A common belief is that the HTTPS protocol prevents so-called Man In The Middle (MiTM) attacks. Unfortunately, in some circumstances, this assumption is wrong.
HTTPS and authentication
A browser decides whether an HTTPS connection is secure if the two following conditions are verified:
- The owner information in the received X509 certificates matches the server name. The subject field of the X509 certificate defines the owner information. If the browser visits the website mysite.com, then the subject of the digital certificate should also be www.mysite.com.
- The received certificate must be valid and a Certification Authority (CA) that the browser trusts must have signed it. The issuer field of the X509 certificate identifies the issuing CA.
For instance, the certificate checked by your browser belonged to https://eric-diehl.com and was issued the CA AlphaSSL. AlphaSSL is not one of the Trusted Root CAs of Chrome. Nevertheless, its certificate was signed by GlobalSign that is one of the Trusted Root Certification Authorities.
Inside a corporate network, usually all Internet connections are forwarded to a proxy server that resides inside the corporate Demilitarized Zone (DMZ). This proxy may interact with the connection. The same browser does not verify the same certificate when connecting to https://eric-diehl.com. The received certificate was issued and signed by another CA than AlphaSSL. GNS Services issued the certificate of this CA. GNS Services is one of the Trusted Root CAs that were listed in my corporate version of Chrome.
The proxy acts as a local CA. It generates the X509 certificate for the eric-diehl.com domain and returns this new certificate to the browser. As the proxy signed it with a private key being part of a trusted key hierarchy, the browser validates this certificate. The proxy can perform its MiTM.
Why does it work? The Internet uses the trust listed CA model. In this model, the system manages a list of CAs that it trusts. Indeed, the list contains the self-signed certificate of the public key of each trusted root CA. A self-signed certificate is the certificate of the public key that is signed by its private key. The CAs are independent. Browsers have to access all legitimate websites to offer a satisfactory user experience. Thus, browsers have to trust most existing CAs. Therefore, browsers come with a large bunch of preinstalled public root keys of CAs. Internet Explorer hosts about twenty Trusted Root CAs. Mozilla recognizes more than 120 Trusted Root CAs. Each Trusted Root CA signs other CAs’ certificate. The current Internet ends up with more than 1,500 CA that the browsers trust!
A corporate proxy has two solutions:
- It may get a key pair with the certificate signed from one of the trusted CA. In that case, it may use the mainstream browsers without any issue. The certificate must be used for signature.
- If it allows only managed devices within its corporate network, the IT department can patch the browsers and add their own root public key as part of the trusted CA. Which is the solution used here.
Is this practice only limited to the corporate network? The answer is no. On my home computers, I use an anti-virus. The anti-virus has a feature called WebShield that attempts to protect against malicious websites. It has an option labeled “Enable HTTPS scanning.” This option is set on by default. The certificate validated by the browser when accessing the same website https:/eric-diehl.com with the option enabled, it is not the genuine certificate. It is a certificate that has been signed by the anti-virus that acts as a MiTM. During its installation, the anti-virus appended its own root certificate to the list of Trusted Root CA.
Is it difficult to install such a solution? Unfortunately, the answer is negative. An open source project mitmproxy provides all that is needed to install such a MiTM.
How to know if there is a “MiTM”?
Fortunately, there is a simple test. In 2007, a new flavor of X509 SSL certificates was created: Extended Validation SSL (EV SSL). Only CAs that have a strictly controlled, documented process to verify that the requester of a domain certificate is the actual owner of the domain can issue EV SSL certificates. Browsers provide a distinctively enhanced display for sites using EV SSL certificates. Usually, they display in the address bar the name of the entity owning the certificate, the name of the issuing CA and a distinctive color (usually green). Websites using EV SSL certificates should be more trustworthy than sites using standard X509 certificates.
Of course, if the connection is under a MiTM, the browser does not receive an EV SSL certificate but rather an SSL certificate. The MiTM cannot generate an EV SSL certificate. Thus, the browser displays a classical HTTPS connection.
Thus the simple test is:
- Select one website that uses EV SSL and bookmark it.
- Each time, you want to check whether there is MiTM, visit this website and check whether it presents an EV SSL certificate.
The current model of trust of Internet employs hundreds of CAs. This brittle model allows to set-up lawful or unlawful man in the middle attacks. As usual, vigilance is the only solution. Fortunately, a simple test detects this type of MiTM.
Update (9-oct-15): THe GNS Services certificate is not part of the standard distribution of Chrome. Thanks to Jim H. for having spotted this mistake