[Bro] Stripping SSL on network level

Michał Purzyński michalpurzynski1 at gmail.com
Thu Dec 13 15:10:44 PST 2018


Well, the design of SSL makes it impossible to strip it at the network level.

How that’s usually done is: there’s a proxy that terminates each connection and initiates a new one, generating certificates on the fly for every destination site, signed by a CA sitting on that proxy that’s trusted by clients.

What that means - you need to configure your clients to trust that CA anyway.

Before someone mentions SSLstrip - it looks for HTTP connections before they are 302’d to the SSL endpoint. If the connection is SSL end to end, it won’t do anything.

> On Dec 13, 2018, at 2:44 PM, Johanna Amann <johanna at icir.org> wrote:
> 
> Hi,
> 
>> I was wondering if it is possible for bro to do monitoring at network level
>> and also strip SSL from all the machines in network and log unencrypted
>> data?
> 
> Bro itself does not support any kind of SSL/TLS decryption. If it is fed
> unencrypted data (e.g. sitting behind an SSL terminator) it will happily
> log it.
> 
>> Has something been done to achieve this or are there any plans?
> 
> There are no current plans that I know of to implement this.
> 
> Johanna
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
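One consequence of the setup described above is that a Bro sensor on the client side of the proxy still sees TLS, but every intercepted connection carries a leaf certificate issued by the proxy's CA, while connections that bypass the proxy (and so never become plaintext for Bro) carry a public issuer. The following is an added example, not code from the thread or from Bro: it reads a constructed ssl.log excerpt (a subset of the real columns, with a placeholder CA name) and counts which connections were intercepted and which stayed end-to-end encrypted.

```python
"""Classify TLS connections in a Bro ssl.log by leaf-certificate issuer."""
from collections import Counter

# Constructed sample in Bro's ASCII log format (subset of the real ssl.log
# columns). CA name, hosts and addresses are placeholders, not values from
# the thread.
SAMPLE_SSL_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name\tissuer\tvalidation_status
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring
1544738644.1\tC1\t10.0.0.5\t93.184.216.34\twww.example.com\tCN=Corp Intercept CA,O=Example Corp\tok
1544738645.2\tC2\t10.0.0.7\t203.0.113.9\tupdates.example.net\tCN=Some Public CA,O=Public CA Ltd\tok
1544738646.3\tC3\t10.0.0.8\t198.51.100.4\t-\t-\t-
#close\t2018-12-13-15-10-44
"""

# Distinguished name of the proxy's signing CA (placeholder; assumption).
INTERCEPT_CA_DN = "CN=Corp Intercept CA,O=Example Corp"


def parse_bro_log(text):
    """Yield one dict per record, keyed by the #fields header; '-' means unset."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks carry no records
        else:
            values = line.split("\t")
            yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def classify(record, intercept_ca=INTERCEPT_CA_DN):
    """Label a record by whether the proxy, or the real site, signed the cert."""
    if record["issuer"] is None:
        return "no-cert-seen"   # e.g. resumed session or handshake not completed
    if record["issuer"] == intercept_ca:
        return "intercepted"    # proxy-issued cert: plaintext exists behind the proxy
    return "not-intercepted"    # end-to-end TLS: Bro only ever sees ciphertext


def coverage(text, intercept_ca=INTERCEPT_CA_DN):
    """Count records per class so interception gaps show up at a glance."""
    return Counter(classify(r, intercept_ca) for r in parse_bro_log(text))
```

Records classed as not-intercepted are the ones Johanna's reply applies to: Bro can log the handshake metadata, but nothing inside the connection.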
