Failed probation: the reason was being caught secretly doing this at work...

Recently I came across a well-known question: during the probation period, an operations colleague visited a certain "1024" website during working hours, and as a result failed probation.

I also saw a lot of posts a couple of days ago, the gist being: before watching a "little movie", make sure the URL is HTTPS, because HTTPS is encrypted and nobody else will know.

Seeing the questions above, I couldn't help wanting to ask (what a way of thinking...):

  • Can other people really not know which HTTPS site you visited through a browser?
  • How did the company find out about access to an anonymous forum (HTTPS) through the App? (Was he on the company WiFi?)

In short, if you slack off online ("fish") during working hours, even over HTTPS, can the company know, and by what means?

This article talks about my views, mainly divided into the following aspects:

  • Why is HTTPS secure?
  • Is HTTPS really secure?
  • How does an App keep its information secure and avoid being scraped?
  • What monitoring methods might the company have? How can we make sure our privacy is not leaked?

Why HTTPS is secure

HTTPS is HTTP over TLS. The predecessor of TLS is SSL, and both come in several versions.

The relationship of TLS protocol in TCP/IP protocol stack

The figure above shows the relationship between TLS (and its sub-protocols) and HTTP in the TCP/IP protocol stack. HTTP over TLS is HTTPS.

The advantages of HTTPS over HTTP:

  • **Data integrity:** transmitted content is integrity-checked.
  • **Data privacy:** content is symmetrically encrypted, and each connection generates a unique encryption key.
  • **Identity authentication:** a third party cannot forge the identity of the server (or client).

HTTPS principle

The figure above is a rough overview of the HTTPS handshake. Interested readers can capture packets with Wireshark and look at each step in detail, which helps in understanding the complete HTTPS process. I won't go into detail here.

Roughly speaking, through the handshake the client and server negotiate an encryption algorithm both sides support together with the corresponding random parameters, and derive a pair of keys; subsequent transmissions are encrypted and decrypted with these keys.

This key pair is quite clever. For example, to send the message "tangleithu", the client transmits the ciphertext "xyyaabbccdd" obtained by encrypting with the public key, and the server decrypts the ciphertext with its own private key and gets exactly "tangleithu".

Nothing in the middle can alter it, which guarantees the integrity and privacy of the data. The process is fairly complex and this article won't go into the details.

So when you visit a website over HTTPS, even if the traffic is intercepted and monitored, what is captured is encrypted and no substantive content can be seen.

For example, as shown in the figure below, when I visit a certain website, a Wireshark capture only reveals the IP addresses of the two communicating parties.

HTTPS encrypted transmission

Feel relieved now? While slacking off, even if the visited IP address is known, does it matter? In fact, a lot of information can be obtained from an IP address.

Fortunately, this IP was found on GitHub, not...

You may be glad that not even the domain name of the website can be seen, so you can slack off with peace of mind. But is that really true?

Is HTTPS really secure?

Is HTTPS really completely secure? Can the domain name really not be obtained? The answer is no. The HTTPS handshake phase mentioned above contains one very important thing: the certificate.

SNI: the domain name is sent in the clear

When accessing an HTTPS site, the client first establishes an SSL connection with the server, and the first step is to request the server's certificate.

When one server IP corresponds to only one domain name (site), this is easy: whichever client requests it, the server simply returns the certificate for that domain name.

But IPv4 addresses are limited. What happens when multiple domain names share the same IP address?

When the server sends the certificate, it does not know which domain name the browser is visiting, so it cannot send different certificates for different domain names.

So the TLS protocol was extended with SNI. SNI stands for Server Name Indication; it is an SSL/TLS extension that solves the problem of one server serving multiple domain names and certificates.

All mainstream clients now support this extension. Don't ask me how I know; I once had a hard time because of it...

Its principle: before the SSL connection with the server is established, the client first sends the hostname of the site it wants to visit, so that the server can return the appropriate certificate for that domain name. At this point nothing can be encrypted yet, so at the very least this domain name is exposed.

In the packet capture shown in the figure below, when the client sends the handshake request, it dutifully includes the domain name itself.

HTTPS SNI

So even with HTTPS, the domain name being accessed is exposed. When you visit a "little movie" site at work, you leave traces; if you are on the company network, you will naturally be caught.

Besides the exposed domain name, there is a more serious risk: the man-in-the-middle attack.
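To make this concrete, here is an added example (not from the original post): it drives a real TLS client from Python's ssl module against an in-memory buffer, captures the ClientHello it would send for a constructed placeholder hostname (www.example.com), and parses the Server Name Indication out of the raw bytes exactly as a passive monitor on the company network could, before any encryption starts.

```python
import ssl


def u16(b: bytes, i: int) -> int:
    return int.from_bytes(b[i:i + 2], "big")


def build_client_hello(hostname: str) -> bytes:
    """Run a real TLS client (OpenSSL via ssl) against memory BIOs so we get
    the exact bytes it would put on the wire, without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()          # cannot complete: no server answers
    except ssl.SSLWantReadError:
        pass                        # the ClientHello now sits in `outgoing`
    return outgoing.read()


def extract_sni(record: bytes):
    """Return the server_name in a TLS ClientHello record, or None.
    Everything parsed here is plaintext: no key exists yet at this point."""
    # Record header: type(1) version(2) length(2); 0x16 = Handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    body = record[5:5 + u16(record, 3)]
    # Handshake header: type(1) length(3); 0x01 = ClientHello
    if not body or body[0] != 0x01:
        return None
    p = 4 + 2 + 32                  # skip header, client_version, random
    p += 1 + body[p]                # session_id
    p += 2 + u16(body, p)           # cipher_suites
    p += 1 + body[p]                # compression_methods
    if p + 2 > len(body):
        return None                 # no extensions at all (very old clients)
    ext_end = p + 2 + u16(body, p)
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = u16(body, p), u16(body, p + 2)
        data = body[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != 0:           # 0 = server_name extension (RFC 6066)
            continue
        q = 2                       # skip ServerNameList length
        while q + 3 <= len(data):
            name_type, name_len = data[q], u16(data, q + 1)
            if name_type == 0:      # host_name entry
                return data[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
    return None
```

Calling `extract_sni(build_client_hello("www.example.com"))` returns the hostname, and the same bytes are also visible to anyone searching the raw record for the ASCII name.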

Man-in-the-middle attack

As mentioned earlier, the key to HTTPS is really the certificate.

As the name suggests, a man-in-the-middle attack inserts an extra "intermediary" between the client and the server, and the intermediary impersonates each side to the other.

As shown in the figure below, this "MitmProxy" acts as the intermediary and deceives both sides:

Man-in-the-middle attack

You can install packet capture software such as MitmProxy or Fiddler to try it, and then enable the proxy.

At this point, when I visit Baidu from my phone, what I get is the following:

Before certificate trust

It prompts that the connection is not private. The browser has recognized that the certificate is not right and is not trusted. But if the Fiddler certificate is installed on the phone, the site is accessed normally.

After the certificate is trusted, it can be accessed normally

So once you trust the certificate, the man in the middle can see everything again.

And if you use a company computer, chances are the corresponding certificate-trust step has already been done for you, or is similar client software installed on the phone?

Hurry up and check the installed certificates on your phone (for example, the ones on mine):

My previous company was very cautious about information security: work phones were issued, and no unauthorized apps could be installed. Who knows what apps do quietly. (The latest hot topic, QQ scanning browser history, you know about that?)

Of course, the various apps are no pushovers either and won't let a "man-in-the-middle attack" succeed so easily. Let's continue.

How apps protect information and prevent scraping

As mentioned earlier, the key to a man-in-the-middle attack is whether the certificate is trusted. In a browser, the user is allowed to decide whether to trust a certificate; in an App, that is controlled by the developer.

For example, I tried in the same way to capture and decrypt the HTTPS traffic of an anonymous community App, but in the end it failed. Why?

This involves "SSL pinning". An App can check whether the certificate returned by the server during the SSL handshake is legitimate; SSL pinning means the App trusts only fixed certificates or public keys.

Since the server certificate must be returned to the client during the handshake, the client can bundle the server certificate locally at build time and, during handshake verification, compare the certificate returned by the server with the built-in one. Only if they match exactly is the network request made.

Otherwise the connection is simply dropped and the App cannot be used. Under normal circumstances, this technique also prevents the HTTPS traffic from being decrypted.

However, there are other techniques that can defeat this, such as some hooking techniques on Android that specifically bypass the App's local certificate verification logic.

Interested readers can study this for learning purposes. It is said, though, that this requires root, jailbreak, etc., that is, elevated privileges.

This also warns us not to install software indiscriminately. If we are careless we may be tricked and end up running naked on the Internet.

On the one hand personal privacy is leaked; on the other, very important things such as account passwords may be stolen.

What are the possible monitoring methods?

Office computers are of course connected to the company network. From what was introduced above, you should now understand that the company actually knows clearly which websites you browsed and when.

If your phone is connected to the company network, it is exactly the same (no agent software even needs to be installed). This reminds us to use our own mobile data as much as possible for private browsing.

As mentioned above, if sensitive private information, such as in some PC software and mobile Apps, is additionally encrypted internally before transmission, then the content encryption (HTTPS included, but not limited to it) won't be cracked and there is no problem.

However, this of course depends on the skill of the software designers. For example, the ID shown externally for the same anonymous user should not stay the same; if it does, that happens to expose a logic flaw.

Of course, don't count on luck either. Under regulatory requirements, if there are illegal or otherwise inappropriate remarks, there will always be a way to find you.

What's more, typical office computers come with company security software pre-installed. What that software does, and whether it takes the legendary screenshots, varies from person to person (company to company). (Whether such behaviour infringes employee privacy is not discussed here.)

Personally, though, I think there is no need to worry too much. Companies generally won't bother you for occasionally browsing Taobao or checking Weibo at work; there is no need to make a big fuss over such a trivial thing.

But it is best to check the employee handbook for prohibited behaviours, and ask whether your own behaviour goes too far, so as not to get caught. As the sayings go, "if you always walk by the river, your shoes will eventually get wet", and "if someone wants to accuse you, they will never lack a pretext".

Finally

Having said all that, in my opinion the most important thing is to improve yourself. As your skills grow, even if you occasionally slack off, the boss will after all turn a blind eye, because your strength is what counts.

So how can we improve ourselves? Here I have compiled Android learning PDFs, architecture videos, interview documents and source-code notes, an advanced architecture mind map, Android interview materials and advanced architecture information. If you need them, you can get them from me. Simply trust me: 【Advanced】Get.

These are all fine materials that I read again and again in my spare time. They contain detailed explanations of the high-frequency interview topics at major companies in recent years, and I believe they can effectively help everyone master the knowledge and understand the principles.

You can also use them to check for gaps and improve your competitiveness.

Origin blog.csdn.net/A_pyf/article/details/114080209