WIP Add TLS key log to okta and duo libs, use in add

[nickatsegment]

This is a POC to show how TLS key logging might look, addressing #129. TLS key logging works by logging TLS session keys to a log file, which can then be used to decrypt a packet capture, even in the face of perfect forward secrecy.

• User must build with special flag: go build -ldflags='-X cmd.UseTLSKeyLogFile=yes'; this would be disabled in general release
• Start Wireshark packet capture
• Run SSLKEYLOGFILE=./keylog aws-okta add
• Configure Wireshark to use key log
• Use the filter ssl && http to see decrypted SSL.

I believe this would be fairly straightforward way for advanced users to be able to debug their raw HTTP traffic.

Alternatives:

Setting up a MITM with omni-CA a la Charles

MITM's all traffic and requires installing a root CA. Not very 🔒

Dump all HTTP traffic to a file instead

• Probably more complicated in the code
• What dump format?

[abraithwaite]

MITM's all traffic and requires installing a root CA. Not very 🔒

I'd argue that MITM is much more secure. Takes more of a conscious effort to install a root CA.

[nickatsegment]

I'll disable this by default in the real PR

[nickatsegment]

I'd argue that MITM is much more secure. Takes more of a conscious effort to install a root CA.

I dunno, the limited scope of key logging to me says more secure?

At any rate, I'd argue it takes a pretty conscious effort to

1. Compile a custom build with the env var enabled
2. Run that custom build with the env var set
3. Not notice the spew of security warnings

Plus it limits your ability to shoot yourself in the foot by only logging for this invocation. You can still have a standard installation of aws-okta that has logging totally disabled running at the same time, and it will still work fine and be secure.

[boggsboggs]

Can we setup a docker image with aws-okta and a root CA installed? That would keep the scope of the root CA to only aws-okta, and might be able to work without needing custom code inside the application. Could be a reasonable pattern for debugging other apps as well if we can make it run smoothly for aws-okta.

[nickatsegment]

Can we setup a docker image with aws-okta and a root CA installed?

Yep, that's reasonable. You'd only be able to test the Linux version, but I can't imagine the HTTP behaviour would be that different

[abraithwaite]

Compile a custom build with the env var enabled

If it requires recompiling with a build flag then that seems like a reasonable compromise.

In any case, MITM proxies are pretty typical for debugging TLS both in normal development and in the security community. Lots of options that don't require adding it as a global root certificate to your personal keychain. Even that isn't too bad though since it's only trusted by you and can only be used by you to access websites you're trying to debug.

[nickatsegment]

I did a write up of the two methods here.