HTTPS Downgrader
  • Priest of the Order of the Butterfly
    Cego
    Posts: 587 from 2006/5/28
    From: Germany
    Hey there MorphOS community, long time no see :)

    There has always been an issue that has bugged me a lot in recent years with MorphOS.
    I couldn't stream YouTube videos directly in MPlayer as it only supports HTTP connections. So what we had to do is to save the file first and play it while saving.

    I have found a solution for this. It all started when I thought about finding a solution for the general SSL issues on our beloved classic Amiga hardware. The internet slowly shifted towards HTTPS lately and because of that it is nearly impossible to surf the web at all with such underpowered CPUs and old SSL methods.

    So I put some time into investigating and experimenting. Aaaand I came up with a hacky solution :)

    Why not have another machine in between to do the SSL stuff? All we need is a Linux based system and do a Man In The Middle attack :D
    Now that sounds crazy at first sight, but it's absolutely safe as everything happens in our local network behind the firewall between two machines under our control.


    To put it in simple terms, we're gonna convert an HTTPS connection into an HTTP connection.

    Client ---HTTP---> Proxy ---HTTPS---> Website ---HTTPS---> Proxy ---HTTP---> Client

    The public connections are still SSL encrypted! So we are still safe from the outside.

    We need the following software:

    - Linux (e.g. Debian)
    - iptables
    - ettercap
    - sslstrip

    We also have to look up the device name of our network device. Use ifconfig. For my tutorial I will use "wlan0".
    Check your client's and router's IP addresses. We'll need them too of course.

    I'll use these to explain:

    Client 192.168.0.20
    Router 192.168.0.1


    1. Redirect port from the client


    At first, we have to tell our mitm-proxy to reroute incoming traffic at port 80 to the destination port 10000. That's the port SSLstrip listens on by default.

    Open a console and type:

    Code:
    sudo iptables -t nat -A PREROUTING -p TCP -s 192.168.0.20 --destination-port 80 -j REDIRECT --to-port 10000




    2. Configure Man In The Middle


    Now we will use the mitm method to trick our Client and reroute its traffic to the mitm proxy machine.
    It will fetch the traffic, strip down the SSL stuff and forward it to the client as unsecured data.

    Code:
    ettercap -Tq -M arp:remote -i wlan0 -S /192.168.0.20// /192.168.0.1//



    3. Run SSLstrip


    All we need to do now is to start SSLstrip.

    Code:
    sslstrip


    Just try it out for yourself. Every HTTPS connection will now be downgraded to HTTP and you should be able to watch YouTube videos directly from MPlayer again!

    [ Edited by Cego 07.01.2019 - 04:36 ]
    Powerbook G4@1,67GHz, 2GB DDR2 Ram, Radeon 9700, 60GB SSD, MorphOS 3.7
    PowerMac Dual G5 @2.3GHz, 4GB DDR Ram, Radeon 9600XT, 2x250GB HD, MorphOS 3.7, MacOS X Leopard 10.5.8
  • »07.01.19 - 04:33
  • MorphOS Developer
    Piru
    Posts: 391 from 2003/2/24
    From: finland, the l...
    WARNING: This is a massive security risk as the setup will allow ANY https certificate without any kind of checking. All your browsing is visible to anyone performing man-in-the-middle, too.

    You have been warned.
  • »07.01.19 - 07:44
  • Priest of the Order of the Butterfly
    Cego
    Posts: 587 from 2006/5/28
    From: Germany
    Is there a way to use certificate checking for the proxy<-->website connection?

    In my setup client to proxy has to be unsecured, but the rest has to be safe. Any idea is appreciated.

    [ Edited by Cego 07.01.2019 - 09:55 ]
  • »07.01.19 - 09:47
  • Order of the Butterfly
    asrael22
    Posts: 381 from 2014/6/11
    From: Germany
    Quote:

    Piru wrote:
    WARNING: This is a massive security risk as the setup will allow ANY https certificate without any kind of checking. All your browsing is visible to anyone performing man-in-the-middle, too.

    You have been warned.


    I don't see a lot of harm there.

    OK, the browsers check the server certificates against some certificate authority.
    So this method should only be done to known sites.

    For classic Amigas this is pretty nice.


    Manfred
  • »07.01.19 - 18:22
  • Order of the Butterfly
    asrael22
    Posts: 381 from 2014/6/11
    From: Germany
    Quote:

    Cego wrote:
    is there a way to use certificates checking for proxy<-->website connection?



    Not certain, but couldn't the proxy check the server certs?


    Manfred
  • »07.01.19 - 18:23
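Added example, not part of any post in this thread: one way to get the certificate checking asked about above on the proxy<-->website leg while the client<-->proxy leg stays plain HTTP. It is an explicit HTTP proxy that fetches each GET over HTTPS with CA and hostname verification and refuses to relay when verification fails; the listen address 192.168.0.10 and the names `upstream_context`, `upstream_target` and `UpgradingProxy` are assumptions.

```python
import http.client
import shutil
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

LISTEN = ("192.168.0.10", 10000)  # assumed LAN address of the proxy box; port as used in the thread

def upstream_context():
    """TLS settings for the proxy -> website leg: CA chain and hostname are both verified."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def upstream_target(request_uri):
    """Turn the client's proxy-style 'http://host/path?query' into (host, port, path) for HTTPS."""
    u = urlsplit(request_uri)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("expected an absolute http:// URI")
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    return u.hostname, 443, path

class UpgradingProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            host, port, path = upstream_target(self.path)
        except ValueError as exc:
            return self.send_error(400, str(exc))
        conn = http.client.HTTPSConnection(host, port, context=upstream_context(), timeout=15)
        try:
            try:
                conn.request("GET", path, headers={"User-Agent": self.headers.get("User-Agent", "")})
                resp = conn.getresponse()
            except ssl.SSLError as exc:  # bad chain, wrong hostname, expired certificate, ...
                return self.send_error(502, "upstream certificate rejected", str(exc))
            except (OSError, http.client.HTTPException) as exc:
                return self.send_error(504, "upstream unreachable", str(exc))
            self.send_response(resp.status)
            for name in ("Content-Type", "Content-Length"):
                if resp.getheader(name):
                    self.send_header(name, resp.getheader(name))
            self.end_headers()
            shutil.copyfileobj(resp, self.wfile)  # stream the body; closing the socket ends it
        finally:
            conn.close()

if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, UpgradingProxy).serve_forever()
```

Point the client's proxy setting at the listen address and port. A site whose certificate fails validation produces a 502 response instead of content, and `https://` links or redirects inside responses are passed through unchanged.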
  • Priest of the Order of the Butterfly
    Cego
    Posts: 587 from 2006/5/28
    From: Germany
    Just forget the solution presented. It's pretty straightforward and we don't need iptables or ettercap.

    Just activate IP forwarding in Debian and start sslstrip. All we have to do is use proxy settings in OWB.
    The benefit of this way is that we can configure specific URL settings in OWB and use the HTTPS downgrader on demand. So we can e.g. configure it in a way that only YouTube will make use of it.


    1. Enable IP forwarding

    Code:
    echo "1" > /proc/sys/net/ipv4/ip_forward


    2. Start sslstrip

    Code:
    sslstrip


    3. Change proxy settings in OWB. Just enter the IP of our Debian machine and use port 10000.

    That's it!

    [ Edited by Cego 12.01.2019 - 10:35 ]
  • »12.01.19 - 10:32
  • MorphOS Developer
    cyfm
    Posts: 381 from 2003/4/11
    From: Germany
    In the midterm, it probably makes more sense to update MorphOS mplayer with some proper https:// support ...
  • »12.01.19 - 10:50
  • Priest of the Order of the Butterfly
    KennyR
    Posts: 506 from 2003/3/4
    From: #AmigaZeux, Gu...
    Quote:

    cyfm wrote:
    In the midterm, it probably makes more sense to update MorphOS mplayer with some proper https:// support ...



    Easier said than donut. So far only Odyssey has proper https support and that has come at a cost in exe size.

    OpenSSL linklibs are mega complicated for porting. Best solution would be to have a shared library like amissl to avoid all of it, but nobody seems able to do so and keep it up to date.
  • »12.01.19 - 13:40