I have recently been researching an internal tool to support chaos/resiliency testing, e.g. injecting network delay on dependencies such as Redis or a database, which helps validate a service's ability to handle and recover from unexpected network disruptions or delays when accessing external dependencies.
TCP-layer network traffic can easily be classified and shaped using the Linux built-in tool TC (traffic control). But how can we hijack and manipulate encrypted outbound HTTPS traffic?
1. Traffic Takeover
After the client sends a CONNECT request, the https_proxy establishes an HTTP tunnel to the destination origin server and relays the TCP stream to and from the client.
Flow: curl → nginx (proxy_connect) → github.com
2. Traffic Processing
Currently we can only filter traffic by domain (taken from the CONNECT request). TLS encryption prevents us from inspecting the specific endpoints and request bodies inside the encrypted traffic.
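As an added example (not code from the original post), here is a minimal version of the two steps above in Python: parse the CONNECT request, classify the destination by domain, and relay the opaque TCP stream with a per-destination delay. The delay policy table and the domains in it are constructed for illustration.

```python
import re
import select
import socket
import time

# Constructed policy: CONNECT host -> one-way delay (ms) injected into the client->server leg.
DELAY_POLICY_MS = {"api.github.com": 300, "redis.internal": 1000}
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r\n")


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request line, or None if it is malformed."""
    m = CONNECT_RE.match(request)
    if not m:
        return None
    host, port = m.group(1).decode("ascii").lower(), int(m.group(2))
    return (host, port) if 0 < port < 65536 else None


def classify(host: str) -> int:
    """Delay (ms) to inject for this destination; 0 means relay untouched."""
    return DELAY_POLICY_MS.get(host, 0)


def connect_response(request: bytes) -> bytes:
    """Reply the proxy sends before relaying: 200 opens the tunnel, 400 rejects it."""
    if parse_connect(request) is None:
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    return b"HTTP/1.1 200 Connection Established\r\n\r\n"


def pump(client: socket.socket, upstream: socket.socket, delay_ms: int) -> int:
    """Relay opaque bytes both ways until both ends send EOF; returns bytes relayed."""
    peer = {client: upstream, upstream: client}
    open_ends = set(peer)
    relayed = 0
    while open_ends:
        readable, _, _ = select.select(list(open_ends), [], [])
        for src in readable:
            data = src.recv(65536)
            if not data:  # this side hung up: propagate EOF and stop watching it
                open_ends.discard(src)
                try:
                    peer[src].shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                continue
            if src is client and delay_ms:  # fault injection on the outbound leg only
                time.sleep(delay_ms / 1000)
            peer[src].sendall(data)  # TLS records pass through unread
            relayed += len(data)
    return relayed
```

The proxy only ever sees the CONNECT host and opaque TLS records, which is exactly the limitation the next section sets out to remove.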
How can we hijack HTTPS requests and classify the network traffic by endpoint?
We have to address two issues:
- Identity:
- client → server: ask for appropriate certificate
- server → client: provide server certificate (and intermediate)
- client: receive the certificate and ensure its Common Name (domain name) matches the requested host
- client: confirm that the certificate chains up to a trusted root certificate (valid certificate chain)
- Encryption:
- TLS handshake: asymmetric encryption → generates a symmetric encryption key (the session key)
- data transmission: session key → data encryption
Appropriate workflow (i.e. MITM attack):