Network Security Pen-Test

Re: MITM Proxies

Subject: Re: MITM Proxies
Date: Mon, 23 Jan 2006 10:55:41 +0200
Kevin Willock (IGSN Security) wrote:
Hi there, excuse my ignorance, but I am curious to know how MITM applications bypass SSL encryption? Do you need to buy a CA signed cert for the MITM machine? How does the spoofing process actually work?

Thanks

Kevin Willock

Basically what happens when a browser wants to access an HTTPS site through a proxy is that the browser opens a TCP connection to the proxy, and then issues the following request:

CONNECT target:port HTTP/1.0\r\n
[optional: headers\r\n]
\r\n

Normally, the proxy will then, if the request is authorized, open up a TCP connection to target, on the port requested, and send the following response to the browser:

HTTP/1.0 200 OK\r\n
\r\n

And then it sits back and simply copies what it reads from the browser to the server, and copies what it reads from the server back to the browser, i.e. it is a dumb copier, and plays no real security role.

What happens in an HTTPS MITM app is that instead of opening a connection to target:port, it sends back the "200 Ok" as expected by the browser, and then waits for the browser to start negotiating the SSL connection with "target:port".

Rather than simply relaying the packets back and forth, it performs the negotiation itself, so that the proxy can see and modify the cleartext traffic, and then negotiates another SSL connection with the target server, to deliver the requests and receive the responses.

So, what does the browser see when this happens?

Typically, the MITM proxy has a static self-signed cert that it uses for all connections. This means that the certificate is created by the MITM programmer, signed by himself, with a server name that will never match whatever the browser is expecting.

As a result, the browser flags this as a security error, and pops up a dialog box warning the user that the server they are trying to communicate with may be bogus/hacked/etc. Which is exactly right. If this is what you are expecting, because you are operating the MITM, simply go ahead and accept the warning, and continue as normal.

So, how can one prevent this warning from popping up?

Well, one problem is that the name in the cert does not match the name of the website that the browser is expecting. Solution: find a MITM proxy that generates certificates on the fly for each web site that it intercepts. AtStake proxy does this, I believe, but most of the others do not.

Next problem is that the Certificate Authority that signed the "web site cert" is not recognised by the browser. Easy solution, import the signing cert into your browser.

Other possible error flagged is that the dates are wrong, and the cert is not valid. Solution: When generating the cert, simply make sure it is valid for a long time, e.g. 10 years ;-)

So, after all this rambling, the short answer is that, No, you don't need a cert signed by a known CA.

Hope this helps,

Regards

Rogan

P.S. You may also want to read the following post made a couple of years ago.
<http://www.securityfocus.com/archive/107/355415/2004-02-20/2004-02-26/0>
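The exchange and the three browser checks described in Rogan's reply, as an added example that is not part of the original post: a minimal parser for the CONNECT request, the proxy's 200 reply, and a simplified model (exact CN match, no SANs or wildcards) of the name, issuer and validity-date checks a browser applies to the certificate it receives. The certificates, hostnames and trust store are constructed sample data, not from the thread.

```python
from datetime import datetime, timezone

def parse_connect(raw: bytes):
    """Parse 'CONNECT target:port HTTP/1.x' and return (host, port, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, authority, version = lines[0].split(" ")
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        raise ValueError("not a CONNECT request")
    host, _, port = authority.rpartition(":")
    headers = dict(line.split(": ", 1) for line in lines[1:] if line)
    return host, int(port), headers

def connect_established() -> bytes:
    """Reply sent to the browser before the TLS handshake (honest proxy or MITM alike)."""
    return b"HTTP/1.0 200 OK\r\n\r\n"

def browser_warnings(cert: dict, expected_host: str, trusted_issuers: set, now: datetime) -> list:
    """Return the warnings a browser would raise for this certificate (simplified model)."""
    warnings = []
    if cert["subject_cn"] != expected_host:          # name in cert vs. name the browser asked for
        warnings.append("name mismatch")
    if cert["issuer_cn"] not in trusted_issuers:      # signing CA not in the browser's trust store
        warnings.append("unknown issuer")
    if not (cert["not_before"] <= now <= cert["not_after"]):  # validity period
        warnings.append("invalid dates")
    return warnings

# Constructed sample data: a static self-signed MITM cert and a genuinely issued one.
NOW = datetime(2006, 1, 23, tzinfo=timezone.utc)
MITM_CERT = {
    "subject_cn": "mitm-proxy.local", "issuer_cn": "mitm-proxy.local",
    "not_before": datetime(2005, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2015, 1, 1, tzinfo=timezone.utc),   # "valid for a long time"
}
REAL_CERT = {
    "subject_cn": "www.example.com", "issuer_cn": "Example Root CA",
    "not_before": datetime(2005, 6, 1, tzinfo=timezone.utc),
    "not_after": datetime(2007, 6, 1, tzinfo=timezone.utc),
}
TRUSTED = {"Example Root CA"}   # hypothetical browser trust store
# A MITM proxy that mints a per-site cert on the fly fixes only the name check;
# the issuer warning goes away only if its signing cert is imported into the browser.
ON_THE_FLY_CERT = dict(MITM_CERT, subject_cn="www.example.com")

if __name__ == "__main__":
    host, port, _ = parse_connect(b"CONNECT www.example.com:443 HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
    print(host, port, browser_warnings(MITM_CERT, host, TRUSTED, NOW))
    print(browser_warnings(ON_THE_FLY_CERT, host, TRUSTED | {"mitm-proxy.local"}, NOW))
```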
