Wednesday, December 3, 2008

All Your HTTPS Packets Are Belong To Us

Occasionally, I have to work on a restricted network, whether I'm connected via VPN to a remote desktop or directly to the network itself.

I'm also, at times, in the position of needing to retrieve something from my company e-mail account, and for whatever reason (productivity drain, or virus infections from pointy-haired users) the network proxy automatically blocks access to any site with the word "mail" in its domain name.

One of the easiest ways to get around this is to just use HTTPS, because all your traffic to the remote server is encrypted before it is sent on the network. Only the remote server can decrypt your packets, and anyone who intercepts them sees what looks like garbage. The domain name of the server is among the information inside those encrypted packets, because with HTTP 1.1 the domain name is sent as an HTTP header (the Host header). So the automatic proxy filter is out of luck, and I am free to access my e-mail account. (Proxies could of course block by IP address, but that just causes a mess.)

It turns out that some network proxies will automatically generate fake SSL certificates for every secure site that you access. (This is probably old news to network administrators.) The certificates look legitimate and include the correct name of the site, but the issuing authority is the proxy device on the network. I can't say this is shocking to me; I always knew it was possible, I just hadn't encountered it in the real world.

I suppose that normally the network administrator would have installed the proxy's root certificate on every machine on the network, but in my case I pulled up a site whose certificate matched the site I was accessing but was issued by an authority I don't trust (i.e. the network proxy). Hmm...
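The forged-certificate situation described above, as an added example that is not part of the original post: the script builds a throwaway interception CA with the openssl command-line tool (assumed to be installed), signs a leaf certificate for a constructed hostname, and shows that validation fails on a machine that never received the proxy's root but passes once that root is in the trust store. The hostname and CA name are constructed, not real.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is on PATH.
# It mints a throwaway "proxy CA" and a leaf certificate for a constructed
# hostname, then shows that the leaf verifies only when that CA is trusted.
set -e
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
HOST="mail.example.test"               # constructed hostname, not a real site
CA_NAME="Corp Interception Proxy CA"   # constructed issuer name

# Minimal OpenSSL config so the example does not depend on the host's openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$WORK/cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >> "$WORK/cnf"
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"

# 1. The interception device's own root CA (self-signed).
openssl req -x509 -config "$WORK/cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=$CA_NAME" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. A forged leaf that carries the real site's name but is signed by that CA;
#    this is what the browser is actually handed.
openssl req -new -config "$WORK/cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=$HOST" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" -extfile "$WORK/leaf.ext" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/leaf.pem" 2>/dev/null

# What a user sees in the certificate dialog: the name matches, the issuer does not.
leaf_subject() { openssl x509 -noout -subject -in "$WORK/leaf.pem"; }
leaf_issuer()  { openssl x509 -noout -issuer  -in "$WORK/leaf.pem"; }

# 3a. A machine that never received the proxy root: check against the host's
#     default trust store, which cannot contain a CA minted seconds ago.
verify_without_proxy_root() {
  if openssl verify -verify_hostname "$HOST" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}
# 3b. A managed machine where the admin pushed the proxy root: same leaf, now trusted.
verify_with_proxy_root() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$HOST" \
       "$WORK/leaf.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

echo "subject: $(leaf_subject)"
echo "issuer:  $(leaf_issuer)"
echo "default trust store: $(verify_without_proxy_root)"
echo "with proxy root:     $(verify_with_proxy_root)"
```

The only difference between the two verification results is whether the proxy's root sits in the trust store, which is exactly what an administrator pushes to managed machines and what was missing on the author's.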

Any normal user wouldn't have understood what was going on, but I was immediately suspicious that my machine had been compromised by some virus, or that the remote site had been compromised for phishing purposes. I'm glad that neither was true, but I'm left yet again with my confidential information exposed in the name of security.

Think that your credit card number, SSN, personal information, etc. are safe because you're using a secure connection? Think again. The network administration team is reading everything that you send to the secure site: the classic man-in-the-middle attack. As always, the weakest link in the chain will be a human being, and now more human beings have access to your information.

It's a brave new world.
