I want to use OpenWrt to see all images the clients see when connecting to my network

In my home only!
I have a trained, highly optimized neural network and a python script that takes image files and scans them for NSFW content. I want to load this onto an OpenWRT router and scan HTTP/HTTPS packets for image files and process them with the script. I am curious how to use (possibly) SSL interception to be able to see inside HTTPS traffic for these image files. Does anyone have any ideas or help on this idea?

The whole idea with https is that all data is encrypted from point A to B. In other words you want to break into a TLS VPN tunnel.

Every government and intelligence service in the world wants to do the same, but until quantum computers grow bigger that won't happen easily.

What you want to do is a man in the middle attack. The only way that will work is if you try to make a false certificate for the target webpage and hope your client won't react to all the alarms going off everywhere in the computer he/she is using.

2 Likes

Most Enterprise networks have internal CA-Certs to allow just for this type of packet-sniffing. It is only a MITM attack if you don't own the network.

You can force everything through a proxy and make sure the TLS certs are installed on every client. This way, the client talks to the proxy, which then talks to the outside. You could do this on OpenWrt if your router had enough grunt, but most hardware capable of doing it isn't running OpenWrt.

3 Likes

A MITM attack has nothing to do with ownership. It is only anything that breaks the data line, looks at the data and sends it on pretending to be the endpoint.

So you mean that enterprises have the ability to break the x.509 chain of trust CA certificates?

The Enterprise will generate their own X.509 and install it on the client as a root certificate, either via AD Group Policy for Windows environments (most likely) to enforce the proxy (and the cert), or installed on anything that needs to use the proxy. You can then deny anything that can't authenticate. It's never a perfect model.

No.. Users on private networks have no expectation of privacy. You can monitor/alter/drop anything you want to - on your network (or one in which you have permission to do so). The issue happens when entities do it outside of a network they don't own (Hong Kong Post Office, anyone?)

IDS/IPS/NMS programs like Suricata or Snort3 can readily do DPI and TLS decryption to scan in real-time, if they are given the certs the clients will use.

By this logic, changing your DNS to anything other than your ISP's default DNS servers constitutes a MITM attack. Yes, if someone ELSE does it on your network.. No, if you did it yourself.

3 Likes

Of course, everything encrypted will be looked at in real time. If the looker has the key, that is kind of the whole point…
But the web browser says who owns the cert.

The employee is basically required to sign an agreement to gain access to the corporate network.
The terms of service states that the network serves only corporate needs, so all traffic is going to be monitored and analyzed by passing it through a proxy with a custom CA deployed on all workstations.
This should not trigger any warnings since the CA is legitimately imported in the chain of trust.

2 Likes

This isn't about obscurity, it's about network monitoring. The OP doesn't seem to be hiding the fact (or wanting to hide the fact) from the network owners - any other situation would be extremely illegal in most localities.

So, I take it as a given they have unfettered access to the devices on their network, as well as access control rights on the network edge. Under those, you can certainly scan every packet that comes in and catalog/sort/whatever.

Again, anyone wanting or needing to implement that level of network control will probably be grabbing a pfSense box, as it is designed for that exact purpose along with the hardware to actually do it.

So why do we bother with VPN and TLS tunnels then?
Especially in diffuse countries like USA, China, Russia and so on?
Especially OpenVPN, which is TLS based, as you say that everyone will read the VPN tunnel data anyway and the whole world's data integrity and all money transactions are compromised?

Why do not all these countries simply buy a pfSense instead and put it in the internet nodes if it breaks every encrypted online connection?

If you are using a network that forces you to install a root certificate on the device, then using the VPN/TLS tunnels won't protect you from them, but it will after it leaves the network.

This doesn't compromise the security trust chain for the network because the certificate is TRUSTED and protected like any other cert in your store. You need them for your webservers, you need them for code signing, you need them for x.509.. Infrastructure requires certs and at that level, if you own the network, you own the network.

Russia recently tested their "emergency disconnect from the world" procedure (https://www.wired.com/story/russia-internet-control-disconnect-censorship/) and China's is well known. If you think the US Government doesn't have an Oh-Shit switch, think again.

If you are worried about your security, you should evaluate your threat profile. If you are in a part of the world where surveillance is an issue, are you feeling the need for security on principle or because you need it?

This is not a new issue - The Internet was never designed for security. https://tech.slashdot.org/story/15/04/02/1231255/chinese-certificate-authority-cnnic-is-dropped-from-google-products - Remember, root certs also have ultimate authority, especially when giving rights TO delegated sub-certs.

If you are wanting to hide from someone in your life your online habits, a VPN and Incognito mode is good enough. You'll still share with Google, if you're using Chrome (https://www.wired.com/story/incognito-mode-explainer/), and of course, the VPN.

If you are worried about Nation-State level surveillance, you have bigger issues than Certs (See above about Root CAs).

Edit: If you really want to sweat about Certs - Go look how Chrome (and all those Chrome-based variants) handle Certificate Revocation :smiley:

3 Likes

It is just that it is simply easier to go for the integrity of the actual endpoint device and look at the open data before it is encrypted and put online than to try to look at the encrypted TLS data stream.

Only if you TRUST the data.. and Why would you? What's it ever done for you? :slight_smile: <- Sorry, that was flippant, but in seriousness, that's what we are talking about in this situation.

You can never trust the data.. Ever..

That's the attack surface.. Always.. The data will always be a weakness in some form. The better your control, the better your security. The best security? No connection to a network. Or, you could block-list by default and have to approve-list for everything you know is SAFE (at the moment, at least). But it's a hassle for everyone involved.. You balance usability with security because otherwise the users bypass security, which defeats the purpose.

1 Like

One final thought.. All of the above conversation applies to OUTBOUND data as well as INBOUND. Network Admins seem to forget this outside of blocking porn sites (if they even bother).

Go look at Sony, hackers managed to exfiltrate Terabytes on the network, and no one thought to ask "Hmm.. that's kinda weird".. Your users, employees, family/house-members are far more likely to be an infection or security lapse than any outside Actor - unless you have that legit concern for security (for whatever reason)..

I think you can set up a proxy with Squid (it has a package in OpenWrt) and then you can use your tool to scan the pictures it loads into its cache: https://wiki.squid-cache.org/Features/HTTPS

For HTTPS traffic that usually involves adding your proxy's certificate to the clients or some other form of client-side compromise of security, as that's the only way to bypass the SSL encryption.

You don't just "break" SSL encryption without access to the clients, that's kind of against the whole point of HTTPS.

There are probably haxxing ways to do stuff but this isn't really the place for that, you might have better luck with Kali Linux forums or other Penetration Testing tools.
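The point made above, that an interception proxy only works when its CA is installed on the client and that the browser's certificate viewer reveals who signed the certificate, can be shown with the standard Go x509 library. This is an added example, not code from the thread, Squid or OpenWrt; the "Home Proxy CA" root, the leaf for example.com and the two trust stores are all constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildInterceptChain constructs a private "proxy CA" root and a leaf certificate
// for host signed by it, the way an intercepting proxy mints certs on the fly.
func BuildInterceptChain(host string) (root, leaf *x509.Certificate, err error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Home Proxy CA (constructed example)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	// Self-signed root: template and parent are the same certificate.
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	return root, leaf, nil
}

// ClientAccepts reports whether a client whose trust store is roots would accept
// leaf for host without a warning; an empty pool stands in for "public roots only".
func ClientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func main() {
	root, leaf, err := BuildInterceptChain("example.com")
	if err != nil {
		panic(err)
	}
	withCA := x509.NewCertPool()
	withCA.AddCert(root)
	fmt.Println("client with proxy CA installed:", ClientAccepts(leaf, "example.com", withCA))
	fmt.Println("client with public roots only:", ClientAccepts(leaf, "example.com", x509.NewCertPool()))
	// The clue a user can always see in the browser: who issued the certificate.
	fmt.Println("issuer shown to the client:", leaf.Issuer.CommonName)
}
```

The issuer check is the same thing a user does when they open the padlock in the browser: a public site whose certificate is issued by a name like "Home Proxy CA" is being intercepted.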

Not just enterprises, a lot of Windows antivirus programs do it too (by adding their own root cert to the system when you install them)

To be an "attack" at all it has to be done without consent. Yes it's technically the same exact thing but in a company network or if you install an antivirus on Windows (see above) you agree to its terms of service and license and company policy and whatnot. So there is consent from the user, at least in the places in the world where privacy laws are strong.

(angry GDPR noises)
In the EU the end users need to be made aware of and agree to this kind of control, by law. If you do this without the user's consent, even if it's on a network you own, you can get sued to hell and back

2 Likes

I think that someone has every right to block some content in a private network. But to spy on people is just wrong, in every way possible. I just hope no one helps you.

1 Like

It is wrong but we still live in this world and it very much happens for good and bad reasons.

Taking a peek in encrypted data happened already in Alexander the Great's era and it hasn't stopped. It is just the complexity of the data protection that has grown over the years. And some day, probably pretty soon, quantum computers will be here and we have a completely new ball game.

Data integrity is what this is about and not really data protection.

So we must be able to know about its possibility, find the clues that prove it happens and handle it.

Even in the US, most enterprises will disclose this, even if it's buried in a new-hire packet somewhere, or a yearly re-attestation. People still forget, or feel they don't have a choice (the alternative is not using the network, or not accepting the job. Why work for a company you don't trust?).

It would also depend on the OP being a company or just someone paranoid about whether their children are looking at things they shouldn't be, GDPR would (or wouldn't) apply:

The GDPR applies to processing carried out by organisations operating within the EU. ... The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

Article 2 of the GDPR states that the GDPR doesn't apply to a "purely personal or household activity." and Recital 18 gives examples.

So, it would depend on in what context, but Private Networks for Personal Use are GDPR exempt, it seems.

2 Likes

No, but the router manufacturer and software manufacturer would be obligated to know, tell and get approved what GDPR data their device/software processes.

It gives examples of "personal/household activity" for a reason.
Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.

That is very different from "inspecting all traffic, surreptitiously compromising the encryption".

What he is doing is OK for his kids (maybe), but all adults have to be informed.

If done correctly and to the extent the OP is talking about, anyone who doesn't install the cert wouldn't be able to talk to the proxy, ergo, no access anyway and no GDPR issues. Again, people are seeing this as an attack on the OP's network and users, rather than what it is - proper defense of the network. Whether you (or I) think it's an appropriate level of defense is another matter. Addendum: In the end, what the user thinks about the level of defense of a network also doesn't matter.

1 Like