[guardian-dev] Using tlspretense to test NetCipher's TLS verification
Abel Luck
abel at guardianproject.info
Fri May 31 16:09:54 EDT 2013
Hey folks,
A few months ago Tom Ritter pointed me to tlspretense [1], a ruby app to
test TLS verifiers in a blackbox manner.
Think of it as unit tests for your TLS verification algorithm.
--- How it works
You install a trusted CA on the device, and then it generates a whole
slew of good and bad certificates signed with the trusted CA.
Then, you make sure the box running tlspretense can MITM all traffic to
the device so these certs can be served up.
See screenshots here: http://imgur.com/a/2KM2q
--- Results
I finally got around to setting tlspretense up and battering
NetCipher/OnionKit on Android against it.
We consistently fail 4 out of 25 tests. We've work to do!
The results are available here https://gist.github.com/abeluck/5686495
--- Reproducing
The setup is as follows.
tlspretense expects the traffic from the device on a particular network
interface, so we will configure the server to run an ipsec VPN and MITM
all traffic on the ppp0 iface.
We then connect the Android device to the VPN (requires 4.0 or higher)
so all traffic is tunneled to the man-in-the-middling VPN.
Next, we configure tlspretense to generate our certs for the domain of
our choice, and we install the CA cert on the Android phone.
Finally, we start tlspretense and initiate the test from the device.
--- Detailed instructions
You will need:
1) One VM or VPS running Ubuntu >= 12.04 that is publicly accessible
WARNING: Use a throwaway server for this. I recommend an EC2 instance
2) One device running Android >= 4.0
3) A terminal and some Linux foo
Edit the variables in tlspretense-vpn.sh [2] and then run it on your
server to set up the VPN server.
Install tlspretense on the server with:
    apt-get install ruby1.9.1 ruby1.9.1-dev build-essential vim
    umask 0022 ; sudo gem install tlspretense
Create a tlspretense project:
    cd /root
    tlspretense init testproj
    cd testproj
Configure the project by editing config.yml. Edit the following variables:
    hostname: duckduckgo.com
    packetthief's in_interface: ppp0
Run tlspretense:
    tlspretense run
Build and install the netciphertest Android application in the OnionKit
repo [3].
NOTE: This application already includes the default tlspretense ca
certificate, so you don't need to copy the CA cert.
Connect your device to the L2TP/IPSEC PSK VPN using the settings you
configured.
Run the application (TLS Pretense Client) and click "Start Tests"
---- Future Work & Ideas
Test Automation
It would be great if we could run this locally on a VM in our build
server and somehow tunnel an emulator to it to get these test results as
part of our continuous integration system.
Proxy Support
It would be so much nicer if tlspretense could run as a proxy server
(SOCKS?) instead of requiring a network interface to MITM.
Root
Making it not require root would be awesome.
~abel
[1]: https://github.com/iSECPartners/tlspretense
[2]: https://gist.github.com/abeluck/5687507
[3]: https://github.com/abeluck/OnionKit
[4]: http://imgur.com/a/2KM2q
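
The "How it works" idea above, as an added example that is not part of the original post and is not tlspretense or NetCipher code: a throwaway CA issues one good and several deliberately bad chains, and Ruby's OpenSSL bindings stand in as the verifier under test. The hostname, certificate names and case names are constructed for illustration.

```ruby
require "openssl"

HOST = "test.example" # placeholder hostname (assumption, not from the post)

# Issue a certificate for `cn`. With no issuer given the cert is self-signed.
def issue(cn, key, issuer: nil, issuer_key: key, ca: false, expired: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 7200
  cert.not_after = expired ? Time.now - 3600 : Time.now + 3600
  bc = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", bc, true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# What a correct client does: build a chain to a trusted root, then match the name.
def verdict(store, chain, host)
  leaf, *untrusted = chain
  return :chain_rejected unless store.verify(leaf, untrusted)
  OpenSSL::SSL.verify_certificate_identity(leaf, host) ? :accepted : :hostname_mismatch
end

def run_cases
  ca_key, rogue_key, atk_key, key = Array.new(4) { OpenSSL::PKey::RSA.generate(2048) }
  ca    = issue("Trusted Test CA", ca_key, ca: true)   # the CA installed on the device
  rogue = issue("Unknown CA", rogue_key, ca: true)     # never installed anywhere
  # A valid leaf (CA:FALSE) for another name, misused below as an intermediate.
  atk   = issue("attacker.example", atk_key, issuer: ca, issuer_key: ca_key)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  chains = {
    baseline:       [issue(HOST, key, issuer: ca, issuer_key: ca_key)],
    wrong_hostname: [issue("other.example", key, issuer: ca, issuer_key: ca_key)],
    expired:        [issue(HOST, key, issuer: ca, issuer_key: ca_key, expired: true)],
    self_signed:    [issue(HOST, key)],
    unknown_ca:     [issue(HOST, key, issuer: rogue, issuer_key: rogue_key), rogue],
    leaf_as_ca:     [issue(HOST, key, issuer: atk, issuer_key: atk_key), atk],
  }
  chains.transform_values { |chain| verdict(store, chain, HOST) }
end

RESULTS = run_cases
RESULTS.each { |name, v| puts format("%-15s %s", name, v) }
```

Only the baseline chain should be accepted; a client that accepts any other row has a verification gap of the kind a failed blackbox test would point to.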