Debookee




Debookee is able to intercept and monitor the traffic of any device in the same subnet thanks to a Man-in-the-Middle (MITM) attack. It lets you capture, on your Mac, the data of mobile devices (iPhone, iPad, Android, BlackBerry) as well as printers, TVs or fridges (Internet of Things!) without needing a proxy.

  • Update on 4th Sept 17: v6 is no longer private but in public beta; check out and docs. After 7 months of work, I'm pleased to release Debookee 6.0.0 beta, which implements SSL/TLS decryption in less than 4 clicks for a.
  • Debookee: download Debookee 8.0.1, a simple yet practical network-management application for macOS that makes it possible to inspect all network traffic and also to monitor the activity of the Wi-Fi devices around the user.

HSTS - HTTP Strict Transport Security

This first blog post presents HSTS mechanism in a practical way with tests done with Chrome.

What is HSTS?

  • HSTS allows a site to always be contacted over HTTPS
  • Every SSL error that would otherwise be a bypassable warning becomes non-bypassable
  • Trust On First Use mechanism
  • A list of preloaded HSTS domains can be embedded in browsers and will override HSTS responses from the servers
  • RFC 6797

This mechanism helps against downgrade attacks like SSL stripping.

For the tests we’ll use projects.dm.id.lv, which offers various test pages specifically for HSTS, with the Chrome browser, whose internals pages make it the most convenient browser for debugging HSTS.

HTTP headers

An HSTS header is only honoured when it is received over a secure HTTPS connection; a browser must ignore it on plain HTTP (RFC 6797).
Here is the view in the Network tab of Chrome DevTools (Debookee can’t decrypt SSL yet):

  • max-age: (Required) - Time in seconds for which the browser retains this host’s policy (1 year here)
    max-age=0 deletes the HSTS policy
  • includeSubDomains: (Optional) - The HSTS policy also applies to every subdomain of the host’s domain name
  • preload: (Optional) - An opt-in signal from the server, seen on websites that ask to be added to the preload list
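As an added example (not Debookee code and not code from the original post), here is a small Python parser that applies the RFC 6797 rules the bullets above describe: max-age is required, includeSubDomains and preload are flags, a duplicated directive invalidates the whole header, max-age=0 removes the policy, and a header received over plain HTTP or on a connection with a certificate error is ignored. The dynamic store being a plain dict keyed by host is an assumption made for the example.

```python
"""Parse and apply a Strict-Transport-Security header the way RFC 6797
tells a browser to.  Added example, not Debookee's or Chrome's code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Return the policy carried by the header value, or None when the header
    is invalid and must be ignored (RFC 6797 section 6.1: max-age is
    required, a directive name must not appear twice, unknown directives are
    ignored, and the max-age value may be quoted)."""
    seen = {}
    for raw in value.split(';'):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition('=')
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:            # duplicate directive -> header invalid
            return None
        seen[name] = val
    if 'max-age' not in seen or not seen['max-age'].isdigit():
        return None                 # missing or malformed max-age -> ignored
    return HstsPolicy(
        max_age=int(seen['max-age']),
        include_subdomains='includesubdomains' in seen,
        preload='preload' in seen,
    )


def apply_sts_response(store: dict, host: str, scheme: str,
                       header: Optional[str], has_cert_error: bool = False) -> dict:
    """Update a browser-style dynamic HSTS store (assumed here to be a dict
    host -> HstsPolicy) from one response.  RFC 6797 section 8.1: only a
    response received over HTTPS without certificate errors may create,
    refresh or delete a policy; max-age=0 deletes it."""
    if scheme != 'https' or has_cert_error or header is None:
        return store
    policy = parse_sts_header(header)
    if policy is None:
        return store
    if policy.max_age == 0:
        store.pop(host, None)
    else:
        store[host] = policy
    return store


if __name__ == '__main__':
    # Constructed header values, modelled on the ones the test site sends.
    s = {}
    apply_sts_response(s, 'projects.dm.id.lv', 'http', 'max-age=31536000')
    print('after http response :', s)          # empty: header over HTTP is ignored
    apply_sts_response(s, 'projects.dm.id.lv', 'https',
                       'max-age=31536000; includeSubDomains; preload')
    print('after https response:', s)
    apply_sts_response(s, 'projects.dm.id.lv', 'https', 'max-age=0')
    print('after max-age=0     :', s)          # policy deleted again
```

Running the block shows the store staying empty after the HTTP response, filling after the HTTPS one and emptying again on max-age=0, which is exactly the sequence the net-internals page will show in the next section.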

What does Chrome know about a specific website?

Make sure to run these tests in non-incognito mode, as incognito mode does not persist HSTS responses.

  • Visit chrome://net-internals/#hsts

This menu mixes information for HSTS and HTTP Public Key Pinning (HPKP) which we’ll see in another post.


1. Non preloaded website

  • static_*: information on whether the website is preloaded in Chrome’s internals
  • dynamic_*: information received in the Strict-Transport-Security header of an HTTPS response
  • upgrade_mode: STRICT | UNKNOWN | OPPORTUNISTIC
    Chrome-internal variable telling it whether it must redirect HTTP to HTTPS.
    Always STRICT for HSTS, but as this menu mixes in HPKP info, it can hold another value when Chrome has no HSTS info for a domain (query google.cz for example).
  • sts_include_subdomains: value of includeSubDomains
  • sts_observed: Unix timestamp of the HSTS policy’s creation
  • pkp_*: concerns HPKP

We have information about this domain because we’ve already visited it; delete it and query again -> no more results, as it’s not preloaded.


2. Preloaded website


The full list of preloaded websites is available in Chromium’s transport_security_state_static.json (see Links below).

After deleting twitter.com, only the static_ preloaded information remains; it will override any dynamic info learned from the network.


static_sts_observed corresponds to the date of Chrome’s commit.



In practice: HTTP redirection to HTTPS

Let’s observe the behaviour without/with HSTS.

1. Delete all HSTS info concerning projects.dm.id.lv
2. Visit http://projects.dm.id.lv/s/hsts-testresult.html
→ The page should be presented without redirection, as HSTS is not yet active for this domain

3. Visit https://projects.dm.id.lv/Public-Key-Pins_test
→ This HTTPS page will populate the HSTS information
→ An HSTS query on projects.dm.id.lv will now show dynamic_sts info

4. Revisit the non-secure http://projects.dm.id.lv/s/hsts-testresult.html
→ This time there is a redirection, shown as “307 Internal Redirect”

→ A second request is immediately sent to the HTTPS URL

5. For the next year (the max-age), all requests to http:// will be redirected to the https:// version for this domain


In practice: Certificate errors & user access to faulty pages

1. Delete all HSTS info concerning projects.dm.id.lv
2. Visit https://certerror.projects.dm.id.lv/hsts-recourse.html
→ The page will present a certificate error, as the server’s certificate does not match the URL.

3. It’s still possible to proceed to the page through the warning

4. Visit https://projects.dm.id.lv/Public-Key-Pins_test
→ This will populate the HSTS information

5. Revisit https://certerror.projects.dm.id.lv/hsts-recourse.html
→ The first time, you’ll still be allowed in, because Chrome saved the earlier “Proceed to certerror…” exception
→ Click the lock icon and choose “Stop using an invalid certificate”

→ This time, you can’t access the page at all
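To tie the net-internals section and the two procedures above together, here is an added Python model (not Chrome’s code and not Debookee’s) of the state that chrome://net-internals/#hsts displays: a static table of preloaded hosts and a dynamic table learned from HTTPS responses. It reproduces what the tests show: no upgrade before the policy is learned, the 307 Internal Redirect afterwards, the non-bypassable certificate error on a covered subdomain, expiry once max-age has elapsed, and the fact that deleting a domain removes only dynamic state while the static entry survives. The assumption that the test page sets includeSubDomains (needed for certerror.projects.dm.id.lv to be covered), the preloaded twitter.com entry and the timestamps are constructed for the example.

```python
"""Simplified model of Chrome's HSTS state (static preload + dynamic table).
Added example: a simplification, not Chrome's TransportSecurityState."""
from dataclasses import dataclass
import time


@dataclass
class StsEntry:
    include_subdomains: bool
    observed: float            # unix timestamp (sts_observed); for static
                               # entries the date of Chrome's commit
    max_age: int = 0           # seconds; 0 here means "never expires"
                               # (used for static entries, an assumption)

    def expired(self, now: float) -> bool:
        return self.max_age > 0 and now > self.observed + self.max_age


class HstsState:
    def __init__(self, static: dict):
        self.static = static   # host -> StsEntry baked into the browser
        self.dynamic = {}      # host -> StsEntry learned from responses

    def _matching(self, table, host, now):
        # Walk from the exact host up through its parent domains; a parent's
        # entry applies only if it carries includeSubDomains.
        labels = host.lower().split('.')
        for i in range(len(labels)):
            entry = table.get('.'.join(labels[i:]))
            if entry is None or entry.expired(now):
                continue
            if i == 0 or entry.include_subdomains:
                return entry
        return None

    def query(self, host, now=None):
        """What net-internals reports: static info overrides dynamic info."""
        now = time.time() if now is None else now
        return (self._matching(self.static, host, now)
                or self._matching(self.dynamic, host, now))

    def learn(self, host, max_age, include_subdomains, now):
        """Record a policy from an HTTPS response (dynamic_sts_*)."""
        if max_age == 0:
            self.dynamic.pop(host, None)      # max-age=0 deletes the policy
        else:
            self.dynamic[host] = StsEntry(include_subdomains, now, max_age)

    def delete(self, host):
        """The 'Delete domain' action: removes dynamic state only."""
        self.dynamic.pop(host, None)

    def navigate(self, url, now=None):
        """Return the URL the browser actually fetches: an http:// URL on a
        known host gets the 307 Internal Redirect to https://."""
        scheme, _, rest = url.partition('://')
        host = rest.split('/', 1)[0].split(':')[0]
        if scheme == 'http' and self.query(host, now) is not None:
            return 'https://' + rest
        return url

    def cert_error_bypassable(self, host, now=None):
        """Without HSTS the warning page offers 'Proceed'; with HSTS it doesn't."""
        return self.query(host, now) is None


if __name__ == '__main__':
    YEAR = 31536000
    t0 = 1_500_000_000.0     # constructed timestamp
    state = HstsState(static={'twitter.com': StsEntry(True, observed=0)})
    url = 'http://projects.dm.id.lv/s/hsts-testresult.html'
    print('before policy :', state.navigate(url, t0))
    state.learn('projects.dm.id.lv', YEAR, True, t0)   # the HTTPS test page
    print('after policy  :', state.navigate(url, t0 + 1))
    print('cert error bypassable on certerror.projects.dm.id.lv:',
          state.cert_error_bypassable('certerror.projects.dm.id.lv', t0 + 1))
    state.delete('twitter.com')
    print('twitter.com still known after delete:', state.query('twitter.com', t0) is not None)
```

The walk up the label hierarchy in `_matching` is the part worth studying: it is why a policy with includeSubDomains learned from projects.dm.id.lv makes the certificate error on certerror.projects.dm.id.lv non-bypassable, while a policy without that flag would leave the subdomain unprotected.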


Links

  • Include your domain in the preload list
    https://hstspreload.appspot.com/
  • List of all preloaded domains
    https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json
  • Supported browsers
    http://caniuse.com/#feat=stricttransportsecurity