Penetration Testing mailing list archives

Re: MITM Proxies


From: Rogan Dawes <discard () dawes za net>
Date: Mon, 23 Jan 2006 10:55:41 +0200

Kevin Willock (IGSN Security) wrote:
Hi there, excuse my ignorance, but I am curious to know how MITM applications bypass SSL encryption? Do you need to buy a CA signed cert for the MITM machine? How does the spoofing process actually work?

Thanks

Kevin Willock

Basically what happens when a browser wants to access an HTTPS site through a proxy is that the browser opens a TCP connection to the proxy, and then issues the following request:

CONNECT target:port HTTP/1.0\r\n
[optional: headers\r\n]
\r\n

Normally, the proxy will then, if the request is authorized, open up a TCP connection to target, on the port requested, and send the following response to the browser:

HTTP/1.0 200 OK\r\n
\r\n

And then it sits back and simply copies what it reads from the browser to the server, and copies what it reads from the server back to the browser. i.e. it is a dumb copier, and plays no real security role.

What happens in an HTTPS MITM app is that instead of opening a connection to target:port, it sends back the "200 Ok" as expected by the browser, and then waits for the browser to start negotiating the SSL connection with "target:port".

Rather than simply relaying the packets back and forth, it performs the negotiation itself, so that the proxy can see and modify the cleartext traffic, and then negotiates another SSL connection with the target server, to deliver the requests and receive the responses.

So, what does the browser see when this happens?

Typically, the MITM proxy has a static self-signed cert that it uses for all connections. This means that the certificate is created by the MITM programmer, signed by himself, with a server name that will never match whatever the browser is expecting.

As a result, the browser flags this as a security error, and pops up a dialog box warning the user that the server they are trying to communicate with may be bogus/hacked/etc. Which is exactly right. If this is what you are expecting, because you are operating the MITM, simply go ahead and accept the warning, and continue as normal.

So, how can one prevent this warning from popping up?

Well, one problem is that the name in the cert does not match the name of the website that the browser is expecting. Solution: find a MITM proxy that generates certificates on the fly for each web site that it intercepts. AtStake proxy does this, I believe, but most of the others do not.

Next problem is that the Certificate Authority that signed the "web site cert" is not recognised by the browser. Easy solution, import the signing cert into your browser.


Another possible error flagged is that the dates are wrong, and the cert is not valid. Solution: when generating the cert, simply make sure it is valid for a long time, e.g. 10 years ;-)

So, after all this rambling, the short answer is that, No, you don't need a cert signed by a known CA.

Hope this helps,

Regards

Rogan

P.S. You may also want to read the following post made a couple of years ago.
<http://www.securityfocus.com/archive/107/355415/2004-02-20/2004-02-26/0>
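The exchange Rogan describes, as an added example that is not part of this thread and is not the code of any proxy mentioned in it: a minimal intercepting-proxy core in Go (the language is the editor's choice; the post names no implementation) that answers the browser's CONNECT with a 200, mints its own CA, generates a leaf certificate for each intercepted host signed by that CA and valid for ten years, terminates TLS toward the browser with it, opens a second TLS session to the origin, and relays the plaintext while tapping the browser's side. The names MITM, mint, leafFor and HandleConnect, the "Lab MITM CA" subject and the dial callback are assumptions of this example. The proxy deliberately skips verification of the origin's certificate; that is a lab shortcut, not a recommendation.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

type MITM struct { // the proxy's own CA; it signs a leaf for every host it intercepts
	ca    *x509.Certificate
	caKey *ecdsa.PrivateKey
}

// mint makes a P-256 key and a ten-year certificate for tmpl signed by parent (nil parent:
// self-signed). The long validity is the post's fix for the "dates are wrong" warning.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // random 62-bit serial
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(10, 0, 0)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// NewMITM mints the CA; importing it into the browser is the post's "import the signing cert" step.
func NewMITM() (*MITM, error) {
	der, key, err := mint(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Lab MITM CA"}, IsCA: true, BasicConstraintsValid: true, // assumed name
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return &MITM{ca: ca, caKey: key}, err
}

// leafFor generates, on the fly, a leaf for host signed by the CA, with a SAN matching the
// name the browser expects (a production proxy would cache these per host).
func (m *MITM) leafFor(host string) (*tls.Certificate, error) {
	der, key, err := mint(&x509.Certificate{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, m.ca, m.caKey)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HandleConnect: answer "CONNECT host:port" with 200, terminate TLS toward the browser with a leaf
// for that host, open a second TLS session to the origin via dial, relay plaintext both ways, tee the browser's side into tap.
func (m *MITM) HandleConnect(client net.Conn, dial func(string) (net.Conn, error), tap io.Writer) error {
	defer client.Close()
	req, err := http.ReadRequest(bufio.NewReader(client)) // browsers send no TLS bytes before the 200
	if err != nil {
		return err
	}
	host, _, err := net.SplitHostPort(req.Host)
	if err != nil || req.Method != http.MethodConnect {
		return fmt.Errorf("expected CONNECT host:port, got %s %q (%v)", req.Method, req.Host, err)
	}
	if _, err = io.WriteString(client, "HTTP/1.0 200 Connection established\r\n\r\n"); err != nil {
		return err
	}
	browser := tls.Server(client, &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		return m.leafFor(host) // name taken from the CONNECT line; the ClientHello's SNI would also serve
	}})
	if err = browser.Handshake(); err != nil {
		return err
	}
	raw, err := dial(req.Host)
	if err != nil {
		return err
	}
	origin := tls.Client(raw, &tls.Config{ServerName: host, InsecureSkipVerify: true}) // lab shortcut: origin not verified
	defer origin.Close()
	done := make(chan struct{}, 2)
	go func() { io.Copy(origin, io.TeeReader(browser, tap)); origin.CloseWrite(); done <- struct{}{} }()
	go func() { io.Copy(browser, origin); browser.CloseWrite(); done <- struct{}{} }()
	<-done
	<-done
	return nil
}
```

A browser that has imported the CA certificate (m.ca, PEM-encoded) and points at a listener that hands accepted connections to HandleConnect sees no warning at all, which is the post's conclusion: no publicly trusted CA is needed. Two caveats a real tool should fix: the origin side uses InsecureSkipVerify, so the proxy itself would accept a forged origin certificate, and the leaf name comes from the CONNECT line, whereas modern clients also put the name in the ClientHello's SNI, which GetCertificate receives in the ClientHelloInfo.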


