[GTALUG] Decrypting and Re-encrypting Network Traffic
D. Hugh Redelmeier
hugh at mimosa.com
Wed Sep 11 11:44:14 EDT 2019
| From: Mike via talk <talk at gtalug.org>
| A TLS/SSL Man In The Middle (MITM) requires your browser to negotiate
| TLS with the MITM, and the MITM goes out onto the Internet to
| (separately) negotiate TLS with the site you are trying to connect to.
Right.
Your browser must be fooled into thinking that the MITM is the site
you are trying to commect to.
Lets call the site your are trying to get to "goal.ca".
The DNS must provide the browser with the MTM's IP address when
resolving "goal.ca" OR the MTM must intercept all traffic for the real
goal.ca. I'd guess that interception is more likely to be successful.
| However, this means that the MITM needs to provide you a public
| certificate for which it is in possession of the private key.
And that cert must claim to be for goal.ca.
| Presumably this is not a certificate whose authenticity can be traced
| to a top-level Certificate Authority (CA) that your browser trusts.
Right. Any CA that would issue a cert for goal.ca to someone not
associated with goal.ca would find their root certs kicked out of
every browser (it has happened).
| That should be your detection method.
In other words, such a cert could not be validated. (Validation happens
through a chain of certificates terminating in a root (self-signed) cert
already known to the browser (seeded by the browser vendor or previously
added by the user).
| Otherwise, if you're dealing
| with a large, corporate MITM (cough, Zscaler, cough), they might be
| generating / issuing MITM certs on the fly from their issuing CA cert
| which may actually trace to a top-level public CA.
Wait: is that possible? Why are those CAs not expelled by the browser
"vendors"?
I must have misunderstood something.
In <https://en.wikipedia.org/wiki/Zscaler#SSL_traffic_considerations>
"... and assuming that the user has pre-installed a company root cert
..."
DON'T DO THAT. At least not unless you understand the consequences.
PS: even when successfully using end-to-end TLS, traffic analysis
gives away a lot of the game. A VPN would reduce but not eliminate
that leakage. Few of us realize how effective traffic analysis can
be.
More information about the talk
mailing list