From steve at opendium.com Wed Oct 4 13:08:49 2017
From: steve at opendium.com (Steve Hill)
Date: Wed, 4 Oct 2017 14:08:49 +0100
Subject: [squid-dev] proof of concept for mitm attack for all ssl including pinned certificates
In-Reply-To: <14ae01d337b9$4e2c9b60$ea85d220$@ngtech.co.il>
References: <1506525909045-0.post@n4.nabble.com> <14ae01d337b9$4e2c9b60$ea85d220$@ngtech.co.il>
Message-ID:

On 27/09/17 18:51, Eliezer Croitoru wrote:
> What exactly do you mean by proof of concept for such an attack?
> With commodity hardware and normal budget you cannot attack pinned certificate.
> The only "efficient" way to enable such an attack would be to patch the client side OS memory or Binary.

Pinning is _supposed_ to be disabled in cases where the certificate presented by the website is signed by a root certificate that was imported by the user, rather than in the device's default certificate store. So in theory, a website with a pinned certificate can still be man-in-the-middled by Squid in the usual way, since Squid's CA certificate would have been manually imported into the device.

In practice, web browsers tend to follow this rule, but apps don't - for example, you can MITM communications between Chrome and Facebook's servers, but you can't MITM communications between the Facebook Android app and Facebook's servers.

The situation is further complicated by the fact that Android 7 disables the use of the user's trusted certificate store by all applications unless they specifically opt into it. This renders Squid's sslbump functionality practically useless for those devices, even though the user has consented to being MITM'd by importing Squid's CA certificate.
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

(For what it's worth, our business is supplying e-safety systems to schools, and we are of the opinion that Google have ruled Android devices out of the British education sector because schools cannot meet the UK government's safeguarding requirements when Android 7 devices are in use on their network).

-- 
 - Steve Hill
   Technical Director
   Opendium    Online Safety / Web Filtering    http://www.opendium.com

   Enquiries                 Support
   ---------                 -------
   sales at opendium.com      support at opendium.com
   +44-1792-824568           +44-1792-825748

From rousskov at measurement-factory.com Wed Oct 4 14:58:46 2017
From: rousskov at measurement-factory.com (Alex Rousskov)
Date: Wed, 4 Oct 2017 08:58:46 -0600
Subject: [squid-dev] proof of concept for mitm attack for all ssl including pinned certificates
In-Reply-To:
References: <1506525909045-0.post@n4.nabble.com> <14ae01d337b9$4e2c9b60$ea85d220$@ngtech.co.il>
Message-ID:

On 10/04/2017 07:08 AM, Steve Hill wrote:
> Pinning is _supposed_ to be disabled in cases where the certificate
> presented by the website is signed by a root certificate that was
> imported by the user

What makes you think that? Is there a standard or specification that documents what a pinning application is supposed to do?

Alex.
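As an added illustration of the Android 7 behaviour Steve describes in his message above (this is not part of either message, nor Squid project code): since Android 7 (API 24) an app only trusts user-added CA certificates, such as a Squid sslbump CA the device owner has imported, if its Network Security Configuration says so. The file below is referenced from the app's AndroidManifest.xml as android:networkSecurityConfig="@xml/network_security_config"; the file name is an assumption, the element and attribute names are the documented ones. It trusts the system store everywhere and the user store only in debuggable builds, which is the usual developer choice and is why release builds of most apps ignore an imported proxy CA.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Applies to every connection the app makes.
         "system" = the device's built-in root store only; user-added
         CAs (the Android 7 default) are NOT consulted here. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Only honoured when the app is built with android:debuggable="true".
         Adding src="user" here is the opt-in to the user's trusted store,
         so an imported proxy CA is accepted in debug builds and ignored in
         release builds. Moving this block into base-config would opt the
         release build in as well. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

From a filtering-proxy operator's point of view the practical check is therefore per app, not per device: an app whose configuration lacks src="user" in its active trust-anchors will reject the proxy's certificate regardless of whether the user imported the CA, exactly the effect on sslbump that Steve reports.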