[sriram_sun]

FTA: "Using a combination of proxies, modified DNS records, sslsplit and a new CA certificate installed in Windows, we were able to inspect all traffic, including HTTP and XMPP, in our test environment."

I have setup wireshark for troubleshooting. That's about it. What's the role of proxies, modified DNS records etc. in this setup? How can I duplicate this?

Thanks.

[e12e]

In addition to what others have mentioned - you could probably find the session keys in ram - but for a system without debug knobs, injecting your own certificate authority is probably easier.

For stuff using nss(Firefox)/openssl/gnutls - you can usually just ask nicely for a copy:

> The key log file is a text file generated by applications such as Firefox, Chrome and curl when the SSLKEYLOGFILE environment variable is set. To be precise, their underlying library (NSS, OpenSSL or boringssl) writes the required per-session secrets to a file. This file can subsequently be configured in Wireshark

https://wiki.wireshark.org/TLS#TLS_Decryption

https://gnutls.org/manual/html_node/Debugging-and-auditing.h...

[1vuio0pswjnm7]

With DNS one can avoid having to use the firewall for redirection

sslsplit documentation actually suggests DNS as an alternative to using firewall

Theres a number of easy-to-use UNIX firewalls. Not sure about Windows

Proxies allow easy inspection of HTTP traffic, among other things. Arguably sslsplit is itself a proxy, specifically a forward proxy

There are many ways to monitor HTTP traffic. More than one way to do it

Why doesnt Zoom use certificate pinning

(I avoid using sites/apps that force use of third-party controlled pinned certificates. What are they trying to hide from the user)

[Wowfunhappy]

Certificate pinning makes it impossible to examine what the software on my own machine is sending over my network! Please don't do that.

[fn-mote]

Isn't certificate pinning what keeps my employer from MITM'ing my personal email session on their network?

[1vuio0pswjnm7]

As an employer I would prefer employees not to use the corporate network for personal email. The network exists for business use.

As an employee I prefer not to use the corporate network for truly personal email.

If I am the employer that responsibly monitors the traffic to and from our network, including TLS traffic, an employee that uses our network for personal use with a surveillance "tech" company service such as Google Mail, Facebook, etc. is putting her own privacy at risk. Because I can extract her cookies from the traffic, all she has to do is forget to log out once and I now have a "bearer token", i.e., a cookie, with no expiration,^1 that lets me access her account at any time in the future.

1 The type of cookie that lets users stay "logged in" indefinitely. A non-"tech" company with sufficient legitimate sources of revenue besides online ads may not use such cookies. For example, if an employee logs in to her personal bank account using the corporate network but forgets to log out, the bank website will log her out automatically, the cookies will expire.

[xxpor]

>As an employer I would prefer employees not to use the corporate network for personal email. The network exists for business use.

And as an employee that actually exists in 2021, I'd tell you to get a clue.

>As an employee I prefer not to use the corporate network for truly personal email.

And that's your preference. If you think everyone shares that preference or even realizes the implications you're delusional.

>If I am the employer that responsibly monitors the traffic to and from our network, including TLS traffic, an employee that uses our network for personal use with a surveillance "tech" company service such as Google Mail, Facebook, etc. is putting her own privacy at risk.

No, you're putting them at risk by MITMing their traffic. There's absolutely nothing that forces you to do that. If you don't have separation between the network where humans live, and where The Business lives, that's what's irresponsible.

[tbrownaw]

... As someone who exists in 2021, I have a smartphone. Why would I want to do my stuff on someone else's machine?

[nitinreddy88]

Probably you might need to re-read your employee agreement. Some of these policies are clearly stated and you signed up for them when you are employeed

[Thorrez]

I assume you're talking only about employees using corporate devices on the corporate network. If the employee can connect a personal device to the corporate network the employee will be safe from the MITM.

[1vuio0pswjnm7]

"If the employee can connect a personal device to the corporate network..."

Why not use the cellular network.

[PeterisP]

Basic TLS is sufficient to stop your employer from MITM'ing your personal email session as long as you control what certificates your machine trust.

Certificate pinning is what protects the main sites (who use pinning) from an advanced attacker or a rogue government who are able get a proper CA to issue fake certificates.

[Silhouette]

Basic TLS is sufficient to stop your employer from MITM'ing your personal email session as long as you control what certificates your machine trust.

Which, on almost any employer-issued device on a large corporate network today, you won't.

Personal stuff goes on personal devices with personal connectivity and uses personal accounts with personal security. Work stuff goes on work devices with work connectivity and uses work accounts with work security. Contaminating either with the other is just a recipe for bad things happening, often for both the employer and the employee.

[staticassertion]

By contrast, I'm typing on a work computer right now. We deploy no special certificates to attempt to MITM traffic, nor will we ever.

I'm using a Chromebook, which allows me to run multiple users at the same time, each with their own profiles. Each user has their own encryption keys for their hard drive. We have no corporate network, no VPN, and instead rely on attestation for authorization.

I prefer to use this device for personal use because I know how safe it is.

[Thorrez]

Yep. Pinning doesn't protect you, using a personal device protects you.

You mention needing to use personal connectivity. I don't think that's necessary. HTTPS should protect you from malicious networks.

[Thorrez]

You're checking your personal email on your work computer? Your employer can see that. One way would be through screen recording. But even without screen recording, your employer can install its own certificates. Chrome at least ignores certificate pinning if there are custom installed local certificates.

If you're on a personal device (e.g. your personal phone) on a work wifi, you're secure whether or not certificate pinning is used.

So I don't really see any situation in which certificate pinning will help you. The purpose of certificate pinning is to protect against malicious regular root CAs. It's not to protect against your employer or anyone else who can install custom root CAs on your machine, because they could also install malware that steals data directly from Chrome.

>Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor.

https://chromium.googlesource.com/chromium/src/+/refs/heads/...

[EvanAnderson]

No. Your employer can't MITM your personal email session if you don't trust their MITM proxy's CA.

[notatoad]

if your employer controls your work computer, they can set it to trust their MITM CA.

cert pinning means they can't do that unless they're also modifying yoru email client binaries.

[Thorrez]

It depends on your email client. If your email client is Chrome, then the pinning won't help you at all.

>Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor.

https://chromium.googlesource.com/chromium/src/+/refs/heads/...

[xnyhps]

The HTTP and XMPP traffic is encrypted using TLS. The proxies were used to decrypt, log and re-encrypt this traffic in real-time.

[jraph]

And the new certificate and DNS records are to make the proxy look legit to the Zoom client, which would otherwise not accept TLS connections. Especially if there are DNS records which specify which CA is used for the certificate.

[tialaramex]

> Especially if there are DNS records which specify which CA is used for the certificate.

If you're thinking of CAA, those records are not for anybody except the CAs. They're an indication to the CA "You may/ may not issue for these names" and explicitly never an instruction to clients about what's trustworthy.

It's unusual but completely sound to have CAA set to forbid all CAs, switch it to allow just one CA, get a certificate issued, then put it back to blocking them all again for a week or months. I'm not recommending that procedure, but it's sound and if any software can't handle that the software is broken.

The idea here is that all the public CAs are trustworthy but their procedures may not be a good match to your particular way of doing things. For example if a CA does ACME http-01 proof-of-control (like Let's Encrypt) and you let customers run arbitrary stuff on port 80 on your machines that's a bad combination, probably you should get your certificates from a CA which doesn't use ACME http-01 and restrict CAA.

[jraph]

Indeed, my mistake. Then I don't understand why they need to modify dns records.

[TobTobXX]

Not entirely sure if this I'm understanding this correctly (since it doesn't really make sense to me), but this is what they wrote almost at the end:

> Anything we did differently could influence the heap layout. For example, we noticed that adding network interception could have some effect on how network requests were allocated, changing the heap layout.