Which SSL Reviews

Nogotofail – Google’s New Security Testing Tool

November 11, 2014 | By Editor

Summary

Headlines: Another top company hacked!!!

  • In recent times, this is the only news we are hearing. Hacking multinational companies is fast becoming a habit and, as a result, many user records are accessed and exposed.
  • The tech industry has always been security conscious, but malware and cyber criminals do appear to have become more active lately. Unfortunately, this is not new and is not likely to go away either.

Why Need a New Security Testing Tool

  • The year 2013 produced a hackers’ gallery of security exploits in transport layer security (TLS) implementations and new vulnerabilities in important protocols. From the Heartbleed flaw to the Apple gotofail vulnerability to the recent POODLE bug, security violations have had a tremendous impact on businesses and individuals alike.
  • To help security researchers and software developers identify apps vulnerable to known SSL/TLS attacks and configuration issues, Google is planning on a tool that checks for these issues.
  • In their quest to make businesses, users, the Web, and digital devices more secure, a lot of large Internet firms have decided to focus on making open source projects easier for everyone. As a matter of fact, some corporations have already begun to open source their own projects.
  • Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are encryption protocols designed to safeguard data in transit over the Web.
  • Unfortunately, today there are too many known SSL/TLS flaws, misconfigurations, and library bugs. One firm that is working to resolve these problems is Google.
  • Originally, SSL and TLS protocols were designed to safeguard the confidentiality of data in transit. SSL, however, is old and has been a favorite target of numerous attacks in recent times.
  • Although TLS is SSL’s successor and is considered more resistant and robust against cyber attacks, its newer versions are not as widely supported as older versions of SSL.

Nogotofail Security Tool

  • This week Google released a new security tool for testing network traffic called nogotofail. Google released the tool as an open source project on GitHub. This means that anyone can use it, contribute new features, offer support for more platforms, and do anything else as long as it helps better Internet security.
  • The core of nogotofail is the on-path network man-in-the-middle (MiTM), named nogotofail.mitm, which intercepts Transmission Control Protocol (TCP) traffic.
  • The tool runs on-path and centers around a set of handlers, one per connection, that are responsible for actively modifying traffic to test for flaws or check for issues. nogotofail detects vulnerable traffic using deep packet inspection (DPI) rather than port numbers.
  • In addition, because it uses DPI, it can test SSL/TLS traffic in protocols that use STARTTLS, where a connection begins in plaintext on a non-TLS port and is upgraded to TLS mid-stream, so a port-based check would never see the handshake.
  • The Android security team built the nogotofail tool, and Google has said it has been using the tool internally for quite some time and has worked with developers to improve the security of their apps. In fact, the attack engine can be used in many different ways.
  • Chad Brubaker said that the Android security team built nogotofail to provide an easy way to confirm that the apps or devices you are using are secure from known SSL/TLS exploits and misconfigurations.
  • The tool works for Android, Windows, Linux, iOS, OS X, Chrome OS, and in fact any device used to connect to the Web.
  • Clients can configure the settings and receive notifications on Android and Linux, and the attack engine itself can be deployed as a router, VPN, or proxy.
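To illustrate the content-based (DPI) detection described above, here is an added example, not nogotofail's own code: it recognizes a TLS ClientHello by its record and handshake headers alone, so the same check works on port 443 and after a plaintext STARTTLS command. The byte samples are constructed, not captured traffic.

```python
TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type for ClientHello
STARTTLS_CMD = b"STARTTLS\r\n"


def parse_client_hello(data: bytes):
    """Return client_version as 'major.minor' if data starts with a TLS ClientHello, else None."""
    if len(data) < 11:
        return None
    rec_type, ver_major, ver_minor = data[0], data[1], data[2]
    rec_len = int.from_bytes(data[3:5], "big")
    if rec_type != TLS_HANDSHAKE or ver_major != 3 or ver_minor > 3:
        return None
    if rec_len < 6 or len(data) < 5 + rec_len:
        return None  # truncated or implausible record
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != CLIENT_HELLO or hs_len + 4 > rec_len:
        return None
    return f"{data[9]}.{data[10]}"  # client_version field follows the 4-byte handshake header


def find_tls_in_stream(stream: bytes):
    """Locate the ClientHello in a client->server byte stream by content, not port.

    The handshake may be the first thing sent (HTTPS style) or follow a plaintext
    STARTTLS command (SMTP/IMAP style). Returns (offset, version) or None.
    """
    version = parse_client_hello(stream)
    if version is not None:
        return 0, version
    marker = stream.find(STARTTLS_CMD)
    if marker != -1:
        offset = marker + len(STARTTLS_CMD)
        version = parse_client_hello(stream[offset:])
        if version is not None:
            return offset, version
    return None


# Constructed sample payloads (not captured traffic).
CLIENT_HELLO_TLS12 = bytes([
    0x16, 0x03, 0x01, 0x00, 0x06,  # record: handshake, version 3.1, length 6
    0x01, 0x00, 0x00, 0x02,        # handshake: ClientHello, length 2
    0x03, 0x03,                    # client_version 3.3 (TLS 1.2)
])
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SMTP_THEN_TLS = b"EHLO client.test\r\n" + STARTTLS_CMD + CLIENT_HELLO_TLS12
```

A real inspector would also track the server's STARTTLS reply and validate the rest of the ClientHello, but the port-independence shown here is the property the tool relies on.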

Conclusion

One thing that makes cyber attacks on SSL/TLS protocols so challenging is that, in general, users are not aware that the attacks are occurring. We have seen this over the past year at firms such as Kmart, AT&T, Home Depot, Target, and JPMorgan Chase. While some cyber attacks were found within a week, others lasted for several months. The Google nogotofail tool helps developers identify the weak spots in their apps' implementations before a hacker can take advantage.
