Question
I'm looking into using mitm-proxy, but part of the process of filtering/snooping SSL is that you must generate and install a root cert as a trusted CA, so that mitm-proxy can generate and throw out fake certs on the fly. This seems like a potentially huge security hole to me though. I'm wondering what are the implications exactly, the risks and how can one go about mitigating them? To be more specific, couldn't a malicious application simply abuse this cert? If so, how can one prevent it?
Let me further clarify. Let's say I want to install the cert because I want to use mitm-proxy. But, now there's a cert that the entire system trusts as an authority. Could this not be abused by a malicious program?
Explanation / Answer
The certificate file by itself does not pose a threat. When you load it into your browser it only lists it as a trusted source.
That means that any certificate signed by that issuer should be trusted and thus allow you to connect to a site.
Without access to the corresponding private key (which should be only present in the proxy), it cannot be used to sign a new certificate, just as any other trusted CA you have already in your browser, like VeriSign, GlobalSign, Thawte, etc.
Your custom CA should be strong enough to avoid being broken too easily (just use 2048-bit and SHA-1 or higher), but as long as you keep your private key safe, it would be like any other CA in your system.
The only security concern that you should take seriously into account is what the proxy trusts, as all the systems that use that proxy would "share" its weaknesses.
If you configure the proxy itself to verify the certificates from third party sites and refuse to connect to sites with bad certs (expired, wrong name, unknown CA, and such), you should be safe.
Note: sites that ask for client certificates to authenticate will not work under this scenario, as the client certificate and its private key would reside on the client browser, so the proxy will not be able to use them. Use an exception list for such sites to allow the clients to connect without doing the mitm if in need.
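An added check, written for this page and not part of the question or answer above, for the "keep the private key on the proxy" point: before a PEM file is distributed to clients as a trusted root, confirm it carries exactly one certificate and no private key of any kind. It assumes the standard PEM layout and uses constructed payloads in place of real certificate or key material.

```python
import re
from base64 import b64decode, b64encode
from typing import Dict, List

# One PEM block: label, base64 body, matching END label. DOTALL so the body spans lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _fake_block(label: str, payload: bytes) -> str:
    """Build a syntactically valid PEM block around a constructed payload (not real key material)."""
    body = b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: a cert-only file, and the same cert bundled with its private key.
CERT_ONLY = _fake_block("CERTIFICATE", b"constructed stand-in for a CA certificate")
CERT_AND_KEY = CERT_ONLY + _fake_block("RSA PRIVATE KEY", b"constructed stand-in for a CA private key")


def pem_blocks(text: str) -> List[str]:
    """Return the label of every PEM block, in order; raises ValueError on a corrupt base64 body."""
    labels = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels


def audit_client_ca_file(text: str) -> Dict[str, object]:
    """Decide whether a PEM file is fit to hand to clients as a trusted root.

    Safe means exactly one CERTIFICATE block and nothing else: a private key of any
    kind in the same file would let whoever reads it mint certificates the client trusts.
    """
    labels = pem_blocks(text)
    certs = sum(1 for label in labels if label == "CERTIFICATE")
    key_present = any("PRIVATE KEY" in label for label in labels)
    return {
        "certificates": certs,
        "private_key_present": key_present,
        "safe_to_install": certs == 1 and not key_present and len(labels) == 1,
    }


if __name__ == "__main__":
    for name, data in (("cert-only", CERT_ONLY), ("cert+key", CERT_AND_KEY)):
        print(name, audit_client_ca_file(data))
```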