Fighting Back Against SSL Interception (or How SSL Should Work)

Presented at BSidesDC 2014, Oct. 19, 2014, 12:30 p.m. (50 minutes)

Enterprises increasingly deploy network security devices to intercept and inspect SSL-protected employee web traffic, often without adequate understanding on the employee's part, and almost certainly without the consent of the entity operating the server. Motivated by the cases of Trustwave, TURKTRUST, and ANSSI, where fraudulent sub-CAs chaining to trusted roots were loaded into SSL interception devices, I examine how an HTTPS web server can (ab)use client certificate authentication to detect the presence of an SSL interception device and block connections traveling through one of these devices. I show how browsers' built-in certificate enrollment capabilities, well understood in academia but rarely used in practice, can be leveraged to achieve a mild form of mutual authentication relatively painlessly. Using this technique, the server, too, now has a say in whether its traffic can be intercepted and inspected.
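The mechanism behind the abstract's claim, as an added example that is not code from the talk or from ISE: a TLS-terminating interception device ends the browser's session at its own endpoint and opens a second session toward the server. It can see the browser's certificate, but it never holds the browser's private key, so when the server demands client authentication the device cannot complete the handshake, and the server knows it is not talking to the enrolled browser. The script below mints a throwaway CA, server and client certificate with the `openssl` command-line tool (assumed to be on PATH; this stands in for the browser enrollment step the talk relies on), starts a server that requires a client certificate, and then connects twice: once as the browser holding `client.key`, once as an interceptor that trusts the same CA but has no client key. All names, hosts and certificates are constructed for the demo.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed demo material: every certificate is minted on the fly by the
# openssl CLI (assumed to be on PATH) and lives only in a temporary directory.
SERVER_EXT = ("basicConstraints=CA:FALSE\n"
              "keyUsage=digitalSignature,keyEncipherment\n"
              "extendedKeyUsage=serverAuth\n"
              "subjectAltName=DNS:localhost\n")
CLIENT_EXT = ("basicConstraints=CA:FALSE\n"
              "keyUsage=digitalSignature\n"
              "extendedKeyUsage=clientAuth\n")


def make_certs(workdir):
    """Mint a throwaway CA, a server cert for localhost and one client cert.

    The client cert plays the role of a certificate the browser obtained by
    enrollment; only the browser (our direct client) ever holds client.key.
    """
    def openssl(*args):
        subprocess.run(["openssl", *args], check=True, cwd=workdir,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=Demo Enrollment CA", "-keyout", "ca.key", "-out", "ca.crt")
    for name, cn, ext in (("server", "localhost", SERVER_EXT),
                          ("client", "employee", CLIENT_EXT)):
        with open(os.path.join(workdir, name + ".ext"), "w") as f:
            f.write(ext)
        openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + cn,
                "-keyout", name + ".key", "-out", name + ".csr")
        openssl("x509", "-req", "-days", "1", "-in", name + ".csr",
                "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
                "-extfile", name + ".ext", "-out", name + ".crt")
    return {n: os.path.join(workdir, n) for n in
            ("ca.crt", "server.crt", "server.key", "client.crt", "client.key")}


def serve(paths, listener, log, n_clients):
    """Accept n_clients connections, each of which must present a client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(paths["server.crt"], paths["server.key"])
    ctx.verify_mode = ssl.CERT_REQUIRED          # the whole technique is this line
    ctx.load_verify_locations(paths["ca.crt"])   # only certs from our CA count
    for _ in range(n_clients):
        conn, _addr = listener.accept()
        conn.settimeout(5)
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                cn = subject["commonName"]
                tls.sendall(b"OK " + cn.encode())
                log.append(("accepted", cn))
        except (ssl.SSLError, OSError) as exc:
            # No client certificate (or one we did not issue): handshake fails.
            log.append(("rejected", type(exc).__name__))
        finally:
            conn.close()


def connect(paths, port, with_client_key):
    """Open a TLS session to the server; True if the server admitted us."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # hostname check stays on
    ctx.load_verify_locations(paths["ca.crt"])
    if with_client_key:
        ctx.load_cert_chain(paths["client.crt"], paths["client.key"])
    # An interception device reaches this point with no client key to load:
    # it saw the browser's cert but cannot sign the CertificateVerify message.
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            # TLS 1.2 fails inside the handshake; TLS 1.3 may only surface the
            # "certificate required" alert on the first read. Both end up False.
            return tls.recv(64).startswith(b"OK")
    except (ssl.SSLError, OSError):
        return False


def run_demo():
    """Returns (browser_admitted, interceptor_admitted, server_log)."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = make_certs(workdir)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(2)
        port = listener.getsockname()[1]
        log = []
        t = threading.Thread(target=serve, args=(paths, listener, log, 2), daemon=True)
        t.start()
        browser = connect(paths, port, with_client_key=True)
        interceptor = connect(paths, port, with_client_key=False)
        t.join(timeout=10)
        listener.close()
        return browser, interceptor, log


if __name__ == "__main__":
    browser, interceptor, log = run_demo()
    print("browser with enrolled key  :", "admitted" if browser else "blocked")
    print("TLS-terminating interceptor:", "admitted" if interceptor else "blocked")
    for entry in log:
        print("server saw:", entry)
```

The server side never has to fingerprint the middlebox or inspect its certificate chain: `CERT_REQUIRED` plus a CA that only the legitimate enrollment process can obtain certificates from is enough, because the handshake itself proves possession of the private key. The caveat the abstract hints at also shows here: an interception device that is configured to pass through (rather than terminate) connections to this server, or an endpoint agent that can read the browser's key store, is not caught by this check.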


Presenters:

  • Jacob Thompson - Security Analyst at Independent Security Evaluators
    Jacob Thompson is a security analyst at Independent Security Evaluators, a Baltimore, Maryland, company specializing in high-end, custom security assessments of computer hardware and software products. Jacob holds an M.S. in Computer Science from the University of Maryland, Baltimore County. His primary security interests include analyzing commercial software products for design flaws and other vulnerabilities, reverse engineering, and cryptography. Prior to joining ISE, Jacob served as a Computer Science teaching assistant and briefly worked as an intern software engineer developing desktop and embedded applications for process control systems. Jacob has previously presented at DEF CON 21 and the inaugural 2013 B-Sides DC.
