Man-in-the-middle attack caused by improper handling of TLS certificates by the Cheetah and 2345 browsers

Source: Internet
Author: User

When an HTTPS page opened in either browser presents an invalid SSL/TLS certificate (self-signed, domain name mismatch, and so on), the page is loaded automatically anyway. Cheetah Security Browser at least shows a text warning; 2345 Accelerated Browser shows no obvious text at all, only a strike-through on "https" and a cross on the padlock, and it is doubtful how many users notice that. As explained below, the text warning is of little use either way, because the cookies are stolen the moment the page loads.

The following describes how this can be exploited (no root certificate installed, no user interaction; part of the idea comes from http://fex.baidu.com/blog/2014/04/traffic-hijack-2):

First, if the user relies on a site's automatic login, the session cookie is sent with the very first request to that site, so automatically loading a hijacked page is enough to leak it.

Second, even without automatic login, the browser may auto-fill saved passwords into forms. Once the HTTPS connection is hijacked, the intermediary can insert JavaScript into the page that reads the auto-filled form fields and sends them out.

Combined with automatic redirection, these two points let an attacker steal the cookies or saved passwords of any HTTPS site the browser holds credentials for.

Cookies and passwords for plain-HTTP sites can always be stolen by a network attacker; that is expected. When cookies for HTTPS sites can be stolen too, it is a browser vulnerability.

Demo with Fiddler (to stress the point again, Fiddler's root certificate is not installed):

Add the following AutoResponder rules:
Then open 2345 Browser and visit http://www.example.com/. The browser flashes through a hundred pages in two seconds, and without any certificate warning the injected alert pops up:
Then, check the packet capture result of Fiddler:
Now the Cheetah browser, visiting ghost:
Then, check the packet capture result of Fiddler:
Of course, this is only a demonstration; a real attack can use more flexible rules. For example, whatever site the user visits can first be redirected to an "authentication" page, and clicking "OK" there sends the user back to the page originally requested. The redirects can also be done with meta refresh instead of 3xx responses, because browsers cap the number of consecutive 3xx redirects they will follow.



I was too lazy to test form auto-fill, but I think the password could be obtained as well.

Solution:

When the SSL/TLS certificate is invalid, do not load the page at all unless the user explicitly clicks Continue. A warning shown on a page that has already loaded comes too late: the cookie has been sent and any injected script has already run.
