnston (Apr 26)
- <Possible follow-ups>
- Re: Question on appliances that do "decryption" of SSL kaarthik rm (Apr 27)
- RE: Question on appliances that do "decryption" of SSL David Gillett (Apr 26)