Selectively performing man in the middle decryption

US 9,621,517 B2
Filed: 04/09/2015
Issued: 04/11/2017
Est. Priority Date: 08/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method for replacing code from an electronic communication performed by data processing apparatus, the method comprising:

receiving, from a client device within a network, a Hypertext Transfer Protocol (HTTP) request containing a first address of a first resource on a server outside the network, wherein the network hosts both the client device and a man-in-the-middle gateway, wherein the first address contains a first domain;

redirecting the HTTP request to the man-in-the-middle-gateway configured to only handle a certain class of traffic upon determining that the traffic in the request is of the certain class, wherein the class of traffic consists of;

incoming encrypted traffic, outgoing encrypted traffic;

establishing a first encrypted connection between the client device and the man-in-the-middle-gateway, and a second encrypted connection between the man-in-the-middle-gateway and the server;

retrieving, by the man-in-the-middle-gateway, the first resource from the server;

storing the first resource in a memory accessible by the man-in-the-middle gateway;

modifying the first resource by changing HTTP links that point to locations that are (i) outside the network, and (ii) in the first domain to point to locations in a second domain of the man-in-the-middle-gateway, wherein modifying the first resource comprises extracting HTTP links in the first resource and replacing the extracted HTTP links with different HTTP links corresponding to the location of the man-in-the-middle gateway, wherein the network is configured to redirect messages within the network, from the client device to the man-in-the-middle-gateway, when messages from the client device are addressed to the second domain; and

serving, by the man-in-the-middle-gateway to the client device, the modified first resource by transmitting the modified first resource on a network medium of the network.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to location in a domain associated with the third device within the network. The third device serves, to the first device, the second resource.

93 Citations

28 Claims

1. A method for replacing code from an electronic communication performed by data processing apparatus, the method comprising:
- receiving, from a client device within a network, a Hypertext Transfer Protocol (HTTP) request containing a first address of a first resource on a server outside the network, wherein the network hosts both the client device and a man-in-the-middle gateway, wherein the first address contains a first domain;
  
  redirecting the HTTP request to the man-in-the-middle-gateway configured to only handle a certain class of traffic upon determining that the traffic in the request is of the certain class, wherein the class of traffic consists of;
  
  incoming encrypted traffic, outgoing encrypted traffic;
  
  establishing a first encrypted connection between the client device and the man-in-the-middle-gateway, and a second encrypted connection between the man-in-the-middle-gateway and the server;
  
  retrieving, by the man-in-the-middle-gateway, the first resource from the server;
  
  storing the first resource in a memory accessible by the man-in-the-middle gateway;
  
  modifying the first resource by changing HTTP links that point to locations that are (i) outside the network, and (ii) in the first domain to point to locations in a second domain of the man-in-the-middle-gateway, wherein modifying the first resource comprises extracting HTTP links in the first resource and replacing the extracted HTTP links with different HTTP links corresponding to the location of the man-in-the-middle gateway, wherein the network is configured to redirect messages within the network, from the client device to the man-in-the-middle-gateway, when messages from the client device are addressed to the second domain; and
  
  serving, by the man-in-the-middle-gateway to the client device, the modified first resource by transmitting the modified first resource on a network medium of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, the method further comprising selecting the man-in-the-middle-gateway from a plurality of available devices within the network.
  - 3. The method of claim 2, wherein the man-in-the-middle-gateway is selected based on a comparison of the first resource with a rule defining destinations associated with encrypted communication traffic.
  - 4. The method of claim 2, wherein the man-in-the-middle-gateway is selected based on hardware performance.
  - 5. The method of claim 1, the method further comprising:
    - receiving, from a fourth device within the network, a second HTTP request addressed to an address of a second resource on a fifth device outside the network; and
      
      routing the HTTP request to the address of the second resource.
  - 6. The method of claim 1, the method further comprising modifying the first resource to conform with a security policy.
  - 7. The method of claim 1, the method further comprising modifying the first resource comprises replacing the first resource with a different resource.
  - 8. The method of claim 1, wherein modifying the first resource comprises replacing the first resource with an HTTP status code object.
  - 9. The method of claim 1, the method further comprising determining that a security policy of the network identifies the first resource for inspection upon entry to the network.
  - 10. The method of claim 1, wherein serving, by the man-in-the-middle-gateway to the client device, the modified first resource comprises serving, by the man-in-the-middle-gateway, the modified first resource such that the modified first resource can be displayed to a user.
  - 11. The method of claim 1, the method further comprising enabling observation of the changed HTTP links by a user by serving, by the man-in-the-middle-gateway to the client device, the modified first resource.

12. A non-transitory computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising:
- receiving, from a client device within a network, a Hypertext Transfer Protocol (HTTP) request containing a first address of a first resource on a server outside the network, wherein the network hosts both the client device and a man-in-the-middle gateway, wherein the first address contains a first domain;
  
  redirecting the HTTP request to the man-in-the-middle-gateway configured to only handle a certain class of traffic upon determining that the traffic in the request is of the certain class, wherein the class of traffic consists of;
  
  incoming encrypted traffic or outgoing encrypted traffic;
  
  establishing a first encrypted connection between the client device and the man-in-the-middle-gateway, and a second encrypted connection between the man-in-the-middle-gateway and the server;
  
  retrieving, by the man-in-the-middle-gateway, the first resource from the server;
  
  storing the first resource in a memory accessible by the man-in-the-middle gateway;
  
  modifying the first resource by changing HTTP links that point to locations that are (i) outside the network, and (ii) in the first domain to point to locations in a second domain of the man-in-the-middle-gateway, wherein modifying the first resource comprises extracting HTTP links in the first resource and replacing the extracted HTTP links with different HTTP links corresponding to the location of the man-in-the-middle gateway, wherein the network is configured to redirect messages within the network, from the client device to the man-in-the-middle-gateway, when messages from the client device are addressed to the second domain; and
  
  serving, by the man-in-the-middle-gateway to the client device, the modified first resource by transmitting the modified first resource on a network medium of the network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The computer storage media of claim 12, the instructions further comprising selecting the man-in-the-middle-gateway from a plurality of available devices within the network.
  - 14. The computer storage media of claim 13, wherein the man-in-the-middle-gateway is selected based on a comparison of the first resource with a rule defining destinations associated with encrypted communication traffic.
  - 15. The computer storage media of claim 13, wherein the man-in-the-middle-gateway is selected based on hardware performance.
  - 16. The computer storage media of claim 12, the instructions further comprising:
    - receiving, from a fourth device within the network, a second HTTP request addressed to an address of a second resource on a fifth device outside the network; and
      
      routing the HTTP request to the address of the second resource.
  - 17. The computer storage media of claim 12, the instructions further comprising modifying the first resource to conform with a security policy.
  - 18. The computer storage media of claim 12, wherein modifying the first resource comprises replacing the first resource with a different resource.
  - 19. The computer storage media of claim 12, wherein modifying the first resource comprises replacing the first resource with an HTTP status code object.
  - 20. The computer storage media of claim 12, the instructions further comprising determining that a security policy of the network identifies the first resource for inspection upon entry to the network.

21. A system comprising:
- one or more processors configured to execute computer program instructions; and
  
  memory encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising;
  
  receiving, from a client device within a network, a Hypertext Transfer Protocol (HTTP) request containing a first address of a first resource on a server outside the network, wherein the network hosts both the client device and a man-in-the-middle gateway, wherein the first address contains a first domain;
  
  redirecting the HTTP request to the man-in-the-middle-gateway configured to only handle a certain class of traffic upon determining that the traffic in the request is of the certain class, wherein the class of traffic consists of;
  
  incoming encrypted traffic or outgoing encrypted traffic;
  
  establishing a first encrypted connection between the client device and the man-in-the-middle-gateway, and a second encrypted connection between the man-in-the-middle-gateway and the server;
  
  retrieving, by the man-in-the-middle-gateway, the first resource from the server;
  
  storing the first resource in a memory accessible by the man-in-the-middle gateway;
  
  modifying the first resource by changing HTTP links that point to locations that are (i) outside the network, and (ii) in the first domain to point to locations in a second domain of the man-in-the-middle-gateway, wherein modifying the first resource comprises extracting HTTP links in the first resource and replacing the extracted HTTP links with different HTTP links corresponding to the location of the man-in-the-middle gateway, wherein the network is configured to redirect messages within the network, from the client device to the man-in-the-middle-gateway, when messages from the client device are addressed to the second domain; and
  
  serving, by the man-in-the-middle-gateway to the client device, the modified first resource by transmitting the modified first resource on a network medium of the network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The system of claim 21, the instructions further comprising selecting the man-in-the-middle-gateway from a plurality of available devices within the network.
  - 23. The system of claim 22, wherein the man-in-the-middle-gateway is selected based on a comparison of the first resource with a rule defining destinations associated with encrypted communication traffic.
  - 24. The system of claim 22, wherein the man-in-the-middle-gateway is selected based on hardware performance.
  - 25. The system of claim 21, the instructions further comprising:
    - receiving, from a fourth device within the network, a second HTTP request addressed to an address of a second resource on a fifth device outside the network; and
      
      routing the HTTP request to the address of the second resource.
  - 26. The system of claim 21, the instructions further comprising modifying the first resource to conform with a security policy.
  - 27. The system of claim 21, wherein modifying the first resource comprises replacing the first resource with an HTTP status code object.
  - 28. The system of claim 21, the instructions further comprising determining that a security policy of the network identifies the first resource for inspection upon entry to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
iBoss
Original Assignee
iBoss
Inventors
Martini, Paul Michael
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LYNCH, SHARON S

Application Number

US14/682,703
Publication Number

US 20150215296A1
Time in Patent Office

733 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0471   applying encryption by an i...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

Selectively performing man in the middle decryption

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Selectively performing man in the middle decryption

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links