Keeping The Kids Safe Part 2: MITM Lessons Learned

We lasted about a day with the new content filtering that I put in place before we switched the kids back to the old open WiFi network. We encountered two problems: missing whitelist entries, and well-built apps that refuse to work when a MITM proxy tampers with their certificates.

Amazon Video, for one, will not communicate with its servers if you tamper with its certificates. Given that the sort of inspection I am doing is a Man-In-The-Middle (MITM) Attack, they have a point. I thought I had prevented this problem, but as it happens, I did not understand two things: SSL inspection, and how Squid decides to mess with certificates.

SSL Peek, Splice and Bump

First, I didn’t get how SSL inspection works, and second, that Squid has a separate set of ACLs to control it. I had thought that when I chose ‘Splice Whitelist, Bump Otherwise’, the ‘whitelist’ it was referring to was the squidGuard whitelist. However, Squid itself has an Access Control List (ACL) that controls this.

To summarize this very helpful link at www.squid-cache.org, and this link which explains more: when Squid is intercepting connections, it first peeks at the connection to check the certificate and determine the hostname the client is trying to reach (the TLS Server Name Indication, SNI).

Then it evaluates its access list to either do nothing (what it calls ‘Splice’), or decode the HTTPS stream, read and inspect the contents, and re-encrypt (what it calls ‘Bump’).

So I actually had the configuration almost right, but I was MITM-ing everything, even things I trusted (expanding the (i) after ‘SSL/MITM Mode’ helps a lot):

Squid SSL Setup

The ‘ACL’ it is referring to is actually in the Squid configuration (tab 5).

Squid ACL Location

To get this to work correctly, all I needed to do was add the sites that are sensitive to having their certificates manipulated in the ‘Whitelist’ box, and restart Squid. Now Amazon Video works.
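For readers who want to see what the peek/splice/bump flow and the ‘Whitelist’ box translate to underneath the GUI, here is an added squid.conf fragment. It is hand-written for this post, not the configuration pfSense generates or anything from the Squid project; the listening port, certificate path, log path and the whitelist hostnames (.example.com, .example.net) are placeholders you would replace with your own values.

```conf
# Added example: a hand-written squid.conf fragment illustrating the
# peek / splice / bump flow. It is NOT the configuration pfSense generates;
# the port, certificate path, log path and the whitelist hostnames
# (.example.com, .example.net) are assumptions / placeholders.

# Intercepted HTTPS traffic arrives here (port 3129 is an assumption).
# generate-host-certificates=on lets Squid mint a leaf certificate for each
# bumped site, signed by the CA below. That forged leaf is exactly what a
# certificate-pinning app rejects.
https_port 3129 intercept ssl-bump \
    cert=/usr/local/etc/squid/mitm-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Step 1 runs before any TLS bytes are forwarded upstream; after peeking at
# the client's ClientHello, Squid knows the SNI and evaluates the remaining
# ssl_bump rules with that hostname available.
acl step1 at_step SslBump1

# The SSL-bump whitelist. This is the list the pfSense 'Whitelist' box feeds,
# NOT the squidGuard whitelist. A leading dot matches the domain and every
# subdomain. The hostnames here are placeholders.
acl nobump_sites ssl::server_name .example.com .example.net

# Peek first so the SNI is available, then splice (pass through untouched)
# anything on the whitelist, and bump (decrypt / re-encrypt) everything else.
# Rules are evaluated top to bottom; the first match at each step wins.
ssl_bump peek step1
ssl_bump splice nobump_sites
ssl_bump bump all

# Log the SNI and the decision Squid actually took (peek, splice, bump) so a
# misbehaving app can be diagnosed from the log instead of guessed at.
logformat bumplog %ts.%03tu %>a %ssl::>sni %ssl::bump_mode %rm %ru
access_log /var/log/squid/bump.log bumplog
```

Two things worth knowing about this shape of configuration. First, a spliced connection is passed through untouched, so for whitelisted hosts Squid can only filter by hostname; squidGuard never sees the URL path inside them. Second, the bump.log line showing `splice` against the app’s SNI is the quickest way to confirm the whitelist entry actually matched, since a hostname that is off by one subdomain will still be bumped and the app will still fail.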

Squid ACL Whitelist Setup

Summary

The interesting thing about this is that it shows a lot of the security design philosophy of an app. If an app will work with MITM interception, then it’s insensitive to SSL forgery. If it won’t work, then it probably has an SSL certificate compiled into the app (certificate pinning), to provide further protection against casual attacks on its API endpoints. While it is definitely possible to extract a certificate from an iOS app, it’s not trivial, and it surely makes Amazon’s endpoints more resistant to your average person looking for vulnerabilities. On the other hand, it means that changing certificates requires updating the app, which takes a bit of effort.

On the whole, it’s a security posture that I wholly endorse. I imagine that each app has its own certificate, and each set of APIs uses those certificates to connect each app to its allowed APIs. If this is what they are doing, I like it, since I prefer each app having its own APIs, rather than a bunch of apps sharing one API. Someday I’ll write a few posts on that. Anyhow, my Kids LAN is working again, which is good.

Coming up we’ll explore ZFS, and UniFi Video…

What I’m listening to as I do this:

EpicRockRadio.com. If you like symphonic metal, this is the station for you. Sure, that might be a relatively small number of people, but I’ve been a fan for years, and pick up lots of great albums to download from here. If you think that Conan the Barbarian needs metal songs about him, this is definitely the place for you.