Stuck in the middle with you
September 12, 2015 3:56 PM Subscribe
I'm looking for resources/explanations of how to tell if someone is intercepting my SSL traffic.
I keep hearing stories that many corporate IT departments are employing tools that allow for intercepting internet traffic, even via SSL. Is there a way to tell if this is happening? It seems like the kind of thing that could be accidentally on without IT even knowing. I use HTTPS everywhere in firefox and have SSL observatory on, but have never seen a warning or error from it. If my IT department/ISP/Government changed a root cert on my PC, is that enough to allow MITM? Is there a way to analyze/validate those certs? If I have to accept a cert on my phone to get on wifi, can I inspect anything about it to know how it is being used? If I have control of a webserver, can I run some sort of end-to-end test?
I think I understand basic concepts of how SSL works, but as multiple hacks have shown, it only takes one blind spot to bring down the entire show.
Assume I am comfortable with Windows and linux cmdlines and am not afraid of reading technotes/whitepapers/etc. I have local admin, but group policy overrides some stuff. I'm struggling with how to even find these resources.
This is mostly a curiosity thing. I get that my employer owns and operates their network however they see fit, and I shouldn't be using it for anything personal if I don't want them to see it.
I keep hearing stories that many corporate IT departments are employing tools that allow for intercepting internet traffic, even via SSL. Is there a way to tell if this is happening? It seems like the kind of thing that could be accidentally on without IT even knowing. I use HTTPS everywhere in firefox and have SSL observatory on, but have never seen a warning or error from it. If my IT department/ISP/Government changed a root cert on my PC, is that enough to allow MITM? Is there a way to analyze/validate those certs? If I have to accept a cert on my phone to get on wifi, can I inspect anything about it to know how it is being used? If I have control of a webserver, can I run some sort of end-to-end test?
I think I understand basic concepts of how SSL works, but as multiple hacks have shown, it only takes one blind spot to bring down the entire show.
Assume I am comfortable with Windows and linux cmdlines and am not afraid of reading technotes/whitepapers/etc. I have local admin, but group policy overrides some stuff. I'm struggling with how to even find these resources.
This is mostly a curiosity thing. I get that my employer owns and operates their network however they see fit, and I shouldn't be using it for anything personal if I don't want them to see it.
The easy way is to just download a fresh browser or run it off a thumb drive. You'd then see immediately because going to, say, https://encrypted.google.com/ would bring up scary warning messages in any modern browser.
Those warnings are disabled, though, in browsers that have a private key installed, specifically to allow MITM'ing by corporate/government networks. This is a legitimate thing, because the company wants to know what sites you are visiting, to prevent botnets from phoning home, exfiltration of sensitive data, etc. However, there is no way that I know of to conceal that a private certificate is installed, so you'd be able to to follow bfranklin's instructions.
posted by wnissen at 4:51 PM on September 12, 2015 [1 favorite]
Those warnings are disabled, though, in browsers that have a private key installed, specifically to allow MITM'ing by corporate/government networks. This is a legitimate thing, because the company wants to know what sites you are visiting, to prevent botnets from phoning home, exfiltration of sensitive data, etc. However, there is no way that I know of to conceal that a private certificate is installed, so you'd be able to to follow bfranklin's instructions.
posted by wnissen at 4:51 PM on September 12, 2015 [1 favorite]
I believe the HTTPS everywhere browser extension uses the SSL Observatory data to warn about some MITM attacks, though I've never witnessed such a warning in my own browser. Some browsers implement some form of Certificate pinning though it isn't currently in widespread use, and would likely only detect issues for a small subset of sites (e.g. google.com sites in Chrome, for instance).
As bfranklin mentioned, the most foolproof way to check is to look at the details of the certificates for the sites you visit, and if there is a MITM there, you'll see a different chain than you would on a normal network. Unfortunately, this tends to be a very manual process currently.
posted by Aleyn at 5:04 PM on September 12, 2015
As bfranklin mentioned, the most foolproof way to check is to look at the details of the certificates for the sites you visit, and if there is a MITM there, you'll see a different chain than you would on a normal network. Unfortunately, this tends to be a very manual process currently.
posted by Aleyn at 5:04 PM on September 12, 2015
My work man in the middle ssl and its apparent because the certificate for all sites is from my employer
posted by TheAdamist at 5:20 PM on September 12, 2015
posted by TheAdamist at 5:20 PM on September 12, 2015
If they've been really slack with their MITM implementation, your browser will fail to warn you when you visit a site that uses a self-signed cert. Here's a test page for that case.
posted by flabdablet at 6:28 PM on September 12, 2015
posted by flabdablet at 6:28 PM on September 12, 2015
The reason this ought to matter to your corporate overlords, by the way, is that it makes spearphishing attacks against people in your workplace way, way easier to pull off.
posted by flabdablet at 6:32 PM on September 12, 2015
posted by flabdablet at 6:32 PM on September 12, 2015
This site is helpful: https://www.grc.com/fingerprints.htm
posted by LoveHam at 7:51 PM on September 12, 2015 [1 favorite]
posted by LoveHam at 7:51 PM on September 12, 2015 [1 favorite]
Best answer: An easy rule-of-thumb verification is to go to a few sites that you know use different CAs in real life, and check to make sure that they are still being shown by your computer to have different CAs.
For instance: Metafilter's certificate comes from "COMODO", which is an entirely different trust root from Google's certificate (at encrypted.google.com) which rolls up to "GeoTrust". They don't, and barring a change in vendor from one site or the other never should, point to the same root certificate.
This is not a 100% guarantee, but most common MITM schemes involve the installation of a single or a handful of bogus root CAs, and when they are in use and your traffic is being snooped, all sites will appear to have certificates that roll up to the same (bogus) root. Typically that root has a company name on it, but I've also seen it done with a fake-but-plausible-looking name, which is shady as hell. But anytime you start to see all SSL traffic from a bunch of sites all roll up to the same root, you know something is amiss.
If you want a reliable check, you need to validate the fingerprints, but then you get into a whole discussion about how to securely validate fingerprints over an insecure connection... it's not a trivial problem. (You can use a site like GRC's, but you'd need to start off with GRC's fingerprint offline somewhere, in order to trust the list of fingerprints it's giving you for other sites...) But it's a quick check that you can do if you suspect for some reason that a computer has been tampered with by a individual or corporate admin, rather than the NSA or Unit 61398.
posted by Kadin2048 at 2:06 PM on September 13, 2015 [2 favorites]
For instance: Metafilter's certificate comes from "COMODO", which is an entirely different trust root from Google's certificate (at encrypted.google.com) which rolls up to "GeoTrust". They don't, and barring a change in vendor from one site or the other never should, point to the same root certificate.
This is not a 100% guarantee, but most common MITM schemes involve the installation of a single or a handful of bogus root CAs, and when they are in use and your traffic is being snooped, all sites will appear to have certificates that roll up to the same (bogus) root. Typically that root has a company name on it, but I've also seen it done with a fake-but-plausible-looking name, which is shady as hell. But anytime you start to see all SSL traffic from a bunch of sites all roll up to the same root, you know something is amiss.
If you want a reliable check, you need to validate the fingerprints, but then you get into a whole discussion about how to securely validate fingerprints over an insecure connection... it's not a trivial problem. (You can use a site like GRC's, but you'd need to start off with GRC's fingerprint offline somewhere, in order to trust the list of fingerprints it's giving you for other sites...) But it's a quick check that you can do if you suspect for some reason that a computer has been tampered with by a individual or corporate admin, rather than the NSA or Unit 61398.
posted by Kadin2048 at 2:06 PM on September 13, 2015 [2 favorites]
Response by poster: wow, I didn't realize it was this simple. Are these analysis tools available on iOS or android?
posted by stobor at 8:32 AM on September 14, 2015
posted by stobor at 8:32 AM on September 14, 2015
Looking at that GRC Research site, I see there is an even simpler way. Chrome and Firefox (not IE) will not show the big green verified name "Gibson Research Corporation [US]" to the left of the URL on a spoofed connection, even with private certificates installed.
As far as iOS, apparently you can't do it from Safari, but there's an app for that. No personal experience.
posted by wnissen at 10:33 PM on September 16, 2015
As far as iOS, apparently you can't do it from Safari, but there's an app for that. No personal experience.
posted by wnissen at 10:33 PM on September 16, 2015
« Older How do I become a data scientist? | Should I preemptively tell a new employer about a... Newer »
This thread is closed to new comments.
posted by bfranklin at 4:09 PM on September 12, 2015 [9 favorites]