Reputation: 341
I don't know much about SSL, but I've read something and I was wondering if it's possible to intercept the communication between client and server (for example, can a company monitor employees' data transfer?). I thought it was a difficult task, but it looks like it is very simple. When a client requests an https connection the router can be instructed to intercept the key exchange and send the server and the client its own public keys (further, it can encode/decode the whole traffic). Is it true, or am I misunderstanding something?
Upvotes: 2
Views: 2262
Reputation: 318578
If a CA under your control is trusted in all browsers used by employees it's easily possible:
The company proxy needs to create certificates resembling the original certificate on the fly and present those certificates to the clients. All information could be taken from the real certificate, the only difference would be in the CA signing the certificate.
However, at least Google Chrome would complain for Google-owned domains since it has an explicit whitelist of which CAs may sign certificates used for Google domains.
Upvotes: 5
Reputation: 2915
On a company network, the company's own SSL CAs are often installed on all machines. In this case, a company proxy can present a company certificate which will be accepted by the browser, and read the traffic.
If you look at the certificate details (found in your browser's address bar), you can check if it is the expected certificate of the remote server, or if it is another certificate created by the company.
You can use for example http://www.sslshopper.com/ssl-checker.html#hostname=www.google.com to check what certificate it's supposed to be. (Obviously change the hostname to whatever server it is you want to use.)
Upvotes: 2
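One way to do the check this answer describes from a script, as an added example that is not part of the original answer: it connects using the local trust store (the store a corporate proxy's CA would have been installed into), then compares the issuer organisation and, optionally, the SHA-256 fingerprint of the presented leaf certificate against reference values obtained out of band. The hostname and expected issuer in the `__main__` block are placeholders, not values from this page.

```python
import hashlib
import socket
import ssl


def rdn_value(name_tuple, attr):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() issuer/subject."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def fingerprint(der):
    """Hex SHA-256 of the DER-encoded certificate, the value most checkers display."""
    return hashlib.sha256(der).hexdigest()


def classify(cert, der, expected_issuer_org, expected_sha256=None):
    """Compare the certificate actually presented against what we expect.

    cert: dict as returned by SSLSocket.getpeercert()
    der:  bytes as returned by getpeercert(binary_form=True)
    Returns 'ok', 'fingerprint-mismatch' or 'issuer-mismatch'.
    A proxy-minted certificate copies the subject but not the issuer, so the
    issuer check alone already catches the scenario described above.
    """
    if expected_sha256 and fingerprint(der) != expected_sha256.lower():
        return "fingerprint-mismatch"
    if rdn_value(cert.get("issuer", ()), "organizationName") != expected_issuer_org:
        return "issuer-mismatch"
    return "ok"


def inspect_host(hostname, expected_issuer_org, expected_sha256=None, port=443):
    """Connect with the default (local) trust store and classify the leaf.

    If verification fails, the presented certificate is not trusted locally,
    i.e. any interception is visible to the user rather than transparent.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert, der = tls.getpeercert(), tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        return "untrusted: " + str(exc)
    return classify(cert, der, expected_issuer_org, expected_sha256)


if __name__ == "__main__":
    # Placeholder reference values; obtain the real ones from outside the monitored network.
    print(inspect_host("www.example.com", "Expected CA Organisation"))
```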
Reputation: 3025
It's partially true: the process you describe would work but the client would be notified that the server certificate is not the expected one (not certified, assigned to another site). So it's not possible to do it transparently and without them knowing, but that may be acceptable in a corporate environment.
Upvotes: 1