Friday, November 17, 2017

SSL cert caching for MiTM inspections

Firefox and a number of other browsers hold on to the SSL certificate chain they last saw for a site, and the chain the certificate viewer shows can be stale.

This can mislead you during diagnostics or debugging if you rely on the browser's certificate viewer to inspect the trusted-CA chain of a website.


Take my day job, which has a Blue Coat ProxySG doing SSL inspection. We have a trusted enterprise CA certificate that is present in the chain for pcgus { aus-web.gateway.pcgus.com in this example }.

That CA chain is rooted in the trusted CA certificate that we distributed and imported into our browsers.

Now that I'm off the pcgus network, that chain is misleading, since I'm going to the website
https://forum.fortinet.com directly. Until we make Firefox clear it, that chain misleads the unaware, unsuspecting end user.

Now look at the chain once we reload the website. Notice how the previous aus-webgateway.pcgus.com is gone and the real CA chain is presented?

So always use a command-line tool like curl or gnutls-cli when you want to double- or triple-check the CA chain a website actually serves, rather than trusting what the browser's certificate viewer shows.

Or run the website through a site like SSL Labs and inspect the chain from there.
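The check described above, as an added example that is not part of the original post: a small POSIX shell script that pulls the chain a server really sends (via openssl s_client, used here alongside the curl/gnutls-cli options the post names) and flags any issuer whose DN looks like an inspection proxy's CA. The "pcgus" match string, the made-up root CA name and the sample chain text are assumptions for illustration; the proxy hostname is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post: pull the certificate chain a
# server actually sends and flag any issuer that looks like an inspection
# proxy's CA. openssl is only needed for the live fetch; the parser runs
# offline on constructed sample text.
# Hypothetical assumption: the corporate CA's DN contains "pcgus", as the
# chains described in the post do.

# Live fetch: prints the `openssl s_client -showcerts` output, which carries
# a "N s:<subject>" / "i:<issuer>" summary pair for each cert in the chain.
fetch_chain() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null
}

# Reads s_client output on stdin, prints each subject/issuer pair and
# returns 0 (true) if any issuer DN contains PATTERN, 1 if none does.
interception_detected() {
    pattern=$1
    found=1
    while IFS= read -r line; do
        trimmed=${line#"${line%%[! ]*}"}          # drop leading spaces
        case $trimmed in
            [0-9]*" s:"*) printf 'subject: %s\n' "${trimmed#* s:}" ;;
            "i:"*)
                issuer=${trimmed#i:}
                printf 'issuer:  %s\n' "$issuer"
                case $issuer in *"$pattern"*) found=0 ;; esac ;;
        esac
    done
    return $found
}

# Live check of one host; returns 0 when a matching issuer is in the chain.
check_host() {
    host=$1
    pattern=$2
    if fetch_chain "$host" | interception_detected "$pattern"; then
        printf 'WARNING: %s is served via a CA matching "%s" (inspection proxy?)\n' "$host" "$pattern"
        return 0
    fi
    printf '%s: no issuer matching "%s" in the served chain\n' "$host" "$pattern"
    return 1
}

# Constructed samples in the older openssl "/CN=" summary style. The proxy
# hostname is the one from the post; the root CA name is made up.
INTERCEPTED_CHAIN=' 0 s:/CN=forum.fortinet.com
   i:/O=pcgus/CN=aus-web.gateway.pcgus.com
 1 s:/O=pcgus/CN=aus-web.gateway.pcgus.com
   i:/O=pcgus/CN=pcgus-enterprise-root'
DIRECT_CHAIN=' 0 s:/CN=forum.fortinet.com
   i:/C=US/O=Example Public CA/CN=Example Issuing CA
 1 s:/C=US/O=Example Public CA/CN=Example Issuing CA
   i:/C=US/O=Example Public CA/CN=Example Root CA'

echo '--- chain seen behind the proxy ---'
printf '%s\n' "$INTERCEPTED_CHAIN" | interception_detected pcgus \
    && echo 'verdict: interception CA in chain'
echo '--- chain seen from a direct connection ---'
printf '%s\n' "$DIRECT_CHAIN" | interception_detected pcgus \
    || echo 'verdict: real chain, no interception CA'

# Live run against a real host: sh chain_check.sh forum.fortinet.com pcgus
if [ -n "${1:-}" ]; then check_host "$1" "${2:-pcgus}"; fi
```

Run it with no arguments to see the two constructed chains classified; pass a hostname (and optionally a different match string) to check a live site. Remember that a tool run from a machine behind the proxy sees the intercepted chain as well; that still exposes the proxy, because the issuer will be the enterprise CA instead of a public one.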

Doing this is a reliable way to determine whether a MiTM device is inspecting your traffic. If the CA chain your browser shows does not match the raw chain the site actually serves, as seen by a command-line tool or an external scanner like SSL Labs, then an "imposter" CA is in the chain. The comparison against an outside vantage point is the independent check: a tool run on the same machine sits behind the same proxy and sees the intercepted chain too, which still gives the proxy away since the issuer is the enterprise CA rather than a public one.

Ken Felix

NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
