
07 February 2016

SSL interception - Man in the middle attack

How to check visually for the security of a site we are visiting
When we open a site, the browser's address bar shows whether the connection is secure (SSL), usually with a green padlock. Clicking the padlock shows detailed information about the SSL certificate the web site uses. If the certificate is an Extended Validation (EV) certificate, there is also an additional green area next to the padlock, which gives a quick visual indication that the site uses an EV certificate.
If our connection passes through a proxy, the proxy can intercept it: it starts the communication with the requested site on our behalf, reads all of the contents, re-signs them with a forged certificate and sends them to us. Normally the browser won't accept that certificate, because it has not been signed by the proper CA. But if someone has had access to the machine we are using, he may have installed an additional CA in the browser. That CA is then used to sign the forged certificate, our browser trusts it (because that person installed it there), and we see a green padlock in the address bar. What we would never see in that case is the additional green area in the address field. If we know that a domain uses an EV certificate, the missing green area is a quick visual check that alerts us that something is wrong with the certificate.






Comparing the certificate fingerprint.
To verify that the certificate a site presents is the actual certificate that was issued to that domain, we need to check the certificate fingerprint. For example, we can access the same site from another location/network that we know is secure, take the certificate fingerprint there and compare it with the one we get on the location/network we are checking, or we can use a site like 

which can provide us with the fingerprint.
In the browser we can click on the padlock (in the address bar) and select to see more information for the used certificate:



In that window we can choose to view the certificate and find out what its fingerprint is.
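The same comparison can be scripted. The following is an added example, not code from the original post: it assumes the fingerprint is the SHA-256 hash of the DER-encoded certificate, and the function names and the two constructed byte strings standing in for certificates are made up for the illustration.

```python
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(shown: str) -> str:
    """Turn 'AB:CD:..' or 'ab cd ..' as displayed by a browser into bare hex."""
    hexfp = shown.replace(":", "").replace(" ", "").strip().lower()
    if len(hexfp) != 64 or any(c not in "0123456789abcdef" for c in hexfp):
        raise ValueError("not a SHA-256 fingerprint: %r" % shown)
    return hexfp


def matches(der: bytes, reference: str) -> bool:
    """True when the presented certificate has the reference fingerprint."""
    return fingerprint(der) == normalize(reference)


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the certificate this network path presents for host.

    Validation is off on purpose: a re-signed certificate must be retrieved
    so it can be compared, whether or not the local trust store accepts it.
    Nothing else is sent over this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER bytes (not real certificates): the certificate
# seen from the trusted network, and one re-signed by an intercepting proxy.
GENUINE = b"constructed: certificate issued to the site"
FORGED = b"constructed: certificate re-signed by proxy CA"

if __name__ == "__main__":
    # usage: script.py <host> <reference fingerprint from the trusted network>
    host, reference = sys.argv[1], sys.argv[2]
    ok = matches(fetch_der(host), reference)
    print("fingerprint matches" if ok else "MISMATCH: certificate differs")
    sys.exit(0 if ok else 1)
```

A mismatch is a reason to look closer rather than proof of interception: a large site can serve different valid certificates from different servers, and the fingerprint changes whenever the certificate is renewed.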



