Re: DetecTor - client side detection of MITM, server impersonation, CA compromise

2013-09-27 Thread Kai Engert
On Mon, 2013-09-16 at 22:47 +0200, Kai Engert wrote: 
 DetecTor is an open source project to implement client side SSL/TLS MITM
 detection, compromised CA detection and server impersonation detection,
 by making use of the Tor network.

The integration of transparent client side probing into the NSS SSL
library code will take more time (and of course will trigger additional
future discussion, whether it actually should be integrated at all, or
how).

However, I've made progress regarding the server monitoring proposal.

I've updated the sphere-probe utility to support continuous probing of
services for unexpected certificates, and calling a user defined script
for alerting.

It's still an early version of the software and I'm looking for feedback
and testing. The tool could be used to monitor your own server for
network level attacks, such as:
- an attacker being close to your server and intercepting 
  requests to your server
- global DNS manipulation to redirect requests to a server 
  controlled by an adversary.

The tool uses the existing Tor network for probing from multiple remote
network locations (Tor exit nodes), and compares the certificate used by
a server against a local list of one or more expected certificates.

The sphere-probe utility (beta) is based on NSS and is available for
download from the http://detector.io project page. (Tested on Linux
only, and you'll have to build it yourself; step-by-step instructions
are available in the README.)

I'm looking forward to your feedback!

There's also a new mailing list available, for discussing the project.
I'll do most future announcements and project updates on the new list.

Regards
Kai


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
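One way to put the probe-and-compare step described in the message above (and in the original proposal further down) into code, as an added Python example that is not the sphere-probe tool itself: it fetches the certificate a server presents when reached through a SOCKS5 proxy (Tor's SocksPort, assumed to be at its default 127.0.0.1:9050) and judges what several vantage points saw against a local list of expected SHA-256 fingerprints. Directing each probe through a different Tor circuit is left to the caller.

```python
import hashlib
import socket
import ssl
from collections import defaultdict

TOR_SOCKS = ("127.0.0.1", 9050)  # Tor's default SocksPort; assumes a local tor daemon

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def evaluate(observations: dict, expected: set) -> dict:
    """observations: {vantage label: DER cert seen}; expected: trusted fingerprints.
    Any vantage point that received a certificate outside the expected set => 'alert'."""
    seen = defaultdict(list)
    for vantage, der in observations.items():
        seen[fingerprint(der)].append(vantage)
    unexpected = {fp: v for fp, v in seen.items() if fp not in expected}
    return {"verdict": "alert" if unexpected else "ok",
            "unexpected": unexpected,     # fingerprint -> vantage points that saw it
            "distinct_certs": len(seen)}  # > 1 means the routes disagreed with each other

def _read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection")
        buf += chunk
    return buf

def probe_via_socks5(host: str, port: int = 443, proxy=TOR_SOCKS, timeout=30) -> bytes:
    """Return the leaf certificate a server presents when reached via a SOCKS5 proxy.
    The CONNECT request carries the hostname (ATYP 0x03) so the proxy does the DNS lookup.
    Verification is off on purpose: observe whatever cert is presented, judge it with evaluate()."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(b"\x05\x01\x00")  # SOCKS5 greeting, one auth method: none
    if _read_exact(s, 2) != b"\x05\x00":
        raise OSError("SOCKS5 proxy refused the no-auth method")
    name = host.encode("idna")
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big"))
    _, rep, _, atyp = _read_exact(s, 4)
    if rep != 0:
        raise OSError(f"SOCKS5 CONNECT failed with reply code {rep}")
    addr_len = {1: 4, 4: 16}.get(atyp) or _read_exact(s, 1)[0]  # drain bound addr + port
    _read_exact(s, addr_len + 2)
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with ctx.wrap_socket(s, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)
```

A monitoring loop would call probe_via_socks5() once per vantage point, collect the results into the observations dict and hand evaluate()'s "alert" verdict to an alerting script, which is the role sphere-probe's user-defined script plays.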


DetecTor - client side detection of MITM, server impersonation, CA compromise

2013-09-16 Thread Kai Engert
I've started yet another project to solve the right key problem.

DetecTor is an open source project to implement client side SSL/TLS MITM
detection, compromised CA detection and server impersonation detection,
by making use of the Tor network.

In short, make use of the existing Tor network, perform multiple
connections to the destination server through multiple routes, check for
consistency in the use of certificates, and either fail or proceed
automatically, without user interaction.

The detailed description of the idea, including suggestions for the
handling of edge cases, can be found at http://detector.io/

I propose to create an implementation that transparently integrates this
functionality into the NSS library, without requiring application
changes. (Trigger the probing on the application's attempt to connect,
delay the connection by returning the would block status until the
probing has completed, then fail early if the probing result isn't
satisfactory.)

Activation of this new behaviour could potentially be driven by an
environment variable or by a compile time option. (Details or alternate
integration proposals can be discussed at a later time, once this
project moves forward.)

In order to make this approach possible, we must tunnel TLS connections
through a SOCKS5 proxy (which is the interface the existing Tor project
software offers).

I've ported Necko's SOCKS5 C++ implementation to plain C and propose it
for integration into either NSS or NSPR, see
https://bugzilla.mozilla.org/show_bug.cgi?id=916947

Looking forward to your feedback.

Regards
Kai
