A workplace installs custom certificates on personal devices, can this be used to decrypt HTTPS traffic?...
Can you force honesty by using the Speak with Dead and Zone of Truth spells together?
I can't produce songs
Why is the change of basis formula counter-intuitive? [See details]
What does 丫 mean? 丫是什么意思?
i2c bus hangs in master RPi access to MSP430G uC ~1 in 1000 accesses
Delete free apps from Play Store library
Mounting TV on a weird wall that has some material between the drywall and stud
Is there any word for a place full of confusion?
Trying to understand entropy as a novice in thermodynamics
Caught masturbating at work
One-one communication
What is the role of と after a noun when it doesn't appear to count or list anything?
The Nth Gryphon Number
What are the main differences between the original Stargate SG-1 and the Final Cut edition?
The test team as an enemy of development? And how can this be avoided?
Was Kant an Intuitionist about mathematical objects?
malloc in main() or malloc in another function: allocating memory for a struct and its members
Does the Mueller report show a conspiracy between Russia and the Trump Campaign?
Why not send Voyager 3 and 4 following up the paths taken by Voyager 1 and 2 to re-transmit signals of later as they fly away from Earth?
How do living politicians protect their readily obtainable signatures from misuse?
Tannaka duality for semisimple groups
My mentor says to set image to Fine instead of RAW — how is this different from JPG?
What does the writing on Poe's helmet say?
Resize vertical bars (absolute-value symbols)
A workplace installs custom certificates on personal devices, can this be used to decrypt HTTPS traffic? [duplicate]
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)How can my employer be a man-in-the-middle when I connect to Gmail?Corporate computers have own corporation's cert as trusted CA; should I consider all traffic compromised?Is it possible for corporation to intercept and decrypt SSL/TLS traffic?ECDHE_RSA and gmailWhy not use client certificates for premaster key generationIt is possible to decrypt HTTPS traffic when a man in the middle proxy is already in place?Details of TLS certificate verificationUnderstanding SSL man-in-the-middle and its limitationsDoubts about tls handshakeDecrypt TLS trafficStorage of certificates and keys in hardware security modules (Use-case TLS)Publishing a private key used for HTTPS certificates, is it ever OK?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
This question already has an answer here:
How can my employer be a man-in-the-middle when I connect to Gmail? [duplicate]
5 answers
So another engineer buddy of mine and I were having a drink the other night. He mentioned that you're allowed to use personal devices on the office wifi, but that they install a custom certificate so they can MITM your traffic.
Neither of us are security experts, but I know a little bit about the HTTP/TLS handshake protocol to question whether this is the case.
As far as I understand it (please forgive me if I butcher it):
Client-Server initiate handshake, and exchange certificate from signing authority + public key + random string.
Public key is used to decrypt a random string of characters, which is fed into a hashing algorithm and reveals a private key.
Private key is used to decrypt the traffic that follows
We were reading this article, about how companies sometimes install certificates to decrypt outgoing traffic.
If the blog-post case is true, then how does this work? Would they get the private key using their trusted-root all uses certificate? Assuming that works, that covers the windows use-case, but what about other platforms like OSX/iOS, linux, BSD etc.?
Are there other approaches that I'm not considering, where a certificate install could be used to MitM?
tls certificates
asked Mar 25 at 23:06
Scuba SteveScuba Steve
1667
marked as duplicate by Dmitry Grigoryev, schroeder♦ Mar 26 at 9:17
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
|
show 6 more comments
This question already has an answer here:
How can my employer be a man-in-the-middle when I connect to Gmail? [duplicate]
5 answers
So another engineer buddy of mine and I were having a drink the other night. He mentioned that you're allowed to use personal devices on the office wifi, but that they install a custom certificate so they can MITM your traffic.
Neither of us are security experts, but I know a little bit about the HTTP/TLS handshake protocol to question whether this is the case.
As far as I understand it (please forgive me if I butcher it):
Client-Server initiate handshake, and exchange certificate from signing authority + public key + random string.
Public key is used to decrypt a random string of characters, which is fed into a hashing algorithm and reveals a private key.
Private key is used to decrypt the traffic that follows
We were reading this article, about how companies sometimes install certificates to decrypt outgoing traffic.
If the blog-post case is true, then how does this work? Would they get the private key using their trusted-root all uses certificate? Assuming that works, that covers the windows use-case, but what about other platforms like OSX/iOS, linux, BSD etc.?
Are there other approaches that I'm not considering, where a certificate install could be used to MitM?
tls certificates
asked Mar 25 at 23:06
Scuba SteveScuba Steve
1667
marked as duplicate by Dmitry Grigoryev, schroeder♦ Mar 26 at 9:17
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
What certificates did he install? Was it a root CA certificate? It could have just been a certificate to authenticate the radius server which is used to authorize access to the wifi. Different certificates do different tasks.
– Daisetsu
Mar 25 at 23:09
2
Oh, I see. Yes that is possible and it's not rare. They're called TLS interception proxies.
– Daisetsu
Mar 25 at 23:15
1
tlseminar.github.io/tls-interception look at the section titled "How SSL/TLS interception works"
– Daisetsu
Mar 25 at 23:20
1
It's important to distinguish between two major classes of certificates, CA certificates (used to identify servers to you) and client certificates (used to identify you to the corporate network).
– chrylis
Mar 26 at 3:33
1
There are at least 3 reasons why a WiFi might require a CA to be installed, you would check in detail why: a) as the users client authentication, b) as a trusted Radius Server certificate for Enterprise-WPA or VPN, c) as a fake root CA for MitM. The later one is however pretty risky on personal devices as it might endanger them outside company use.
– eckes
Mar 26 at 5:08
|
show 6 more comments
This question already has an answer here:
How can my employer be a man-in-the-middle when I connect to Gmail? [duplicate]
5 answers
So another engineer buddy of mine and I were having a drink the other night. He mentioned that you're allowed to use personal devices on the office wifi, but that they install a custom certificate so they can MITM your traffic.
Neither of us are security experts, but I know a little bit about the HTTP/TLS handshake protocol to question whether this is the case.
As far as I understand it (please forgive me if I butcher it):
Client-Server initiate handshake, and exchange certificate from signing authority + public key + random string.
Public key is used to decrypt a random string of characters, which is fed into a hashing algorithm and reveals a private key.
Private key is used to decrypt the traffic that follows
We were reading this article, about how companies sometimes install certificates to decrypt outgoing traffic.
If the blog-post case is true, then how does this work? Would they get the private key using their trusted-root all uses certificate? Assuming that works, that covers the windows use-case, but what about other platforms like OSX/iOS, linux, BSD etc.?
Are there other approaches that I'm not considering, where a certificate install could be used to MitM?
tls certificates
asked Mar 25 at 23:06
Scuba SteveScuba Steve
1667
This question already has an answer here:
How can my employer be a man-in-the-middle when I connect to Gmail? [duplicate]
5 answers
So another engineer buddy of mine and I were having a drink the other night. He mentioned that you're allowed to use personal devices on the office wifi, but that they install a custom certificate so they can MITM your traffic.
Neither of us are security experts, but I know a little bit about the HTTP/TLS handshake protocol to question whether this is the case.
As far as I understand it (please forgive me if I butcher it):
Client-Server initiate handshake, and exchange certificate from signing authority + public key + random string.
Public key is used to decrypt a random string of characters, which is fed into a hashing algorithm and reveals a private key.
Private key is used to decrypt the traffic that follows
We were reading this article, about how companies sometimes install certificates to decrypt outgoing traffic.
If the blog-post case is true, then how does this work? Would they get the private key using their trusted-root all uses certificate? Assuming that works, that covers the windows use-case, but what about other platforms like OSX/iOS, linux, BSD etc.?
Are there other approaches that I'm not considering, where a certificate install could be used to MitM?
This question already has an answer here:
How can my employer be a man-in-the-middle when I connect to Gmail? [duplicate]
5 answers
tls certificates
tls certificates
asked Mar 25 at 23:06
Scuba SteveScuba Steve
1667
asked Mar 25 at 23:06
Scuba SteveScuba Steve
1667
asked Mar 25 at 23:06
Scuba SteveScuba Steve
1667
asked Mar 25 at 23:06
Scuba SteveScuba Steve
1667
asked Mar 25 at 23:06
Scuba SteveScuba Steve
1667
1667
marked as duplicate by Dmitry Grigoryev, schroeder♦ Mar 26 at 9:17
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
marked as duplicate by Dmitry Grigoryev, schroeder♦ Mar 26 at 9:17
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
What certificates did he install? Was it a root CA certificate? It could have just been a certificate to authenticate the radius server which is used to authorize access to the wifi. Different certificates do different tasks.
– Daisetsu
Mar 25 at 23:09
2
Oh, I see. Yes that is possible and it's not rare. They're called TLS interception proxies.
– Daisetsu
Mar 25 at 23:15
1
tlseminar.github.io/tls-interception look at the section titled "How SSL/TLS interception works"
– Daisetsu
Mar 25 at 23:20
1
It's important to distinguish between two major classes of certificates, CA certificates (used to identify servers to you) and client certificates (used to identify you to the corporate network).
– chrylis
Mar 26 at 3:33
1
There are at least 3 reasons why a WiFi might require a CA to be installed, you would check in detail why: a) as the users client authentication, b) as a trusted Radius Server certificate for Enterprise-WPA or VPN, c) as a fake root CA for MitM. The later one is however pretty risky on personal devices as it might endanger them outside company use.
– eckes
Mar 26 at 5:08
|
show 6 more comments
What certificates did he install? Was it a root CA certificate? It could have just been a certificate to authenticate the radius server which is used to authorize access to the wifi. Different certificates do different tasks.
– Daisetsu
Mar 25 at 23:09
2
Oh, I see. Yes that is possible and it's not rare. They're called TLS interception proxies.
– Daisetsu
Mar 25 at 23:15
1
tlseminar.github.io/tls-interception look at the section titled "How SSL/TLS interception works"
– Daisetsu
Mar 25 at 23:20
1
It's important to distinguish between two major classes of certificates, CA certificates (used to identify servers to you) and client certificates (used to identify you to the corporate network).
– chrylis
Mar 26 at 3:33
1
There are at least 3 reasons why a WiFi might require a CA to be installed, you would check in detail why: a) as the users client authentication, b) as a trusted Radius Server certificate for Enterprise-WPA or VPN, c) as a fake root CA for MitM. The later one is however pretty risky on personal devices as it might endanger them outside company use.
– eckes
Mar 26 at 5:08
What certificates did he install? Was it a root CA certificate? It could have just been a certificate to authenticate the radius server which is used to authorize access to the wifi. Different certificates do different tasks.
– Daisetsu
Mar 25 at 23:09
What certificates did he install? Was it a root CA certificate? It could have just been a certificate to authenticate the radius server which is used to authorize access to the wifi. Different certificates do different tasks.
– Daisetsu
Mar 25 at 23:09
2
2
Oh, I see. Yes that is possible and it's not rare. They're called TLS interception proxies.
– Daisetsu
Mar 25 at 23:15
Oh, I see. Yes that is possible and it's not rare. They're called TLS interception proxies.
– Daisetsu
Mar 25 at 23:15
1
1
tlseminar.github.io/tls-interception look at the section titled "How SSL/TLS interception works"
– Daisetsu
Mar 25 at 23:20
tlseminar.github.io/tls-interception look at the section titled "How SSL/TLS interception works"
– Daisetsu
Mar 25 at 23:20
1
1
It's important to distinguish between two major classes of certificates, CA certificates (used to identify servers to you) and client certificates (used to identify you to the corporate network).
– chrylis
Mar 26 at 3:33
It's important to distinguish between two major classes of certificates, CA certificates (used to identify servers to you) and client certificates (used to identify you to the corporate network).
– chrylis
Mar 26 at 3:33
1
1
There are at least 3 reasons why a WiFi might require a CA to be installed, you would check in detail why: a) as the users client authentication, b) as a trusted Radius Server certificate for Enterprise-WPA or VPN, c) as a fake root CA for MitM. The later one is however pretty risky on personal devices as it might endanger them outside company use.
– eckes
Mar 26 at 5:08
There are at least 3 reasons why a WiFi might require a CA to be installed, you would check in detail why: a) as the users client authentication, b) as a trusted Radius Server certificate for Enterprise-WPA or VPN, c) as a fake root CA for MitM. The later one is however pretty risky on personal devices as it might endanger them outside company use.
– eckes
Mar 26 at 5:08
|
show 6 more comments
1 Answer
1
active
oldest
votes
Yes, they can MitM the traffic this way, using an internal certificate authority. There are two primary ways in which the MitM can work.
The first is to simply turn the edge gateway into a proxy, whereby TLS connections are made from the gateway to the server, and the gateway then generates server certificates on the fly from an internal CA in order to impersonate the remote server. Your system trusts the CA, so it trusts the server certificate.
The second is a slightly different take on the first. The gateway proxies the traffic similarly to the first method, except it only advertises static RSA cipher suites to the remote server. The reason for doing this is performance. With a static RSA key exchange (i.e. not Diffie-Hellman) the gateway can split the handshake as before in order to provide the client with a certificate generated via the internal CA, but instead of decrypting the content on the gateway and then re-encrypting it before proxying, it simply passes the same session key between the client and server. This way the gateway only has to decrypt the traffic once, using the captured session key, and never needs to re-encrypt it in order to proxy the traffic between client and server. This trick no longer works in TLS 1.3 as static RSA key exchange was removed.
Generally speaking this kind of TLS inspection is fairly commonplace in large organisations, particularly financials. Deploying it on BYOD devices is somewhat common, although you should consider the privacy and security implications that might arise from installing your company's internal CA certificate on your device. You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys, because if not then your device is liable to be MitM'ed by an attacker.
answered Mar 25 at 23:19
PolynomialPolynomial
102k36249342
" You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys." Yes exactly, I had the same thought myself.
– Scuba Steve
Mar 25 at 23:21
15
As an aside, I once assessed a TLS inspection gateway product which re-signed all HTTPS connections using the internal CA, even if the remote certificate was invalid. This allowed for a particularly effective phishing campaign in which we impersonated the company intranet and had our phishing domain automagically signed by the company CA. I suggest that you check for this vulnerability yourself by trying to visit a site which you know has an invalid (e.g. expired, or incorrect domain) certificate and seeing if the connection succeeds.
– Polynomial
Mar 25 at 23:23
Amazing! I feel like pen-testing is a missed calling.
– Scuba Steve
Mar 25 at 23:30
2
FWIW even if 1.3 would allow static-RSA, it changes the key derivation to include the whole handshake (not just premaster+nonces) and MITM couldn't make those equal. This is similar to rfc7627 which fixes 'triple handshake' for 1.2, except that is optional and so MITM can force it off.
– dave_thompson_085
Mar 25 at 23:53
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Yes, they can MitM the traffic this way, using an internal certificate authority. There are two primary ways in which the MitM can work.
The first is to simply turn the edge gateway into a proxy, whereby TLS connections are made from the gateway to the server, and the gateway then generates server certificates on the fly from an internal CA in order to impersonate the remote server. Your system trusts the CA, so it trusts the server certificate.
The second is a slightly different take on the first. The gateway proxies the traffic similarly to the first method, except it only advertises static RSA cipher suites to the remote server. The reason for doing this is performance. With a static RSA key exchange (i.e. not Diffie-Hellman) the gateway can split the handshake as before in order to provide the client with a certificate generated via the internal CA, but instead of decrypting the content on the gateway and then re-encrypting it before proxying, it simply passes the same session key between the client and server. This way the gateway only has to decrypt the traffic once, using the captured session key, and never needs to re-encrypt it in order to proxy the traffic between client and server. This trick no longer works in TLS 1.3 as static RSA key exchange was removed.
Generally speaking this kind of TLS inspection is fairly commonplace in large organisations, particularly financials. Deploying it on BYOD devices is somewhat common, although you should consider the privacy and security implications that might arise from installing your company's internal CA certificate on your device. You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys, because if not then your device is liable to be MitM'ed by an attacker.
answered Mar 25 at 23:19
PolynomialPolynomial
102k36249342
" You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys." Yes exactly, I had the same thought myself.
– Scuba Steve
Mar 25 at 23:21
15
As an aside, I once assessed a TLS inspection gateway product which re-signed all HTTPS connections using the internal CA, even if the remote certificate was invalid. This allowed for a particularly effective phishing campaign in which we impersonated the company intranet and had our phishing domain automagically signed by the company CA. I suggest that you check for this vulnerability yourself by trying to visit a site which you know has an invalid (e.g. expired, or incorrect domain) certificate and seeing if the connection succeeds.
– Polynomial
Mar 25 at 23:23
Amazing! I feel like pen-testing is a missed calling.
– Scuba Steve
Mar 25 at 23:30
2
FWIW even if 1.3 would allow static-RSA, it changes the key derivation to include the whole handshake (not just premaster+nonces) and MITM couldn't make those equal. This is similar to rfc7627 which fixes 'triple handshake' for 1.2, except that is optional and so MITM can force it off.
– dave_thompson_085
Mar 25 at 23:53
add a comment |
Yes, they can MitM the traffic this way, using an internal certificate authority. There are two primary ways in which the MitM can work.
The first is to simply turn the edge gateway into a proxy, whereby TLS connections are made from the gateway to the server, and the gateway then generates server certificates on the fly from an internal CA in order to impersonate the remote server. Your system trusts the CA, so it trusts the server certificate.
The second is a slightly different take on the first. The gateway proxies the traffic similarly to the first method, except it only advertises static RSA cipher suites to the remote server. The reason for doing this is performance. With a static RSA key exchange (i.e. not Diffie-Hellman) the gateway can split the handshake as before in order to provide the client with a certificate generated via the internal CA, but instead of decrypting the content on the gateway and then re-encrypting it before proxying, it simply passes the same session key between the client and server. This way the gateway only has to decrypt the traffic once, using the captured session key, and never needs to re-encrypt it in order to proxy the traffic between client and server. This trick no longer works in TLS 1.3 as static RSA key exchange was removed.
Generally speaking this kind of TLS inspection is fairly commonplace in large organisations, particularly financials. Deploying it on BYOD devices is somewhat common, although you should consider the privacy and security implications that might arise from installing your company's internal CA certificate on your device. You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys, because if not then your device is liable to be MitM'ed by an attacker.
answered Mar 25 at 23:19
PolynomialPolynomial
102k36249342
" You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys." Yes exactly, I had the same thought myself.
– Scuba Steve
Mar 25 at 23:21
15
As an aside, I once assessed a TLS inspection gateway product which re-signed all HTTPS connections using the internal CA, even if the remote certificate was invalid. This allowed for a particularly effective phishing campaign in which we impersonated the company intranet and had our phishing domain automagically signed by the company CA. I suggest that you check for this vulnerability yourself by trying to visit a site which you know has an invalid (e.g. expired, or incorrect domain) certificate and seeing if the connection succeeds.
– Polynomial
Mar 25 at 23:23
Amazing! I feel like pen-testing is a missed calling.
– Scuba Steve
Mar 25 at 23:30
2
FWIW even if 1.3 would allow static-RSA, it changes the key derivation to include the whole handshake (not just premaster+nonces) and MITM couldn't make those equal. This is similar to rfc7627 which fixes 'triple handshake' for 1.2, except that is optional and so MITM can force it off.
– dave_thompson_085
Mar 25 at 23:53
add a comment |
Yes, they can MitM the traffic this way, using an internal certificate authority. There are two primary ways in which the MitM can work.
The first is to simply turn the edge gateway into a proxy, whereby TLS connections are made from the gateway to the server, and the gateway then generates server certificates on the fly from an internal CA in order to impersonate the remote server. Your system trusts the CA, so it trusts the server certificate.
The second is a slightly different take on the first. The gateway proxies the traffic similarly to the first method, except it only advertises static RSA cipher suites to the remote server. The reason for doing this is performance. With a static RSA key exchange (i.e. not Diffie-Hellman) the gateway can split the handshake as before in order to provide the client with a certificate generated via the internal CA, but instead of decrypting the content on the gateway and then re-encrypting it before proxying, it simply passes the same session key between the client and server. This way the gateway only has to decrypt the traffic once, using the captured session key, and never needs to re-encrypt it in order to proxy the traffic between client and server. This trick no longer works in TLS 1.3 as static RSA key exchange was removed.
Generally speaking this kind of TLS inspection is fairly commonplace in large organisations, particularly financials. Deploying it on BYOD devices is somewhat common, although you should consider the privacy and security implications that might arise from installing your company's internal CA certificate on your device. You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys, because if not then your device is liable to be MitM'ed by an attacker.
answered Mar 25 at 23:19
PolynomialPolynomial
102k36249342
Yes, they can MitM the traffic this way, using an internal certificate authority. There are two primary ways in which the MitM can work.
The first is to simply turn the edge gateway into a proxy, whereby TLS connections are made from the gateway to the server, and the gateway then generates server certificates on the fly from an internal CA in order to impersonate the remote server. Your system trusts the CA, so it trusts the server certificate.
The second is a slightly different take on the first. The gateway proxies the traffic similarly to the first method, except it only advertises static RSA cipher suites to the remote server. The reason for doing this is performance. With a static RSA key exchange (i.e. not Diffie-Hellman) the gateway can split the handshake as before in order to provide the client with a certificate generated via the internal CA, but instead of decrypting the content on the gateway and then re-encrypting it before proxying, it simply passes the same session key between the client and server. This way the gateway only has to decrypt the traffic once, using the captured session key, and never needs to re-encrypt it in order to proxy the traffic between client and server. This trick no longer works in TLS 1.3 as static RSA key exchange was removed.
Generally speaking this kind of TLS inspection is fairly commonplace in large organisations, particularly financials. Deploying it on BYOD devices is somewhat common, although you should consider the privacy and security implications that might arise from installing your company's internal CA certificate on your device. You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys, because if not then your device is liable to be MitM'ed by an attacker.
answered Mar 25 at 23:19
PolynomialPolynomial
102k36249342
answered Mar 25 at 23:19
PolynomialPolynomial
102k36249342
answered Mar 25 at 23:19
PolynomialPolynomial
102k36249342
answered Mar 25 at 23:19
PolynomialPolynomial
102k36249342
102k36249342
" You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys." Yes exactly, I had the same thought myself.
– Scuba Steve
Mar 25 at 23:21
15
As an aside, I once assessed a TLS inspection gateway product which re-signed all HTTPS connections using the internal CA, even if the remote certificate was invalid. This allowed for a particularly effective phishing campaign in which we impersonated the company intranet and had our phishing domain automagically signed by the company CA. I suggest that you check for this vulnerability yourself by trying to visit a site which you know has an invalid (e.g. expired, or incorrect domain) certificate and seeing if the connection succeeds.
– Polynomial
Mar 25 at 23:23
Amazing! I feel like pen-testing is a missed calling.
– Scuba Steve
Mar 25 at 23:30
2
FWIW even if 1.3 would allow static-RSA, it changes the key derivation to include the whole handshake (not just premaster+nonces) and MITM couldn't make those equal. This is similar to rfc7627 which fixes 'triple handshake' for 1.2, except that is optional and so MITM can force it off.
– dave_thompson_085
Mar 25 at 23:53
add a comment |
" You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys." Yes exactly, I had the same thought myself.
– Scuba Steve
Mar 25 at 23:21
15
As an aside, I once assessed a TLS inspection gateway product which re-signed all HTTPS connections using the internal CA, even if the remote certificate was invalid. This allowed for a particularly effective phishing campaign in which we impersonated the company intranet and had our phishing domain automagically signed by the company CA. I suggest that you check for this vulnerability yourself by trying to visit a site which you know has an invalid (e.g. expired, or incorrect domain) certificate and seeing if the connection succeeds.
– Polynomial
Mar 25 at 23:23
Amazing! I feel like pen-testing is a missed calling.
– Scuba Steve
Mar 25 at 23:30
2
FWIW even if 1.3 would allow static-RSA, it changes the key derivation to include the whole handshake (not just premaster+nonces) and MITM couldn't make those equal. This is similar to rfc7627 which fixes 'triple handshake' for 1.2, except that is optional and so MITM can force it off.
– dave_thompson_085
Mar 25 at 23:53
" You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys." Yes exactly, I had the same thought myself.
– Scuba Steve
Mar 25 at 23:21
" You need to ask yourself whether you trust that your IT security team is likely to be able to protect the signing keys." Yes exactly, I had the same thought myself.
– Scuba Steve
Mar 25 at 23:21
15
15
As an aside, I once assessed a TLS inspection gateway product which re-signed all HTTPS connections using the internal CA, even if the remote certificate was invalid. This allowed for a particularly effective phishing campaign in which we impersonated the company intranet and had our phishing domain automagically signed by the company CA. I suggest that you check for this vulnerability yourself by trying to visit a site which you know has an invalid (e.g. expired, or incorrect domain) certificate and seeing if the connection succeeds.
– Polynomial
Mar 25 at 23:23
As an aside, I once assessed a TLS inspection gateway product which re-signed all HTTPS connections using the internal CA, even if the remote certificate was invalid. This allowed for a particularly effective phishing campaign in which we impersonated the company intranet and had our phishing domain automagically signed by the company CA. I suggest that you check for this vulnerability yourself by trying to visit a site which you know has an invalid (e.g. expired, or incorrect domain) certificate and seeing if the connection succeeds.
– Polynomial
Mar 25 at 23:23
Amazing! I feel like pen-testing is a missed calling.
– Scuba Steve
Mar 25 at 23:30
Amazing! I feel like pen-testing is a missed calling.
– Scuba Steve
Mar 25 at 23:30
2
2
FWIW even if 1.3 would allow static-RSA, it changes the key derivation to include the whole handshake (not just premaster+nonces) and MITM couldn't make those equal. This is similar to rfc7627 which fixes 'triple handshake' for 1.2, except that is optional and so MITM can force it off.
– dave_thompson_085
Mar 25 at 23:53
FWIW even if 1.3 would allow static-RSA, it changes the key derivation to include the whole handshake (not just premaster+nonces) and MITM couldn't make those equal. This is similar to rfc7627 which fixes 'triple handshake' for 1.2, except that is optional and so MITM can force it off.
– dave_thompson_085
Mar 25 at 23:53
add a comment |
What certificates did he install? Was it a root CA certificate? It could have just been a certificate to authenticate the radius server which is used to authorize access to the wifi. Different certificates do different tasks.
– Daisetsu
Mar 25 at 23:09
2
Oh, I see. Yes that is possible and it's not rare. They're called TLS interception proxies.
– Daisetsu
Mar 25 at 23:15
1
tlseminar.github.io/tls-interception look at the section titled "How SSL/TLS interception works"
– Daisetsu
Mar 25 at 23:20
1
It's important to distinguish between two major classes of certificates, CA certificates (used to identify servers to you) and client certificates (used to identify you to the corporate network).
– chrylis
Mar 26 at 3:33
1
There are at least 3 reasons why a WiFi might require a CA to be installed, you would check in detail why: a) as the users client authentication, b) as a trusted Radius Server certificate for Enterprise-WPA or VPN, c) as a fake root CA for MitM. The later one is however pretty risky on personal devices as it might endanger them outside company use.
– eckes
Mar 26 at 5:08