[AusNOG] Interception?

Robert Brockway robert at timetraveller.org
Fri Jul 6 08:34:06 EST 2012


On Thu, 5 Jul 2012, Skeeve Stevens wrote:

> The issue that I've recently come up against is HTTPS.  Many sites are
> moving to HTTPS as default.  Facebook, Google, etc etc are starting to use
> it more and more.  Now this is not a problem at all, and fully supported as
> normal web traffic should be.
>
> The problem we're facing is that as per normal hotspot solutions, when a
> user connects to the hotspot, they get an IP.  Then they start a browser,
> and if it goes to a home-page, it gets redirected to a captive portal page
> where they click some terms and we move on.
>
> Now that many people are having a HTTPS address as their
> 'home/startpage/etc', the HTTPS is not able to get anywhere and is breaking.  So
> to solve this issue, we now also intercept 443 - HTTPD and redirect it back
> to the portal.
>
> Due to the user trying to go to https://blah.com/ being re-directed, the
> browser is freaking out with an interception or man-in-the-middle attack
> potential alert and so on.
>
> Now, I think it's possible to work our way around this, but the question
> remains - "Is intercepting HTTPS for redirection purposes - an interception
> issue" ?

Hi Skeeve.  If you can work around this then so can anyone in the path 
trying a malicious MITM, and yes a lot of people are encountering this 
issue.  I'm currently trying to convince a fairly large organisation (that 
proxies all http & https) that having their users get used to clicking 
past browser SSL warnings is a bad thing.

There is a way to get this working but it is messy.  I am in no way 
recommending this.

You can have the user import a copy of the CA certificate of a local CA[1] 
as a trusted certificate.  You can then generate signed requests on the 
fly and the browser warnings will go away.  Quite a few appliances and 
apps are available that will do this.

The issues include:

(1) Getting the user to successfully import your CA certificate. Importing 
strange certificates is not something that browser vendors want to make 
transparent to the user.  Organisations that control the desktop can put a 
local CA cert in their standard build and have this work transparently but 
for someone serving client systems that they do not control this is an 
issue.

(2) Convincing them that they should import your CA cert.  This is a real 
can of worms.  Why do they trust you?  You can MITM any https site they 
wish to visit after they have accepted your CA cert, at least while on 
your network.[2]

Just a few comments on a complex subject.

Cheers,

Rob

[1] That you run.

[2] This brings up questions like why we trust the CAs that have their 
certs in the browsers by default. That's a discussion for another day ;)

-- 
Email: robert at timetraveller.org		Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Director, Software in the Public Interest (http://spi-inc.org/)
Free & Open Source: The revolution that quietly changed the world
"One ought not to believe anything, save that which can be proven by nature and the force of reason" -- Frederick II (26 December 1194 – 13 December 1250)
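An added illustration (not part of the AusNOG post, and not code from any captive-portal product): a small model of the two checks a browser runs on a TLS certificate before showing a page without a warning, (1) is the issuer in the trust store, and (2) does a dNSName in the certificate match the host the user asked for. Redirecting port 443 to the portal fails check (2); a certificate minted on the fly by a local CA fails check (1) until that CA is imported, after which the same CA can mint a matching certificate for any site, which is Rob's footnote [2]. All certificate contents, CA names and host names below are constructed for the example.

```python
# Added example, not from the AusNOG thread.  Models the issuer-trust and
# hostname checks a browser performs; certificates are constructed records,
# not parsed from real X.509 data.
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for the certificate fields the checks need."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # subjectAltName dNSName entries
    issuer: str = ""


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style dNSName matching: case-insensitive, wildcard only as the
    whole leftmost label, matching exactly one label, never on a bare TLD."""
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False                      # "*" never spans more than one label
    if "*" in pat_labels[0] and pat_labels[0] != "*":
        return False                      # partial wildcards ("w*.blah.com") rejected
    if any("*" in label for label in pat_labels[1:]):
        return False                      # wildcard allowed only in the leftmost label
    if pat_labels[0] == "*" and len(pat_labels) < 3:
        return False                      # "*.com" would match every domain
    return all(p == "*" or p == h for p, h in zip(pat_labels, host_labels))


def verdict(cert: Cert, requested_host: str, trusted_cas: set) -> str:
    """Return 'ok', 'untrusted_issuer' or 'hostname_mismatch'."""
    if cert.issuer not in trusted_cas:
        return "untrusted_issuer"
    # Browsers match against SAN dNSName entries; the subject CN is a fallback.
    names = cert.san_dns or [cert.subject_cn]
    if not any(hostname_matches(requested_host, n) for n in names):
        return "hostname_mismatch"
    return "ok"


# Constructed scenario: the user requested https://blah.com/ and the hotspot
# answered the connection itself.
PUBLIC_CAS = {"Example Public Root CA"}  # stand-in for the browser's built-in roots
HOTSPOT_CA = "Hotspot Local CA"          # the local CA of footnote [1] (hypothetical)

PORTAL_CERT = Cert("portal.hotspot.example", ["portal.hotspot.example"],
                   "Example Public Root CA")
ON_THE_FLY_CERT = Cert("blah.com", ["blah.com", "www.blah.com"], HOTSPOT_CA)


def scenario_portal_cert() -> str:
    # Port 443 redirected to the portal: trusted issuer, wrong name -> warning.
    return verdict(PORTAL_CERT, "blah.com", PUBLIC_CAS)


def scenario_local_ca_not_imported() -> str:
    # Certificate generated for blah.com by a CA the browser has never seen.
    return verdict(ON_THE_FLY_CERT, "blah.com", PUBLIC_CAS)


def scenario_local_ca_imported() -> str:
    # After the user imports the hotspot CA the warning disappears, and the
    # same CA could satisfy this check for any other host name (footnote [2]).
    return verdict(ON_THE_FLY_CERT, "blah.com", PUBLIC_CAS | {HOTSPOT_CA})


if __name__ == "__main__":
    for label, fn in [("portal cert", scenario_portal_cert),
                      ("local CA, not imported", scenario_local_ca_not_imported),
                      ("local CA, imported", scenario_local_ca_imported)]:
        print(f"{label:24s} -> {fn()}")
```

Running it prints `hostname_mismatch`, `untrusted_issuer` and `ok` for the three scenarios, which is the progression the message describes: the redirect alone trips the name check, the local CA moves the failure to the trust check, and importing the CA removes the warning for every name that CA chooses to sign.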

