More TLS Man-in-the-Middle failures - Adguard, Privdog again and ProtocolFilters.dll

Hanno's Blog

Thursday, August 13. 2015

Trackbacks

Superfish 2.0: Dangerous certificate on Dell laptops breaks encrypted HTTPS-connections
tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check, affected users should delete the certificate. It seems
Weblog: Hanno's blog
Tracked: Nov 23, 17:39

Comments

Hello Hanno!

First, thank you for the research and for reporting it to us back then!

I have some clarifications on that issue.

1. We do not simply use nfsdk, but a fork of it.
2. Also, we report all security-related changes made by us back to the nfsdk author, and it usually works. At least this horrible shared-key issue is fixed now.
#1 Andrey Meshkov on 2015-08-13 01:56 (Reply)
Also let's return to the main question - what to do if one needs to get to the encrypted traffic?

I know your answer - just don't do this, use a browser extension. But it's not enough.

Let's take a look at some situations when an extension is not an option:
1. The browser does not support extensions. Like Edge.
2. What about apps? For instance, blocking annoying skype ads.
3. Mobile. We have an Android app and users are begging for SSL filtering there.

Don't you think there should be some more reliable way to both filter encrypted traffic on the local computer/device and leave SSL validation to the browser?
#2 Andrey Meshkov on 2015-08-13 02:10 (Reply)
One thing you can do is SNI-based interception - connections to "clean" websites are passed through without messing with them, while suspicious domains get redirected to an interstitial using a per-device CA.

This way, you aren't reimplementing certificate verification, and software with hardcoded certificate fingerprints can be passed through.
#2.1 Riking on 2015-08-13 06:55 (Reply)
We do this already. There is a list of domains for which SSL filtering is disabled by default: banking websites and some websites with sensitive personal information. Also, users can add any domain manually to this list.
#2.1.1 Andrey Meshkov on 2015-08-13 10:03 (Reply)
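The SNI-based pass-through Riking describes and the exemption list Andrey mentions, as an added example that is not code from the original post, from nfsdk or from Adguard: a Python ClientHello parser that reads the server_name extension and decides whether a connection is forwarded untouched or handled by the filter. The exemption suffixes, the host names and the `build_client_hello` fixture are constructed assumptions for the demonstration.

```python
import struct

# Constructed sample of the "filtering disabled by default" list: these names are never intercepted.
PASSTHROUGH_SUFFIXES = ("bank.example", "health.example")

def build_client_hello(server_name):
    """Build a minimal TLS ClientHello record (test fixture, not a full handshake);
    server_name=None yields a hello with no extensions at all."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"             # one cipher suite, null compression
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list      # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 22 = handshake

def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                           # record + handshake headers, version, random
        pos += 1 + record[pos]                                     # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]     # cipher suites
        pos += 1 + record[pos]                                     # compression methods
        if pos >= len(record):
            return None                                            # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0:                                         # list len(2), name type(1), name len(2), name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def decide(record):
    """'passthrough' when the name is exempt or cannot be read, else 'intercept'."""
    sni = extract_sni(record)   # unreadable SNI: forward untouched rather than break pinned clients
    if sni is None or any(sni == s or sni.endswith("." + s) for s in PASSTHROUGH_SUFFIXES):
        return "passthrough"
    return "intercept"
```

Because the decision is made on the unencrypted ClientHello, the filter never has to re-implement certificate validation for exempted names; the browser still verifies those connections itself.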

About

This blog is written by Hanno Böck. Unless noted otherwise, its content is licensed as CC0.