Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi,
I'm currently looking into intercepting SSL traffic at our company to prevent data leakage and to protect against malware / botnets that use HTTPS to communicate with their command center. I came across WebWasher in the following blog post and was wondering if there was an open source solution that would give me similar results:
* intercepts and deciphers the SSL connection while it's outgoing
* inspects the unencrypted traffic. If it's okay, it regenerates an SSL connection to the target system
* to keep it transparent to users, it generates a certificate with the CN of the target site and signs it with the organization's CA, which is trusted by users' web browsers.
Yes, you can filter all things to use "your" SSL certificate, but this will break quite a lot of things that like to use SSL certificates - basically anything that properly verifies the certificate chain - some browsers will go ape at tricks like this, and some secure update mechanisms etc. will stop working. Not to mention that lots of things use SSL as a "wrapper" around their usual communications, so you may find that a lot of stuff like some VPNs, update tools, etc. will just freak out at such shenanigans.
Additionally, that's a LOT of CPU overhead on the middle-man server.
Much easier and simpler is to block SSL connections entirely - this means layer-7 packet classifiers etc. and a black/whitelist of sites that are "allowed". That way anything that tries to use SSL to connect anywhere will be blocked unless you've specifically allowed the source/destination/user to do so. That stops your "information leakage" problem without leaving yourself liable to all sorts of problems that come from trying to proxy secure traffic.
Not to mention that it's a highly-suspect policy to routinely intercept and read all secure communications, whether the users are warned or not.
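To make the per-site certificate step in the original post concrete, and to show why the previous reply expects chain-verifying clients to break, here is an added example that is not code from the thread, from WebWasher or from any of the products named: it creates an organisation CA with the openssl command line, mints a leaf certificate for a target hostname signed by that CA, then runs the chain and hostname check a verifying client would, once against the default trust store and once with the org CA trusted. The hostname www.example.com, the subject names, the temp paths and an openssl 1.1+ install with its standard config are assumptions.

```shell
# Added example, not code from the thread or from WebWasher: the per-site
# certificate step of an interception proxy, reproduced with the openssl CLI,
# plus the checks a chain-verifying client runs. Assumes openssl 1.1+ with its
# standard config; the names and paths below are made up for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# 1. The organisation's private CA (what gets pushed into users' browser stores).
make_org_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Corp/CN=Example Corp Interception CA" \
        -keyout "$WORK/orgca.key" -out "$WORK/orgca.pem" >/dev/null 2>&1
}

# 2. What the proxy does per outgoing connection: mint a leaf certificate
#    carrying the target's name and sign it with the org CA. $1 = hostname.
mint_leaf_for() {
    host=$1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" >"$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/orgca.pem" \
        -CAkey "$WORK/orgca.key" -CAcreateserial -days 30 \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" >/dev/null 2>&1
}
# 3. The check a properly verifying client performs: build a chain to a
#    trusted CA and match the hostname. $1 = hostname, $2 = extra CA file
#    (optional; without it only the system's default store is consulted).
verify_chain() {
    if openssl verify ${2:+-CAfile "$2"} -verify_hostname "$1" \
            "$WORK/$1.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}
# 4. Who issued the certificate the client actually received: comparing this
#    with the expected public CA is the quickest way to spot interception.
issuer_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -issuer
}
# Demo: the default (public CA) store rejects the minted certificate; it is
# accepted only once the org CA itself is trusted.
make_org_ca
mint_leaf_for www.example.com
echo "default trust store: $(verify_chain www.example.com)"
echo "org CA trusted:      $(verify_chain www.example.com "$WORK/orgca.pem")"
issuer_of www.example.com
```

The "untrusted" result is exactly what an update tool or VPN client that pins or strictly validates the chain sees, which is why those break unless the org CA is installed in their own trust store.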
If I may add some advice, as I just got done demoing the WebWasher along with many other products that do SSL.
The current products that do SSL interception well are Ironport S650, WebWasher, and Bluecoat SG. With that said, they all run about $25-$30K each.
The cert does not use all the information from the target site. You have to put a trusted cert on the box. I have an entire 20 page report that I did on all the different products for work. I will try and scrub the report of company info and share it with everyone.
The Bluecoat quote I received yesterday was $7,000.00 for the Appliance. But we are a small environment and licensing is user based so that cost could increase rather rapidly. Just didn't want anyone to think that $25K was always the starting point for these appliances.
That being said I would LOVE to see that report you put together slimm609, as I am preparing to purchase one of these units in the very near future.
I found this thread very interesting, but I am somehow confused; perhaps someone can explain.
Doesn't SSL use asymmetric encryption? This means that the client uses the server's public key to encrypt, and data can only be decrypted with the server's private key. Is it possible to decrypt without the private key?
Thank you
Later: hmm, it seems that only the authentication is done with public/private keys; the data transfer is encrypted using symmetric encryption - the shared secret.