Which SSL Reviews


Https Connection Using Forged SSL Certificates

May 21, 2014 | By Editor 

Forged SSL Certificate

An attacker with a fake SSL certificate, be it a cyber criminal or a government spy, is the modern-day Internet bad guy. With a forged SSL certificate in hand, an attacker can decrypt and monitor traffic in both directions and steal credentials and other sensitive information from a system or a network.

A team of Facebook engineers and researchers from Carnegie Mellon University have designed an improved technique for detecting man-in-the-middle attacks that use forged SSL certificates. The method lets websites detect SSL interception at scale; the team then analyzed the collected data to characterize the methods used in those attacks.

According to the team's survey of 3.5 million SSL connections made to Facebook last December, 6,845 (0.2 percent) of users connected through a fake SSL certificate. Though the number is relatively small, and the survey covered just one leading website, it indicates this may be happening on a much larger scale. Most of the phony SSL certificates claimed to come from anti-virus and firewall vendors and other security software companies.

The team also noted that the second most common category of phony SSL certificates belonged to commercial network security appliances that perform virus scanning or web content filtering on SSL traffic. As the certificate subject fields showed, one of the issuers, Fortinet, manufactures web content filtering devices with support for HTTPS deep inspection.

The researchers went on to write in their report, titled “Analyzing Forged SSL Certificates in the Wild,” that users should be aware of sophisticated attacks that steal the private key of an anti-virus vendor's signing certificate, allowing attackers to spy on that vendor's users. The report also suggested that governments could pressure anti-virus vendors to hand over their signing keys.

Several malware campaigns were also responsible for fake certificates. The researchers found five phony SSL certificates sharing the same public key, purportedly from VeriSign. The majority of these forged certificates were found in the United States, Mexico, and Argentina, with 112 man-in-the-middle attacks observed across 45 countries. The report noted that Microsoft and Facebook malware researchers were able to identify the malware used in the attacks; affected users were notified immediately and given malware scan and repair instructions.

Certain parental control software packages, notably ParentsOnPatrol and Qustodio, were also found using phony SSL certificates, the researchers reported. The report went on to suggest various mitigations browser vendors could adopt to blunt such attacks, including Public Key Pinning, HTTP Strict Transport Security, and TLS Origin-Bound Certificates, among others. It strongly encouraged leading websites and popular mobile applications to deploy similar mechanisms so they can begin detecting SSL interception.
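To make the public key pinning mitigation concrete, here is an added example (not code from the Facebook/CMU report or from any browser) of how a client can tell a forged certificate from the genuine one even when both carry the same subject name: it hashes the certificate's SubjectPublicKeyInfo, compares it against the pins a site publishes in a Public-Key-Pins header, and rejects the chain when no pin matches. The minimal DER walker, the `toy_cert` builder and the placeholder key bytes are constructed for this example; the "certificates" it produces are unsigned skeletons with the real X.509 field layout, not valid certificates.

```python
import base64
import hashlib

# --- minimal DER helpers (constructed for this example; only the tag/length/value
# --- subset needed to walk a certificate is implemented) -------------------------
def der_encode(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then the length big-endian
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_decode(buf: bytes, off: int = 0):
    """Return (tag, value, offset_after_this_tlv) for the TLV starting at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        nbytes = n & 0x7F
        n, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + n], off + n

def der_children(body: bytes):
    """Split a constructed value into (tag, value, raw_tlv_bytes) tuples."""
    out, off = [], 0
    while off < len(body):
        start = off
        tag, val, off = der_decode(body, off)
        out.append((tag, val, body[start:off]))
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = der_decode(cert_der)        # Certificate ::= SEQUENCE {...}
    _, tbs_body, _ = der_decode(cert_body)        # first child: tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                      # optional version [0] EXPLICIT
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def spki_pin(cert_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def parse_hpkp(header_value: str) -> dict:
    """Parse a Public-Key-Pins header value into its pins and directives."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def chain_matches_pins(chain_der, header_value: str) -> bool:
    """A chain is accepted only if at least one certificate's SPKI hash is pinned."""
    pins = parse_hpkp(header_value)["pins"]
    return any(spki_pin(cert) in pins for cert in chain_der)

# --- constructed certificate skeletons (unsigned, not valid; layout only) -------
def toy_cert(subject_cn: str, key_bits: bytes) -> bytes:
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    oid_rsa = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))     # rsaEncryption
    oid_sha256rsa = der_encode(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
    oid_cn = der_encode(0x06, bytes.fromhex("550403"))                  # commonName
    alg = seq(oid_sha256rsa, der_encode(0x05, b""))
    name = lambda cn: der_encode(0x30, der_encode(0x31, seq(oid_cn, der_encode(0x0C, cn.encode()))))
    validity = seq(der_encode(0x17, b"140101000000Z"), der_encode(0x17, b"150101000000Z"))
    spki = seq(seq(oid_rsa, der_encode(0x05, b"")), der_encode(0x03, b"\x00" + key_bits))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")),   # version v3
              der_encode(0x02, b"\x01"),                     # serialNumber
              alg, name("Example CA"), validity, name(subject_cn), spki)
    return seq(tbs, alg, der_encode(0x03, b"\x00" + b"\x00" * 16))  # dummy signature

# Placeholder key material (constructed); a real key would be an RSAPublicKey DER.
REAL_CERT = toy_cert("www.example.com", b"\x30\x0d" + b"\x01" * 20)
FORGED_CERT = toy_cert("www.example.com", b"\x30\x0d" + b"\x02" * 20)  # same subject, other key

# The policy a site would send once, while the connection is known-good.
PINS_HEADER = 'pin-sha256="%s"; max-age=5184000; includeSubDomains' % spki_pin(REAL_CERT)

if __name__ == "__main__":
    print("genuine chain accepted:", chain_matches_pins([REAL_CERT], PINS_HEADER))
    print("forged chain accepted: ", chain_matches_pins([FORGED_CERT], PINS_HEADER))
```

The forged certificate fails even though its subject is identical, because pinning binds the site to a public key rather than to a name that any interception box or mis-issuing CA can put on a certificate. Browsers later withdrew HPKP in favour of Certificate Transparency and pre-loaded pins, but the SPKI-hash comparison shown here is the same check those mechanisms and mobile pinning libraries perform.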
