[GTALUG] Decrypting and Re-encrypting Network Traffic
porquet at gmail.com
porquet at gmail.com
Wed Sep 11 12:21:07 EDT 2019
Offered as a point of information... I believe the Saudi government uses
these technologies to keep their web halal...
https://www.sandvine.com/government-customers
On Wed, 11 Sep 2019 at 11:44, D. Hugh Redelmeier via talk <talk at gtalug.org>
wrote:
> | From: Mike via talk <talk at gtalug.org>
>
> | A TLS/SSL Man In The Middle (MITM) requires your browser to negotiate
> | TLS with the MITM, and the MITM goes out onto the Internet to
> | (separately) negotiate TLS with the site you are trying to connect to.
>
> Right.
>
> Your browser must be fooled into thinking that the MITM is the site
> you are trying to commect to.
>
> Lets call the site your are trying to get to "goal.ca".
>
> The DNS must provide the browser with the MTM's IP address when
> resolving "goal.ca" OR the MTM must intercept all traffic for the real
> goal.ca. I'd guess that interception is more likely to be successful.
>
> | However, this means that the MITM needs to provide you a public
> | certificate for which it is in possession of the private key.
>
> And that cert must claim to be for goal.ca.
>
> | Presumably this is not a certificate whose authenticity can be traced
> | to a top-level Certificate Authority (CA) that your browser trusts.
>
> Right. Any CA that would issue a cert for goal.ca to someone not
> associated with goal.ca would find their root certs kicked out of
> every browser (it has happened).
>
> | That should be your detection method.
>
> In other words, such a cert could not be validated. (Validation happens
> through a chain of certificates terminating in a root (self-signed) cert
> already known to the browser (seeded by the browser vendor or previously
> added by the user).
>
> | Otherwise, if you're dealing
> | with a large, corporate MITM (cough, Zscaler, cough), they might be
> | generating / issuing MITM certs on the fly from their issuing CA cert
> | which may actually trace to a top-level public CA.
>
> Wait: is that possible? Why are those CAs not expelled by the browser
> "vendors"?
>
> I must have misunderstood something.
>
> In <https://en.wikipedia.org/wiki/Zscaler#SSL_traffic_considerations>
>
> "... and assuming that the user has pre-installed a company root cert
> ..."
>
> DON'T DO THAT. At least not unless you understand the consequences.
>
> PS: even when successfully using end-to-end TLS, traffic analysis
> gives away a lot of the game. A VPN would reduce but not eliminate
> that leakage. Few of us realize how effective traffic analysis can
> be.
> ---
> Post to this mailing list talk at gtalug.org
> Unsubscribe from this mailing list
> https://gtalug.org/mailman/listinfo/talk
>
--
William Porquet, M.A. ‡ mailto:william at 2038.org ‡ http://www.2038.org/
"It is only with the heart one can see clearly; what is essential is
invisible to the eye." - (The Fox) "The Little Prince"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gtalug.org/pipermail/talk/attachments/20190911/79741eff/attachment.html>
More information about the talk
mailing list