Odi's astoundingly incomplete notes
SSL Proxying
Yesterday I was at a customer's office. It's a rather large organization and they impose a lot of restrictions on internet access from within their offices. Naturally you have to go through a proxy to reach the internet with a web browser. Their network denies IMAP access. So I wanted to access my corporate email account through the webmail interface. The webmail uses https (SSL) of course. So I loaded up the login page and was greeted with a certificate warning. That is not normal. To save money, our webmail site uses a certificate signed by our private corporate certificate authority (CA), for which I have the root certificate installed. So there should not be a warning. So what could be the problem?
Inspection of the presented certificate quickly revealed the explanation. The certificate that I had received was not the one from our webmail server. Instead it was one crafted by the customer's proxy server and signed with their private corporate CA! Of course I don't have their root certificate installed (why should I trust them?).
Cheeky bastard! What this proxy is doing is spying on me! It is the perfect man-in-the-middle. It establishes an SSL tunnel between itself and our webmail server secured by the certificate of our webmail server. So it obtains all data in clear text. Then it uses a second tunnel between itself and my browser using the crafted certificate that claims to be from our webmail server. Of course this is exactly what certificates are meant to prevent in the first place! Their whole point is to ensure that the other end really is who it claims.
To make the situation completely absurd, they are probably doing this for security reasons. Whose security? Their own of course. So employees cannot bypass content filtering by using SSL. Of course employees get their CA certificate preinstalled and fully trusted on corporate computers. So they won't even notice that they are spied upon. Even if they did not install that, users are so used to clicking away certificate warnings that nobody would even bother. That's mostly caused by so many badly configured webservers on the net: admins who don't know that you need a certificate for each subdomain, and that virtual hosting has to be configured to deliver the right certificate for the right subdomain. And multi-domain certificates are not that common.
I should note that this is only possible because they are using a signature from a private CA. Any public CA would verify that the domain name belongs to the organization that wants to obtain a certificate for it. So you cannot buy a certificate for www.odi.ch - only I can. Also, obtaining public certificates would be a time-consuming and expensive procedure, of course.
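As an added example (not code from the original post), here is a stdlib-only check that does what the certificate inspection above did by hand: walk the DER of the certificate the client actually received and report whether its issuer is the CA known to sign the real server. The CA names and the certificate-shaped sample are constructed placeholders, not real certificates.

```python
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield the TLVs lying directly inside the value range [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def issuer_common_name(der):
    """Return the issuer commonName of a DER X.509 certificate (None if absent).
    Path: Certificate > tbsCertificate > [version] serial signature issuer."""
    _, cs, _ = _tlv(der, 0)                     # outer Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)                   # tbsCertificate SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                    # optional EXPLICIT [0] version
        fields = fields[1:]
    _, ns, ne = fields[2]                       # issuer Name: SEQUENCE OF RDN SET
    for _, rs, re_ in _children(der, ns, ne):
        for _, as_, ae in _children(der, rs, re_):      # AttributeTypeAndValue
            (_, os_, oe), (_, vs, ve) = list(_children(der, as_, ae))
            if der[os_:oe] == OID_COMMON_NAME:
                return der[vs:ve].decode("utf-8")
    return None

def interception_verdict(der, trusted_issuer_cns):
    """Return (ok, issuer_cn). Not ok means the certificate was signed by a CA
    other than the one known to sign the real server: the mark of an SSL proxy."""
    cn = issuer_common_name(der)
    return cn in trusted_issuer_cns, cn

def _der(tag, body):
    """Minimal DER encoder for the constructed sample below (short bodies only)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def sample_certificate(issuer_cn):
    """Constructed certificate-shaped DER: fields up to issuer are valid, the
    rest (validity, subject, key, signature) is omitted; it is not a real cert."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME)
                                           + _der(0x0C, issuer_cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")           # v3, serial
           + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSA
           + name)
    return _der(0x30, _der(0x30, tbs))
```

On a live connection the DER bytes come from `ssl.SSLSocket.getpeercert(binary_form=True)`; a verdict of not ok on a certificate issued by a CA you never installed is exactly the warning the browser raised.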
Luckily I'm using a Firefox that I installed myself - no surprise certificates in it! But I'm a software developer; I'm not sure everyone behind a corporate firewall has the luxury of installing a browser of their own choice.
Also, if my box had come with Firefox pre-installed, I would probably have been just as vulnerable as any other employee.