TLS man-in-the-middle laboratory exercise for network security education

  • Authors: Joshua Lewis; Phil Lunsford

  • Affiliations: East Carolina University, Greenville, NC, USA; East Carolina University, Greenville, NC, USA

  • Venue: Proceedings of the 2010 ACM conference on Information technology education
  • Year: 2010

Abstract

A novel laboratory exercise is presented that demonstrates a man-in-the-middle (MITM) attack on web browser sessions that use the "secure" HTTPS protocol. The exercise presents the students with six different scenarios and challenges the student to determine if a MITM attack is taking place when they browse any website using the HTTPS protocol. Each scenario is defined in a single computer running Microsoft Windows Server with VMware Workstation as an application. The virtual machines running in VMware are connected and configured in such a way that a MITM attack is possible. Students log into a virtual machine running Microsoft Windows XP and use four different browsers (Internet Explorer, Mozilla Firefox, Opera, and Google Chrome) to browse the Internet and go to sites secured with HTTPS. Depending on the scenario, the MITM attack may or may not be present, and a malicious root certificate may or may not be installed in the web browser. Students are challenged to explain the browser behavior and to determine if a MITM attack is under way. The Windows Server images for the six scenarios can be automatically scheduled to be loaded on available blade servers based on reservations made by the students. Students then use the Remote Desktop Protocol to remotely log into the Windows Server host machine and perform the exercises. This exercise demonstrates the chain of trust of certificates in PKI, the importance of the authenticity of root certificates, the behavior of different web browsers under a MITM attack, and the ability to perform an undetectable MITM attack if the private key corresponding to a root certificate is known by the attacker. The experience of using this laboratory exercise during the spring semester of 2010 will be discussed along with student reactions.