Selectively altering references within encrypted pages using man in the middle

US 9,680,801 B1
Filed: 05/03/2016
Issued: 06/13/2017
Est. Priority Date: 05/03/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method executed by one or more processors, the method comprising:

receiving, from a client device within a network, a request addressed to a particular resource on a server outside the network;

determining that the request should be redirected to a man-in-the-middle gateway within the network;

redirecting the request to a man-in-the-middle gateway within the network responsive to determining that the request should be redirected;

establishing a first encrypted connection between the client device and the man-in-the-middle gateway, and a second encrypted connection between the man-in-the-middle gateway and the server;

retrieving, by the man-in-the-middle-gateway, the particular resource from the server;

modifying the particular resource into a modified resource by changing pointers within the particular resource to point to a location in a domain associated with the man-in-the-middle gateway within the network; and

serving, by the man-in-the-middle-gateway to the client device, the modified resource.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request addressed to a particular resource is received and a determination is made that the request should be redirected to a man-in-the-middle gateway within the network. A first encrypted connection is established between the client device and the man-in-the-middle gateway, and a second encrypted connection between the man-in-the-middle gateway and the server. The resource is modified into a modified resource by changing pointers within the particular resource to point to a location in a domain associated with the man-in-the-middle gateway within the network. The modified resource is served.

Citations

24 Claims

1. A computer-implemented method executed by one or more processors, the method comprising:
- receiving, from a client device within a network, a request addressed to a particular resource on a server outside the network;
  
  determining that the request should be redirected to a man-in-the-middle gateway within the network;
  
  redirecting the request to a man-in-the-middle gateway within the network responsive to determining that the request should be redirected;
  
  establishing a first encrypted connection between the client device and the man-in-the-middle gateway, and a second encrypted connection between the man-in-the-middle gateway and the server;
  
  retrieving, by the man-in-the-middle-gateway, the particular resource from the server;
  
  modifying the particular resource into a modified resource by changing pointers within the particular resource to point to a location in a domain associated with the man-in-the-middle gateway within the network; and
  
  serving, by the man-in-the-middle-gateway to the client device, the modified resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the request is a first request and the client device is a first client device, the method further comprising:
    - receiving, from a second client device within the network, a second request addressed to the particular resource;
      
      determining that the second request should not be redirected to the man-in-the-middle gateway within the network;
      
      responsive to determining that the second request should not be redirected to the man-in-the-middle gateway, redirecting the second request to a proxy service outside of the network configured to;
      
      establish a third encrypted connection between the second client device and the proxy service, and a fourth encrypted connection between the proxy service and the server;
      
      retrieve the particular resource from the server;
      
      modify the particular resource into a second modified resource by changing pointers within the particular resource; and
      
      serve the second modified resource to the second client device.
  - 3. The method of claim 2, the method further comprising:
    - receiving, from a third client device within the network, a third request addressed to an address of a second resource on a second server outside the network; and
      
      routing the request to the address of the second resource.
  - 4. The method of claim 1, wherein modifying the particular resource into the modified resource comprises modifying the particular resource based on a security policy.
  - 5. The method of claim 1, wherein modifying the particular resource into the modified resource comprises replacing the resource with a different resource.
  - 6. The method of claim 1, wherein modifying the particular resource into the modified resource comprises replacing Hypertext Transfer Protocol (HTTP) links in the particular resource with different HTTP links.
  - 7. The method of claim 1, wherein modifying the particular resource into the modified resource comprises replacing the resource with an HTTP status code object.
  - 8. The method of claim 1, the method further comprising determining that a security policy of the network identifies the particular resource for inspection upon entry to the network.

9. A system comprising:
- a processor configured to execute computer program instructions; and
  
  a tangible, non-transitory computer storage medium encoded with computer program instructions that, when executed by the processor, cause the system to perform operations comprising;
  
  receiving, from a client device within a network, a request addressed to a particular resource on a server outside the network;
  
  determining that the request should be redirected to a man-in-the-middle gateway within the network;
  
  redirecting the request to a man-in-the-middle gateway within the network responsive to determining that the request should be redirected;
  
  establishing a first encrypted connection between the client device and the man-in-the-middle gateway, and a second encrypted connection between the man-in-the-middle gateway and the server;
  
  retrieving, by the man-in-the-middle-gateway, the particular resource from the server;
  
  modifying the particular resource into a modified resource by changing pointers within the particular resource to point to a location in a domain associated with the man-in-the-middle gateway within the network; and
  
  serving, by the man-in-the-middle-gateway to the client device, the modified resource.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the request is a first request and the client device is a first client device, the operations further comprising:
    - receiving, from a second client device within the network, a second request addressed to the particular resource;
      
      determining that the second request should not be redirected to the man-in-the-middle gateway within the network;
      
      responsive to determining that the second request should not be redirected to the man-in-the-middle gateway, redirecting the second request to a proxy service outside of the network.
  - 11. The system of claim 10, the operations further comprising:
    - receiving, from a third client device within the network, a third request addressed to an address of a second resource on a second server outside the network; and
      
      routing the request to the address of the second resource.
  - 12. The system of claim 9, wherein modifying the particular resource into the modified resource comprises modifying the particular resource based on a security policy.
  - 13. The system of claim 9, wherein modifying the particular resource into the modified resource comprises replacing the resource with a different resource.
  - 14. The system of claim 9, wherein modifying the particular resource into the modified resource comprises replacing Hypertext Transfer Protocol (HTTP) links in the particular resource with different HTTP links.
  - 15. The system of claim 9, wherein modifying the particular resource into the modified resource comprises replacing the resource with an HTTP status code object.
  - 16. The system of claim 9, the operations further comprising determining that a security policy of the network identifies the particular resource for inspection upon entry to the network.

17. A non-transitory computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising:
- receiving, from a client device within a network, a request addressed to a particular resource on a server outside the network;
  
  determining that the request should be redirected to a man-in-the-middle gateway within the network;
  
  redirecting the request to a man-in-the-middle gateway within the network responsive to determining that the request should be redirected;
  
  establishing a first encrypted connection between the client device and the man-in-the-middle gateway, and a second encrypted connection between the man-in-the-middle gateway and the server;
  
  retrieving, by the man-in-the-middle-gateway, the particular resource from the server;
  
  modifying the particular resource into a modified resource by changing pointers within the particular resource to point to a location in a domain associated with the man-in-the-middle gateway within the network; and
  
  serving, by the man-in-the-middle-gateway to the client device, the modified resource.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the request is a first request and the client device is a first client device, the operations further comprising:
    - receiving, from a second client device within the network, a second request addressed to the particular resource;
      
      determining that the second request should not be redirected to the man-in-the-middle gateway within the network;
      
      responsive to determining that the second request should not be redirected to the man-in-the-middle gateway, redirecting the second request to a proxy service outside of the network configured to;
      
      establish a third encrypted connection between the second client device and the proxy service, and a fourth encrypted connection between the proxy service and the server;
      
      retrieve the particular resource from the server;
      
      modify the particular resource into a second modified resource by changing pointers within the particular resource; and
      
      serve the second modified resource to the second client device.
  - 19. The non-transitory computer-readable medium of claim 18, the operations further comprising:
    - receiving, from a third client device within the network, a third request addressed to an address of a second resource on a second server outside the network; and
      
      routing the request to the address of the second resource.
  - 20. The non-transitory computer-readable medium of claim 17, wherein modifying the particular resource into the modified resource comprises modifying the particular resource based on a security policy.
  - 21. The non-transitory computer-readable medium of claim 17, wherein modifying the particular resource into the modified resource comprises replacing the resource with a different resource.
  - 22. The non-transitory computer-readable medium of claim 17, wherein modifying the particular resource into the modified resource comprises replacing Hypertext Transfer Protocol (HTTP) links in the particular resource with different HTTP links.
  - 23. The non-transitory computer-readable medium of claim 17, wherein modifying the particular resource into the modified resource comprises replacing the resource with an HTTP status code object.
  - 24. The non-transitory computer-readable medium of claim 17, the operations further comprising determining that a security policy of the network identifies the particular resource for inspection upon entry to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
iBoss
Original Assignee
iBoss
Inventors
Martini, Paul Michael
Primary Examiner(s)
Truong, Lan-Dai T

Application Number

US15/145,672
Time in Patent Office

406 Days
Field of Search

709227, 709230, 709229, 709245, 709246, 709249
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/1483   service impersonation, e.g....

H04L 63/168   above the transport layer

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/141   Setup of application sessio...

H04L 67/2871   Implementation details of s...

H04L 67/563   Data redirection of data ne...

Selectively altering references within encrypted pages using man in the middle

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Selectively altering references within encrypted pages using man in the middle

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links