
| Subject: | Re: Netcat through Squid HTTP Proxy |
|---|---|
| Date: | Wed, 18 May 2005 17:01:44 +0200 |
Joachim Schipper wrote:

On Tue, May 17, 2005 at 03:34:16PM +0200, Christoph Puppe wrote:

Henderson, Dennis K. wrote:

It seems like he was looking for information on how to prevent this.

The most thorough way to prevent proxy abuses that use the CONNECT
feature to simulate valid HTTPS traffic is breaking up all these
connections, decrypting them and having them scrutinized with your normal
content security tool. The Proxy acts like a man in the middle attacker, it
gets the HTTPS connection, produces a certificate that matches the site being
requested and presents this to the client. The client agrees on a
session-key with the proxy and starts sending requests. The proxy pipes
these requests through some logic to determine if this is an OK request,
most firewalls and CS-Tools will do this for you. Then the proxy opens a
new connection to the site requested, checks the certificate and sends the
requests. The results are processed likewise.

The problem, of course, being that this makes verification of the remote end of the connection impossible as well as compromising privacy for the parties behind the firewall.

So this will also make HTTPS less useful for the user. There is a trade off here...

Joachim

This does not necessarily prevent the user from verifying the remote end of the connection. If the MITM makes sure to only re-generate and sign certificates that are already valid, using the MITM's CA key, then the user can determine if the original certificate was valid also.

Regards,
Rogan
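
The re-signing policy described in the reply above, modelled as an added example (not code from the thread): the intercepting proxy re-issues a certificate under a CA the clients trust only when the real server's certificate passed the proxy's own checks, and under a CA they do not trust otherwise, so the client's warning survives interception. Certificates are plain records with no cryptography, and the CA names and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical CA names (assumptions for this sketch, not from the thread).
TRUSTED_CA = "Proxy Inspection CA"    # installed in the clients' trust stores
UNTRUSTED_CA = "Proxy Untrusted CA"   # deliberately not installed on clients

@dataclass(frozen=True)
class Cert:                           # plain record standing in for X.509
    subject: str                      # DNS name, possibly a wildcard
    issuer: str
    not_before: datetime
    not_after: datetime

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label (*.example.com)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def upstream_errors(cert, host, roots, now):
    """Checks the proxy runs on the real server's certificate."""
    errors = []
    if cert.issuer not in roots:
        errors.append("untrusted issuer")
    if not cert.not_before <= now <= cert.not_after:
        errors.append("outside validity period")
    if not name_matches(cert.subject, host):
        errors.append("name mismatch")
    return errors

def mint_for_client(cert, host, roots, now):
    """Re-issue for the client side; the issuer carries the upstream verdict."""
    errors = upstream_errors(cert, host, roots, now)
    issuer = UNTRUSTED_CA if errors else TRUSTED_CA
    # Subject and dates are copied, so the client's own checks still apply.
    return Cert(cert.subject, issuer, cert.not_before, cert.not_after), errors

def client_accepts(cert, host, now):
    """A client whose only proxy-related trust anchor is TRUSTED_CA."""
    return not upstream_errors(cert, host, {TRUSTED_CA}, now)

if __name__ == "__main__":  # constructed sample: self-signed upstream certificate
    now = datetime(2005, 5, 18, tzinfo=timezone.utc)
    bad = Cert("www.example.com", "www.example.com",
               now.replace(month=1), now.replace(year=2006))
    minted, errs = mint_for_client(bad, "www.example.com", {"Example Root CA"}, now)
    print(minted.issuer, errs, client_accepts(minted, "www.example.com", now))
```

The clients must never be given `UNTRUSTED_CA` as a trust anchor, otherwise the distinction between a verified and an unverified upstream certificate is lost.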