Skip to content
This repository was archived by the owner on Dec 6, 2023. It is now read-only.

"noforwardsecrecy" handler to detect cipher suites not using DHE#79

Closed
mkenne11 wants to merge 2 commits intogoogle:devfrom
mkenne11:nofowardsecrecy
Closed

"noforwardsecrecy" handler to detect cipher suites not using DHE#79
mkenne11 wants to merge 2 commits intogoogle:devfrom
mkenne11:nofowardsecrecy

Conversation

@mkenne11
Copy link

@mkenne11 mkenne11 commented Jul 24, 2015

Added the "noforwardsecrecy" connection handler to detect TLS ciphers negotiated between client and server which don't support forward secrecy i.e. Ephemeral Diffie-Hellman methods DHE or ECDHE.

@yzninja
Added "noforwardsecrecy" connection handler to detect cipher suites n…
fb14efa 
…egotiated between client and server which don't support forward secrecy i.e. Ephemeral Diffie-Hellman methods DHE or ECDHE.

Handler was added to mitm daemon and notification strings were added to Android client code.
@chadbrubaker
Copy link
Contributor

chadbrubaker commented Aug 21, 2015

Sorry for not commenting here earlier, missed the PR.

Can you make your handler a data handler(and probably a passive one) instead of a connection handler since it just passively checks the connection, you could add it to https://github.com/google/nogotofail/blob/dev/nogotofail/mitm/connection/handlers/data/ssl.py which has similar data handlers.

Also you probably don't need to buffer for the server hello, its small enough to always come in in one recv(), its fine to keep it though but if you do make it store the buffer internally but still pass the traffic through (ie: always return response but store response if you need more data).

@yzninja
Made changes to the noforwardsecrecy handler suggested by main ngtf a…
010d791 
…uthor:

- Changed it from a "connection" to a "data" handler
- Made the handler passive
- Moved the NoForwardSecrecy class to the ssl.py data handler file
@mkenne11
Copy link
Author

mkenne11 commented Aug 26, 2015

Chad - I made the suggested changes to the noforwardsecrecy handler in my local forked repo. If you have a chance have a look before I create a pull request:
https://github.com/mkenne11/nogotofail/blob/010d791f214deed3b07d75318e071f019bd27337/nogotofail/mitm/connection/handlers/data/ssl.py#l99

I did find one app (AirAsia) whose "server hello" response was large and needed to be buffered.

Let me know if I didn't address your last comment i.e. ... store the buffer internally but still pass the traffic through (ie: always return response but store response if you need more data).

@chadbrubaker
Copy link
Contributor

chadbrubaker commented Aug 27, 2015

You want to make sure to avoid buffering after you've found what you're looking for or you will probably run into issues once it becomes encrypted.

Let me create a base handler that does all the buffering for you, this has been a request I've gotten a couple times already now.

@mkenne11 mkenne11 changed the title "noforwardsecrecy" connection handler to detect cipher suites not using DHE "noforwardsecrecy" handler to detect cipher suites not using DHE Sep 27, 2015
@mkenne11
Copy link
Author

mkenne11 commented Dec 6, 2015

Closed and replaced by PR #98.

@mkenne11 mkenne11 closed this Dec 6, 2015
@mkenne11 mkenne11 deleted the nofowardsecrecy branch December 29, 2015 10:32
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mkenne11 @chadbrubaker @yzninja