Unmasking HTTPS: How Secure Is Your Connection?

Introduction

HTTPS (Hypertext Transfer Protocol Secure) is widely regarded as a secure way to communicate over the internet. It encrypts data using TLS (Transport Layer Security), ensuring confidentiality and integrity. But if HTTPS is secure, how can tools like Fiddler capture and decrypt traffic sent over HTTPS?

This blog explores how HTTPS security can be compromised in certain scenarios, particularly through man-in-the-middle (MITM) attacks using an intermediate server.


How HTTPS Works in a Secure Connection

  • The client initiates a TCP handshake with the server.
  • The server responds by sending an SSL/TLS certificate containing its public key.
  • The client validates the certificate, then generates a session key, encrypts it using the server’s public key, and sends it back.
  • The server decrypts the session key using its private key.
  • Both client and server now use the session key for symmetric encryption, ensuring secure communication.

How HTTPS Can Be Hijacked – Man-in-the-Middle Attack

The diagram below illustrates a MITM attack where an intermediate server intercepts HTTPS communication.

Step-by-Step Breakdown of the Attack

Step 1 – TCP Connection Hijack

  • The client requests to establish a TCP connection with the actual server.
  • Instead, the request is maliciously routed to an intermediate server that acts as a proxy.
  • A TCP connection is established between the client and the intermediate server.

Step 2 – Intermediate Server Connects to the Real Server

  • The intermediate server then establishes a separate TLS connection of its own with the legitimate server.
  • Neither the client nor the server is aware of the interception: each one only ever talks to the intermediate server.

Step 3 – Certificate Manipulation

  • The intermediate server sends its own SSL certificate to the client instead of the actual server’s certificate.
  • If the client trusts the certificate, the attack is successful.

Step 4 – Legitimate Server’s Certificate is Verified

  • The legitimate server sends its real SSL certificate to the intermediate server.
  • The intermediate server verifies it and continues the attack.

Step 5 – Session Key Interception

  • The client encrypts the session key using the intermediate server’s public key and sends it.
  • The intermediate server decrypts it with its private key, gaining access to the session key.

Step 6 – Re-Encrypting the Session Key

  • The intermediate server encrypts the session key using the real server’s public key and sends it on to the real server.
  • The real server decrypts it with its private key, exactly as it would for a direct client.

Steps 7 & 8 – Data Decryption and Manipulation

  • The client and server start communicating with symmetric encryption using the session key.
  • However, since the intermediate server has access to this key, it can decrypt, modify, or log the data before re-encrypting it.

Why Does This Attack Work?

This attack is only possible if the client trusts the intermediate server’s certificate.

  • In a normal HTTPS scenario, browsers only trust certificates issued by well-known Certificate Authorities (CAs).
  • However, if the intermediate server’s certificate is added to the client’s trusted root store, the browser treats it as legitimate.
  • This is how packet capture tools like Fiddler work—they install a root certificate that allows them to intercept HTTPS traffic.

How to Protect Against HTTPS Hijacking

  • Do Not Install Untrusted Certificates – Be cautious about installing root certificates from unknown sources, as they can be used for interception.
  • Enable Certificate Pinning – Applications can verify that a received certificate matches a pre-approved one, preventing MITM attacks.
  • Use DNS over HTTPS (DoH) – This ensures that DNS queries are encrypted, making it harder to manipulate traffic routing.
  • Monitor Network Traffic – Regularly inspect for suspicious certificates or unexpected network connections.
  • Enable Strict Transport Security (HSTS) – This prevents browsers from connecting to sites over insecure HTTP.
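The two sections above make one practical point: a proxy-minted certificate passes the OS trust check once its root is installed, so a client that wants to notice interception has to check something the trust store does not. The following is an added Python example (not code from the original post or from Fiddler) that does both of the checks described: it pins the leaf certificate by its SHA-256 fingerprint and flags a leaf issued by an issuer the application never expected. The certificate dicts, DER bytes, CA name and pins are constructed placeholders; `DO_NOT_TRUST_FiddlerRoot` is assumed to be the default name of Fiddler's generated root, adjust it for your tooling.

```python
import hashlib
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded (a common pin format)."""
    return hashlib.sha256(der_cert).hexdigest()

def issuer_cn(cert: dict):
    """Pull the issuer commonName out of an ssl.getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def classify(cert: dict, der_cert: bytes, pins: set, expected_issuers: set) -> str:
    """Verdict for one presented leaf certificate:
      'ok'                - fingerprint matches a pin
      'pin-mismatch'      - expected issuer, but not the pinned leaf (rotation or attack)
      'unexpected-issuer' - issued by a CA we never expected, e.g. a local proxy root
    """
    if fingerprint(der_cert) in pins:
        return "ok"
    if issuer_cn(cert) in expected_issuers:
        return "pin-mismatch"
    return "unexpected-issuer"

def fetch_leaf(host: str, port: int = 443):
    """Live helper: (cert_dict, der_bytes) for the leaf this client actually sees.
    It uses the OS trust store, so an installed proxy root passes here just as it
    does in a browser; classify() is the check that catches the substitution."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

# --- constructed sample data (stand-ins, not real certificates) ---
REAL_LEAF_DER = b"constructed stand-in for the genuine leaf's DER bytes"
PROXY_LEAF_DER = b"constructed stand-in for a proxy-minted leaf's DER bytes"
PINS = {fingerprint(REAL_LEAF_DER)}
EXPECTED_ISSUERS = {"Example Public CA"}  # constructed CA name
REAL_CERT = {"subject": ((("commonName", "shop.example"),),),
             "issuer": ((("commonName", "Example Public CA"),),)}
PROXY_CERT = {"subject": ((("commonName", "shop.example"),),),
              "issuer": ((("commonName", "DO_NOT_TRUST_FiddlerRoot"),),)}  # assumed name

if __name__ == "__main__":
    print(classify(REAL_CERT, REAL_LEAF_DER, PINS, EXPECTED_ISSUERS))    # ok
    print(classify(PROXY_CERT, PROXY_LEAF_DER, PINS, EXPECTED_ISSUERS))  # unexpected-issuer
```

A 'pin-mismatch' verdict needs a rotation policy (refresh pins before a legitimate certificate renewal), otherwise pinning turns every renewal into an outage.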

Conclusion

While HTTPS is designed to be secure, it is not immune to attacks. If an attacker can manipulate trusted certificates, they can intercept and decrypt HTTPS traffic. Understanding these risks helps businesses and developers implement better security practices to keep their data safe.

Would you like to learn more about web security? Let us know in the comments!
