Encryption – SSL MITM Proxy Security – Can we rely on that?

In my organization, we have an SSL MITM (Man-in-the-Middle) proxy (like the ZScaler proxy). When I browse an HTTPS website and verify the certificate, I can see that the proxy has issued a separate certificate for the site (that is, the original certificate chain is being replaced). I'm not getting any warning in my browser because I think the organization added the root certificate of the proxy as a trusted party in my browser / operating system.

My question is: Can we trust an SSL MITM proxy to exchange confidential information (for example, banking)? I believe that the organization can Snooping if it wants, since there is not a single end-to-end SSL connection (there are probably two – one from my system to the proxy and another from the proxy to the original website).

I understand that the traffic is also secure through the proxy if the proxy has not replaced the certificate chain. But this is not the case here. Can you please let me know? Thank you in advance.

tls – How do I check if my connection is not running through the MITM proxy?

I recognized the problem that a Mitm proxy can pose for my privacy and started to look into it more closely to see how it recognizes it as a client. Things I have to check so far are:

  • Check who issued the certificate and verify that it is a self-signed certificate that is installed in my own root certificate store.
  • Verify that I am provided web content from a local IP address instead of the external server IP address, and that the local IP address is always the same.
  • Verify that my system proxy settings are configured to localhost.

My questions are:
In addition to pinning certificates, what else can I check to see if all the above points are negative, but I still have reason to believe that I am being proxied? A typical example: AVAST claims that you use Mitm proxy to scan all web traffic except the whitelisted URLs of some banks, but I do not see any of Mitm's usual singles that are active. I've read somewhere that they could read directly from memory, but implementation and maintenance may sound expensive if they've already bundled a mitm proxy into their product and openly announce that they're using it. Is there a way to run a mitm without triggering any of the listed checks? A kind of transparent Mitm proxy for Windows machines?

Identify unknown potential MITM / malware using SSL connections

On my server, one of the services is a discord bot. It was downstairs, which led me to search for the why.

In my syslogs I noticed more and more three things:

do-agent(1066): 2019/08/25 08:50:21 
Sending metrics to DigitalOcean: Post https://sfo2.sonar.digitalocean.com/v1/metrics/droplet_id: 
x509: certificate is valid for *.com.com, com.com, not sfo2.sonar.digitalocean.com

discord-botd(26673): 2019/08/25 09:03:50
(DG0) wsapi.go:827:reconnect() error reconnecting to gateway, Get https://discordapp.com/api/v6/gateway: 
x509: certificate is valid for *.com.com, com.com, 
not discordapp.com

discord-botd(26673): 2019/08/25 09:04:59
(DG0) wsapi.go:827:reconnect() error reconnecting to gateway, 
x509: certificate is valid for www.chinanetcenter.com, oir.6rooms.com, upload.v.6.cn, pic.v.6.cn, uploadmp3.v.6.cn, *.1z123.com, ulink.6.cn, 
passport.6.cn, shrek.6.cn, www.huanpeng.com, img.huanpeng.com, mlog.chinanetcenter.com, mauth.chinanetcenter.com, i.g-fox.cn, s1.chunboimg.com, s2.chunboimg.com, s3.chunboimg.com, sstatic.chunboimg.com, s0.chunboimg.com, app.showcai.com.cn, auth.microfun.cn, ss.sysad.cn, ss.sysair.cn, sso.kongzhong.com, stc2.kongzhong.com, passport.kongzhong.com, auth-live.kongzhong.com, api.kongzhong.com, i.zhulang.com, m.zhulang.com, s.zhulang.com, app5.zhulang.com, www.cmyynet.com, start.crestdrop.net, load.ginamind.com, fast.sireech.com, play.homesava.net, 
qfcnc.calaprilia.net, mobcdn.znoopbag.net, start88.trackeast.com, play88.trackeast.net, amengsk.haitangbase.net, *.1zhe.com, res.samsungshop.com.cn, mobcdn.clerkin.net, h5cont.trueleffy.net, marsara.nidajudo.com, *.app.meitudata.com, *.meitu.com, *.meipai.com, *.meitubase.com, *.img4399.com, *.converse.com.cn, apk-ssl.tancdn.com, m.wywna.cn, media-qtil.licdn.com, media-exp1.licdn.com, media-exp2.licdn.com, media-exp3.licdn.com, media.licdn.com, platform-qtil.linkedin.com, platform.linkedin.com, static-qtil.licdn.com, static-exp1.licdn.com, static-exp2.licdn.com, static-exp3.licdn.com, static.licdn.com, m.staff.tcl.com, *.ourdvsss.com, cdn.zj96596.com, addons.cdn.mozilla.net, *.tcl.com, *.mall.tcl.com, www.17un.com, m.li0gx.cn, korhal8.clerkin.net, start88.nidajudo.com, usercenter-stage.ewfresh.com, pay-stage.ewfresh.com, mall-stage.ewfresh.com, order-stage.ewfresh.com, settle-stage.ewfresh.com, m.leinue.cn, m.aonanp.cn, m.nbuic.cn, m.xrhen.cn, m.zosue.cn, m.bustz.cn, m.yuwxe.cn, m.bxuwg.cn, m.ykdsbsc.cn, m.rushour.cn, m.nlpzzd.cn, *.xunsd.cn, m.mmgdfr.cn, m.kigoxhz.cn, m.xxqysj.cn, m.mmzdjq.cn, m.ybwbmk.cn, *.zhangyixun.cn, m.i2d1kc.cn, m.hr00.cn, m.ubmhu.cn, fsdext.fshares.com, fscant.fshares.com, www.fshares.io, fscan.fshares.io, fsdex.fshares.io, manage.fsdex.fshares.io, api.fshares.io, dex.api.fshares.io, manage.dex.api.fshares.io, chain.api.fshares.io, manage.chain.api.fshares.io, jpa.api.fshares.io, jpa.node.fshares.io, hka.api.fshares.io, hka.node.fshares.io, fs.fshares.io, guide.fshares.io, browser.api.fshares.io, wallet.api.fshares.io, wss.api.fshares.io, wss.dex.api.fshares.io, back.dex.api.fshares.io, back.chain.api.fshares.io, gate.dex.api.fshares.io, *.sg2046.cn, 
not gateway.discord.gg

After a restart, this went away.

openssl s_client -showcerts -connect did not show anything unusual (though I wish I had done this before rebooting).

Some background information:

  • Server is a current Fedora 28 server.
  • The non-standard services I perform are:
    • a Golang-based web server (HTTP REST API)
    • a Golang-based discord bot
    • Statistics Agent of Digital Ocean
  • SSH is passwordless and the firewall is limited to specific IP addresses.

I've never encountered it and can not find similar results on Google.

Is it possible to determine how this happened or if there is any cause for concern?

Should I nuke the server?

Thanks a lot!

tls – Preventing changing of DNS MITM at ISP level?

A few days ago, the Kazakh government passed legislation to enforce the use of government-signed SSL certificates for all https traffic on all (near) ISPs. So, if you visit https://google.com, your browser will warn you that the certificate is untrusted and you need to trust these certificates or install them manually.

In short, you use government-issued certificates to encrypt your traffic, which is then decrypted at the ISP level and then re-encrypted by the government original (valid) certificates before they are sent to the websites you access. This basically means that ISPs can do what they want with their data as if they were using HTTP all the time.

AFAIK, one solution would be to use a trusted VPN service. However, this drastically degrades the user experience and lets you essentially trust the VPN provider (which the majority does not want to check).

So my question is this: if I changed my DNS to say: by clouds torchCan my ISP not act as a middleman?

To edit: What can I do to protect my privacy if it does not help?

Network – Local AP – External Router MitM Attack?

No, you can not MITM attack the edge router and your access point / router. To attack a man in the middle, you must be in a network segment that allows your device to actually get between these two routers. As mentioned earlier, your gateway is the internal router / access point. Without it, you can neither reach the edge router nor direct the traffic. In a MITM, you are attempting to redirect traffic in some way (in which case, do you think you are referring to ARP poisoning?). This is impossible if you can not reach one of your goals without going through the other.

To perform a MITM on these routers, you must switch to a network segment that is between the edge router and the internal one. You need this because ARP poisoning handles an error in ARP that occurs at the second level of TCP / IP. In this case, you will not have access to the second level the edge router is working with because you are behind the internal router.

Man in the middle – Captcha against Mitm attacks works?

I pestered a site that had no security against MITM attacks, and found that when I tried to steal the credentials and attacked myself, the CAPTCHA was unable to connect to the Internet (the site was disconnected from http ) I could not send the credentials to the website and steal them with my other PC.

Is this a standard answer, can it be bypassed? Is it safe to use it to ward off MITM attacks?

While browsing Google, I found that this was not the case, but for some reason, it was good protection when I attacked this site, so I do not really know what to think.

man in the middle – no hsts but still protected against mitm attacks?

I know HSTS and their instructions … However, if you have enabled HSTS on your website and that user has already visited your website, the browser will remember that it should return to https. Since the fake site does not have an SSL certificate, the user can not visit the site and is safe.

However, I can not reproduce a mitm attack if I visited the site before. Only if I delete all cookies and try again, this works perfectly. For some reason, the site behaves as if it had HSTS, but not … so, what's wrong here? If the website does not have HSTS, the browser should not think about connecting to HTTPS

Man in the middle – How do FIDO keys prevent MITM reflection attacks?

FIDO keys used for 2-factor authentication are based on a challenge-response mechanism.

In addition to using diffie-hellman to generate a common 1-time key or transmit all data via TLS, how can they prevent reflection attacks?

Challenge: Alice -> Eve -> Bob

Answer (even if encrypted): Bob -> Eve -> Alice

eve <-> Alice initiates a secure connection.

Routing – Can we use the network hub as a MITM sniffing device?

My intention is to analyze all network traffic coming from and originating from a network connected device. From the configurations of the device I can characterize all the HTTP traffic coming from the device. However, I believe that the device also communicates over other protocols.

The device and my computer are both in a switched network, and I do not want to use ARP cache poisoning to route all the packets through my computer. I'm looking for a simpler solution where I could replace the printer with a hub and then connect the printer to one of the hubs' ports. I also want to connect my laptop to one if the hubs of this hub were introduced to the network. Technically, the hub would flood all packets to all ports, and I should be able to snoop them in promiscuous mode with Wireshark from my laptop.

One problem that I discovered in this approach was finding a & # 39; hub & # 39 ;. The search itself returns "switch" results, which are Layer 2 devices. I am confused about the popular use of the words "switches" and "hubs". What should I buy for this purpose? Should it be a hub or a switch (technically only one hub can be used for this purpose, but I want to know if the devices listed on websites are actually hubs)?