Improper handling of invalid SSL/TLS certificates by Sogou high-speed browser enables man-in-the-middle attacks
When the SSL/TLS certificate presented by an HTTPS page opened in Sogou browser is invalid (for example, self-signed or with a domain name mismatch), the browser loads the page automatically without any explicit text warning: it only draws a strike-through over "https" and a cross over the lock icon. I don't know how many users can notice it.
I tried HTTPS cache poisoning, but it was not successful: every time the Sogou browser opens the page it re-loads it, and so far I have no idea why. I also tried cross-site references to steal cookies, but resources with incorrect certificates are automatically blocked.
But the following two exploits do work (no root certificate needs to be installed and no user interaction is required; part of the idea comes from http://fex.baidu.com/blog/2014/04/traffic-hijack-2 ):
First, if the user uses the website's automatic login function, the cookie is sent on the first visit, so the automatic page load can leak the cookie.
Second, even without automatic login, if the browser's automatic form-filling function is enabled, then when the HTTPS connection is hijacked the man in the middle can inject JavaScript that reads the form contents and sends them out.
Both of these can be exploited through automatic redirection to steal the cookies or passwords of any HTTPS website (if the browser has them stored).
It is normal for cookies and passwords to be stolen from non-HTTPS websites. But if they can be stolen from HTTPS websites too, that is a browser vulnerability.
Demo under Fiddler (to emphasise again: the Fiddler root certificate does not need to be installed):
Add the following AutoResponder rules:
Open the Sogou browser and visit http://www.example.com/, then look at the packets captured by Fiddler and the cookie that leaked:
The redirection chain is very fast because the replies to the HTTP requests come from the intermediary rather than from the real server, so the process is hard for users to notice. In addition, at no point in the process does the browser get a chance to display the red-barred "https" indicator. What the user finally sees is the Baidu homepage that was loaded last.
Of course, this is only a demonstration; more flexible rules can be used in a real attack. For example, the first hop can go to any website to show an "authentication" page, and clicking "OK" then goes to the initial redirect point. meta refresh can also be used for redirection, because 3xx redirects are subject to a maximum redirect count.
I was too lazy to try automatic form filling; I think it should be possible to obtain the password that way.
Solution:
When the SSL certificate is invalid, do not open the page unless the user explicitly clicks Continue.
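As an added example (not part of the original report and not Sogou's code), the following Python sketches the client-side policy the solution calls for: classify why a server certificate is invalid (self-signed, untrusted issuer, expired, or a hostname mismatch checked with RFC 6125 style wildcard rules), then block the page behind an explicit interstitial instead of loading it silently with only a crossed-out lock. The certificates, the trusted issuer "Example Root CA" and the fixed clock value are constructed sample data in the shape returned by `ssl.SSLSocket.getpeercert()`, so the script runs offline.

```python
"""Browser-side handling of an invalid TLS certificate (added example)."""
import ssl
import time
from dataclasses import dataclass, field

# Constructed sample data: a hypothetical trusted issuer and certificates in the
# dict shape returned by ssl.SSLSocket.getpeercert(). Not Sogou's code or data.
EXAMPLE_CA = ((("commonName", "Example Root CA"),),)
TRUSTED_ISSUERS = {EXAMPLE_CA}

VALID_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": EXAMPLE_CA,
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SELF_SIGNED_CERT = dict(VALID_CERT, issuer=VALID_CERT["subject"])  # issuer == subject
EXPIRED_CERT = dict(VALID_CERT, notAfter="Jan  1 00:00:00 2025 GMT")
NOW = 1_750_000_000  # fixed "current time" (mid-2025) so results are deterministic


def _names_from_cert(cert):
    """DNS names the certificate claims: SAN entries, falling back to the CN
    only when no SAN is present (RFC 6125 section 6.4.4)."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; a wildcard is allowed only
    as the entire left-most label, matches exactly one label, and is rejected
    for patterns with fewer than three labels (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_problems(cert, hostname, trusted_issuers, now=None):
    """Return the set of reasons this certificate must not be accepted silently."""
    now = time.time() if now is None else now
    problems = set()
    if not any(dns_name_matches(n, hostname) for n in _names_from_cert(cert)):
        problems.add("hostname_mismatch")
    if cert["issuer"] not in trusted_issuers:
        problems.add("self_signed" if cert["issuer"] == cert["subject"] else "untrusted_issuer")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.add("expired")
    return problems


@dataclass
class LoadDecision:
    load_page: bool            # is the page rendered at all
    show_interstitial: bool    # full-page warning with an explicit Continue button
    allow_autofill: bool       # may saved form data be offered to this page
    reasons: set = field(default_factory=set)


def decide_page_load(problems, user_clicked_continue=False):
    """The report's fix: an invalid certificate blocks the page behind an
    explicit interstitial instead of auto-loading it. Withholding saved form
    data on such a page is an extra step beyond the report, chosen here because
    automatic form filling is one of the two exploit paths it describes."""
    if not problems:
        return LoadDecision(load_page=True, show_interstitial=False, allow_autofill=True)
    return LoadDecision(
        load_page=user_clicked_continue,
        show_interstitial=not user_clicked_continue,
        allow_autofill=False,
        reasons=set(problems),
    )


if __name__ == "__main__":
    for label, cert in (("valid", VALID_CERT), ("self-signed", SELF_SIGNED_CERT), ("expired", EXPIRED_CERT)):
        problems = certificate_problems(cert, "www.example.com", TRUSTED_ISSUERS, now=NOW)
        print(label, sorted(problems), decide_page_load(problems))
```

The wildcard rules are the part worth reading closely: "*.example.com" covers "shop.example.com" but not "a.b.example.com" or the bare "example.com", and "*.com" is never accepted, which is what the "Domain Name Mismatch" case in the report comes down to.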