• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1272

ssl interception?!

Hi,

I have a question regarding SSL encryption. I was listening to a podcast that claimed it was possible to use a technology to "decrypt" or interrupt the SSL process to gain access to the communication.

I think it was explained that someplace in between the client and the destination server a technology interrupts the public key cryptology handshaking process.

Can anyone tell me what the name of this technology is? If this is true then SSL is not really an acceptable technology for credit card data/PII data communications, especially when an employee is overseas.

Can anyone confirm and name this technology with a link....

0
Asked by: NYGiantsFan

2 Solutions

Dave Howe, Software and Hardware Engineer, commented:
Yes, it is possible to do this.

There are three circumstances where this is possible, and all require some co-operation from either the server or the client.

First, if you have access to the server's private key, you can use Wireshark to decrypt Internet Explorer (but not Firefox) traffic. This is not a practical attack against a bank, as they would not supply you with their server's private key.

Second, there is an SSL interception technology that relies on *not* intercepting SSL - I know that sounds like a contradiction in terms, but bear with me. Many sites start out with an insecure page - an http page - which then performs a login securely. SSLstrip relies on that behaviour, and rewrites the insecure page "on the fly" to cause the "secure login" to go to the relay, rather than the bank site - the relay then completes the loop with the bank, and performs the login by proxy. sslrelay is available here:

http://www.thoughtcrime.org/software/sslstrip/

The requirement for a practical attack is that you do not directly enter an https URL into your browser before logging in, and do not verify where your browser is going after login - so it relies on inattention from the user.

Finally, there are SSL intercepting proxies, which can be transparent - what these do is intercept the real https request, and reply with a faked certificate (containing the same fields as the real certificate, but their own CA details, public key and signature), then act as a regular proxy only over https. The requirement for this is that the client accept (either directly or by having had a copy of the CA key added to their keystore) the altered certificate. Ironport do a commercial product for this, and there are a few modules for the Squid proxy that can do it also.
0
 
NYGiantsFan (Author) commented:
Ok, so the client would need to accept a certificate that was not from the original server. This would be the giveaway? My concern is of employees who are sent to the theoretical country of Atlantis. They check into a hotel in Atlantis and use the internet service offered by the same. However, Atlantis Intell has an SSL intercepting proxy in between. Thus all communication that employee would have would be compromised.

The employee would be able to tell that an SSL proxy has been used by details of the certificate. Is that correct? However, I am guessing it is possible for the SSL intercepting proxy to create nearly impossible to ID forgeries.

Do corporate SSL interception enterprise solutions exist?

Would you say that is correct?

It seems that SSL is a really insecure technology.
0
 
Dave Howe, Software and Hardware Engineer, commented:
Yes, the client would need to accept the certificate, and that would be the giveaway, unless the attacker could persuade (or force, in the case of a government) an accepted commercial CA to issue it an intermediate CA certificate, so that the certificates it forges are automatically accepted.

Yes, corporate SSL interception proxies exist, and the Ironport web appliance is an example.

Explaining why this doesn't mean SSL is insecure requires that you first understand how a browser decides if an SSL certificate is "valid" or not.

In SSL terms, a certificate *must* be signed by another certificate - the very, very top level certificates (those of CAs) are signed by themselves.

Each browser has a list of which certificates are to be considered valid - the root store. In Internet Explorer, you can reach this by going to the Internet Options page, Content tab, and looking for the "Certificates" button.

A certificate is considered valid if it either
a) is in the certificate store, or
b) is signed by a chain of certificates, the top one of which is in the certificate store.

Now, corporate solutions get around this by forcing out the certificate (using domain policy or scripting) to each machine on the network. Then, when the proxy fakes a certificate, it is checked against this force-installed CA, and is considered valid. A random attacker however can't force you to install a CA certificate for him, so you would normally get difficult-to-dismiss certificate validity errors.
0
 
NYGiantsFan (Author) commented:
So, an employee in Atlantis who has no idea what he is doing and just accepts any certificate is a major weakness in the system.

This is very interesting. Thank you for your response.

0
 
Dave Howe, Software and Hardware Engineer, commented:
Yes, it's the key weakness of the system - technically, it's perfect; if all URLs are entered correctly as HTTPS, and if no user ever accepts an uncertified certificate, and if no certified certificates are ever issued which are not legitimate, then it is 100% secure.

Unfortunately, site providers like to make as much of their site http as possible - as it's cheaper in CPU and bandwidth; users tend to hit buttons that make annoying messages go away irrespective of whether that compromises security, and CAs can't be relied on to act in favour of security if it compromises profit.

In your case, you have more control; they are your users, you can train them and, if required, replace their browser with a custom app that checks the certificate against a reference copy (instead of relying on the CA) and doesn't permit override of any discrepancy, and you can preload the URL as https rather than going via an http page.
0
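The chain rule in Dave's explanation above (a certificate is valid if it is in the root store, or is signed by a chain whose top certificate is) and his later suggestion of a custom app that checks the certificate against a reference copy rather than trusting the CA, as one added Go example that is not from this thread or from any product it names. Every key, certificate, CA name and the host name bank.example are constructed inside the program; Go's crypto/x509 verifier stands in for the browser's check, and the proxyCopy step reproduces the re-signed certificate the thread describes only so that the two defensive checks have something to reject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// check panics on error; acceptable here because every input is constructed.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey makes a fresh P-256 key (constructed test material, not a real server key).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// sign issues a certificate from tmpl for pub, signed by parent's key (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// newCA builds a self-signed root: the "very top level" certificate that signs itself.
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return key, sign(tmpl, tmpl, &key.PublicKey, key)
}

// issueLeaf has the real CA sign the genuine server certificate for host.
func issueLeaf(host string, caKey *ecdsa.PrivateKey, ca *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return sign(tmpl, ca, pub, caKey)
}

// proxyCopy models the interception proxy the thread describes: keep the genuine
// certificate's fields, swap in the proxy's own public key, sign with the proxy CA.
func proxyCopy(genuine *x509.Certificate, proxyKey *ecdsa.PrivateKey, proxyCA *x509.Certificate) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: genuine.SerialNumber, Subject: genuine.Subject, DNSNames: genuine.DNSNames,
		NotBefore: genuine.NotBefore, NotAfter: genuine.NotAfter, KeyUsage: genuine.KeyUsage, ExtKeyUsage: genuine.ExtKeyUsage}
	return sign(tmpl, proxyCA, &proxyKey.PublicKey, proxyKey)
}

// chainsToStore is the browser rule: valid only if the chain tops out at a root in the store.
func chainsToStore(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}

// spkiPin is the "reference copy" a custom client keeps: a hash of the server's public key.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Outcome: genuine cert vs. public store; proxy copy vs. public store (the give-away);
// proxy copy once its CA is pushed out to every machine; proxy copy vs. the pinned key.
type Outcome struct {
	RealAccepted, ProxyAccepted, ProxyAcceptedPushed, ProxyMatchesPin bool
}

func Scenario(host string) Outcome {
	rootKey, rootCA := newCA("Constructed Public Root CA")
	proxyKey, proxyCA := newCA("Constructed Interception Proxy CA")
	serverKey := newKey()
	genuine := issueLeaf(host, rootKey, rootCA, &serverKey.PublicKey)
	forged := proxyCopy(genuine, proxyKey, proxyCA)
	public := x509.NewCertPool() // what an untouched browser trusts
	public.AddCert(rootCA)
	pushed := x509.NewCertPool() // corporate case: proxy CA force-installed beside the real root
	pushed.AddCert(rootCA)
	pushed.AddCert(proxyCA)
	return Outcome{
		RealAccepted:        chainsToStore(genuine, public, host),
		ProxyAccepted:       chainsToStore(forged, public, host),
		ProxyAcceptedPushed: chainsToStore(forged, pushed, host),
		ProxyMatchesPin:     spkiPin(forged) == spkiPin(genuine),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario("bank.example")) // host name is constructed
}
```

Run it with `go run` and Scenario reports four results: the genuine certificate is accepted; the proxy copy is rejected against the public store, which is the certificate error a traveller in "Atlantis" would see; the same copy is accepted once the proxy CA has been pushed into the store, which is why corporate interception is silent; and the pinned public-key hash rejects the copy in both cases, which is what makes the custom-app approach hold up even against a force-installed or coerced CA.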
 
NYGiantsFan (Author) commented:
Dave, thank you for your assistance with this. I get the run around from certain types telling me this information is classified or that I am not technically sound in my understanding. Your information makes me more confident in myself. Thank you again.

I wish I could train overseas people on this, however management, with 3 credits FORTRAN 20 years ago is sure that I don't know what I am talking about.
0
 
Dave Howe, Software and Hardware Engineer, commented:
Such is life. On the whole, SSL is secure - however, it's like saying that, on the whole, fire is safe - in a controlled environment, where everyone concerned is paying attention, and is aware of the consequences of their actions, you have nothing to worry about. However, environmental factors, user inattention (and let's be frank here, stupidity - many will hit *any* button that makes an error go away, often without reading it, as it is "getting in the way") can lead to failure.

The classic demonstration application here would be WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

You will get a fairly clear warning *every* time you access an https site via the WebScarab proxy - there is no real way to turn that off without first hacking the code - but in addition, it will happily log every transaction you make, https or not. It's a very handy diagnostic tool - and I use it frequently for that - but equally, if someone is stupid enough to ignore the warning and go ahead and use the website anyhow, you will have their login username and password, right in clear text, in the log.
0
 
NYGiantsFan (Author) commented:
Part of the problem is that a certain organization uses self-signed certificates, thus the "this certificate looks wrong" message is clicked through. So the employees just click through any warning message that comes up regarding the certificate not being correct.

So the employees are trained to ignore messed up certificates.

0
 
Dave Howe, Software and Hardware Engineer, commented:
Cool. So why not take advantage of that for a demonstration?

Do you have access to the DNS or DHCP servers? If so, impose a PAC (WPAD) file on the network to redirect traffic via WebScarab, have your boss access some secure site with a username and password, then show him the WebScarab log with his username and password in plain sight....
0
 
NYGiantsFan (Author) commented:
No, they took my SA credentials away when I pointed out that hackers had penetrated the high tech first generation firewall.

0
 
Dave Howe, Software and Hardware Engineer, commented:
So - the correct solution to someone pointing out their systems have been compromised is to take away the ability of that person to see the logs?

I take it you are distributing your CV widely to get away from the inevitable train wreck?
0
 
NYGiantsFan (Author) commented:
Just the tip of the iceberg. I am going to do some reading on WebScarab when I get some free time.

I am working on getting out.

Thanks again for your help.
0
 
NYGiantsFan (Author) commented:
Dave,

One last question, what message does a user see when he/she uses https and the Webscarab tool is used?

Do you have a blog or website on the internet?

Thanks to you again.
0
 
Dave Howe, Software and Hardware Engineer, commented:
The WebScarab tool presents its own certificate, clearly labelled as "webscarab", in place of the correct one for the target site.

And no, I don't blog; I forum, I nntp, but not blog :)
0
 
NYGiantsFan (Author) commented:
So the certificate says webscarab, so it doesn't seem too difficult to modify this application to create certificate names on the fly such as "thefakecert.yourwebsitename.com".
0
 
Dave Howe, Software and Hardware Engineer, commented:
Yup. And in fact, the corporate equivalents visit the target site, copy the certificate, change the public key to their own, then digitally sign that with their own CA certificate (which means, if you have pushed out that cert to all workstations, the process is completely transparent and gives no errors at all).

The restriction in WebScarab is deliberate - it isn't meant to be a hacking tool, it is meant to be a diagnostic tool used with the full consent of everyone concerned.
0
 
NYGiantsFan (Author) commented:
Dave, do you have a way to reach you privately?

0
 
Dave Howe, Software and Hardware Engineer, commented:
You can always email me on DaveHowe.Pentest(at)googlemail.com
0
