What does an HTTPS proxy and a man-in-the-middle attacks have in common?

[temporaryuser]

Hi everyone,

I just stumbled upon this tweet: https://twitter.com/MacLemon/status/712278845425115136

Can somebody explain to me what it is that MacLemon is complaining about?

Cheers

[AdSchellevis]

Hi temporaryuser,

I can't tell you what he's complaining about (you should ask him obviously), but I can explain what feature we added.

Most modern next generation firewalls provide the possibility to do deep packet inspection to guard your network against all different kind of threads (IPS).

As part of deep packet inspection some also provide the possibility to use a transparent web proxy between your network and the internet, but to be able to do so for most new websites on the internet these days, you need to support SSL decryption/encryption on the firewall. Which is what we will provide (optionally, not enabled by default) as of version 16.1.9.
When this feature is enabled, you could for example also block malicious or inappropriate sites for the users on your network.

This feature has been requested many times, and now its (almost) available.

Some background about the subject (and users requesting it):

https://github.com/opnsense/core/issues/460
http://wiki.squid-cache.org/Features/HTTPS

There are security implications by using this feature, because your introducing a "man in the middle" between your clients and the sites they are visiting, for banking sites its therefore highly recommended to add them to the exclude list.
Its up to the system administrator if he/she decides to use this feature or not, like I said.... its disabled by default.

Cheers,

Ad

[Zeitkind]

Can somebody explain to me what it is that MacLemon is complaining about?

The problem with intrusion detection is quite simple: You can only block bad thing if you see the bad things.
For years now, accessing simple webpages = use not encrypted http. But things start to change and more and more people and companies like Google start promoting using encrypted https instead. This may be fine for your personal privacy, but it's a bad idea if you are a network admin which is trying to block bad things on the firewall. Https means end-to-end encryption and no firewall is able to look inside the traffic. Not for good reasons (block trojans) and not for bad reasons (kill privacy). So e.g. in a company, you have to decide to either block https or somehow break the privacy by decrypting all traffic at the firewall. Every firewall which is able to analyze (and therefor able to block trojans and exploits) https-traffic is more or less the same as a man-in-the-middle-attack. Most proxys like squid or Microsofts ISA are able to proxy https for many many years, but it was normally only used in companies. Nowadays, with more and more sites using https as default and malicous ads also using https (and bypass any AV-filter this way), it is a rising risk to allow unfiltered https and therefor more people like to have the possibility to also filter https-traffic.

[weust]

I saw the Tweet as well, and it made me think that the poster fixates on "man in the middle" too much.
A man in the middle is not a bad thing by definition (whether that is true or not for a fact, I do no know tbh), it's like escalating something.
You escalate because things get out of control, or because something needs to be done. It can be either negative or positive.

In this case, if you can't trust your own firewall/IPS then what can you trust between your clients and the internet?

[temporaryuser]

Dear all,

thank you very much for your detailed explanations, they where very helpful for me to understand the matter.

Cheers
temporaryuser

[temporaryuser]

<moved my answer to a separate topic: https://forum.opnsense.org/index.php?topic=2531.0>

[Zeitkind]

In this case, if you can't trust your own firewall/IPS then what can you trust between your clients and the internet?

I don't think it's a matter of trusting _your_ firewall - but the firewall you have to use at the place you connect to the internet. This may be your office (and trust your company and company network admin) or your school (and trust your teachers) or your home (and trust the one that is managing your firewall). At home, you normally don't have e.g. a Windows AD and won't autotrust your AD certificates. So you have the control to either trust or not trust a firewall certificate (which is needed for a https-proxy). In a company or school you won't have the control. Your OS will likely autotrust any certificates the firewall will present, in fact, you won't even see any sign of all that decryption stuff taking place at the firewall. So, yes, it is a kind of man-in-the-middle-attack but better call it firewall-in-the-middle-protection. It can be misused as an attack, but that depends on local privacy laws and other stuff like agreements between works committee and management or works/company agreements. In most contries a misused firewall to break privacy will be a violation of law, an infringement if the user is not informed that all traffic is observated. But not all contries are as free as mine..
Anyway, using a proxy for https is only a good idea if you really know what you are doing and should be avoided for eg. banking and other things like that. Therefor all proxys can handle exception lists you can and should manage.

[temporaryuser]

Hi all,

Is there actually a way that someone can protect himself from a HTTPS proxy, or at least get knowledge about if a HTTPS proxy is in between, e.g. when he is logging into a foreign WLAN?

Cheers

[franco]

Certificates are not trusted by default unless someone stole a root certificate that is being used to fake other website's certificates. In that case, however, all of the Internet is at risk at the same time.

It's getting ever important to not directly trust odd certificates with unknown chains and/or verify fingerprints. "Permanently accept this exception" being checked by default is a good example of how Firefox got that wrong and still provides a way to push users down a dangerous alley.

MITM is a risk, but it's a visible risk unless we talk about things like DROWN that build on other weaknesses that elude the scope of a valid end-to-end encryption. In a normal HTTPS proxy scenario you log onto your website and get a security warning. You can inspect the certificate, it will probably match e.g. the WiFi you're currently using. You can accept this state by continuing to browse, knowing that the server side of the encryption may be prone to lower security standards or bad defaults that could leak your credentials even though you're using a strong connection to the proxy.

In the day to day cases, it's up to you to say no and take your connection to another network.

[temporaryuser]

Hey franco, thank you for this great explanation!

Cheers
temporaryuser

[Zeitkind]

Is there actually a way that someone can protect himself from a HTTPS proxy, or at least get knowledge about if a HTTPS proxy is in between, e.g. when he is logging into a foreign WLAN?

A foreign (guest-)WLAN should _never_ ever use a https-proxy. This is a very bad idea and a very bad setup.
If you connect to an internal foreign company WLAN - this itself is a no-go (for this company..) - you likely will see a certificate warning and a certificate based on that companies Active Directory or simular trust chain. For your computer is not member of that AD it won't automatically trust this certificate and will show a warning.
A guest WLAN should have unrestricted access to the internet - or at least do not filter/proxy http nor https. It may be restricted to several ports (common are dns, http, https, imap, pop3, submission, imap-ssl, pop3-ssl) but should not use a transparent proxy or even https-proxy. In such a case I recommend not to use this WLAN.
Same is for any free WLAN or WLAN's in universities, schools, restaurants, airports etc.