Tunneling through hostile proxy

2002-07-23 Thread Jason Holt

> Roy M. Silvernail[SMTP:[EMAIL PROTECTED]]
> Given internet access from a private intranet, through an HTTP
> proxy out of the user's control, is it possible to establish a secure
> tunnel to an outside server?  I'd expect that ordinary SSL
> connections will secure user - proxy and proxy - server
> separately, with the proxy able to observe cleartext.  Could an SSH
> connection be made under these conditions?
[...]

The default behavior for an SSL proxy is to pass the encrypted bytes
back and forth, allowing you to connect all the way to the other server.  
However, it is possible for the proxy to have its own CA which has been added
to your browser.  Then it acts as a man in the middle and pretends to be the
remote host to you, and vice versa.  In that case, it works as you describe,
watching the data during its interim decryption.

Typically, the proxy would give you generic certificates (like
*.com), but it could conceivably generate a certificate for each site you
visit (secure.yahoo.com, etc.).  The way to tell would be to look at the
issuing authority according to your browser - if it's one of the public ones,
like Thawte, you've got a connection to the far end.  If it's Th4wt3, or
your company's, the proxy is probably watching.

Incidentally, another company that does private browsing over SSL is
www.orangatango.com (along with other nifty anonymizing stuff).

-J




Re: Tunneling through hostile proxy

2002-07-23 Thread Adam Back

On Tue, Jul 23, 2002 at 06:11:04PM +, Jason Holt wrote:
> The default behavior for an SSL proxy is to pass the encrypted bytes
> back and forth, allowing you to connect all the way to the other server.

This isn't just the default behavior; it's the only defined behavior
right?

> However, it is possible for the proxy to have its own CA which has
> been added to your browser.  Then it acts as a man in the middle and
> pretends to be the remote host to you, and vice versa.  In that
> case, it works as you describe, watching the data during its interim
> decryption.

While it's _possible_ to do this, I've never heard of a server hosted
application that advertises that it's doing this.  I would think it
would be quite hard to get a CA to issue you a certificate if this is
what you intended to do with it (act as a general MITM on SSL
connections you proxy).

There have been applications which do this locally, e.g. a no longer
shipped product called SafePassage by c2.net, and Achilles, an SSL
debugger, both of which are local proxies and both of which ask the
user to install a certificate allowing this when they are installed.
The installed certificate is self-signed however, and not issued by a
CA, as it is only valid for that user's machine anyway; the user won't
want to buy a cert to authenticate information to their own machine,
it would be less secure to do so, and the user won't want to pay for
this certificate.

> Typically, the proxy would give you generic certificates (like
> *.com),

Is there any software actually doing this?  (I know wild card certs
are available, but would think a wild card cert on .com would be a
very dangerous thing for a CA to issue, and you'd hope browsers would
be smart enough to reject such certs).

> but it could conceivably generate a certificate for each site you
> visit (secure.yahoo.com, etc.).

This is what SafePassage et al do.

Adam




Re: Tunneling through hostile proxy

2002-07-23 Thread Jason Holt

On Tue, 23 Jul 2002, Adam Back wrote:
[...]
> > However, it is possible for the proxy to have its own CA which has
> > been added to your browser.  Then it acts as a man in the middle and
> > pretends to be the remote host to you, and vice versa.  In that
> > case, it works as you describe, watching the data during its interim
> > decryption.
>
> While it's _possible_ to do this, I've never heard of a server hosted
> application that advertises that it's doing this.  I would think it
> would be quite hard to get a CA to issue you a certificate if this is
> what you intended to do with it (act as a general MITM on SSL
> connections you proxy).
[...]

I don't know of any other real-world examples.  Rescorla mentions the
technique on pp. 316-319 of SSL and TLS.  Certainly Thawte isn't going to
issue such wildcard certs, for exactly the reasons you mention.  That's why
you (or your government, or company, or whoever keeps an eye on you) create
your *own* CA and tell your browser to trust it.  Then it'll accept the
wildcard certs without complaint.

-J




Re: Tunneling through hostile proxy

2002-07-23 Thread Ben Laurie

Adam Back wrote:
> On Tue, Jul 23, 2002 at 06:11:04PM +, Jason Holt wrote:
>
> > The default behavior for an SSL proxy is to pass the encrypted bytes
> > back and forth, allowing you to connect all the way to the other server.
>
> This isn't just the default behavior; it's the only defined behavior
> right?
>
> > However, it is possible for the proxy to have its own CA which has
> > been added to your browser.  Then it acts as a man in the middle and
> > pretends to be the remote host to you, and vice versa.  In that
> > case, it works as you describe, watching the data during its interim
> > decryption.
>
> While it's _possible_ to do this, I've never heard of a server hosted
> application that advertises that it's doing this.  I would think it
> would be quite hard to get a CA to issue you a certificate if this is
> what you intended to do with it (act as a general MITM on SSL
> connections you proxy).

Errr - it's tricky anyway, coz the cert has to match the final
destination, and, by definition almost, that can't be the proxy.

I believe it's pretty common for server farms to use SSL-enabled reverse
proxies where the SSL terminates at the proxy. Different scenario, though.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff




Re: Tunneling through hostile proxy

2002-07-23 Thread Dave Howe

Ben Laurie wrote:
|| Errr - it's tricky anyway, coz the cert has to match the final
|| destination, and, by definition almost, that can't be the proxy.
provided you can impose a CA cert onto the user browser (not hard in a
corporate environment) it isn't as if signing a certificate on the fly
is hard - consider the following:
1. proxy has CA private key A and SSL public key B
2. client requests connect to SSL on xxx.yyy.zzz.com
3. proxy uses OpenSSL library to create certificate for xxx.yyy.zzz.com
on the fly (with public key B) signed by CA key A
4. proxy opens SSL link to xxx.yyy.zzz.com
5. if step 4 succeeds, proxy sends cert to client
6. client checks cert against its own local copy of public key A (from
its root cert dir) which claims to be thawte, inc
7. client approves link and negotiates SSL with proxy
8. proxy links its connection to xxx.yyy.zzz.com to inbound client
connection
9. proxy passes (and logs) packets
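The issuer check Jason describes in the first post (look at who signed the cert, a public CA or "your company's") and the on-the-fly signing in Dave's steps 1-3 above, in one added Go example. This is not code from the thread or from any product named in it. It constructs two throwaway CAs, a stand-in "Example Public CA" and a "Corp Proxy CA" of the kind an operator pushes into the browser's root store, has each issue a certificate for the constructed name secure.example.com, and then runs the client-side check: read the issuer, check the hostname (Ben's constraint), and verify the chain against only the roots known to be genuine public ones rather than against the whole local store. All names, the host, and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key; failures are fatal in this demo.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// create signs tmpl under parent with signer's key and parses the DER back.
func create(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA builds a self-signed CA. Both CAs in demo() are constructed fixtures.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return create(tmpl, tmpl, key, key), key
}

// issueLeaf signs a server cert for host under ca (Dave's step 3, done here
// only to produce a test input for the check below).
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return create(tmpl, ca, newKey(), caKey)
}

// Verdict is what the client-side check reports about a presented cert.
type Verdict struct {
	Issuer          string // CN of the signing CA, what the browser's cert viewer shows
	HostnameMatches bool   // name matches the destination (Ben's constraint)
	ChainsToPublic  bool   // chains to a root we know is public, not a locally added one
}

// inspect is Jason's check in code: read the issuer, then verify the chain
// against only the roots known to be genuine public CAs, not the whole local
// store. An interception cert has the right hostname but fails this step.
func inspect(leaf *x509.Certificate, host string, knownPublicRoots *x509.CertPool) Verdict {
	v := Verdict{Issuer: leaf.Issuer.CommonName}
	v.HostnameMatches = leaf.VerifyHostname(host) == nil
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: knownPublicRoots})
	v.ChainsToPublic = err == nil
	return v
}

// demo returns the verdicts for a direct and an intercepted connection.
func demo() (direct, intercepted Verdict) {
	const host = "secure.example.com"                 // constructed destination
	publicCA, publicKey := newCA("Example Public CA") // stand-in for a public CA such as Thawte
	proxyCA, proxyKey := newCA("Corp Proxy CA")       // root the proxy operator installed in the browser
	known := x509.NewCertPool()
	known.AddCert(publicCA)
	direct = inspect(issueLeaf(host, publicCA, publicKey), host, known)
	intercepted = inspect(issueLeaf(host, proxyCA, proxyKey), host, known)
	return direct, intercepted
}

func main() {
	d, i := demo()
	fmt.Printf("direct:      %+v\n", d)
	fmt.Printf("intercepted: %+v\n", i)
}
```

The intercepted certificate passes the hostname check, which is why Ben's "cert has to match the final destination" stops being a barrier once a CA is in the local store; what gives it away is the issuer, and a browser verifying against its full root store will not complain. Pinning the verification to a pool of known public roots, as inspect() does, or simply reading the issuer in the certificate viewer as Jason suggests, is what surfaces the interception.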



