I haven’t had a lot to say the past month because I’ve been a very busy boy. As they say, I have a lot on my plate.
Unfortunately it is a plate full of shit. A variety of turds, but all shit nonetheless.
One of those turds is an evaluation of a “Secure Web Gateway” (SWG) from a manufacturer who will remain nameless.
One of the functions of this SWG is Data Loss Prevention (DLP). This box wants to know everything about anything that’s coming and going through the corporate firewall. Web pages, email, ftp sessions, you name it.
It accomplishes this by being very snoopy, to the point of sniffing SSL traffic as it passes in and out of the box.
And you thought SSL was secure, didn’t you?
Not when it goes through an Evil Proxy!
Especially not a proxy that spins faux SSL certificates on the fly, which is exactly what this thing does.
Nothing is safe. Credit card numbers? BAH! It eats them for breakfast. Those torrid emails you send to your significant other from your Yahoo account? BLAM! Laid bare for all to see. Nothing evades its steely, unimpassioned gaze.
You are 169% PWN3D if you’re unlucky enough to be stuck behind one of these suckers.
Do you scoff? Think you can get away with SSH tunnels? Think again. SSH is not SSL. Never has been, never will be. SSL wants certificates. SSH wants session keys. Your SSH tunnel will simply choke trying to get through. I know. I’ve tried.
So what is a L337 H@><0R to do?
Well, there is a half-solution out there. It’s called stunnel and it allows you to SSL-ify programs that don’t normally do SSL. It’s been around for ages. Since the turn of the century! Very mature. Very robust.
But there’s bad news.
THERE’S NO FUCKING PROXY SUPPORT!!!!! TEN FUCKING YEARS THIS GODDAMN THING HAS BEEN AROUND AND THERE’S NO FUCKING PROXY SUPPORT!!!!
Testing this SWG last week, I ran across the same exact problem with OpenSSL’s s_client tool. S_client allows you to peek into the SSL handshake between a server and a client to see what’s going on. BUT IT DOESN’T FUCKING SUPPORT PROXIES EITHER!
Jesus FUCKING Christ what is it with these people??? Proxies have been around a damn sight longer than SSL. Where is the love?
I was lucky enough to run across a patch to an EIGHT YEAR OLD version of OpenSSL that adds proxy support. It was never accepted by the OpenSSL geeks. WHY IS THAT? WHAT IS THE PROBLEM? In spite of its advanced age, it worked perfectly during my testing.
And, luckily enough, I found a patch for a five year old version of stunnel. I haven’t tested it yet, but at least it compiles (although Cygwin barfs all over it at link time).
So what is the point?
Like I said, SSH is not SSL. The SWG expects a browser-like connection on the inside and a Web server-like connection on the outside. SSH through a (normal) proxy is a simple HTTP “CONNECT”, a straight-through pipe with no muss or fuss. You need to make the SWG think you have a browser/server handshake going on before it will make the pipe. Once the pipe is there it will decrypt everything going through it in order to look for naughty bits.
At the point the pipe starts flowing, you just shove your own encrypted tunnel through it. It can hack away at that traffic all it wants, it’s not going to find any naughty bits. And if your encrypted tunnel terminates at an obfuscated-openssh server, you are doubly protected since it will never see the initial SSH key exchange (it may not even be looking for it but… You Never Know).
But… and this is a BIG BUT… if the SWG is built right – and I’m 99% certain it’s not, given the dismal track record of this particular vendor – it should be able to tell that the data going through it is encrypted and kill the session (which seems – to me – like the Right Thing To Do if you’re truly concerned about Data Loss Prevention). Worst case it will either eat up CPU cycles or outright crash and burn. Best case, it will pass the traffic without making a peep or logging anything at all.
Whatever the outcome, it will be reported here!
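For the “built right” case above, here is what the check on the gateway’s side could look like: once the SWG has opened the CONNECT pipe and stripped the outer TLS, it looks at the plaintext it recovered and asks two questions. Is this a browser/server conversation at all (TLS ClientHello or HTTP request) or is it an SSH identification string? And, banner or no banner (the obfuscated-openssh case), does the payload still look like ciphertext, i.e. does it have the byte entropy of random data rather than of web pages and email? This is an added illustration written for this post, not the vendor’s code and not anything from the stunnel or OpenSSL projects. All sample byte strings are constructed in the block (the “ciphertext” is a deterministic SHA-256 counter stream standing in for a real tunnel), and the function names, thresholds and the `kill`/`pass` policy are my own assumptions about how such a box would be wired, not a description of any real product.

```python
import hashlib
import math
import zlib
from collections import Counter

# --- Constructed samples; none of these are captures from the SWG or a real session ---

def _constructed_ciphertext_like(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic SHA-256 counter stream: a stand-in for ciphertext or an obfuscated SSH stream."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

# TLS record header (type 0x16 = handshake, version 3.1), then a ClientHello handshake header.
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("16030100c5010000c10303") + b"\x00" * 32
SAMPLE_SSH_BANNER_STREAM = b"SSH-2.0-OpenSSH_8.9\r\n" + _constructed_ciphertext_like(2048)
SAMPLE_HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
SAMPLE_PLAINTEXT = b"Quarterly numbers attached. Please keep this inside the company. " * 40
SAMPLE_OBFUSCATED = _constructed_ciphertext_like(4096)   # no banner at all: noise from byte 0
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_PLAINTEXT + _constructed_ciphertext_like(2048))


def classify_pipe_start(data: bytes) -> str:
    """Guess which protocol is starting on a freshly opened (and, if TLS, already decrypted) pipe.

    A browser-like client opens with a TLS record: content type 0x16 (handshake),
    version bytes 0x03 0x0X, and a handshake header whose type byte is 0x01 (ClientHello).
    An SSH client opens with its identification string, e.g. "SSH-2.0-...".
    """
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"OPTIONS", b"DELETE", b"CONNECT"):
        return "http"
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Magic numbers of legitimately random-looking content a DLP box must not mistake for a tunnel.
COMPRESSED_MAGIC = (
    b"\x1f\x8b",                              # gzip
    b"\x78\x01", b"\x78\x9c", b"\x78\xda",    # zlib streams (levels 1, 6, 9)
    b"PK\x03\x04",                            # zip
    b"\x89PNG",                               # PNG
    b"\xff\xd8\xff",                          # JPEG
)


def is_known_compressed(data: bytes) -> bool:
    return any(data.startswith(magic) for magic in COMPRESSED_MAGIC)


def looks_encrypted(data: bytes, window: int = 2048, min_len: int = 512, threshold: float = 7.5) -> bool:
    """Heuristic: does a stream the gateway has already decrypted still look like ciphertext?

    Short samples are not judged (k bytes cannot exceed log2(k) bits of entropy), and known
    compressed or image formats are exempted by magic number, because they are just as
    random-looking as ciphertext but perfectly legitimate web content.
    """
    if len(data) < min_len or is_known_compressed(data):
        return False
    return shannon_entropy(data[:window]) >= threshold


def inspect_decrypted_stream(data: bytes) -> dict:
    """Verdict a DLP proxy could reach on the plaintext it recovered from an intercepted pipe.

    Policy (an assumption for this example): an SSH banner, or a payload that still looks
    encrypted, means a second layer the box cannot inspect, so the session is killed.
    """
    start = classify_pipe_start(data)
    nested = looks_encrypted(data)
    action = "kill" if (start == "ssh" or nested) else "pass"
    return {"start": start, "nested_encryption": nested, "action": action}


if __name__ == "__main__":
    for name, sample in [("tls", SAMPLE_TLS_CLIENT_HELLO), ("ssh", SAMPLE_SSH_BANNER_STREAM),
                         ("http", SAMPLE_HTTP_REQUEST), ("plaintext", SAMPLE_PLAINTEXT),
                         ("obfuscated", SAMPLE_OBFUSCATED), ("compressed", SAMPLE_COMPRESSED)]:
        print(f"{name:10s} {inspect_decrypted_stream(sample)}")
```

Two things worth noticing. The plain SSH tunnel is caught by its banner before any entropy is measured, which is presumably why the SWG in the post “chokes” on SSH today; the obfuscated stream has no banner and is only caught by the entropy test. And the magic-number exemption is a trust decision: everything matching it is waved through unexamined, so a gateway that relies on this check should also validate that the container really is gzip or a PNG, rather than taking the first bytes at their word, and should log every session it kills so that the “eat CPU or crash silently” outcomes are at least visible.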