Some complex questions about ssl stripping and re-encrypting ssl traffic?

    • #6125
      manoj9372
      Participant

      I have been studying a lot regarding cryptography these days.
      I tried to learn the in-depth operations of SSL stripping, but I got stuck at a point, so I thought of asking here.

      As far as I have learnt, first the attacker captures or listens to the victim's traffic with ARP spoofing/ARP poisoning (in most cases), applies SSL stripping, decodes the traffic and passes it back as “http” traffic to the victim; this is how I assume SSL stripping works.

      1) Like the same way, can we strip out SSH or any kind of encrypted traffic?

      2) Suppose a victim is using multiple encryptions; what will happen then?
      For example, say a victim is using a VPN, and inside the VPN he is using some SSH tunneling to access the Gmail account, so at this stage there are 3 layers of encryption,

      i.e. SSL for the VPN, SSH encryption, another SSL for Gmail. Now at this junction is it possible for an attacker to strip out these multiple encryptions?

      3) Also, why are the SSL encryption developers not developing a technology that can verify data integrity like the IPsec standards? Why are they merely developing some complex algorithms and focusing more and more on increasing the strength of the encryption, and not focusing at all on data integrity?

      4) I have been thinking about some law-enforcement-level SSL decryption after I saw the following device:

      http://www.wired.com/threatlevel/2010/03/packet-forensics/

      What amused me was: there is a class of hackers who just strip the SSL and access the plain text; this is the most common scenario we are seeing in the real world. But there exists another side, which is being missed by most of the professionals; the law enforcement guys are using it like this:

      victim aka bad guy -> SSL stripping by law enforcement (and after decryption, they have been re-encrypting the traffic because they have valid digital certificates from the CAs all over the world) -> victim's destination...

      Even though we don't have a root certificate, as a pen-tester is it possible for us to do like the above?

      Because I don't want my victim to know that I am stripping his traffic; that is the main thing I am willing to learn.

      Hope I will get my doubts cleared…

    • #38381
      mambru
      Participant

      You are missing a very important point: man-in-the-middle.

    • #38382
      manoj9372
      Participant

      Couldn’t get your exact point, sir. Yes, I know this is a MITM attack? I am a bit confused, sir…

    • #38383
      dynamik
      Participant

      No, they’re not passing HTTP back to the user; they’re swapping out the legitimate cert with an untrusted one. The users will be alerted of this, but most will simply click-through. Have you seen the presentation by the creator of sslstrip? It’s worth watching: http://www.thoughtcrime.org/software/sslstrip/

    • #38384
      timmedin
      Participant

      It’s not just that, there is more to it. If you type http://www.paypal.com into your browser you will go to PayPal and be redirected to https. SSLStrip will negotiate the secure traffic with the server, but then rewrite it so the user is never sent to the SSL site. No need to see any cert errors on the client side.

      I don’t believe it is implemented yet, but since you are in the middle of the connection you can mess with the Online Certificate Status Protocol (OCSP). “Applications are required to check for revocation of the certificate before accepting it. The application should support both CRL and OCSP, although OCSP is clearly the wave of the future and the only scalable approach.
      (In his presentation Marlinspike suggests a method for bypassing OCSP by returning a “Try again later” code, in which case the application typically gives up and authenticates. The EV rules state: “If the application cannot obtain a response using one service, then it should try all available alternative services.” This precludes the lazy behavior described by Marlinspike.)”
      (ref: http://extendedvalidationsslcertificates.com/)

      The “Try again later” code is the only response from the server that is not encrypted. If I remember correctly, most of the browsers will continue to the site if they can’t get a good OCSP response, but you might want to double check.
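      The redirect rewrite timmedin describes leaves a fingerprint a defender can check for: the client receives `Location:` or link references over plain http:// to a host that should only ever be reached over TLS. The detector below is an added example, not code from this thread or from sslstrip; the HTTPS-only host list and the sample responses are constructed.

```python
"""Detect the HTTP->HTTPS downgrade pattern in captured plaintext responses.
Given a raw HTTP/1.1 response and the set of hosts known to be HTTPS-only
(a tiny stand-in for an HSTS-style policy), report every http:// reference
to such a host, in the Location header or in the body. Samples are constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed policy: hosts the client should only ever reach over TLS.
HTTPS_ONLY: Set[str] = {"www.example.com", "login.example.com"}

# Matches a plaintext URL and captures its host; https:// does not match.
URL_RE = re.compile(r"http://([A-Za-z0-9.-]+)(/[^\s\"'<>]*)?", re.IGNORECASE)


def split_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Separate status line, lowercased header map and body of a raw response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def downgraded_refs(raw: str, https_only: Set[str] = HTTPS_ONLY) -> List[str]:
    """Return http:// URLs pointing at HTTPS-only hosts: Location header first, then body."""
    _status, headers, body = split_response(raw)
    found: List[str] = []
    for text in (headers.get("location", ""), body):
        for m in URL_RE.finditer(text):
            if m.group(1).lower() in https_only:
                found.append(m.group(0))
    return found


# Constructed: the redirect a browser should see after typing www.example.com.
LEGIT = "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n\r\n"

# Constructed: the same redirect after a downgrade proxy rewrote the scheme.
STRIPPED_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\n\r\n"

# Constructed: a page whose secure login link was rewritten; the CDN link is not policed.
STRIPPED_BODY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 "<a href=\"http://login.example.com/signin\">Log in</a>\r\n"
                 "<a href=\"http://cdn.example.net/logo.png\">logo</a>")

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("redirect", STRIPPED_REDIRECT), ("body", STRIPPED_BODY)):
        print(f"{label}: {downgraded_refs(sample)}")
```

      Run against a capture taken at the client, an empty list for a host on the policy list means the redirect chain reached the client intact.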
