Web-based applications rely on the HTTPS protocol to guarantee privacy and security in transactions ranging from home banking, e-commerce, and e-procurement to those that deal with sensitive data such as career and identity information. Users trust this protocol to prevent unauthorized viewing of their personal, financial, and confidential information over the Web. The Internet Engineering Task Force (IETF) adopted it in 1999 as a standard known as Transport Layer Security (TLS)2 to secure HTTP into HTTPS.
Consequently, most people consider HTTPS-based data exchanges safe, and the average user tends to trust the Web application as soon as the “lock” symbol appears. In this article, we show the danger of that assumption by demonstrating how attackers can successfully intercept the data transfer and corrupt the safety of the communication.
The man-in-the-middle (MITM) attack exploits the fact that the HTTPS server sends a certificate with its public key to the Web browser. If this certificate isn’t trustworthy, the entire communication path is vulnerable. Such an attack replaces the original certificate authenticating the HTTPS server with a modified certificate. The attack is successful if the user neglects to double-check the certificate when the browser sends a warning notification. This occurs all too often—especially among users who frequently encounter selfsigned certificates when accessing intranet sites. The below figure shows how the attacker builds the attach in following steps:
Act as a gateway (MITM) between the CH and the LAN default router.
• Forward CH requests to connect to the SH to the default gateway without any interference.
• Intercept SH replies forwarded by the LAN default gateway.
• Create a false self-signed certificate to replace the original.
• Send the false certificate to the CH.
• When the CH accepts the certificate, build an encrypted channel between the CH and the attacker and another between the SH and the attacker.
At the end of these phases, the CH and the SH see an apparently secure communication channel between them. In reality, the attacker has the ability to decrypt the entire communication because he or she possesses the necessary keys.
The MITM attack is realized by maliciously modifying the Address Resolution Protocol (ARP) and Domain Name System protocol(DNS). Hosts rely on the MAC address to deliver IP datagrams, using the ARP protocol to find the matching IP and MAC addresses. As the ARP requests are broadcasted, the attacker can read them and learn the MAC addresses of other LAN hosts. The attacker then implements ARP spoofing by impersonating MAC addresses of other hosts. By corrupting the matching between IP and MAC addresses, the attacker receives traffic from or to a given IP address. Thus, we can come to the conclusion that it is possible to attack web based connections in HTTPS.
Authored By - Mahindra Kubsad
TCS Cyber Security Practice