Today's threat landscape calls for a defense-in-depth strategy that often includes intercepting and inspecting traffic inside SSL. Since most attacks use some form of encryption, the ability to log and inspect encrypted content is vital. SSL inspection, however, typically carries exceptions for entire categories of sites, and those exceptions can be used by attackers.
Because of local privacy laws, many organizations whitelist certain categories of websites (e.g., finance / banking and health care), which hampers the investigation of potential incidents because detailed logging is missing for those sites.
Attackers can use this loophole after a break-in to set up additional, better hidden, persistent C2 channels. Proxy server logs do not show the full URLs associated with common C2 profiles, and the encrypted traffic cannot be checked for threats inside SSL. This also makes it possible to transfer dubious binary files unseen, shifting the entire burden onto endpoint protection.
How does SSL inspection work?
SSL inspection relies on a proxy server that dynamically issues certificates impersonating the websites a client visits. All these certificates share the same issuer and are usually valid from the moment of issuance. Because the proxy's CA is trusted on the client side and the proxy itself terminates the session to the real site, it holds "SSL trust" at both ends and can decrypt and inspect the contents of the traffic.
Example 1 – SSL certificate for a site that is not on the white list
Example 2 – SSL certificate for a white list site
Using ProxyPunch
ProxyPunch helps identify SSL blind spots by first identifying the issuer of the proxy server's certificates. Once this issuer is known, any website whose certificate was not issued by it must be on a whitelist or in a whitelisted category. ProxyPunch has a built-in list of sites for different categories.
ProxyPunch determines whether there is an SSL exception for all banking / financial sites. In this example, as in most organizations, access to email websites is not allowed.
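As an added example (not ProxyPunch's own code), the issuer comparison described above in Python using only the standard library: the issuer seen most often across a sample of hosts is taken to be the proxy CA, and hosts whose leaf certificate carries a different issuer are reported as inspection blind spots, which is how a defender can audit their own proxy's coverage. The host names and issuer strings in SAMPLE_ISSUERS are constructed, and fetch_issuer assumes the proxy CA is already in the system trust store.

```python
import socket
import ssl
from collections import Counter
from typing import Dict, List, Optional


def issuer_name(cert: dict) -> str:
    """Flatten the nested issuer tuple from getpeercert() into 'key=value,...'."""
    return ",".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)


def fetch_issuer(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live TLS handshake; returns the issuer of the leaf certificate presented for host.
    Assumes the proxy CA is in the system trust store, so inspected hosts verify and
    show the proxy CA as issuer rather than the site's real CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_name(tls.getpeercert())


def proxy_issuer(issuers: Dict[str, str]) -> str:
    """Proxy-issued certificates all share one issuer, so the issuer seen most often
    across a sample of ordinary hosts is taken to be the proxy CA."""
    return Counter(issuers.values()).most_common(1)[0][0]


def find_blind_spots(issuers: Dict[str, str], proxy_ca: Optional[str] = None) -> Dict[str, List[str]]:
    """'inspected' = issuer is the proxy CA; 'bypassed' = any other issuer, i.e. a
    whitelisted site or category whose traffic the proxy passes through uninspected."""
    proxy_ca = proxy_ca or proxy_issuer(issuers)
    return {
        "inspected": sorted(h for h, i in issuers.items() if i == proxy_ca),
        "bypassed": sorted(h for h, i in issuers.items() if i != proxy_ca),
    }

# Constructed sample (host -> issuer string) as fetch_issuer() would return it behind a
# proxy that inspects everything except the banking and health-care categories.
SAMPLE_ISSUERS = {
    "www.example.com": "commonName=Corp TLS Inspection CA",
    "news.example.net": "commonName=Corp TLS Inspection CA",
    "bank.example.org": "organizationName=Let's Encrypt,commonName=R3",
    "health.example.org": "organizationName=DigiCert Inc,commonName=DigiCert TLS RSA SHA256 2020 CA1",
}

if __name__ == "__main__":
    import sys  # pass host names to sample live; with none, the constructed sample is used
    issuers = {h: fetch_issuer(h) for h in sys.argv[1:]} or SAMPLE_ISSUERS
    print("proxy CA:", proxy_issuer(issuers))
    print(find_blind_spots(issuers))
```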
Now we need to find a domain name that falls into the "Banking / Finance" category. The easiest way to do this is to use the website
Before buying a domain, you should check that it is categorized correctly, because the category is determined by the site's web content, not by the words in the domain name. Fortunately, there are a number of online tools that can be used to check categories.
The third domain on the list, puremortgage.info, looks promising:
A quick check on Namecheap shows that the domain is available (and inexpensive):
After purchasing the domain, set up a web service on it with a Let's Encrypt certificate. Now you can verify that our domain is whitelisted on the proxy by confirming that we see Let's Encrypt's certificate and not the corporate web gateway's:
So now we have a site that is on the whitelist. None of the traffic passing through the proxy server to this site will be inspected.
As a quick test I used a malleable C2 profile with a certificate for
This is what the proxy logs for a whitelisted site look like:
Compared to a site that is not on the whitelist:
It should be noted that the ways a site ends up on the SSL inspection whitelist are not limited to categorization. In my experience, I have seen certain websites whitelisted for a number of reasons, for example because a client application connects through the proxy but requires a specific SSL certificate in order to authenticate. You can also find misconfigured exceptions with wildcards, such as the one below, which can be matched by choosing a suitable subdomain of your own domain:
- *.microsoft.*
I will leave this topic for readers to explore on their own…
The ProxyPunch repository can be downloaded