Creating smart background services

Mortadello

Hey,

I wanted to create some post-NTLite-debloat "smart background services", smart because I want to create a background service which runs permanently in the background after the debloat process, which will block insecure and deprecated (SHA-1, TLS 1.0, TLS 1.1) connections on machine start-up/boot and immediately turn those back on for certain apps or games which still make use of those old connections, and immediately turn those back off the moment these apps/games are shut down. Is this doable under "Windows 11 24H2 Pro"?

Much appreciation from me for this tool :-)
 
I highly doubt a Windows background service is possible, because to change the list of allowed SSL ciphers requires a reboot.

The closest thing I could imagine is creating a proxy server on another host (like Squid or Rebel TLS Proxy), which does allow deprecated ciphers, and works as a middle man to forward the traffic outbound as TLS 1.2 traffic.
 
That sounds very interesting and kinda what I want, because sadly I am a sucker for Blizzard games and these mofos still do run insanely outdated crap protocols like the ones mentioned, and I wanted to somehow get a service running which auto-detects if some hardcoded games in an array inside my script are running and based on that it shall enable <insecure> connections, and IMMEDIATELY after closing such games (and their respective launcher) it shall turn these insecure connections OFF. Maybe I can do that with your proposal.

thx dude
 
The problem isn't the service, but a requirement to snoop each HTTP session as they're opened. All of them use the same protocol, but the difference is what both sides end up agreeing from the cipher negotiation (you start with the highest supported security level, and decline down towards the weakest level).

Snooping implies you've added a security problem, because you're open to a MITM attack.

So you can't tell until after the HTTP session is already open, and it's too late to do anything. The other method is to write a wrapper to change the cipher suites, then launch your app. But if you had overlapping apps (which could be possible), you would have to monitor when the last one that could use the legacy cipher exits and switch them around.

But all that is academic, because Windows doesn't support dynamically changing the cipher suite list on the fly. That would be an insecure thing to do, since an attacker could abuse that to always lower the cipher list to be the weakest. A restart is mandatory.

If you really like your legacy Blizzard games, then maybe consider a dual-boot setup with a stripped down "gamer" image. Then you're not worried that your main personal apps aren't being tricked to fall down to TLS 1.0 or 1.1 encryption.
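Added example (not garlin's or the thread's own code) showing where the switch garlin is talking about actually lives: the SChannel protocol registry keys that Windows reads at boot, which is why a change only takes effect after a restart. The function names are mine; it assumes an elevated PowerShell session, and drops nothing until you remove -WhatIf.

```powershell
# Audit and set the per-protocol SChannel client switches (outbound connections).
# Assumption: run elevated. The "Server" subkey governs inbound connections and
# is deliberately left alone here.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelClientProtocolState {
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'))
    foreach ($p in $Protocols) {
        $key   = Join-Path $base "$p\Client"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            KeyExists         = [bool]$props
            # A missing value means "OS default", which differs between Windows builds.
            Enabled           = $(if ($null -ne $props.Enabled) { $props.Enabled } else { '(default)' })
            DisabledByDefault = $(if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(default)' })
        }
    }
}

function Disable-SchannelClientProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path $base "$Protocol\Client"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 refuses the protocol outright; DisabledByDefault=1 keeps it out of
    # the negotiated set for apps that don't explicitly ask for it.
    Set-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
}

Get-SchannelClientProtocolState | Format-Table -AutoSize
'TLS 1.0', 'TLS 1.1' | ForEach-Object { Disable-SchannelClientProtocol -Protocol $_ -WhatIf }
Write-Host 'Edits above are dry-run; once applied they take effect after a reboot, not for already-running apps.'
```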
 
Thank you garlin, pretty detailed in that, but yeah, I do fear that I won't get around this reboot thing by writing a bg-service which detects an app is being opened, turning off those insecure protocols BEFORE they are doing the handshake stuff (not sure you can hook into that event from Windows; it really should start the moment you double-click the .exe, BEFORE it is even loaded into RAM, let alone the connection stuff begins).

But I think a gamer dual-boot partition will do the trick as well :D
 