how to tell if an ssl interception/proxy is being used?

NYGiantsFan asked:
Hi,
I am curious, is it possible to tell if a network you are on is able to replace the SSL cert in some type of proxy intercept. A way must exist.

tty2 commented:
"A Man in the Middle" attack? Yes, it is possible.
But there are defenses against this attack, such as exchanging public keys via a trusted channel, and others.
0

NYGiantsFan (Author) commented:
I am not on a trusted connection. I am on a network. I want to see if it has been implemented.
0
tty2 commented:
Connect with the other side in an alternative way (phone, SMS, ...) and check the fingerprint of their public key.
0

AbhisekSanyal commented:
Hi,
As tty2 said, this would be a MITM attack, and examining the SSL cert that is being offered by the site will tell you.
Just to add some more information -
It is possible that a tool may replace the SSL cert, but your browser would usually warn you about this:
- It may warn you stating that the SSL cert in question belongs to a different domain than you are actually visiting (it could belong to the domain of the tool in question)
- It may warn you that the SSL cert in question is a self-signed certificate. This assumes that even if you browse different SSL sites, the tool generates SSL certs for these sites internally, self-signs them and pushes them to you.

So, if you look very carefully at the SSL cert and the browser errors and warnings, it can help you to determine this case.
However, if you have disabled warnings and errors from being displayed by the browser, then you will have to check the actual SSL certificate.
Hope that helps
0
NYGiantsFan (Author) commented:
I have heard about technologies that make it impossible, on the user's side within certain networks, to tell if the SSL cert has been replaced with a man in the middle certificate. The ability to verify in the browser is interrupted, appearing to be a solid connection.

I really don't understand how you can verify this on the outside either. Please explain.

In theory, it is possible to have a network in which all SSL connections are broken, intercepted and then re-encrypted. The user's browser has been tampered with, so they cannot tell the difference.

Do any good white papers exist on this? I am just curious.

I read about an Application firewall which claims to do this. I am curious if the end user would ever be able to detect this.
0
NYGiantsFan (Author) commented:
Please ignore the previous posting. I really need my coffee. I cannot seem to edit it.

I have heard about technologies that make it impossible to determine on the user's side within certain networks if the SSL cert has been replaced with a man in the middle certificate. The ability to verify in the browser is interrupted, appearing to be a solid connection.

I really don't understand how you can verify this on the outside either. Please explain.

In theory, it is possible to have a network in which all SSL connections are broken, intercepted and then re-encrypted. The user's browser has been tampered with, so they cannot tell the difference.

Do any good white papers exist on this? I am just curious.

I read about an Application firewall which claims to do this. I am curious if the end user would ever be able to detect this and if so how. I understand the basics of public key cryptology; however, with a man in the middle, when the handshake is broken and the browser tampered with, what can one do?
0
Paranormastic (Cryptographic Engineer) commented:
Typical corporate warm-fuzzy SSL interception you can just check the gold lock and see what CA issued the cert in question. If your session is being intercepted then it will stick out that it is from your company's CA and not a public CA. Another way is to use a different browser (e.g. Firefox, Safari, or Opera, but in this case Chrome will not do you any good since it uses the same cert store as IE) - since that browser was not installed by your IT group then they did not put their own trusted root into your certificate store. Or if they did, you could keep it in one browser and take it out of another. When you get SSL interception then a warning will pop up that the cert is not trusted and there's your automatic check for you.

However, you are probably talking about the malicious version of the warm fuzzy method described above. Once the SSL request leaves the client's computer, it is encrypted by the server's private key - normally this private key is only on the server and anyone in the middle would have to use their own cert and hope you're a sucker to trust it for the interception to be successful (similar to corporate model, without the established trust). However, if someone has the server's private key then you're pretty much out of luck for detecting it as the session can be replayed to the actual server (or just served by the malicious host) since it is using the appropriate private key to sign the response.

This is extreme and rare, but it can happen. Once the key compromise has been reported to the issuing company, then they will report the attack to the company (e.g. Verisign, Comodo, etc.) that issued the cert and that company would revoke the cert. When your client checks again for the validity a little while later, a revocation notice will appear in the browser - these should never ever be accepted under any circumstance (outside of a test lab testing this kind of scenario).

This is why protecting the private key for web servers, CA servers, or anything that needs to have a cert should be tightly secured, such as on an HSM, which unfortunately is not always the case. PCI DSS is making things better for the credit card industry by making this a requirement, but it will be a few years until this threat becomes of higher concern to the general public before proper security will make it to the rest of the SSL world.
0
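The two checks the experts describe, tty2's out-of-band fingerprint comparison and Paranormastic's "look at which CA issued the cert", can be scripted. The following is an added example, not code from the thread: it records a site's SHA-256 certificate fingerprint (obtained over a trusted channel and pinned), fetches what the current network offers, and reports the issuer CN so a corporate or proxy CA stands out. The host name `pinned.example` and the pinned value are constructed placeholders; `assess` is a hypothetical helper, and the network fetch uses only the standard `ssl` and `socket` modules.

```python
"""Added example, not from the thread: pin a certificate fingerprint recorded
out of band and compare it to what the network hands you, reporting the
issuer CN. Host names and pinned values are constructed placeholders."""
import hashlib
import socket
import ssl

# Reference SHA-256 fingerprints, recorded over a trusted channel (phone, a
# known-good network). The entry below is a constructed placeholder.
PINNED_FINGERPRINTS = {
    "pinned.example": {"PLACEHOLDER:RECORD:OUT:OF:BAND"},
}


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, formatted the way browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def issuer_common_name(cert_info: dict) -> str:
    """Pull the issuer CN out of the dict that SSLSocket.getpeercert() returns."""
    for rdn in cert_info.get("issuer", ()):
        for attr_name, value in rdn:
            if attr_name == "commonName":
                return value
    return ""


def assess(host: str, der_cert: bytes, cert_info: dict, pinned: dict) -> dict:
    """Compare the offered certificate against the pinned fingerprint for host."""
    fingerprint = fingerprint_sha256(der_cert)
    expected = pinned.get(host)
    if expected is None:
        status = "unpinned"      # nothing recorded yet; cannot judge
    elif fingerprint in expected:
        status = "match"         # same leaf cert as recorded out of band
    else:
        status = "mismatch"      # different cert: look at who issued it
    return {
        "host": host,
        "fingerprint": fingerprint,
        "issuer": issuer_common_name(cert_info),
        "status": status,
    }


def fetch_peer_certificate(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with host and return (DER bytes, parsed certificate dict).

    The default context verifies against the local trust store, so a proxy
    whose root was never installed there fails with
    SSLCertVerificationError, the command-line equivalent of the browser
    warning. A proxy root that was installed passes this check, which is
    why the pinned fingerprint is compared afterwards.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "pinned.example"
    try:
        der, info = fetch_peer_certificate(target)
    except ssl.SSLCertVerificationError as exc:
        print(f"{target}: certificate not trusted by this store: {exc.verify_message}")
        sys.exit(1)
    result = assess(target, der, info, PINNED_FINGERPRINTS)
    print(f"{result['host']}: {result['status']}")
    print(f"  issuer CN: {result['issuer']}")
    print(f"  sha256:    {result['fingerprint']}")
    if result["status"] == "unpinned":
        print("  record this fingerprint over a trusted channel before relying on it")
```

Run it once from a network you trust to capture the fingerprint, put that value into `PINNED_FINGERPRINTS`, and run it again on the network in question: a `mismatch` with an issuer CN belonging to your organisation or a proxy product is the corporate interception case; a verification error means the intercepting root was never installed on this machine, which is the "different browser" trick in script form. The limit Paranormastic raises still applies: if the attacker holds the real server key, or the client itself has been tampered with, this comparison cannot tell the difference.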
NYGiantsFan (Author) commented:
Thank you for your thoughts on this.
0