0

I'm using ADAL(a 3rd party OAuth2.0 implementation). I'm trying to collect traces of the communication using Charles as a proxy. What I imagine is happening (not relying on anything):

  1. ADAL requests a certificate from the Authority through Charles
  2. Charles requests a certificate from the Authority and passes it to ADAL.
  3. ADAL wants to open an SSL channel with the Authority but actually opens it with Charles.
  4. Charles opens an SSL channel with the Authority and forwards any requests/responses to ADAL

However, ADAL rejects the Authority's certificate. Now as far as I know, certificates are passed unencrypted. So if I was correct in describing all the above steps, how does ADAL know that the entity he's talking to isn't infact the Authority he's supposed to be talking with?

Shmoopy
  • 5,334
  • 4
  • 36
  • 72

1 Answers1

0

ADAL doesn't really look at the authority's certificate - it checks that the channel used to connect to it is trusted. The presence of a proxy can disrupt the SSL channel trust. If I want to connect via SSL to www.domain.com, I expect the certificate used to establish the channel to be in my trusted authorities, to have a subject that contains www.domain.com, to be still within its validity period, and so on. I am not familiar with Charles, but I guess it might look like a DNS redirect attack from ADAL's viewpoint. You can turn off authority validation in the constructor of AuthenticationContext if you need to do a quick test, but I would strongly recommend against doing that in production code.

HTH V.

vibronet
  • 7,364
  • 2
  • 19
  • 21