"TLS cert for wrong hostname" attack issue.


swaraj...@gmail.com

Feb 6, 2017, 2:36:24 AM2/6/17
to nogotofail
Hello,

I tried to perform the "TLS cert for wrong hostname" attack on the YouTube application for demo testing.

The following was the configuration set in nogotofail --> settings --> Attacks

Probability of attack -- 100% 
Custom list of attacks -- Checked 

Only the following attack was checked; all other attacks were unchecked:

TLS cert for wrong hostname -- Checked


Procedure

Step 1 -- nogotofail attack configured as above and RECONNECT is established

Step 2 -- Open the YouTube app and stream the video

Outcome
Video can be played successfully

Expected result
Video should not have been streamed, as it is HTTPS
 

Note: If we select any TLS attack other than "TLS cert for wrong hostname", YouTube does not stream video.

As I investigated the issue,
it seems that I need to create a "trusted-cert.pem" file (as mentioned under "Invalid Hostname Certificate").
Can you please guide me on how to create this "trusted-cert.pem" file?

FYI, the packet capture from Wireshark has been attached.


Please feel free to revert in case any more information is required 

Regards,
Swaraj Waikar

Alex Klyubin

Feb 6, 2017, 1:54:45 PM2/6/17
to swaraj...@gmail.com, nogotofail
You need to obtain a valid TLS/SSL certificate from a trusted CA. It doesn't matter for what hostname. This certificate then becomes your "wrong hostname" certificate: its chain of trust verifies to a stock CA installed on your phone, but the hostname in the certificate won't match YouTube hostnames.

--
You received this message because you are subscribed to the Google Groups "nogotofail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nogotofail+...@googlegroups.com.
To post to this group, send email to nogot...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nogotofail/d1b863fc-c802-47fc-91a8-73a886a2b18d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Alex Klyubin

Feb 6, 2017, 1:56:21 PM2/6/17
to swaraj...@gmail.com, nogotofail, Chad Brubaker
P. S. You only have to do this if you're setting up your own instance of nogotofail MiTM daemon/VPN. We already have a production instance and dev instance which are set up with all the right certs.

Chad, which instance is usable these days? I recall dev-2 is most likely to work. Does prod instance work?

Alex

Alex Klyubin

Feb 6, 2017, 1:59:17 PM2/6/17
to swaraj...@gmail.com, nogotofail, Chad Brubaker
Oh, sorry, these nogotofail MiTM instances are not accessible from outside of Google.

Also, beware that some Google Android apps are using QUIC for their secure traffic. QUIC completely bypasses nogotofail's attacks against TLS. This is because nogotofail currently only looks at TCP traffic, whereas QUIC is UDP.

Alex

swaraj...@gmail.com

Feb 6, 2017, 8:09:56 PM2/6/17
to nogotofail, swaraj...@gmail.com
Hi

As you said "You need to obtain a valid TLS/SSL certificate from a trusted CA" 

I have used the following method to get trusted-cert.pem

  –  MiTM server Certificate

          # Self-signed certificate; with -keyout and -out naming the same file,
          # openssl writes the private key and then appends the certificate to server.crt
          $ openssl req -x509 -newkey rsa:2048 -sha256 -subj "/CN=mitm.nogotofail/" -nodes -keyout server.crt -out server.crt

          $ cp server.crt trusted-cert.pem


Is it correct? If not, can you please explain how to get the valid TLS/SSL certificate from a trusted CA?


Secondly 

What should be the expected outcome if the attack is successful?


For example, if my target app is YouTube, and I am performing the attack with the following configuration,

configuration set in nogotofail --> settings --> Attacks

Probability of attack -- 100% 
Custom list of attacks -- Checked 

For example, I have selected the following random attacks:

TLS MiTM using an anonymous server -- Checked
Client Heartbleed -- Checked
TLS cert for wrong hostname -- Checked

Then I go to stream a video on the YouTube app to check the attack.

Then what should be the expected result if the attack is successful?
Video is streaming on the YouTube app -- Attack successful
Video cannot be streamed on YouTube -- Attack unsuccessful (my understanding is that this means the app is secure against the above checked attacks)

Is my understanding correct? can you please explain ?


Regards,
Swaraj Waikar 

Alex Klyubin

Feb 7, 2017, 12:44:51 PM2/7/17
to swaraj...@gmail.com, nogotofail
To obtain a certificate which chains to one of the stock CAs preinstalled as trusted on Android, you need to obtain the certificate from one of these CAs (see System settings -> Security -> Trusted Credentials). This typically means you need to prove ownership of a web domain to that CA so that they can issue you a certificate.

When the "TLS cert for wrong hostname" attack succeeds, nogotofail MiTM can see the cleartext of the TLS traffic flowing between the client and the server. nogotofail MiTM logs that event and the traffic in its logs. If you're using the companion nogotofail Android app, nogotofail MiTM will notify the app and the app will pop up a notification on your Android.

Alex
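The two halves of the check Alex describes, here and in his first reply (the chain verifies to a stock CA, but the names in the certificate do not cover the YouTube hostname), as an added example that is not nogotofail code and not part of this thread. Certificates are plain Python dicts standing in for a parsed X.509 certificate: 'chain_trusted' is the assumed result of chain validation against the device's CA store, and 'dns_names' / 'ip_addresses' are its subjectAltName entries. The wrong-hostname certificate and the example.net names are constructed. The two verifiers show the difference between a client this attack exposes (chain only) and one that is safe against it (chain plus hostname).

```python
"""Decide whether a "TLS cert for wrong hostname" MiTM would succeed
against a given client verifier.

Added example; not nogotofail code. Certificates are represented as plain
dicts standing in for a parsed X.509 certificate: 'chain_trusted' is the
(assumed) result of chain validation against the device's CA store,
'dns_names' / 'ip_addresses' are the subjectAltName entries.
"""
import ipaddress


def dns_name_matches(pattern, hostname):
    """Match one dNSName SAN entry against a hostname, RFC 6125 style.

    Comparison is case-insensitive. A wildcard is honoured only when it is
    the entire left-most label and at least two more labels follow, and it
    never spans a dot: '*.example.net' covers 'www.example.net' but not
    'example.net', 'a.b.example.net' or a TLD wildcard such as '*.com'.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False  # partial-label ('w*.example.net') or nested wildcards
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert):
    """True only if the certificate's SANs cover hostname.

    An IP-literal hostname must appear as an iPAddress SAN; a dNSName entry
    that happens to spell an IP address does not count. There is no
    fallback to the subject CN, matching modern client behaviour.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(e) == ip
                   for e in cert.get("ip_addresses", []))
    return any(dns_name_matches(p, hostname)
               for p in cert.get("dns_names", []))


def verify_chain_only(hostname, cert):
    """The broken client this nogotofail attack is meant to expose: it
    accepts any certificate whose chain verifies, whatever name it carries."""
    return bool(cert["chain_trusted"])


def verify_chain_and_hostname(hostname, cert):
    """A correct client: the chain must verify AND the name must match."""
    return bool(cert["chain_trusted"]) and hostname_matches_cert(hostname, cert)


# Constructed stand-in for the "wrong hostname" certificate Alex describes:
# issued by a CA the phone trusts, but for an unrelated domain.
WRONG_HOST_CERT = {
    "chain_trusted": True,
    "dns_names": ["mitm.example.net", "*.example.net"],
    "ip_addresses": [],
}


def attack_outcome(hostname, cert, verifier):
    """'mitm_succeeds' if the verifier would accept cert for hostname
    (the MiTM then reads the cleartext), otherwise 'blocked'."""
    return "mitm_succeeds" if verifier(hostname, cert) else "blocked"


if __name__ == "__main__":
    for name, verifier in (("chain only", verify_chain_only),
                           ("chain + hostname", verify_chain_and_hostname)):
        print(f"{name:18s} www.youtube.com -> "
              f"{attack_outcome('www.youtube.com', WRONG_HOST_CERT, verifier)}")
```

Run stand-alone it reports "mitm_succeeds" for the chain-only verifier and "blocked" for the one that also matches the hostname, which is the same distinction the video-plays / video-does-not-play observation in the thread is standing in for. The self-signed server.crt from the openssl command earlier in the thread would fail the 'chain_trusted' half on a stock phone regardless of the name it carries, so it cannot exercise this attack.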
