Full Disclosure mailing list archives
Re: SSL Filtering
From: Brian Hatch <full-disclosure () ifokr org>
Date: Fri, 17 Oct 2003 13:24:44 -0700
Is there a way to detect if this MITM is being performed?

The one method I'm familiar with for how to accomplish this with SSL involves installing keys for a company CA in the users' browsers. (The SSL MITM box re-signs the keys, and as long as the key is trusted by the user, no dire error messages occur.) If you were paying attention, you could check that the signing CA had changed.

According to the PDF, yes, this is what happens. Client browsers must have the MITM's cert listed as a trusted CA, and at that point the MITM box can create keys on the fly, sign with its cert, and you'd never know what hit you.

So, the only way to determine you were being MITM'd by this is by checking the certificate that was used. (Clicking the lock icon, etc.) If you go to a bunch of different unrelated sites and they're all signed by the same cert, you probably know the culprit and can remove that cert from your trusted CA list if you wanted. Then you'd get cert warnings all the time though.

You could get around their inspection by running things like HTTPTunnel with SSL inside it. You could do this HTTPTunnel over SSL inside a MITM'd SSL too. However, regardless how you do it, with the MITM they should be smart enough to catch the HTTPTunnel-style traffic.

--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

I have no cognitive powers. It's amazing that I'm respirating. --bree

Every message PGP signed
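
The check described in the message above (looking at which CA signed the certificates of unrelated sites), as an added example that is not part of the original post. It goes one step beyond the message by comparing against a baseline of issuers recorded from a network you trust, because unrelated sites can legitimately share one public CA; the host names, CA names and the `min_sites` threshold are constructed assumptions.

```python
import socket
import ssl
from collections import defaultdict

def issuer_name(cert):
    """Flatten the 'issuer' field of ssl getpeercert() output into one string."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)

def fetch_issuer(host, port=443, timeout=5):
    """Issuer of the leaf certificate presented to this client (live use only)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_name(tls.getpeercert())

def suspect_issuers(observed, baseline, min_sites=3):
    """Return {issuer: [hosts]} for an issuer that replaced the baseline issuer
    on at least min_sites hosts whose baseline issuers were not all the same."""
    replaced = defaultdict(list)
    for host, issuer in observed.items():
        expected = baseline.get(host)
        if expected is not None and issuer != expected:
            replaced[issuer].append(host)
    result = {}
    for issuer, hosts in replaced.items():
        distinct_expected = {baseline[h] for h in hosts}
        if len(hosts) >= min_sites and len(distinct_expected) > 1:
            result[issuer] = sorted(hosts)
    return result

# Constructed sample data: hypothetical hosts and CA names, not real observations.
BASELINE = {
    "bank.example": "organizationName=Public CA One, commonName=Public CA One Issuing",
    "mail.example": "organizationName=Public CA Two, commonName=Public CA Two TLS",
    "shop.example": "organizationName=Public CA One, commonName=Public CA One Issuing",
    "news.example": "organizationName=Public CA Three, commonName=Public CA Three R1",
}
PROXY = "organizationName=Example Corp, commonName=Example Corp Web Proxy CA"
INTERCEPTED = {host: PROXY for host in BASELINE}   # every site re-signed by one CA
CLEAN = dict(BASELINE)                             # issuers unchanged

if __name__ == "__main__":
    for label, view in (("clean", CLEAN), ("intercepted", INTERCEPTED)):
        print(label, suspect_issuers(view, BASELINE))
```

For live use, build `observed` with `{h: fetch_issuer(h) for h in hosts}` from the network under test and `baseline` the same way from a connection you trust.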