
I noticed an interesting thing. Every time I access an SSL-enabled website like chase.com in my company, the SSL certificate is not from a well-known CA like VeriSign but from the IT department of my company. We use a dynamic proxy (I don't know how to explain it, but we don't need to set it up in the IE->connection section, for sure) for every internet access. I was guessing that the proxy changes the SSL certificate to our IT's own certificate. My guess: every time an SSL connection starts, the proxy takes my HTTPS request, gets the certificate (let's call it SSL_Chase, for both SSL and the symmetric key for data encryption) from the website like chase, changes the certificate to our own IT certificate (let's call it SSL_IT) and sends it with the response to me. I fill out the user name and password, my machine uses SSL_IT to encrypt my data, and our proxy gets it and decrypts it. Then the proxy encrypts it using SSL_Chase and sends it to chase. So chase thinks our proxy is me and I think our proxy is chase, except the IT certificate is not from chase (I think most users won't notice it). This means the IT department knows everything we send to chase and chase sends to me!! I was wondering if my guess is possible, from the SSL connection algorithm point of view. Hope anybody can give me a hint.

Thanks a lot!

Frank

3 Answers


It probably goes like this: you have your IT department's certificate as a trusted root certificate on your computer. When you browse to an HTTPS address, the proxy generates a certificate for that site on the fly, signed by the certificate that's trusted by your browser. You then communicate with your proxy, and the proxy communicates with the real site. Both "legs" of the travel are over SSL/TLS, so you're safe from a random man in the middle, but your IT department can theoretically view all the communication.

On Freund
  • @user299230 this is 100% impossible. The proxy is unable to do what is described here unless it has access to the IT department's trusted certificate's private key, which again is most unlikely, indeed a *prima facie* security breach on its own. More likely the proxy has its *own* SSL certificate, i.e. is a trusted SSL endpoint to your client, and has its own notion of which external servers are trusted. – user207421 May 01 '11 at 10:10
  • BTW, don't take my word for it - [listen to proxy vendors](http://www.google.com/url?sa=t&source=web&cd=8&ved=0CFsQFjAH&url=http%3A%2F%2Fwww.bluecoat.co.jp%2Fdownloads%2Fmanuals%2FSGOS_DG_4.2.x.pdf&rct=j&q=proxy%20certificate%20intercept&ei=OH69Tb2MJ9Gz8QPh9vXdBQ&usg=AFQjCNFwapYoIM6wuBO2kMYe3kmpApl9qA&cad=rja). See page 15, for example. – On Freund May 01 '11 at 15:50
  • With respect, page 15 doesn't say that. It says that the proxy has its *own* issuer, which must be trusted by the client to avoid popups. That's not the same thing as what you described, which it seems to me amounts to spraying the IT department's private key all over the place. – user207421 May 02 '11 at 04:26
  • Page 15 is clear enough. What you wrote isn't. Period. – user207421 May 02 '11 at 10:36
  • Correct me if I'm wrong, but if the proxy is not passing along the remote server's (chase's) certificate, but rather is issuing an "emulated" certificate, then it doesn't matter whether the proxy has access to the IT department's private key. The proxy can just use its own private key. So yes, then the proxy—and the IT department that controls it—can read the request and response bodies passing through as clear text. – greim Feb 06 '12 at 04:19

This is a classical "man in the middle" approach, from a proxy's perspective. It's your browser's responsibility to warn you that the certificate presented doesn't match the site you are visiting. If you are using IE, your IT department most likely pushed the corresponding CA to you as a trusted CA, so your browser trusts it automatically. For other browsers, not using the Windows Cert Store, it's also possible, but a bit harder to do. Either way, an unsuspecting user can be led to believe that the information is transmitted in a direct SSL link to Chase, when it's not. In either case, you should still get a browser warning, if the proxy has the corresponding feature for the CONNECT verb.

dawebber
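The two answers above describe one chain-of-trust argument: the proxy mints a certificate for whatever host the user asked for and signs it with a CA it controls, and the only thing that decides whether the browser warns is whether that CA sits in the client's trust store (and whether the certificate names the host that was typed). The Go program below is an added example for this thread, not code from any answer or from a proxy vendor. It builds a constructed "IT root", mints a leaf for chase.com the way an intercepting proxy would, and replays the browser's decision three times: against a stock trust store (rejected as an unknown authority), against a store with the IT root pushed in (accepted with no warning, which is what Frank sees), and with a hostname mismatch (rejected, the warning dawebber describes). It also records the one clue that survives a pushed root: the issuer name on the presented certificate. All names and keys are generated in-process and labelled as constructed; nothing here is a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for the example; no real CA, host key or company is involved.
const (
	interceptedHost = "chase.com"
	itRootName      = "Example Corp IT Root CA (constructed)"
)

// issue generates a key pair for tmpl and signs it on behalf of parent; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes the root the IT department pushes into every managed machine's store.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate is what the proxy fills in on each CONNECT: a server cert naming the requested host.
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// clientAccepts replays the browser's decision: chain to a trusted root and name the typed host. nil means no warning.
func clientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Outcome exposes each check so it can be asserted on, not just printed.
type Outcome struct {
	StockBrowserErr     error // store without the IT root: UnknownAuthorityError
	CorporateBrowserErr error // IT root pushed to the store: accepted silently
	WrongHostErr        error // IT root trusted, but the leaf names another host: HostnameError
	IssuerIsIT          bool  // the one clue left to the user: who issued the cert
}

// RunScenario builds the IT root, lets the "proxy" mint a chase.com leaf and checks it against both stores.
func RunScenario() (Outcome, error) {
	var out Outcome
	itRoot, itKey, err := issue(caTemplate(itRootName), nil, nil)
	if err != nil {
		return out, err
	}
	leaf, _, err := issue(leafTemplate(interceptedHost), itRoot, itKey)
	if err != nil {
		return out, err
	}
	stock, corporate := x509.NewCertPool(), x509.NewCertPool() // stock store has no IT root
	corporate.AddCert(itRoot)
	out.StockBrowserErr = clientAccepts(leaf, stock, interceptedHost)
	out.CorporateBrowserErr = clientAccepts(leaf, corporate, interceptedHost)
	out.WrongHostErr = clientAccepts(leaf, corporate, "example.org")
	out.IssuerIsIT = leaf.Issuer.CommonName == itRootName
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("stock browser:     %v\ncorporate browser: %v\nwrong host:        %v\nissuer is IT root: %v\n",
		out.StockBrowserErr, out.CorporateBrowserErr, out.WrongHostErr, out.IssuerIsIT)
}
```

Run it with `go run` and the corporate-store line prints `<nil>`: once the root is in the store, the browser has nothing to object to, which is why no warning appears on a managed machine. The remaining signal is the issuer chain, so the practical check for a user or a monitoring team is to compare the issuer of the certificate presented on the corporate network against the one the same site presents from an unproxied connection, or to pin the expected public issuers for sensitive destinations.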

Yes, a proxy can act like a Man in the Middle.

dhruvbird
  • Assuming that the proxy's certificate is trusted by the requesting computer – On Freund May 01 '11 at 05:28
  • Yes. And in this case, it seems like the user is getting a cert. warning because the cert does not belong to the web-site that is being browsed. You should be using a proxy that supports the HTTP CONNECT method for secure browsing – dhruvbird May 01 '11 at 05:31
  • My machine is given by our IT department. So I guess IT installs the CA already when I get the machine. So I don't see any warning. – Frank May 01 '11 at 05:40
  • @user299230 Yes, if the machine has been instrumented, then all bets are off. In fact they could even give you a tainted browser which never gives a cert. error – dhruvbird May 01 '11 at 09:17