How to tell if an SSL interception/proxy is being used?

Hi,
I am curious, is it possible to tell if a network you are on is able to replace the SSL cert in some type of proxy intercept? A way must exist.

Asked by NYGiantsFan

tty2 commented:
"A Man in the Middle" attack? Yes, it is possible.
But there are defenses against this attack. Such as exchange with public keys via trusted channel and others.
0
 
NYGiantsFan (author) commented:
I am not on a trusted connection. I am on a network. I want to see if it has been implemented.
0
 
tty2 commented:
Connect with other side in alternative way (phone, sms,...) and check the fingerprint of their public key.
0
 
AbhisekSanyal commented:
Hi,
As tty2 said, this would be a MITM attack, and examining the SSL cert that is being offered by the site will tell you.
Just to add some more information:
It is possible that a tool may replace the SSL cert, but your browser would usually warn you about this.
- It may warn you stating that the SSL cert in question belongs to a different domain than the one you are actually visiting (it could belong to the domain of the tool in question).
- It may warn you that the SSL cert in question is a self-signed certificate. This is assuming that even as you browse different SSL sites, the tool generates SSL certs for these sites internally, self-signs them and pushes them to you.

So, if you look very carefully at the SSL cert and the browser errors and warnings, it can help you to determine this case.
However, if you have disabled warnings and errors from being displayed by the browser, then you will have to check the actual SSL certificate.
Hope that helps.
0
 
NYGiantsFan (author) commented:
I have heard about technologies that make it impossible to determine on the user's side within certain networks to be unable to tell if the SSL cert has been replaced with a man-in-the-middle certificate. The ability to verify in the browser is interrupted, appearing to be a solid connection.

I really don't understand how you can verify this on the outside either.  Please explain.  

In theory, it is possible to have a network in which all SSL connections are broken, intercepted and then re-encrypted. The user's browser has been tampered with, so they cannot tell the difference.

Do any good white papers exist on this? I am just curious.

I read about an application firewall which claims to do this. I am curious if the end user would ever be able to detect this.

0
 
NYGiantsFan (author) commented:
Please ignore the previous posting. I really need my coffee. I cannot seem to edit it.

I have heard about technologies that make it impossible to determine on the user's side within certain networks if the SSL cert has been replaced with a man-in-the-middle certificate. The ability to verify in the browser is interrupted, appearing to be a solid connection.

I really don't understand how you can verify this on the outside either.  Please explain.  

In theory, it is possible to have a network in which all SSL connections are broken, intercepted and then re-encrypted. The user's browser has been tampered with, so they cannot tell the difference.

Do any good white papers exist on this? I am just curious.

I read about an application firewall which claims to do this. I am curious if the end user would ever be able to detect this and, if so, how. I understand the basics of public key cryptology; however, with a man in the middle, when the handshake is broken and the browser tampered with, what can one do?
0
 
Paranormastic (Cryptographic Engineer) commented:
Typical corporate warm-fuzzy SSL interception you can just check the gold lock and see what CA issued the cert in question.  If your session is being intercepted then it will stick out that it is from your company's CA and not a public CA.  Another way is to use a different browser (e.g. Firefox, Safari, or Opera, but in this case Chrome will not do you any good since it uses the same cert store as IE) - since that browser was not installed by your IT group then they did not put their own trusted root into your certificate store.  Or if they did, you could keep it in one browser and take it out of another.  When you get SSL interception then a warning will pop up that the cert is not trusted and there's your automatic check for you.


However, you are probably talking about the malicious version of the warm fuzzy method described above.  Once the SSL request leaves the client's computer, it is encrypted by the server's private key - normally this private key is only on the server and anyone in the middle would have to use their own cert and hope you're a sucker to trust it for the interception to be successful (similar to corporate model, without the established trust).  However, if someone has the server's private key then you're pretty much out of luck for detecting it as the session can be replayed to the actual server (or just served by the malicious host) since it is using the appropriate private key to sign the response.  

This is extreme and rare, but it can happen. Once the key compromise has been reported to the issuing company, then they will report the attack to the company (e.g. Verisign, Comodo, etc.) that issued the cert, and that company would revoke the cert. When your client checks again for the validity a little while later, a revocation notice will appear in the browser - these should never ever be accepted under any circumstance (outside of a test lab testing this kind of scenario).

This is why the private key for web servers, CA servers, or anything that needs to have a cert should be tightly secured, such as on an HSM, which unfortunately is not always the case. PCI DSS is making things better for the credit card industry by making this a requirement, but it will be a few years until this threat becomes of higher concern to the general public before proper security will make it to the rest of the SSL world.
0
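The two checks the answers above describe (tty2's out-of-band fingerprint comparison and Paranormastic's "which CA issued this cert" test) as one added script; this is example code written for this page, not something posted by the participants. The issuer name, the DER bytes and the fingerprint in the sample are constructed; `probe()` does a live connection with the OS trust store and is only needed once you have a real host and a fingerprint obtained through another channel.

```python
import hashlib
import socket
import ssl
# Constructed sample: the getpeercert() dict and DER bytes one might see behind a
# corporate interception proxy (hypothetical issuer name, not a real certificate).
SAMPLE_INTERCEPTED_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Corp Internal CA"),)),
}
SAMPLE_DER = b"constructed-der-bytes-standing-in-for-a-leaf-certificate"

def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers and openssl display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def same_fingerprint(a: str, b: str) -> bool:
    """Compare fingerprints ignoring case, colons and spaces (they get read over the phone)."""
    def norm(s):
        return "".join(c for c in s.upper() if c in "0123456789ABCDEF")
    return norm(a) == norm(b)

def issuer_org(cert: dict) -> str:
    """organizationName of the issuer, from the dict ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def assess(cert: dict, der: bytes, pinned_fp: str, expected_issuer_org: str) -> str:
    """'ok' only if the cert matches the out-of-band fingerprint AND the expected public CA."""
    if not same_fingerprint(fingerprint_sha256(der), pinned_fp):
        return "fingerprint mismatch: certificate differs from the one verified out of band"
    org = issuer_org(cert)
    if org != expected_issuer_org:
        return f"issuer mismatch: chain ends in '{org}', expected '{expected_issuer_org}'"
    return "ok"

def probe(host: str, pinned_fp: str, expected_issuer_org: str, port: int = 443) -> str:
    """Live check with the OS trust store: an interception cert the store trusts (corporate
    root) passes the handshake and is caught by assess(); an untrusted one fails here."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.getpeercert(), tls.getpeercert(binary_form=True),
                              pinned_fp, expected_issuer_org)
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted chain presented: {exc.reason}"
```

A fingerprint mismatch also appears when the site legitimately rotates its certificate, so re-confirm the pin out of band before concluding anything; the issuer check is the one that specifically flags a corporate CA standing in for the public one.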
 
NYGiantsFan (author) commented:
Thank you for your thoughts on this.  
0