Preventing man in middle attack over over SSL

Category: windows phone development


Intuition Technology on Mon, 17 Dec 2012 20:46:27

Hi, I am using the HttpWebRequest to make a request to a URL over SSL, which is hosted by us.  Its been identified that a user is able to use a proxy server to intercept and edit these requests, which we need to prevent.  The proxy I used to recreate this was "Charles" and I also installed the client certificate they provide, on  the device.

I was trying to find a way to code it into my application to do a check after the SSL handshake takes place, but before the full request is actually made, to compare the public key from the server with one that is known on the device (probably hard coded at this stage), and abort if necessary, but haven't found a way to do this.  

Does anyone have any ideas on how this might be done?


eschumac on Mon, 17 Dec 2012 21:10:15

I use Fiddler. Does Charles still have that whacky image when you start it up?

Perhaps a more flexible approach would be to generate an HMAC for your requests.

Intuition Technology on Tue, 18 Dec 2012 13:23:53

Ha, yes, the image is there.  

Thanks for the suggestion, unfortunately, we are trying to get around this without altering our server-side piece, so I dont think using an HMAC will work as a solution for us.

eschumac on Tue, 18 Dec 2012 15:55:27

Without some auth you are always at risk of someone spoofing the client.

Did you try looking at .ClientCertificates? I haven't looked at it, but you could try checking the collection it returns to see if you can compare certs in some way. This might allow you to tell if the app is talking to something with a different cert.

Many of the debugging proxies generate their own certs. There might be a way to check the root.

Its and interesting problem. Others could really benefit from a good pattern that helps make abuse harder.

Intuition Technology on Tue, 18 Dec 2012 16:28:42

Seems they have not made the ClientCertificates property available on WP7, so not sure if we can get to that info or not.  Shame, as that sounded like a promising approach to take.  I've read some stuff elsewhere online that there is just no way on WP7 to intercept the auth challenge during an http request, so not looking too promising....

Darin Rousseau on Tue, 18 Dec 2012 17:46:34

You could create a https connection manually with a TCP socket and use a library such as bouncy castle to negotiate the encrypted TLS stream.  That would allow you to see the cert coming from the server and verify that it is correct.

You could either re-create the HttpWebRequest class, or just create a utility class that pings the server periodically to verify there isn't a mitm attack going on.

Intuition Technology on Tue, 18 Dec 2012 19:22:34

Thanks for the input.  I might give that a try :)