
Researchers Find, Analyze Forged SSL Certs In the Wild

Posted by timothy
from the they're-out-there dept.
An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."
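As an added illustration of the capture step the summary describes (this is not code from the researchers or from the original post): once a partial handshake has returned the server's Certificate message, the chain can be pulled out of the raw TLS record and the leaf fingerprint compared with the certificate the site actually deployed. The function names, the fingerprint comparison and the sample bytes are assumptions made for this sketch; it assumes a TLS 1.2-or-earlier Certificate message that arrives unfragmented in a single record.

```python
import hashlib

HANDSHAKE, CERTIFICATE = 0x16, 0x0B   # TLS record type / handshake message type

def u24(buf, off):
    """Read the 3-byte big-endian length used inside TLS handshake messages."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")

def extract_chain(record):
    """Return the DER certificates from the Certificate message in one record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    body = record[5:]
    if len(body) != int.from_bytes(record[3:5], "big"):
        raise ValueError("record length mismatch")
    off = 0
    while off < len(body):                 # one record may coalesce messages
        msg_type, msg_len = body[off], u24(body, off + 1)
        msg = body[off + 4:off + 4 + msg_len]
        if len(msg) != msg_len:
            raise ValueError("handshake message truncated or fragmented")
        if msg_type == CERTIFICATE:
            return split_cert_list(msg)
        off += 4 + msg_len
    raise ValueError("no Certificate message in record")

def split_cert_list(msg):
    """Split certificate_list: 3-byte total length, then (3-byte length, DER)*."""
    if u24(msg, 0) != len(msg) - 3:
        raise ValueError("certificate_list length mismatch")
    certs, off = [], 3
    while off < len(msg):
        n = u24(msg, off)
        cert = msg[off + 3:off + 3 + n]
        if len(cert) != n:
            raise ValueError("certificate overruns list")
        certs.append(cert)
        off += 3 + n
    return certs

def leaf_mismatch(record, expected_sha256):
    """True when the served leaf is not the certificate the site deployed."""
    chain = extract_chain(record)
    return not chain or hashlib.sha256(chain[0]).hexdigest() != expected_sha256

# Constructed sample record: two placeholder "certificates" (aabb and cc), not real DER.
SAMPLE = bytes.fromhex("16030300100b00000c000009000002aabb000001cc")
```

A mismatch only says the observed leaf differs from the expected one; the captured chain still has to be inspected to tell a corporate proxy or antivirus product from something hostile.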

  • by Anonymous Coward on Tuesday May 13, 2014 @10:03AM (#46989003)

    I'm behind a Bluecoat proxy at work. The software plays man-in-the-middle when I access my mailbox or online bank.
    I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.

  • by Anonymous Coward on Tuesday May 13, 2014 @04:12PM (#46993159)

    If you're using OS X, a secure outside connection is as simple as:

    ssh -D127.0.0.1:1080 user@machine

    That establishes a SOCKS proxy on port 1080 which tunnels connections to the remote machine. Then change your network settings to point your browser at port 1080.

    I'm pretty sure PuTTY on Windows supports SOCKS proxies, too.

    Warning: if using Firefox you need to disable local DNS resolving (so that the domain name is resolved on the other end). I forgot what the config name is, but Google will help you.

    Of course, you could use some paid VPN service. But they usually require you to install a local client, and I refuse to run any such software unless it's FOSS. The only apps I run are native from the vendor, or FOSS.

    If you really want to be elite, you run OpenBSD and set up an L2TP or PPTP tunnel over IPSec. OpenBSD only recently gained reliable, native L2TP/PPTP support, so I haven't had a chance to play around with that. But both OS X and Windows support that natively, at least as a client. Linux of course requires some kind of convoluted setup. On OpenBSD it should be pretty easy to configure, because they make configuring IPSec a breeze (as in an order of magnitude simpler than OpenVPN, which many consider to be pretty easy). Although, they may not have had time yet to simplify the L2TP/PPTP configuration. In any event, with IPSec+PPTP, it should be much easier to switch it on and off compared to SSH tunneling.
