Enterprise firewalls are man-in-the-middling HTTPS sessions like crazy, and weakening security

interesting, I didn’t know this. do you have a RFC or similar documentation at hand? I thought I had a rather good encryption stuff overview, but was obviously wrong : )

1 Like

I may be wrong as well, so it is on me to provide evidence. Be back in a few.

1 Like

Interesting. I asked, in part, because I’ve been futzing with my own little paranoia-box setup; and since some of the devices and programs that I distrust aren’t quite terrible enough to just spew plaintext anymore(and since I want to do ad-blocking and such on the server side when my phone VPNs in, rather than doing it on pitifully limited and battery constrained hardware with software that is fairly hostile to advanced configuration); this is going to involve MiTM-ing of some of my own traffic; but it would be a really, really, ugly irony if I ended up with a setup that takes SSL situations that should make me run away screaming; and quietly rewrites them to look precisely as respectable as every other SSL connection rewritten by my MiTM.

Insecurity is bad enough; but when your ‘security’ mechanisms cause it; that just stings.

2 Likes

Okay, I am both right and wrong. Fancy that, security is hard :slight_smile:

http://nginx.org/en/docs/http/configuring_https_servers.html

The bundle doesn’t explicitly contain weak ciphers, but is concatenated with certs that can.

2 Likes

I still don’t exactly get it. yes, the cert can be of different - and more or less unsecure - signature types (RSA,DSA, the funny EC stuff I never was able to wrap my head around) but this is “only” used for the KEX.

maybe we’re using “cipher” differently? within the TLS world for me a cipher is the symmetric encryption used after the handshake was completed successfully and client and server negotiated the connection parameters.


eta: and this is the server-side of the deal. so with a weak cert the connection frominternal client to MitM box can be b0rken, but this does not influence the internet side of the connection (MitM box as TLS client to the real server)

1 Like

Exchange, yes. But the initial exchange negotioates the next cipher.

1 Like

Oh, Cory. You really kicked a hornet’s nest here.

There’s nothing new or shocking here. There’s even a nice and boring name for this: SSL bridging.

I’ve typically seen this used for reverse proxy applications – in other words to protect resources in your intranet or DMZ that are exposed to the intranet from outside attackers but there’s no technical reason it can’t be used for forward proxy as well. I personally think it’s pretty insidious to use this for forward proxies versus reverse proxies (with a reverse proxy it has a legitimate purpose for DoS protection by being able to inspect payloads). However, when you’re on an Enterprise network, you’re playing by their rules. Expecting any sort of privacy is laughable.

I completely agree with @japhroaig’s assessment that the surefire way to cure insomnia is to start talking about certificates.

It’s kind of funny – by day I develop enterprise software and I frequently hear about how hard it is to get certificates configured and why can’t I do anything to “make it easier.” One thing I do to explain why is much like when a reporter asked Lyndon Johnson why troops were in Vietnam and he pulled out his penis to the reporter and said, “this is why”, I pull out my impressively sized 2" thick copy of “Windows Server 2003 PKI and Certificate Security” book, slap it on the table, and say “this is why.”

I have to explain that PKI is its own discipline and no two well-done implementations are likely to be identical. All I can do is tell you what my certificate requirements are but it’s up to you (or hopefully your security person) to make it a reality. I also have to explain having a poorly implemented PKI is perhaps worse than not having one at all because you’re going to think you’re secure when you’re actually not versus knowing you’re not secure from the get-go and acting accordingly.

I’ve been working with PKI stuff for over a decade now and I certainly wouldn’t consider myself an expert. I understand how it works, why it works the way it does, how to set up and configure it, and how to break it. I would also not want to put myself in the position as being “the guy that sets up your company’s PKI”. It’s a esoteric and fast moving discipline that’s completely mired in technical details and minutiae.

4 Likes

3 Likes

And to think some were sad I took a brief hiatus. I am back, and as obtuse and surlier than ever.

4 Likes

Count me among those who were sad. I’m glad to see you back again.

6 Likes

Eleventy?[quote=“ficuswhisperer, post:47, topic:94634”]
I pull out my impressively sized
[/quote]

Was hoping for a different followup…

4 Likes

This topic was automatically closed after 5 days. New replies are no longer allowed.