Gentoo Forums
Corporate firewalls as man-in-middle to decrypt SSL traffic
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1569
Location: U.S.A.

PostPosted: Thu Nov 15, 2012 3:22 am    Post subject: Corporate firewalls as man-in-middle to decrypt SSL traffic

Corporate firewalls are beginning to systematically use what is in fact a man-in-the-middle attack to decrypt inbound and outbound SSL-encrypted traffic.
Quote:
The Palo Alto Networks NGFW uses a certificate-copying mechanism to open up TLS 1.1 sessions (TLS 1.2 for outbound is not yet supported but the process negotiates down to TLS 1.1) that basically works like a corporate-operated man-in-the-middle attack. Keyword-based detection based on source-code extensions, for example, can be on the alert for an escaping intellectual property, though the Palo Alto NGFW is not said to represent full-featured data-loss prevention.

http://www.networkworld.com/news/2012/111412-ssl-decryption-264265.html
_________________
"The accumulation of all power, legislative, executive, and judiciary in the same hands...may justly be pronounced the very definition of tyranny."
--James Madison, Federalist 46
ratmonkey
n00b
Joined: 13 Aug 2006
Posts: 15

PostPosted: Thu Nov 15, 2012 3:36 am

Mixed feelings on this. On one hand, if my employer did this and warned everyone it was coming, I wouldn't worry much about it since I don't use my work account for anything but business. On the other hand, if the technology exists, how long till my ISP is doing the same thing on my personal connection?
Boris27
Guru
Joined: 05 Nov 2003
Posts: 562
Location: Almelo, The Netherlands

PostPosted: Thu Nov 15, 2012 8:45 am

I don't like it. However, until we all start using SSL observatory (which a corporation might ban), we can't find these attacks.

The stupid thing is, a programmer who wants to sneak code out of the company would probably not even use SSL. You could set up an SSH host and note down its host fingerprint. Or he could just encrypt the contents (winzip even allows you to do that) and send that file via SSL. So it probably will not even work.
_________________
we are microsoft, lower your firewalls and surrender your pc's. we will add your biological and technological distinctiveness to our own. your culture will adapt and service us. resistance is futile.
Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 352
Location: NRW, Germany

PostPosted: Thu Nov 15, 2012 10:33 am

Boris27 wrote:
The stupid thing is, a programmer who wants to sneak code out of the company would probably not even use SSL. You could set up an SSH host and note down its host fingerprint. Or he could just encrypt the contents (winzip even allows you to do that) and send that file via SSL. So it probably will not even work.

Or he could just use a fucking pendrive.
erm67
Tux's lil' helper
Joined: 01 Nov 2005
Posts: 130
Location: somewhere in Berlusconia.

PostPosted: Thu Nov 15, 2012 11:29 am

I had some experience with such a corporate firewall doing man-in-the-middle, but it is easy to notice that your ssl connection was intercepted just by reading the certificate .....
It is possible to get through using a cipher not supported by the firewall, but the connection shows up in the logs and the admin can also block all non-supported cryptography; basically that is what happened when all the people in our office started using them :-)
It is easy to fool such a firewall if it is not configured to let through only connections that can be intercepted. Of course, if you have the possibility, an ssh connection to an external host can be the best method to pierce it. The only problem is the traffic generated browsing the internet over it; the admin started questioning how we could generate all that ssh traffic doing normal sysadmin activity ....
_________________
Truck!!
A posse ad esse non valet consequentia
Πάντα ῥεῖ
pjp
Administrator
Joined: 16 Apr 2002
Posts: 16116
Location: Colorado

PostPosted: Thu Nov 15, 2012 4:26 pm

PGP.

With keystroke logging on corporate laptops, you can't truly hide what you're sending out. But for personal stuff, PGP.

Of course, then they'll know you're a terrorist, etc. :twisted:
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008
wswartzendruber
Veteran
Joined: 23 Mar 2004
Posts: 1227
Location: Jefferson, USA

PostPosted: Thu Nov 15, 2012 4:34 pm

Hold on a sec. How do you just decrypt SSL?
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1569
Location: U.S.A.

PostPosted: Thu Nov 15, 2012 5:00 pm

wswartzendruber wrote:
Hold on a sec. How do you just decrypt SSL?

The public keys are freely available and used to decrypt inbound traffic, and the session key is transmitted to the client during ssl connection negotiation.

If you have control of the network (are already legitimately handling all traffic), it's easy. If you don't, then a true man-in-the-middle attack involves spoofing the destination (or gateway) address on the client side, and spoofing the client (or router) address on the internet side.
_________________
"The accumulation of all power, legislative, executive, and judiciary in the same hands...may justly be pronounced the very definition of tyranny."
--James Madison, Federalist 46
wswartzendruber
Veteran
Joined: 23 Mar 2004
Posts: 1227
Location: Jefferson, USA

PostPosted: Thu Nov 15, 2012 7:06 pm

Public keys are used to decrypt traffic? That's done for signing, not encryption.
erm67
Tux's lil' helper
Joined: 01 Nov 2005
Posts: 130
Location: somewhere in Berlusconia.

PostPosted: Thu Nov 15, 2012 7:13 pm

wswartzendruber wrote:
Hold on a sec. How do you just decrypt SSL?

You don't decrypt it, actually; the firewall just snoops the traffic using regular keys :-)

user<==>firewall<==>server

All keys necessarily go through the firewall; the firewall actually owns all the keys :-) It intercepts the initial key exchange between client and server.
_________________
Truck!!
A posse ad esse non valet consequentia
Πάντα ῥεῖ
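An added example, not code from the thread, of what erm67 means by spotting the interception from the certificate and by the firewall sitting between the two sessions: the leaf certificate the client actually receives is issued by the firewall's own CA rather than the public CA, so comparing the issuer and a fingerprint recorded out of band (from a connection made outside the corporate network) flags it. The certificate dicts, DER bytes and CA names below are constructed sample data in the shape Python's `ssl` module returns; `fetch_peer_cert` is an assumed helper for a live check.

```python
import hashlib
import socket
import ssl


def issuer_cn(cert):
    """commonName of the issuer in an ssl.SSLSocket.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def cert_sha256(der):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def interception_findings(cert, der, expected_issuer_cn, pinned_sha256=None):
    """Findings suggesting the chain was re-signed by an intercepting CA.

    An empty list means the presented leaf matches what was recorded out of band."""
    findings = []
    cn = issuer_cn(cert)
    if cn != expected_issuer_cn:
        findings.append(f"issuer CN is {cn!r}, expected {expected_issuer_cn!r}")
    if pinned_sha256 is not None and cert_sha256(der) != pinned_sha256:
        findings.append("leaf certificate fingerprint does not match the pin")
    return findings


def fetch_peer_cert(host, port=443, timeout=5):
    """Live helper (assumed): (parsed dict, DER bytes) of the leaf a host presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample inputs in getpeercert() shape; these are not real certificates.
NORMAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("commonName", "Example Public CA"),)),
}
NORMAL_DER = b"constructed-der-bytes-of-the-real-leaf"
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),  # same subject as the real site
    "issuer": ((("commonName", "Corp Firewall Intercept CA"),),),  # re-signed by the firewall
}
INTERCEPTED_DER = b"constructed-der-bytes-of-the-resigned-leaf"
```

With `ssl.create_default_context()`, a re-signed leaf only reaches `getpeercert()` when the intercepting CA has been installed in the client's trust store; otherwise `wrap_socket` raises `ssl.SSLCertVerificationError`, which is itself the signal.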
BonezTheGoon
Bodhisattva
Joined: 14 Jun 2002
Posts: 1375
Location: Albuquerque, NM -- birthplace of Microsoft and Gentoo

PostPosted: Thu Nov 15, 2012 8:41 pm

The reason this is becoming commonplace is due to several malware exploits that communicate outbound through SSL, so intrusion detection systems have a hard time identifying the threat.
_________________
mcgruff wrote:
I can't promise to be civil.


pjp wrote:
The greater evil is voting for the "lesser evil."
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1569
Location: U.S.A.

PostPosted: Thu Nov 15, 2012 11:28 pm

I prefer network steganography for my dirty work. Nobody stops my oversized, payload-bearing icmp packets (or even knows that they can have a payload). :twisted:
_________________
"The accumulation of all power, legislative, executive, and judiciary in the same hands...may justly be pronounced the very definition of tyranny."
--James Madison, Federalist 46
BonezTheGoon
Bodhisattva
Joined: 14 Jun 2002
Posts: 1375
Location: Albuquerque, NM -- birthplace of Microsoft and Gentoo

PostPosted: Sat Nov 17, 2012 1:56 pm

I'm sure that you are correct for the hugely vast majority, but I assure you that your statement of "nobody" is wholly incorrect.
_________________
mcgruff wrote:
I can't promise to be civil.


pjp wrote:
The greater evil is voting for the "lesser evil."
wswartzendruber
Veteran
Joined: 23 Mar 2004
Posts: 1227
Location: Jefferson, USA

PostPosted: Sat Nov 17, 2012 7:16 pm

BoneKracker wrote:
I prefer network steganography for my dirty work. Nobody stops my oversized, payload-bearing icmp packets (or even knows that they can have a payload). :twisted:

Huh. I wonder if that works through NAT64.
Crooksey
Apprentice
Joined: 26 Apr 2006
Posts: 239
Location: Vatican City

PostPosted: Thu Nov 22, 2012 12:55 pm

BoneKracker wrote:
I prefer network steganography for my dirty work. Nobody stops my oversized, payload-bearing icmp packets (or even knows that they can have a payload). :twisted:

:twisted: