Solved

ssl interception?!

Posted on 2009-04-08
Last Modified: 2012-05-06
Hi,

I have a question regarding SSL encryption. I was listening to a podcast that claimed it was possible to use a technology to "decrypt" or interrupt the SSL process to gain access to the communication.

I think it was explained that someplace in between the client and the destination server a technology interrupts the public key cryptography handshaking process.

Can anyone tell me what the name of this technology is? If this is true then SSL is not really an acceptable technology for credit card data/PII data communications, especially when an employee is overseas.

Can anyone confirm and name this technology with a link....

Question by: NYGiantsFan
Accepted Solution by: Dave Howe
Yes, it is possible to do this.

There are three circumstances where this is possible, and all require some co-operation from either the server or the client.

First, if you have access to the server's private key, you can use Wireshark to decrypt Internet Explorer (but not Firefox) traffic. This is not a practical attack against a bank, as they would not supply you with their server's private key.

Second, there is an SSL interception technology that relies on *not* intercepting SSL - I know that sounds like a contradiction in terms, but bear with me. Many sites start out with an insecure page - an http page - which then performs a login securely. SSLstrip relies on that behaviour, and rewrites the insecure page "on the fly" to cause the "secure login" to go to the relay, rather than the bank site - the relay then completes the loop with the bank, and performs the login by proxy. sslrelay is available here:

http://www.thoughtcrime.org/software/sslstrip/

The requirement for a practical attack is that you do not directly enter an https URL into your browser before logging in, and do not verify where your browser is going after login - so it relies on inattention from the user.

Finally, there are SSL intercepting proxies, which can be transparent - what these do is intercept the real https request, and reply with a faked certificate (containing the same fields as the real certificate, but their own CA details, public key and signature), then act as a regular proxy only over https. The requirement for this is that the client accept (either directly or by having had a copy of the CA key added to their keystore) the altered certificate. Ironport do a commercial product for this, and there are a few modules for Squid proxy that can do it also.
Author Comment by: NYGiantsFan
Ok, so the client would need to accept a certificate that was not from the original server. This would be the giveaway? My concern is of employees who are sent to the theoretical country of Atlantis. They check into a hotel in Atlantis and use the internet service offered by the same. However, Atlantis Intell has an SSL intercepting proxy in between. Thus all communication that employee would have would be compromised.

The employee would be able to tell that an SSL proxy has been used by details of the certificate. Is that correct? However, I am guessing it is possible for the SSL intercepting proxy to create nearly impossible to ID forgeries.

Do corporate SSL interception enterprise solutions exist?



Would you say that is correct?

It seems that SSL is a really insecure technology.

Assisted Solution by: Dave Howe
Yes, the client would need to accept the certificate, and that would be the giveaway, unless the attacker could persuade (or force, in the case of a government) an accepted commercial CA to issue it an intermediate CA certificate, so that the certificates it forges are automatically accepted.

Yes, corporate SSL interception proxies exist, and the Ironport web appliance is an example.

Explaining why this doesn't mean SSL is insecure requires that you first understand how a browser decides if an SSL certificate is "valid" or not.

In SSL terms, a certificate *must* be signed by another certificate - the very, very top level certificates (those of CAs) are signed by themselves.

Each browser has a list of which certificates are to be considered valid - the root store. In Internet Explorer, you can reach this by going to the Internet Options page, Content tab, and looking for the "Certificates" button.

A certificate is considered valid if it either
a) is in the certificate store, or
b) is signed by a chain of certificates, the top one of which is in the certificate store.

Now, corporate solutions get around this by forcing out the certificate (using domain policy or scripting) to each machine on the network. Then, when the proxy fakes a certificate, it is checked against this force-installed CA, and is considered valid. A random attacker however can't force you to install a CA certificate for him, so you would normally get difficult-to-dismiss certificate validity errors.
Author Comment by: NYGiantsFan
So, an employee in Atlantis who has no idea what he is doing and just accepts any certificate is a major weakness in the system.

This is very interesting. Thank you for your response.

Expert Comment by: Dave Howe
Yes, it's the key weakness of the system - technically, it's perfect; if all URLs are entered correctly as HTTPS, and if no user ever accepts an uncertified certificate, and if no certified certificates are ever issued which are not legitimate, then it is 100% secure.

Unfortunately, site providers like to make as much of their site http as possible - as it's cheaper in CPU and bandwidth; users tend to hit buttons that make annoying messages go away irrespective of whether that compromises security, and CAs can't be relied on to act in favour of security if it compromises profit.

In your case, you have more control; they are your users, you can train them and, if required, replace their browser with a custom app that checks the certificate against a reference copy (instead of relying on the CA) and doesn't permit override of any discrepancy, and you can preload the URL as https rather than going via an http page.
Author Comment by: NYGiantsFan
Dave, thank you for your assistance with this. I get the runaround from certain types telling me this information is classified or that I am not technically sound in my understanding. Your information makes me more confident in myself. Thank you again.

I wish I could train overseas people on this; however management, with 3 credits of FORTRAN 20 years ago, is sure that I don't know what I am talking about.
Expert Comment by: Dave Howe
Such is life. On the whole, SSL is secure - however, it's like saying that, on the whole, fire is safe - in a controlled environment, where everyone concerned is paying attention, and is aware of the consequences of their actions, you have nothing to worry about. However, environmental factors, user inattention (and let's be frank here, stupidity - many will hit *any* button that makes an error go away, often without reading it, as it is "getting in the way") can lead to failure.

The classic demonstration application here would be WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

You will get a fairly clear warning *every* time you access an https site via the WebScarab proxy - there is no real way to turn that off without first hacking the code - but in addition, it will happily log every transaction you make, https or not. It's a very handy diagnostic tool - and I use it frequently for that - but equally, if someone is stupid enough to ignore the warning and go ahead and use the website anyhow, you will have their login username and password, right in clear text, in the log.
Author Comment by: NYGiantsFan
Part of the problem is that a certain organization uses self-signed certificates, thus the "this certificate looks wrong" message is clicked through. So the employees just click through any warning message that comes up regarding the certificate not being correct.

So the employees are trained to ignore messed up certificates.

Expert Comment by: Dave Howe
Cool. So why not take advantage of that for a demonstration?

Do you have access to the DNS or DHCP servers? If so, impose a PAC (WPAD) file on the network to redirect traffic via WebScarab, have your boss access some secure site with a username and password, then show him the WebScarab log with his username and password in plain sight....
Author Comment by: NYGiantsFan
No, they took my SA credentials away when I pointed out that hackers had penetrated the high-tech first generation firewall.

Expert Comment by: Dave Howe
So - the correct solution to someone pointing out their systems have been compromised is to take away the ability of that person to see the logs?

I take it you are distributing your CV widely to get away from the inevitable train wreck?
Author Comment by: NYGiantsFan
Just the tip of the iceberg. I am going to do some reading on WebScarab when I get some free time.

I am working on getting out.

Thanks again for your help.

Author Comment by: NYGiantsFan
Dave,

One last question: what message does a user see when he/she uses https and the WebScarab tool is used?

Do you have a blog or website on the internet?

Thank you again.
Expert Comment by: Dave Howe
The WebScarab tool presents its own certificate, clearly labelled as "webscarab", in place of the correct one for the target site.

And no, I don't blog; I forum, I nntp, but not blog :)
Author Comment by: NYGiantsFan
So the certificate says webscarab, so it doesn't seem too difficult to modify this application to create certificate names on the fly such as "thefakecert.yourwebsitename.com".
Expert Comment by: Dave Howe
Yup. And in fact, the corporate equivalents visit the target site, copy the certificate, change the public key to their own, then digitally sign that with their own CA certificate (which means, if you have pushed out that cert to all workstations, the process is completely transparent and gives no errors at all).

The restriction in WebScarab is deliberate - it isn't meant to be a hacking tool, it is meant to be a diagnostic tool used with the full consent of everyone concerned.
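As an added illustration (not code from the thread or from any product named in it), the Python toy below models the browser rule Dave gave earlier (a certificate is valid if it is in the root store, or is signed by a chain whose top is), the corporate interception he describes in this post (same subject, the proxy's own key, signed by a CA pushed out to workstations), and the "reference copy" check he suggested as a mitigation. Signatures are simulated with HMAC keyed by the issuer's key field as a stand-in for real asymmetric signatures, and every certificate is constructed data.

```python
import hashlib
import hmac

# Toy model of the browser chain check discussed in the thread. Signatures are
# simulated with HMAC keyed by the issuer's "key" field (a stand-in for real
# asymmetric signatures); all certificates below are constructed examples.
def _body(subject, key, issuer):
    return f"{subject}|{key}|{issuer}".encode()

def make_cert(subject, key, issuer_subject, issuer_key):
    """Build a certificate dict whose body is 'signed' with the issuer's key."""
    sig = hmac.new(issuer_key.encode(), _body(subject, key, issuer_subject),
                   hashlib.sha256).hexdigest()
    return {"subject": subject, "key": key, "issuer": issuer_subject, "sig": sig}

def fingerprint(cert):
    # SHA-256 over the whole certificate, as a cert viewer would show it.
    data = _body(cert["subject"], cert["key"], cert["issuer"]) + cert["sig"].encode()
    return hashlib.sha256(data).hexdigest()

def sig_valid(cert, issuer_cert):
    expected = hmac.new(issuer_cert["key"].encode(),
                        _body(cert["subject"], cert["key"], cert["issuer"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])

def chain_valid(chain, root_store):
    """chain[0] is the leaf; True if it links by valid signatures to a trusted root."""
    for i, cert in enumerate(chain):
        if fingerprint(cert) in root_store:          # rule (a): in the store
            return True
        if i + 1 == len(chain):                      # ran out of issuers
            return False
        issuer = chain[i + 1]
        if issuer["subject"] != cert["issuer"] or not sig_valid(cert, issuer):
            return False                             # broken link in rule (b)
    return False

def pin_ok(leaf, reference_fingerprint):
    """The 'reference copy' check: accept only the exact certificate you expect."""
    return hmac.compare_digest(fingerprint(leaf), reference_fingerprint)

ROOT_CA = make_cert("Real Root CA", "root-key", "Real Root CA", "root-key")
BANK = make_cert("bank.example", "bank-key", "Real Root CA", "root-key")
PROXY_CA = make_cert("Proxy CA", "proxy-key", "Proxy CA", "proxy-key")
# Intercepting proxy: same subject as the bank, its own key, signed by its own CA.
FORGED = make_cert("bank.example", "proxy-leaf-key", "Proxy CA", "proxy-key")

def scenarios():
    public_store = {fingerprint(ROOT_CA)}
    corporate_store = public_store | {fingerprint(PROXY_CA)}   # CA pushed by policy
    return {"genuine": chain_valid([BANK, ROOT_CA], public_store),
            "forged_public_store": chain_valid([FORGED, PROXY_CA], public_store),
            "forged_pushed_ca": chain_valid([FORGED, PROXY_CA], corporate_store),
            "forged_vs_reference_copy": pin_ok(FORGED, fingerprint(BANK))}
```

The forged chain fails against a normal root store (the warning the user sees), passes once the proxy CA has been pushed out, and still fails the reference-copy check, which is why that check works without relying on the CA.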
Author Comment by: NYGiantsFan
Dave, do you have a way to reach you privately?

Expert Comment by: Dave Howe
You can always email me on DaveHowe.Pentest(at)googlemail.com