5

Proxy servers often inspect HTTPS packets. They decrypt the client's HTTPS traffic, inspect it, encrypt it again and send it to the destination server.

The proxy server injects its own CA certificate into the client's PC to snoop on their encrypted internet traffic. So basically there is no point left in sending/receiving packets over secured sockets, because in any case they will be decrypted and read in the middle.

It also means that the proxy server can perform Man-In-The-Middle attacks and invade the privacy of clients.

How can this be prevented, and how can that proxy server be blocked from injecting those certificates into clients' PCs?

Basically I want that proxy server to become useless each time I send/receive HTTPS traffic. That injected certificate is the keyhole for that proxy.

Jeroen
defalt
  • You need to ask yourself whether the risks of doing this outweigh the risks of it happening. You are almost certainly at least breaking your Ts&Cs and AUP. If this is your employer, you open yourself up to dismissal for gross misconduct. In some countries (USA in particular), you are probably even breaking the law (bypassing legitimate security). – Julian Knight Sep 11 '16 at 10:05

4 Answers

3

The only thing I can think of is to create an SSH tunnel through the proxy server. Some proxies might allow this, others don't. So this is not a solution for all types of proxy servers.

For example:

  1. Configure the SSH daemon to run on TCP port 443 and reload the service.
  2. Configure Putty to use a session to your home machine or VPS. Make sure to use 443 as the port.

    (image: Configure a Putty Session)

  3. Configure Putty to connect through the proxy server; you need to know these settings.

    (image: Putty proxy settings)

  4. Now configure a Tunnel; this is required to route all your internet traffic through the tunnel. Let's use port 8080 to bind to your local machine. Make sure the radio buttons look like the image below and click "Add".

    (image: SSH Tunnel Configuration)

Now configure your browser to use the local proxy server that is listening on TCP/8080. All HTTP traffic will now be forwarded through the tunnel, bypassing the inspection. However, they might see that SSH traffic is being transmitted.

NOTE: In cases where group policies are enforced and the proxy server settings cannot be modified, it is recommended to download (or bring a USB stick) a portable version of Firefox.

Jeroen
  • Be very careful that you don't fall foul of the acceptable use, Ts&Cs, etc. Because this is likely banned behaviour and may even be considered illegal in some territories. – Julian Knight Sep 11 '16 at 10:10
2

A client does not blindly trust a CA sent within the TLS connection. It trusts only the root CAs stored locally, and any certificate/CA has to be directly or indirectly issued by these trusted CAs. That means it will not work if a proxy just creates a new certificate and sends its own root CA together with the certificate. Instead, this proxy CA has to be explicitly installed into the browser/OS.

Thus, while you cannot stop a proxy from intercepting and modifying the TLS connection, this modification will be detected immediately and the connection will be stopped before any data is transferred. Only if you explicitly trust the proxy by importing the proxy CA is TLS interception possible.

If you instead ask how to bypass the SSL interception in the proxy, or how to bypass the proxy at all: questions which ask how to bypass existing security policies are off-topic here.

Steffen Ullrich
  • Is it possible for the proxy server to capture that certificate which is meant for the client and then send it to the client after reading the decryption keys? Destination server sending encryption/decryption keys -> proxy -> proxy capturing keys -> proxy reading keys for snooping -> now sending to client. Is this possible? – defalt Sep 11 '16 at 09:45
  • Unless a destination uses Certificate Pinning, sadly your browser will indeed assume that a valid certificate is valid and will not raise any alarms. Assuming a decent security system that is properly configured. – Julian Knight Sep 11 '16 at 10:08
  • @user334283: the proxy cannot just take the original certificate. The handshake will fail because the proxy will be unable to prove that it owns the original certificate, because it has no access to its private key. I really recommend that you study [How does SSL/TLS work](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) to understand why MITM will be detected by the client. – Steffen Ullrich Sep 11 '16 at 10:16
  • @JulianKnight: I have no idea what you refer to, but if you explicitly import the proxy CA as trusted into the browser, all browsers will disable certificate pinning if the certificate is signed by the explicitly added CA. – Steffen Ullrich Sep 11 '16 at 10:20
  • Are you sure on that? My understanding of certificate pinning was that the site essentially says 'never accept any other certificate for this site'\* - even if the cert is otherwise valid (signed by a CA the browser believes is valid), it's still rejected. \*may be a list of certs, to allow for e.g. certs expiring. – SomeoneSomewhereSupportsMonica Sep 11 '16 at 11:01
  • @SomeoneSomewhere: yes I'm sure. See also http://security.stackexchange.com/a/104891/37315 or http://security.stackexchange.com/questions/129266/is-ssl-interception-possible-without-disabling-public-key-pinning-on-the-client/129290#129290 or just try it. – Steffen Ullrich Sep 11 '16 at 12:06
  • @user334283: I think you are missing some very basic concepts. Again, please study [How does SSL/TLS work](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) first because it makes no sense to explain all this here again. And/or read [wikipedia: Root Certificate](https://en.wikipedia.org/wiki/Root_certificate) – Steffen Ullrich Sep 12 '16 at 03:41
  • @SteffenUllrich HTTP Public Key Pinning and HSTS are not the same thing. – SomeoneSomewhereSupportsMonica Sep 12 '16 at 06:46
  • @SomeoneSomewhere: I know, and I never claimed that they are the same. If you refer to the two links I gave you: both are talking about pinning (HPKP), even though one is talking about HSTS too. – Steffen Ullrich Sep 12 '16 at 08:22
  • @user334283: this question is far away from your original one. Please don't ask new questions in the comments. You might ask a new question, but unless you make it really clear which part of the existing posts you don't understand, you can expect it to be closed quickly as a duplicate question. – Steffen Ullrich Sep 12 '16 at 09:03
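The trust rule described in this answer and its comments, as an added example that is not part of the original post: a toy Python model of certificate-chain validation (no real cryptography; signatures and private-key possession are modelled by matching constructed key ids) that runs the four cases discussed above, including the proxy CA sent in-band, the proxy CA installed locally, and the proxy replaying the real certificate without its private key.

```python
# Added example (not from the original post): a toy model of TLS chain
# validation, showing why a proxy CA only works once it sits in the client's
# LOCAL trust store, and why replaying the real site certificate fails
# without its private key. All names and key ids below are constructed.

def cert(subject, issuer, key, signed_with):
    """Toy certificate: subject, issuer, the public key it carries, and the
    key that produced its signature (a signature is just 'signed with X')."""
    return {"subject": subject, "issuer": issuer, "key": key, "sig": signed_with}

def chain_is_trusted(chain, trust_store):
    """Leaf -> intermediates: each cert must be signed by the next one's key.
    The last cert must be a locally trusted root or be signed by one; a CA
    the peer merely sends in-band is never trusted on its own say-so."""
    for cur, nxt in zip(chain, chain[1:]):
        if cur["issuer"] != nxt["subject"] or cur["sig"] != nxt["key"]:
            return False
    last = chain[-1]
    return ((last["subject"], last["key"]) in trust_store
            or (last["issuer"], last["sig"]) in trust_store)

def handshake_ok(chain, peer_private_key, trust_store):
    """Chain must validate AND the peer must prove it holds the private key
    matching the leaf (the TLS key exchange / CertificateVerify step)."""
    return (chain_is_trusted(chain, trust_store)
            and chain[0]["key"] == peer_private_key)

PUBLIC_STORE = {("Public Root CA", "root-key")}  # the client's own root store
STORE_WITH_PROXY_CA = PUBLIC_STORE | {("Proxy CA", "proxy-ca-key")}  # pushed by an admin

site_leaf = cert("example.com", "Public Root CA", "site-key", "root-key")
proxy_ca = cert("Proxy CA", "Proxy CA", "proxy-ca-key", "proxy-ca-key")
proxy_leaf = cert("example.com", "Proxy CA", "fake-site-key", "proxy-ca-key")

def scenarios():
    """True = connection proceeds, False = the client aborts the handshake."""
    return {
        # Direct connection to the real server.
        "genuine": handshake_ok([site_leaf], "site-key", PUBLIC_STORE),
        # Proxy mints its own cert and sends its CA in-band: rejected.
        "proxy_ca_in_band": handshake_ok(
            [proxy_leaf, proxy_ca], "fake-site-key", PUBLIC_STORE),
        # Same chain, but the proxy CA was installed locally: interception works.
        "proxy_ca_installed": handshake_ok(
            [proxy_leaf, proxy_ca], "fake-site-key", STORE_WITH_PROXY_CA),
        # Proxy forwards the real certificate but cannot prove the private key.
        "replayed_real_cert": handshake_ok([site_leaf], "proxy-key", PUBLIC_STORE),
    }
```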
2

Don't try to bypass the security put in place by the owner of the network.

Instead, don't use that network. If, for example, you have decent mobile coverage and a good data plan, use that when you need to do something that the network owner doesn't allow.

Julian Knight
1

That certificate only gets into your OS/browser if you (or someone else) manually accept it, or load it in (e.g. as a Group Policy). It's not as simple as the server 'injecting' it.

Be wary of PCs where another person has, or has had, admin access.

If a big red warning comes up saying someone might be trying to intercept your traffic... don't just click 'continue'.

  • Most of the PPPoE connections are designed in such a way that the client won't be given internet access unless it accepts the certificate. Management in offices and campuses use it for monitoring HTTPS web services. Is there any way to delete that certificate after accepting it for internet access? – defalt Sep 11 '16 at 09:39
  • No, then you lose internet access. You'd need to either a) Use another internet connection, or b) use another layer of encryption (e.g. a VPN or SSH tunnel) so that they strip the outer layer, but still don't get any useful data. – SomeoneSomewhereSupportsMonica Sep 11 '16 at 09:45
  • Okay! That makes sense. So that's how a VPN is able to bypass firewall filtering. – defalt Sep 11 '16 at 10:44