[TriLUG] Semi-OT: Detecting HTTPS inspection? Does that compromise SSH?

Chris Merrill chris at webperformance.com
Mon Jun 2 16:31:57 EDT 2014


On 6/2/2014 4:08 PM, Brian wrote:
> Reading that I've done so far suggests that HTTPS inspection is achieved via a MITM attack; doing so
> without detection involves various manoeuvres involving CAs and such.  So my browser could be
> quietly accepting the MITM-ed HTTPS sessions if IT has already told it to accept the different cert.

Installing individual certificates would be one way. Our product does something similar to
record the HTTP messages on a secure channel for testing purposes.  It does it by installing a
CA certificate (with the user's permission) into their browser(s).  It then acts as a proxy
to the browser and for each host the tester browses to, it generates a new server cert which is
signed with the CACert that we created. That key is used on the proxy side of the client-to-proxy
connection, while our product communicates securely with the host using a separate secured
connection.  Our traffic recorder is the MITM.

(in case you're wondering, the CACert is generated locally and uniquely for that specific user,
so neither we nor other users of the software can compromise their traffic without first gaining
access to the generated private key for the CACert).


> Seems like a MITM attack could also be used with an SSH session, but I don't know enough about it to
> feel certain.  What I've done so far is verify that my client does see the correct RSA fingerprint
> of the intended server.  Is that enough for me to feel confident in the security of my SSH tunneled
> traffic from our IT department's prying eyes?

I'm no security expert, but it seems that they would need to install a CACert on your
machine, like my above example, in order to execute a MITM without your client complaining
about the certificate used to encrypt the session.  Well, that or leverage an existing
security flaw.

I'll be interested to hear what someone with actual security knowledge has to say.

Chris



-- 
------------------------------------------------------------------------ -
Chris Merrill                           |  Web Performance, Inc.
chris at webperformance.com                |  http://webperformance.com
919-433-1762                            |  919-845-7601

Web Performance: Website Load Testing Software & Services
------------------------------------------------------------------------ -

