
I just read this about the security of Basic Authentication over SSL: Is BASIC-Auth secure if done over HTTPS?

And I don't get it. I just installed ProxyDroid (HTTP proxy) on my rooted Android device and started up BurpSuite on my Ubuntu machine.

The first request I saw was some Exchange ActiveSync call to a corporate server via SSL.

In this request, BurpSuite, on my Ubuntu machine, presented me the fully readable and unencrypted headers, including the base64-encoded credentials.

Also, this thread clearly states that the headers should be encrypted as well: https://stackoverflow.com/questions/187655/are-https-headers-encrypted

How is this possible? Am I overlooking something?

What worries me is that I assumed that SSL prevents trickery by man-in-the-middle attacks, but this doesn't seem to apply here.

derFunk

1 Answer


Man-in-the-middle attacks are prevented on SSL-secured channels by using host certificates signed by trusted third parties (Certificate Authorities). Burp Suite can generate certificates for arbitrary hostnames but can't have them signed. If you connect to an HTTPS site via a standard browser through Burp, you will see a warning window telling you that the identity of the remote host cannot be verified. If you ignore the warning, Burp will intercept and decrypt all the traffic (including headers) for you.

In your case it seems like one of the apps on your Android device accepts untrusted certificates generated by Burp:

  • Exchange ActiveSync may simply ignore the fact that it connects to a host with a forged certificate
  • ProxyDroid may provide an HTTP interface for ActiveSync and ignore the server certificate
  • ProxyDroid may have installed its own CA certificate on your device and provide an HTTPS interface for ActiveSync.

So, in summary, SSL can protect you from MitM attacks only if your applications actually verify the digital certificates of the remote hosts they connect to.

buherator
    All of that said, everyone should be very strongly discouraged from the use of Basic auth. If you do use it, make sure that the server only responds over HTTPS. If it has an HTTP port listening, then browsers which have already authenticated and then send a request to this port will automatically embed the base64-encoded credentials, which are essentially plain text. – David Hoelzer Jul 15 '13 at 19:17
  • Thanks! Indeed it was the fact that the Android Device had "Accept any SSL certificate" enabled. Burp Proxy was set to "Generate CA-signed per-host certificates". Both in combination worked to see the requests in clear text. – derFunk Jul 22 '13 at 13:56
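The point of the answer, that interception only works when the client skips certificate verification, can be reproduced offline. The Go program below is an added example (not code from the question, the answer, Burp or ProxyDroid): it creates a trusted corporate CA and an intercepting proxy's own CA, issues a certificate for the same host name from each (which is what Burp's per-host certificate generation does), and checks both the way a correctly behaving client would, against a trust store that only contains the corporate CA. The names `Corporate Root CA`, `Intercepting Proxy CA` and `mail.example.com` are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert returns a certificate for cn plus its key: a self-signed CA when parent is nil,
// otherwise a server certificate for host cn issued by parent (what Burp does per host).
func makeCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG is broken
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	} else { // server certificate: the host name goes into the SAN extension
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return cert, key
}

// Scenario issues a genuine certificate for host from a trusted CA and a forged one for the same
// host from an intercepting proxy's CA, then verifies both the way a correct client would.
func Scenario(host string) (genuineErr, forgedErr error) {
	corpCA, corpKey := makeCert("Corporate Root CA", nil, nil)        // constructed name
	proxyCA, proxyKey := makeCert("Intercepting Proxy CA", nil, nil) // constructed name
	genuine, _ := makeCert(host, corpCA, corpKey)
	forged, _ := makeCert(host, proxyCA, proxyKey)
	trusted := x509.NewCertPool() // the device's trust store: knows the corporate CA only
	trusted.AddCert(corpCA)
	// A correct client requires a chain ending at a trusted CA and a matching host name.
	_, genuineErr = genuine.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	_, forgedErr = forged.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return genuineErr, forgedErr
}

func main() { fmt.Println(Scenario("mail.example.com")) } // prints: <nil> x509: certificate signed by unknown authority
```

Only a client that skips this check (the "Accept any SSL certificate" setting mentioned in the comment above) or one whose trust store contains the proxy's CA will accept the forged certificate.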