Are your secure SSL communications being compromised by a man-in-the-middle (MITM) attack?

This issue came up when it was discovered that TURKTRUST issued an unauthorized certification authority (CA) certificate. When that CA certificate was installed on a Check Point firewall configured for inspection, it allowed the firewall to clone certificates for any Internet website. When an enterprise user tried to contact a secure site, the firewall cloned a certificate for that site. This allowed the enterprise to proxy the SSL communications and gave it the ability to inspect what was being communicated.

A similar issue was also reported recently when it was discovered that Nokia was performing MITM to compress data and speed up the loading of Web pages on some of its phones. Opera Mini and BlackBerry also perform MITM. However, these companies openly disclose that they do so.

An enterprise may also want to perform MITM. In the past, most traffic was plain HTTP, with no encryption. This allowed the enterprise to monitor traffic and try to ensure that its intellectual property was not being exposed and that users were not behaving in ways that could harm the enterprise. As sites have added security with HTTPS, that traffic has become harder to monitor. The enterprise still wants to know what is being communicated, as it is responsible for the actions of its users.

The enterprise can discover what is being communicated by proxying SSL communications. This is done by installing an HTTPS proxy appliance and creating a CA certificate. That CA certificate must first be installed as trusted on the workstations in the enterprise. Then, when an end user goes to a secure site, the HTTPS proxy creates its own clone certificate for that website, signed with the private key of the enterprise's CA. Because the workstations already trust the CA certificate, the SSL connection is established without any certificate warning.

How do you know if your enterprise is proxying your SSL communications?

GRC has created HTTPS Fingerprints. This service lets you check whether or not your enterprise is performing MITM on the SSL-secured site you are trying to reach. It compares the fingerprint of the certificate you receive with the fingerprint GRC receives by connecting to the site directly. If they are the same, the certificate is authentic and you have no problem. If they differ, it is likely that someone is performing MITM on your SSL connection.

I say likely because a difference can arise in a number of ways:

  • Your SSL communications are being proxied by your enterprise
  • You are under a genuine MITM attack by a malicious group or hacker
  • The website you tried to reach uses multiple certificates and the one you reached does not match the one that GRC reached
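As an added example (not GRC's code and not part of the original article), the following Python script uses only the standard library to reproduce the check described above: it fetches the leaf certificate your client actually receives, computes its fingerprint in the colon-separated form that GRC and browsers display, and compares it with a reference fingerprint obtained out of band, such as the one GRC shows for the same site. The host name and the reference fingerprint are assumptions you supply; the sample bytes in the self-check are constructed.

```python
"""Compare the certificate your client receives for a site with a reference
fingerprint obtained over a different path (e.g. GRC's HTTPS Fingerprints)."""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Colon-separated, upper-case hex digest of a DER certificate (AA:BB:...)."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so fingerprints copied from different tools compare equal."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def compare(local_fp: str, reference_fp: str) -> str:
    """Verdict in the article's terms: a match means the certificate is authentic;
    a mismatch means a proxy/MITM is likely, unless the site serves several certificates."""
    if normalize(local_fp) == normalize(reference_fp):
        return "match: certificate is authentic"
    return "mismatch: likely proxied or MITM (or the site uses multiple certificates)"


def fetch_leaf_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate the client is actually handed.
    Verification is disabled on purpose: a proxy's clone chains to the enterprise CA,
    which this script may not trust, and we want to see the clone rather than an error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host: str, reference_fp: str) -> str:
    """End-to-end check: fetch, fingerprint, compare. Host and reference are user-supplied."""
    return compare(fingerprint(fetch_leaf_certificate(host)), reference_fp)


if __name__ == "__main__":
    # Placeholders: substitute the site you are testing and the fingerprint GRC reports for it.
    print(check_site("example.com", "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"))
```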

If you find a difference, then you need to consider reporting the problem to your IT group. If you are uncomfortable with your enterprise proxying your personal SSL communications, consider performing those tasks at home.