SSL – How to prevent a third party from proxying an HTTPS website

Tags: https, mitm, proxy, ssl

I am hosting some kind of database management interface on https://www.prettylongdomainname.example/. I have implemented HTTP Strict Transport Security to prevent people accessing this website over HTTP, because I don't want my users to submit their login credentials over an unencrypted channel.

Now one user has registered the domain www.pld.example with a domain name provider that offers some kind of "domain name redirection service" that effectively performs a man-in-the-middle attack on my website. It proxies the original website and makes it available at http://www.pld.example/. Some users are – for convenience – using the shorter URL and are unaware that they are now sending their passwords in plain text to a third party.

What are the mechanisms I can use to prevent this type of MITM attack?

Best Answer

Here are a number of strategies you might want to consider:

1. From your server logs, figure out by which means the proxy is downloading your site and selectively change responses for him, e.g. if he's using one specific provider, block or change responses for their address space.

2. It may be completely sufficient to just informally notify the provider of the proxy. Be sure to contact their abuse department directly, not the sales guys. If their server IP is registered by a different company than their domain registrar, take the path of least resistance - first ask the provider headquartered in a country closer to yours.

3. Depending on the TLD it will be anywhere from trivial to impossible to figure out the operator of the site and/or get a court order that forces their DNS provider to drop them.

4. Report them to Google Safe Browsing. Use the option "Report Phishing Page". This will - if our Google overlords decide so - create a big fat warning for users of the proxy AND it will remove the site from search results. Most users of most browsers are using the Google Safe Browsing block lists, so this will affect not quite everyone, but close to it.
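Strategy 1 above (spotting the proxy in your own server logs so you can block or alter responses for its address space), as an added example that is not part of the original question or answer. It parses constructed Apache/nginx combined-format access log lines and flags client IPs using two signals a URL-rewriting proxy produces: Referer headers on a foreign host whose path is one your own server serves, and many distinct User-Agents arriving from a single address. The log lines, the `www.pld.example` proxy host, the RFC 5737 test addresses and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

OUR_HOST = "www.prettylongdomainname.example"   # the site from the question
UA_THRESHOLD = 3   # assumed: this many distinct browsers behind one IP looks like a shared proxy

# Apache/nginx "combined" access-log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "http://www.pld.example/" "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "http://www.pld.example/login" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /db/list HTTP/1.1" 200 8192 "http://www.pld.example/db/list" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /login HTTP/1.1" 200 512 "https://www.google.example/search?q=pld" "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"
198.51.100.7 - - [10/Oct/2023:13:57:20 +0000] "POST /login HTTP/1.1" 302 0 "https://www.prettylongdomainname.example/login" "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"
"""

def parse(log_text):
    """Yield parsed combined-format records; lines in another format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_proxy_candidates(log_text, our_host=OUR_HOST, ua_threshold=UA_THRESHOLD):
    """Return {ip: {"mirror_hosts": set, "user_agents": int}} for IPs that look like a proxy.

    Signal 1: a Referer on a foreign host whose path is one our own server serves
    (a rewriting proxy mirrors our URL structure under its own name; an ordinary
    inbound link from a search engine does not). Signal 2: several distinct
    User-Agents from one IP, i.e. many people's browsers behind a single address.
    """
    records = list(parse(log_text))
    our_paths = {r["path"].split("?")[0] for r in records}
    mirror_hosts, user_agents = defaultdict(set), defaultdict(set)
    for r in records:
        user_agents[r["ip"]].add(r["ua"])
        ref = urlsplit(r["referer"])
        if ref.hostname and ref.hostname.lower() != our_host and ref.path in our_paths:
            mirror_hosts[r["ip"]].add(ref.hostname.lower())
    return {
        ip: {"mirror_hosts": mirror_hosts[ip], "user_agents": len(user_agents[ip])}
        for ip in user_agents
        if mirror_hosts[ip] or len(user_agents[ip]) >= ua_threshold
    }

if __name__ == "__main__":
    for ip, info in find_proxy_candidates(SAMPLE_LOG).items():
        print(ip, info)   # 203.0.113.5 {'mirror_hosts': {'www.pld.example'}, 'user_agents': 3}
```

The flagged addresses are what you would feed into a block rule or a modified-response rule for that address space, as the answer suggests; the legitimate user at 198.51.100.7, whose only foreign Referer is a search page, is not flagged.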
