[squid-dev] proof of concept for mitm attack for all ssl including pinned certificates
Steve Hill
steve at opendium.com
Wed Oct 4 13:08:49 UTC 2017

On 27/09/17 18:51, Eliezer Croitoru wrote:
> What exactly do you mean by proof of concept for such an attack?
> With commodity hardware and normal budget you cannot attack a pinned certificate.
> The only "efficient" way to enable such an attack would be to patch the client side OS memory or Binary.

Pinning is _supposed_ to be disabled in cases where the certificate
presented by the website is signed by a root certificate that was
imported by the user, rather than in the device's default certificate
store. So in theory, a website with a pinned certificate can still be
man-in-the-middled by Squid in the usual way, since Squid's CA
certificate would have been manually imported into the device.

In practice, web browsers tend to follow this rule, but apps don't - for
example, you can MITM communications between Chrome and Facebook's
servers, but you can't MITM communications between the Facebook Android
app and Facebook's servers.

The situation is further complicated by the fact that Android 7 disables
the use of the user's trusted certificate store by all applications
unless they specifically opt into it. This renders Squid's sslbump
functionality practically useless for those devices, even though the
user has consented to being MITM'd by importing Squid's CA certificate.

https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

(For what it's worth, our business is supplying esafety systems to
schools, and we are of the opinion that Google have ruled Android
devices out of the British education sector because schools cannot meet
the UK government's safeguarding requirements when Android 7 devices are
in use on their network).

--
- Steve Hill
Technical Director
Opendium Online Safety / Web Filtering http://www.opendium.com

Enquiries                 Support
---------                 -------
sales at opendium.com     support at opendium.com
+44-1792-824568           +44-1792-825748
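
The opt-in described in the message above is declared in an app's Android Network Security Configuration file. The following is an added example, not part of the original post or of Squid: a small audit that reads such a file and reports, per domain, whether user-installed CAs (such as an inspection proxy's CA) are trusted and whether they bypass pins. The sample XML and the domain `intranet.example` are constructed; `debug-overrides` is ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an app's res/xml/network_security_config.xml.
SAMPLE = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">intranet.example</domain>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user" overridePins="true"/>
    </trust-anchors>
  </domain-config>
</network-security-config>"""

def anchors(node, inherited):
    """Return {src: overridePins}; inherit when node sets no trust-anchors."""
    ta = node.find("trust-anchors") if node is not None else None
    if ta is None:
        return inherited
    return {c.get("src"): c.get("overridePins", "false") == "true"
            for c in ta.findall("certificates")}

def audit(xml_text, target_sdk=24):
    """Map each scope ('*' = base config) to its handling of user-installed CAs."""
    root = ET.fromstring(xml_text) if xml_text else None
    # Platform default: apps targeting API 24+ (Android 7) trust system CAs only;
    # apps targeting API 23 or lower also trust the user store.
    default = {"system": False} if target_sdk >= 24 else {"system": False, "user": False}
    base = anchors(root.find("base-config") if root is not None else None, default)
    report = {"*": {"user_ca": "user" in base, "override_pins": base.get("user", False)}}

    def walk(parent, inherited):
        # Nested domain-config elements inherit from their parent.
        for dc in parent.findall("domain-config"):
            a = anchors(dc, inherited)
            for d in dc.findall("domain"):
                report[d.text.strip()] = {"user_ca": "user" in a,
                                          "override_pins": a.get("user", False)}
            walk(dc, a)

    if root is not None:
        walk(root, base)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Passing `None` as the XML models an app that ships no configuration file, so the result depends only on `target_sdk`.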