Links

Ben Laurie blathering


Can Phorm Intercept SSL?

Someone asked me to comment on a thread over at BadPhorm on SSL interception.

In short, the question is: can someone in Phorm’s position decrypt SSL somehow? The fear is driven by the existence of appliances that do just this. But these appliances need to do one of two special things to work.

The first possibility is where the appliance is deployed in a corporate network to monitor traffic going from browsers inside the corporation to SSL servers outside. In this case, what you do is you have the SSL appliance act as a CA, and you install its CA certificate in each browser’s store of trusted CAs. Then when the appliance sees an SSL request go past it quickly creates (some would say “forges”) a certificate for the server the request is destined for and instead of routing the connection on to the real server, instead answers it itself, using the newly created certificate. Because the browser trusts the appliance’s CA this all looks perfectly fine and it will proceed without a warning. The appliance then creates an outgoing connection to the real server and acts as a proxy between the browser and server, thus getting access to the plaintext of the interaction.

I’d note in passing that in Netronome’s diagram they show a “trust relationship” between the webserver and the SSL appliance. This is not correct. There need be no relationship at all between the webserver and the appliance – indeed it would be fair to say that many a webserver operator would view what the appliance is doing as downright sneaky. Or dishonest, even.

But, in any case, inside the corporation this behaviour seems fair enough to me – they’re paying for the browser, the machine it runs on, the network connection and the employee’s time. I guess they have a right to see the data.

Could Phorm do this? Well, they could try to persuade anyone stupid enough to install a CA certificate of theirs in their browser, and then yes, indeed, this trick would work for them. More of the story: don’t install such certificates. Note that last time I looked if you wanted to register to do online returns for VAT you had to install one of these things. Oops!

Or, they could get certified as a CA and get automatically installed in everyone’s browser. I’m pretty sure, however, that such a use of a CA key would find them in breach of the conditions attached to their certification.

So, in short, Phorm can only do this to people who don’t understand what’s going on – i.e. 99% of Internet users. But not me.

The second scenario is to deploy the SSL interception appliance at the webserver end of the network (at least, this is how its usually done), and have it sniff incoming connections to the webserver. However, to break these connections it needs to have a copy of the webserver’s private key. I’m reasonably confident that the vast majority of webserver operators will not be handing over their private keys to Phorm, so even “99%” users are safe from this attack.

By the way, if you want to see this one in action, then you can: the excellent network sniffer, Wireshark, can do it. Full instructions can be found here. No need to buy an expensive appliance.

6 Comments

  1. -I think some of the IM intercept tools (from symantec and others) have to do CA subversion too, otherwise they can’t sanitise IM conversations made over HTTPS. Again, they are enterprise toys that are designed to secure IM without banning it; pushing out a custom CA is something the enterprises can do. They also have to subvert DNS behind the firewall, so an nslookup of(talk.google.com) gets routed to their service, so there really is no way to bypass their filters. Whoever came up with the product clearly doesnt believe in XMPP as an app to app protocol.

    Comment by Steve Loughran — 27 Apr 2008 @ 15:38

  2. Hell Ben, this is a follow up to a comment I made on the badphorm.co.uk forum. The original poster suggested it might be an idea to copy comments here.

    I summarised this blog posting for another forum member. I interpreted your answer in a nutshell as meaning there is not a practical method for Phorm to profile SSL traffic. However I note your caveat about user’s being likely to misinterpret certificate warnings and click anything.

    I suggested your concern about the tax office system may be in error. I think it’s a personal identification certificate they want you to install, it’s not a new root CA.

    Regards

    PhormalWarning

    Comment by PhormalWarning — 27 Apr 2008 @ 19:38

  3. […] Laurie has been writing terrific posts on the Phorm/BT abomination. His latest, which you can read here, discusses the issue of how Phorm could, in theory, inspect the contents of HTTPS […]

    Pingback by Phorm and SSL « Identity Blogger — 28 Apr 2008 @ 16:49

  4. […] recently read an excellent article by Ben Laurie that proposes methods that evil companies like Phorm could use to intercept SSL […]

    Pingback by The prattlings of Steve Crook » Blog Archive » Who do I trust? — 8 May 2008 @ 16:33

  5. http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/9c0cc829204487bf?pli=1

    Comment by NoPhormFodder — 28 Dec 2008 @ 18:41

  6. The [B] “SSL Inspection” [/B] appliance URL has changed. The address for the PDF specification sheet is
    http://www.ssl-inspector.com/files/file/SSL%20Inspector%20Appliance%20Data%20Sheet%20(5-08).pdf

    0.5Mb PDF

    Comment by Badphormula — 6 May 2009 @ 20:44

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress