tags:

views:

32

answers:

1
Q: 

c# Recognize Https Packets

Hello,

Presently I am working on a firewall project. First thing I have to do if any user wants to access illegal site I will not let him do so. So I am tracking TCP packets. So far for HTTP requests I don't have any problem. But for HTTPS I do have some problems. I am unable to recognize a HTTPS packet. Can any one help me on that please?

Thanks.

+2  A: 

There's no way to recognize an HTTPS request (that is, there's no way to distinguish an HTTPS request from any other SSL-wrapped request).

The best you could do would be to learn the format of the different SSL handshakes (Google search) and recognize them and compare the destination to your blacklist.

Adam Robinson  2010-09-13 12:43:10
Thanks. Very valuable advice.
Harun  2010-09-13 12:44:25
But I wonder how WireShark do that ?
Harun  2010-09-13 13:51:47
The destination will be at the TCP/IP level, you don't need to process the SSL/TLS handshake for this. (For HTTPS: port 443 by default.)
Bruno  2010-09-13 14:45:09
@Harun: Most monitoring programs like WireShark or Fiddler execute what are essentially man-in-the-middle attacks on the communication. They use a self-signed certificate that says they're the remote host, then negotiate an SSL connection with the client using that certificate then another with the server as a client. It then decrypts the communication between the client and server (since it's the one with the actual connection), then reencrypts it using the appropriate certificate for the destination.
Adam Robinson  2010-09-13 16:42:40
@Bruno: Yes, that's obviously true, but I'm assuming that exercise here is to do some sort of DPI as part of the firewall (I'm assuming this is a college project).
Adam Robinson  2010-09-13 16:43:32
The only relevant thing you'll see during the handshake is the certificate is the server certificate (and the client certificate if there is one and if the client cert negotiation is initial/not renegotiated), the rest will be encrypted. What could also be relevant is to look at connections to HTTP proxy servers, as you'd be able to see to which machine the connection is made by inspecting the `CONNECT` command.
Bruno  2010-09-13 16:53:58
@Bruno: Again, I'm not trying to say that inspecting the SSL handshake will be *valuable*, but if the point of the exercise is to be able to identify what it *is*, then simply looking for a connection on 443 is likely not going to be sufficient.
Adam Robinson  2010-09-13 17:44:23
Indeed, I agree :-)
Bruno  2010-09-13 18:29:31

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?