Users susceptible to man-in-the-middle attacks due to corporate https inspection

A large number of companies use “security” products to inspect HTTPS traffic in order to detect malware and prevent other types of attacks. However, by decrypting and re-encrypting HTTPS connections they might inadvertently make their users more susceptible to man-in-the-middle attacks.

The U.S. Computer Emergency Readiness Team (US-CERT) warns in an advisory that HTTPS inspection products don’t mirror the security attributes of the original HTTPS connections between the client and the server (Mirror: HTTPS Interception Weakens TLS Security | US-CERT).

HTTPS inspection is deployed in companies to check the encrypted traffic coming from an HTTPS website and make sure it does not contain malware or any other type of attack. It basically performs a decryption and re-encryption of the client’s connection to an HTTPS server. The “security” product (proxy, web gateway, firewall etc.) establishes the connection on the client’s behalf by first decrypting the client’s HTTPS connection and then re-encrypting the traffic sent on to the HTTPS server. The client is served a different, locally generated certificate by the security product, which essentially performs a man-in-the-middle attack.

In some enterprise environments, an HTTPS connection may even be intercepted and re-encrypted multiple times. For example, at the network perimeter by a security gateway product and later, on the endpoint by a client’s antivirus program which needs to inspect the traffic for malware.

The problem revolves around the fact that the client’s browser no longer validates the real certificate issued by the server, because it is replaced with a locally generated certificate from the security product. Instead, the task of validating the server certificate now falls to the intercepting proxy.

According to the published advisory, those security products are evidently pretty bad at validating server certificates. An investigation conducted by researchers from Google, Mozilla, Cloudflare, and multiple universities states that the intercepted connections use weaker cryptographic algorithms (Source: interception-ndss17). The security products even advertise support for known-broken encryption ciphers, which would allow an active man-in-the-middle attacker to intercept and downgrade a connection in order to decrypt it.

The analysis by the researchers found that at least 32 percent of intercepted connections to e-commerce sites and 54 percent of intercepted Cloudflare HTTPS connections became less secure than they would have been if the user had connected directly to the server.

Browser makers have had a long time to properly understand the quirks of TLS connections and certificate validation. Therefore, there is no better client-side implementation of TLS, the protocol used for encrypting HTTPS connections, than the one found in modern browsers.
In comparison, security product vendors use outdated, customised TLS libraries into which they even back-port new protocol features. Re-implementing features found in newer libraries makes them susceptible to serious vulnerabilities.

Furthermore, US-CERT points out another widespread problem: many products intercepting HTTPS don’t properly validate the certificate chain presented by servers. Certificate-chain verification errors are infrequently forwarded to the client, leading the client to believe that it is talking to the correct server.

The BadSSL website allows organisations and even individual employees to check whether their HTTPS inspection products improperly validate certificates or allow insecure ciphers. The client test from Qualys SSL Labs also provides checks for some known TLS vulnerabilities and weaknesses.
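The three symptoms the advisory describes (weaker protocol or cipher than the browser would negotiate, a replaced server certificate, and chain errors swallowed by the proxy) can be checked from the client side. The following is an added example, not code from US-CERT, the cited paper or BadSSL: it records what a Python client actually negotiated and flags the symptoms. The lists of legacy protocols and weak-cipher markers, the hostnames and the issuer names are this example’s own assumptions.

```python
import socket
import ssl
from dataclasses import dataclass

# Protocol versions and cipher families a current browser would not negotiate.
# These lists are the example's assumption, not a list taken from the advisory.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
BROKEN_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


@dataclass
class TlsObservation:
    host: str
    protocol: str      # e.g. "TLSv1.2", as reported by SSLSocket.version()
    cipher: str        # OpenSSL cipher name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    issuer_cn: str     # issuer commonName of the leaf certificate the client saw
    chain_valid: bool  # whether default chain validation succeeded on the client


def assess(obs, expected_issuer_cn=None):
    """Return findings showing the connection is weaker than a direct one, or that
    a middlebox replaced the server certificate. An empty list means nothing found."""
    findings = []
    if obs.protocol in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {obs.protocol}")
    if any(marker in obs.cipher.upper() for marker in BROKEN_CIPHER_MARKERS):
        findings.append(f"weak or broken cipher negotiated: {obs.cipher}")
    if not obs.chain_valid:
        findings.append("certificate chain did not validate on the client")
    if expected_issuer_cn is not None and obs.issuer_cn != expected_issuer_cn:
        findings.append(
            f"issuer is {obs.issuer_cn!r}, expected {expected_issuer_cn!r}: "
            "certificate was replaced, likely by an inspecting proxy")
    return findings


def issuer_cn(cert):
    """Pull commonName out of the issuer structure ssl.getpeercert() returns
    (a tuple of RDNs, each a tuple of (attribute, value) pairs)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def probe(host, port=443, timeout=5.0):
    """Live check (needs network): connect with the system trust store and record
    what this client negotiated. A chain failure is reported, not raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return TlsObservation(host, tls.version(), tls.cipher()[0],
                                      issuer_cn(tls.getpeercert()), True)
    except ssl.SSLCertVerificationError:
        return TlsObservation(host, "", "", "", False)


if __name__ == "__main__":
    # Constructed sample: what a browser would see through a downgrading proxy.
    seen = TlsObservation("shop.example", "TLSv1", "RC4-SHA",
                          "Corp Inspection Root", True)
    for finding in assess(seen, expected_issuer_cn="Public CA Issuing"):
        print(finding)
```

Record the expected issuer once from an uninspected network (for example, at home) and compare it against what `probe()` returns from inside the corporate network; a different issuer tells you the connection is being terminated by the inspection product, and the protocol and cipher fields tell you whether it re-encrypted the hop to you any worse than the browser would have done on its own.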


Homebrew on macOS 10.12 Sierra

Apple introduced a few changes to the directory structure and permissions in macOS Sierra 10.12 which initially broke Homebrew unless you manually fixed things on the command line. However, this has been fixed and Homebrew now fully supports macOS 10.12. One of the issues was a change in permissions on the directory /usr/local, which on a new installation either doesn’t exist or isn’t writable.

Therefore Homebrew changed its installation routine and migrated the installation folder to /usr/local/homebrew in order to circumvent the whole permission issue.

Install Homebrew

The following Terminal command downloads and installs Homebrew. Ruby comes pre-installed with macOS, so just copy and paste the following command into your Terminal:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Homebrew requires the command line tools that ship with Xcode. If you don’t have Xcode or the command line tools installed, macOS will automatically prompt you to install them. The command line tools alone are sufficient; simply click Install.

However, you can also get Xcode by downloading it free of charge from the AppStore. Here, I will simply install the command line tools.

To check for any issues after the installation, run:

brew doctor

To search for an application:

brew search <application_name>

To install an application:

brew install <application_name>

To list all applications installed by Homebrew:

brew list

To remove an installed application:

brew remove <application_name>

To update Homebrew:

brew update

Fixing brew after upgrade to macOS 10.12

If you had brew installed before upgrading to macOS 10.12 you will notice that the upgrade broke brew. The following instructions fix the broken install and let you upgrade brew to the latest version, which supports 10.12.

Accept the license agreement of the command line tools shipped with Xcode

sudo xcodebuild -license

Change ownership of /usr/local to yourself:

sudo chown -R $(whoami) /usr/local

Run brew doctor and brew update. The update will inform you that it migrates the brew repository to a new directory:

brew doctor && brew update

=> Migrating HOMEBREW_REPOSITORY (please wait)...
==> Migrated HOMEBREW_REPOSITORY to /usr/local/Homebrew!
Homebrew no longer needs to have ownership of /usr/local. If you wish you can return /usr/local to its default ownership with:
sudo chown root:wheel /usr/local

Change the owner back to the defaults with:

sudo chown root:wheel /usr/local

Homebrew on OSX 10.11 El Capitan

Homebrew is a great package manager for OSX and one of the easiest ways to install Unix tools and open source software (Homebrew certainly isn’t the only package manager out there; other popular choices are MacPorts and Fink, but Homebrew is my personal favorite).

In order to install Homebrew you need Xcode and the respective command line tools. Xcode is available in the AppStore.

Download and install Xcode. You have to run it once and agree to the license. It will automatically start installing the components. Grab a cup of coffee or tea; it will take a few minutes even on a fast machine with an SSD.


Open up a Terminal and issue the following command to install the command line tools:

xcode-select --install

Before you can download and run the script to install Homebrew you have to temporarily disable the System Integrity Protection of OSX in order to write to the /usr folder and create the installation root directory /usr/local.

If you encounter any permission issues, the following article provides instructions to fix the permission problem. In case you upgraded an existing installation to El Capitan, the /usr/local folder will most probably exist already and you will only have to issue the following command to fix the permission problem:

sudo chown -R $(whoami):admin /usr/local

If it’s a fresh installation (wiped hard drive or simply a new Mac), /usr/local will not exist and you have to create the folder manually:

  • Reboot into recovery mode (Hold CMD + R on boot) → Utilities → Terminal
  • Temporarily disable SIP: csrutil disable
  • Reboot back into OSX
  • Open the Terminal application and issue the following command:

sudo mkdir /usr/local && sudo chflags norestricted /usr/local && sudo chown -R $(whoami):admin /usr/local

The command creates the installation directory for Homebrew and removes the directory flags that restrict access to it when SIP is re-enabled.

Reboot back into recovery mode and issue the following command to re-enable SIP protection:

csrutil enable

Reboot back into OSX and now you will be able to write to /usr/local and install Homebrew by starting the following script in a Terminal:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
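The install line here, like the one in the Sierra post above, fetches a script over HTTPS and pipes it straight into the interpreter, so you never see what runs; and the first post on this page shows that an inspecting proxy may be sitting on that HTTPS connection. As an added example (not Homebrew’s own installer or tooling), the helper below saves the script to disk first, hashes it, and only executes it once the digest matches one you recorded after reading the script. The expected digest and the use of `ruby` as interpreter are placeholders you fill in; nothing here is a published Homebrew checksum.

```python
import hashlib
import subprocess
import urllib.request

INSTALLER_URL = "https://raw.githubusercontent.com/Homebrew/install/master/install"


def fetch_script(url, dest):
    """Download the installer to a file instead of piping it into an interpreter,
    so it can be read and hashed before anything runs."""
    with urllib.request.urlopen(url) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    return dest


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine too."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_if_matches(path, expected_sha256, interpreter="ruby"):
    """Execute the saved script only if its digest equals the one recorded after
    review. Returns the process exit code, or None when execution was refused."""
    actual = sha256_of_file(path)
    if actual != expected_sha256.lower():
        print(f"refusing to run {path}: sha256 {actual} != {expected_sha256}")
        return None
    return subprocess.run([interpreter, path]).returncode


if __name__ == "__main__":
    # Placeholder: replace with the digest you computed after reading the script.
    EXPECTED_SHA256 = "<sha256 recorded after review>"
    saved = fetch_script(INSTALLER_URL, "homebrew-install.rb")
    print("downloaded", saved, "sha256", sha256_of_file(saved))
    run_if_matches(saved, EXPECTED_SHA256)
```

On first use, run the script only as far as downloading and printing the digest, read the saved file, and then put that digest into `EXPECTED_SHA256`; on any later machine the helper refuses to run a script that differs from the one you reviewed, which is exactly the case an intercepting proxy or a changed upstream file would produce.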


After completion of the installation, check for any outstanding issues, as suggested at the end of the setup, by issuing the following command:

brew doctor

A short list of commands for Homebrew; refer to the man page for more information:

To search for an application: brew search <search_keyword>

To install an application: brew install <application_name>

To list all applications installed by homebrew: brew list

To remove an installed application: brew remove <application_name>

To update Homebrew: brew update

Homebrew’s default installation directory: /usr/local/Cellar
This ensures that Homebrew doesn’t interfere with the Unix utilities shipped with OSX (e.g. if you install python3 via Homebrew it will not interfere with the version shipped with OSX).

System Integrity Protection in OSX 10.11 EL Capitan

System Integrity Protection is a security technology introduced with OSX 10.11 that helps to inhibit potentially malicious software from modifying essential system files and folders on the Mac, which could otherwise prevent your Mac from booting or compromise its security.

In previous OSX versions the “root” user account had no permission restrictions and had access to any system file and application. Software gained root-level access when a user entered an administrator name and password to install or run an application, and was then able to modify or overwrite any system file or application.

System Integrity Protection (SIP) uses sandboxing technology to restrict the root account and limit actions that it can perform on the protected system parts of OSX.

Paths and applications protected by System Integrity Protection include:

  • /System
  • /usr
  • /bin
  • /sbin
  • Applications that are shipped with OSX

Paths that are exempt from SIP and that third-party software can write to include:

  • /Applications
  • /Library
  • /usr/local

The protected parts of OSX can only be modified by processes that are signed by Apple and granted special permission to write to system files, such as Apple software updates and Apple installers.

Third-party applications downloaded from the Mac App Store already work with SIP. Other third-party software might conflict with SIP and might require an update to make it compatible with OSX EL Capitan.

In addition, SIP also prevents software from automatically changing your startup volume. To start up the Mac from a different volume, hold down the Option key while the Mac restarts, or use the Startup Disk pane in System Preferences and select a volume from the list.

[Disclaimer – I take no responsibility for any damage to you or your system inflicted by following any of the presented instructions]

Certain applications or abandoned old software that is no longer supported might require you to disable SIP in order to make them work on OSX El Capitan. Follow these steps to disable SIP:

  1. Reboot the Mac into Recovery Mode by restarting the computer and holding down Command + R until the Apple logo appears on the screen
  2. Select Utilities → Terminal to open up a shell
  3. Enter: csrutil disable
  4. Reboot the Mac

You can verify whether a file or folder is restricted by issuing the ls command with the -O flag (capital “O”, not zero) in addition to the long listing flag, i.e. ls -lO. Restricted entries show the flag restricted in the column between the group and the size.

[Screenshot: root folder listing]
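Reading that listing by eye works for a root folder, but for checking many paths (for example, that /usr/local lost its restricted flag after the chflags norestricted step in the El Capitan post above) a small parser is handier. This is an added example and not part of the original post; the layout it assumes for BSD `ls -lO` output (file flags in the column between group and size, `-` when no flags are set) and the sample listing are constructed for the example.

```python
import platform
import re
import subprocess

# One line of BSD `ls -lO` output: mode, link count, owner, group, flags, size,
# date and name. The -O column sits between group and size; this regex is the
# example's assumption about that layout.
LS_LO_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9}[@+]?)\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<flags>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\S+\s+\d+\s+[\d:]+)\s+(?P<name>.+)$"
)


def parse_ls_lo(output):
    """Map each entry name to the set of file flags shown by `ls -lO`.
    A flags column of '-' means no flags are set."""
    entries = {}
    for line in output.splitlines():
        m = LS_LO_LINE.match(line)
        if not m:  # skips the 'total N' header and anything unparseable
            continue
        flags = m.group("flags")
        entries[m.group("name")] = set() if flags == "-" else set(flags.split(","))
    return entries


def restricted_entries(entries):
    """Names carrying the SIP 'restricted' flag, sorted for stable output."""
    return sorted(name for name, flags in entries.items() if "restricted" in flags)


def list_flags(path):
    """Run `ls -lO` for real. -O is a BSD ls option, so this refuses elsewhere."""
    if platform.system() != "Darwin":
        raise RuntimeError("ls -O is a BSD ls option; run this on OS X")
    out = subprocess.run(["ls", "-lO", path], capture_output=True,
                         text=True, check=True).stdout
    return parse_ls_lo(out)


# Constructed sample listing of / on an El Capitan system (not real output).
SAMPLE_LISTING = """\
total 0
drwxrwxr-x+  60 root  admin  -            2040 Jan  1 13:50 Applications
drwxr-xr-x+  64 root  wheel  sunlnk       2176 Jan  1 13:50 Library
drwxr-xr-x@   4 root  wheel  restricted    136 Jan  1 13:50 System
drwxr-xr-x@  39 root  wheel  restricted   1326 Jan  1 13:50 bin
drwxr-xr-x   12 root  wheel  -             408 Jan  1 13:50 private
drwxr-xr-x@  12 root  wheel  restricted    408 Jan  1 13:50 usr
"""

if __name__ == "__main__":
    found = parse_ls_lo(SAMPLE_LISTING)
    print("restricted:", restricted_entries(found))
```

On a real machine call `list_flags("/")` instead of the sample; the parsed flags also make it easy to confirm that a path you intend to use as a Homebrew prefix is not in the restricted set before re-enabling SIP.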