Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Question on appliances that do "decryption" of SSL

From: Paul Johnston <paul.johnston () pentest co uk>
Date: Tue, 26 Apr 2011 10:34:15 +0100
Hi,

It's the second option you mention.


- The device presents a certificate that is "valid" to the
browser/client and then transparently proxies on to the "real" site.


The clients have to install a certificate from the device as a root CA.
When a client connects to the proxy, it issues a request like this:

CONNECT ssl.site.com:443

The proxy now knows the CN the client is expecting, so it generates a
certificate signed by its own root CA, and returns this. As far as the
client knows, this is valid. It also makes an SSL connection itself to
the target, allowing it to proxy the connection and read the encrypted
traffic.

If you want to play around with this, Burp Suite can do it.  There's
some further info it their docs.


Am I missing some other method?  This would be easy enough to
circumvent by removing your "organization" as a trusted CA from your
browser... I'd think also this could introdzce concerns where an
invalid certificate is being used on the "real" site, though obviously
the MITM device could relay this back tot he client with a bit of
intelligence I suppose.


Usually you'd lock down your clients so they couldn't fiddle with
browser settings. In any case, if they did, they'd see a certificate
warning, but the device would still be able to eavesdrop. As for the
real site having an invalid cert, I think the proxy should warn you -
but I know Burp Suite doesn't. Perhaps that's ok for Burp as it's only
intended as a testing tool.

Paul

-- 
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: