Question
At work, I'm behind an NTLM proxy. When the SSL POODLE flaw came out, I hardened the configuration of my private server and found out that even if the client and server shared common ciphers, some configurations led to unsuccessful handshakes. I suspected the proxy of modifying the list of supported ciphers, and this problem came up again today when a website that I regularly visit stopped working, saying that the connection was downgraded to a version of TLS lower than the minimum required by the server, an operation that my web browser wouldn't do.
So I'm wondering, why would a corporate proxy behave like this if it wasn't in an attempt to weaken and spy on a connection? I checked the certificates; it doesn't attempt a MITM attack by issuing fake certificates. Then what is the point? If I still manage to get an SSL connection, should I consider it secure?
Explanation / Answer
I suspected the proxy to modify the list of supported ciphers and this problem came out again today when a website that I regularly visit stopped working saying that the connection was downgraded to a version of TLS lower than the minimum required by the server, an operation that my web browser wouldn't do.
It is not possible to just modify the ciphers within the handshake and leave the rest the same. Since the handshake is protected by a cryptographic checksum, this would cause a handshake error because the checksum inside the Finished message (the last part of the handshake) no longer matches.
Changes in ciphers can only be done with a real man-in-the-middle attack (or SSL interception, which is the same thing but sounds more friendly), where the man in the middle must change the server's certificate too. This is often done in companies to make scanning of SSL traffic for malware possible. The change of cipher is only a side effect of this, since with SSL interception you have independent SSL connections from the middlebox to the client and from the middlebox to the server.
I checked the certificates; it doesn't attempt a MITM attack by issuing fake certificates.
The contents of the server's leaf certificate, like subject, lifetime etc., often get replicated when doing SSL interception. But if you check the fingerprint, certificate chain and trust anchor (root CA), you will detect the difference.
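To illustrate the first point of the answer (that a proxy cannot rewrite the offered cipher suites without breaking the Finished check), here is an added example, not part of the original answer, that implements the TLS 1.2 PRF and Finished verify_data from RFC 5246 and compares the client's and server's view of the transcript. The master secret, ClientHello layout and the "rest of handshake" bytes are constructed placeholders, not a real capture.

```python
import hashlib
import hmac

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5) built on P_SHA256."""
    seed = label + seed
    a = seed                    # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """The 12-byte verify_data carried in a Finished message (RFC 5246, section 7.4.9)."""
    return tls12_prf(master_secret, label, hashlib.sha256(transcript).digest(), 12)

def client_hello(cipher_suites: bytes) -> bytes:
    """Constructed stand-in for a ClientHello body: fixed version and random plus the suite list."""
    return b"\x03\x03" + b"\x11" * 32 + len(cipher_suites).to_bytes(2, "big") + cipher_suites

def finished_checks_out(master_secret: bytes, client_view: bytes, server_view: bytes) -> bool:
    """The server recomputes the client's Finished over the transcript *it* saw;
    the handshake only completes if both views hash to the same verify_data."""
    sent = verify_data(master_secret, b"client finished", client_view)
    expected = verify_data(master_secret, b"client finished", server_view)
    return hmac.compare_digest(sent, expected)

# Constructed sample data (no real key exchange is performed here).
MASTER_SECRET = b"\x42" * 48                         # real value is derived during the handshake
OFFERED = bytes.fromhex("c02bc02fc02cc030")          # ECDHE suites the client actually offered
REWRITTEN = bytes.fromhex("c02bc02f00040005")        # same list after a hypothetical rewrite in transit
REST = b"<ServerHello..ClientKeyExchange, constructed>"

def untouched_handshake() -> bool:
    """Both ends saw the same bytes: Finished verifies, handshake completes."""
    return finished_checks_out(MASTER_SECRET, client_hello(OFFERED) + REST, client_hello(OFFERED) + REST)

def rewritten_handshake() -> bool:
    """Suite list changed between client and server: Finished fails, handshake aborts."""
    return finished_checks_out(MASTER_SECRET, client_hello(OFFERED) + REST, client_hello(REWRITTEN) + REST)

if __name__ == "__main__":
    print("untouched:", untouched_handshake())   # True
    print("rewritten:", rewritten_handshake())   # False
```

This is why an in-path box that wants to change ciphers has to terminate the connection itself and start a second one to the server, which is exactly the interception case (with its own certificate) described in the rest of the answer.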