stackoom
  简体   繁体   中英

HTTPS intercept

 原文  2011-11-28 09:34:55       ssl/ https/ intercept

Question

I don't know much about SSL, but I've read something and I was wondering if it's possible to intercept the communication between client and server (for example, a company can monitor employees data transfer?). I thought it was a difficult task, but it looks like that it is very simple. When a client requests a https connection the router can be instructed to intercept the key exchange and send to the server and the client it's own public keys (further it can encode/decode the hole traffic). Is it true, or I'm misunderstanding something?

3 answers

solution1
 5 ACCPTED  2011-11-28 09:45:49

If a CA under your control is trusted in all browsers used by employees it's easily possible:

The company proxy needs to create certificates resembling the original certificate on the fly and present those certificates to the clients. All information could be taken from the real certificate, the only difference would be in the CA signing the certificate.

However, at least google chrome would complain for google-owned domains since they have an explicit whitelist on which CAs may sign certificates used for google domains.

solution2
 2  2011-11-28 09:41:43

At a company network, the companies own SSL CA:s are often installed on all machines. In this case, a company proxy can present a company certificate which will be accepted by the browser, and read the traffic.

I you look at the certificate details (found in your browser's address bar), you can check if it is the expected certificate of the remote server, or if it is another certificate created by the company.

You can use for example http://www.sslshopper.com/ssl-checker.html#hostname=www.google.com to check what certificate its supposed to be. (obviously change the hostname to whatever server it is you want to use)

solution3
 1  2011-11-28 09:37:23

It's partially true: the process you describe would work but the client would be notified that the server certificate is not the expected one (not certified, assigned to another site). So it's not possible to do it transparently and without them knowing, but that may be acceptable in a corporate environment.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Security HTTPS intercept url access Intercept SSL/TLS requests in HTTPS Grizzly server How does burp-suite intercept https requeest inspite of the encryption? How do I (manually) intercept and return a custom message to a browser making a HTTPS request Intercept SSLHandshakeException in Spring boot Redirect https://www to https:// NGINX redirect HTTPS to HTTPS Apache proxypass https to https Intercept traffic from android app Intercept Android GMail SSL connection
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM