Researchers Find, Analyze Forged SSL Certs In the Wild 86
An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."
More secure browsing... (Score:3, Funny)
brought to you by the Adobe Flash plugin!
Re: (Score:1)
Re: (Score:1)
As opposed to regular browsing where you have no way of detecting these types of activities?
You mean other than the browser warning the article discusses?
"These certificates are not authorized by the website owners, but most browsers will "accept" them, i.e. they will warn users of the error, but will allow them to choose whether they will continue on to the (potentially insecure) website."
Yep, no way to tell.
Re: (Score:2)
When enabled the client will sign (using their client cert, generally with a site-specific internally managed CA) all the communications after the key negotiation finishes, so if there is a middle-man that modified the certificate/keys the server will see the clients signature of the communications as incorrect (as the client and server wouldn't agree
Re: (Score:1)
Some things are just to freaking hard to exterminate!
Windows... XP.... Flash... browsers...
Re: (Score:2)
Why would you exterminate browsers? Do you really want/need an app for everything?
Flash? I removed Flash to avoid problems! (Score:1, Troll)
Flash has had too many security breaches & just isn't useful enough for me to justify it's continued existence on my main browsers.
When I need flash for a few select sites I use Chrome & for the rest I use a windows VM that is regularly wiped back to a clean config using snapshots.
Too bad they didn't implement their validation tool as a normal browser plugin (or a suite of such for FF/Chrome/Safari/IE).
Re: (Score:2)
FlashBlock works great for me, all the advantages of disabling flash, but it's only a click away when desired.
Re: (Score:2)
Do those alternatives to Flash allow the developer to enable socket functionalities not natively present in current browsers"?
Are low level socket functions beyond what is available to Browser plug-ins absolutely necessary to perform the function? I don't know, which was pretty much the point of my post.
Re: (Score:3, Funny)
Re: (Score:2, Funny)
"What do you mean Flash Object approaching? Open Fire, All Weapons. Send out HTML5 Ajax to bring back it's body."
Re: (Score:2)
its* body
it's = it is
Learn this.
Re: (Score:2)
By all means, give me a better way to enable websockets on the majority of browsers out there. Flash is horrible, but most people have it installed and enabled. The same can't be said for much anything else.
Re: (Score:2)
Flash is horrible, but most people have it installed and enabled
I don't think many phones or tablets (other than Windows 8 x86 tablets, which are comparatively new) have Adobe Flash Player.
Re: (Score:2)
As I said, give me an alternative that is supported.
Web Sockets is in all major browsers (Score:2)
Re: (Score:2)
Too bad they didn't implement their validation tool as a normal browser plugin (or a suite of such for FF/Chrome/Safari/IE).
WTF? Really? How many users would actually install that plugin? How many of those users wouldn't already be paying attention to the warning the browser prints out on bad certs? Using a very widely deployed technology (flash) means they write it once, deploy via the website, and it runs almost everywhere, and it can report back to them (as opposed to the browser warning, which is client side only).
I'd be a little surprised if it wasn't possible to script this up in javascript, but that would probably only wo
Re: (Score:2)
Snort, great solution there. Flash is going down the tubes and is installed on fewer and fewer systems -- starting with people who refuse the unnecessary security hassle it has become.
If you want to create a browser plugin for the security conscious, you don't do in an environment that has been proven to be insecure time after time. If possible, you create it in in an environment that will continue to exist in a few years when even Chrome abandons it.
As to how many people are using TFA's plugin, people usin
Re: (Score:2)
Too bad you didn't read the summary properly: The flash object sits on the website, not the browser. The browser just runs it.
For this to work on a wide scale, you can't make everyone install a browser addon. That's just stupid and as bad as flash is, proprietary addons are worse.
Re: (Score:2)
Too bad you don't understand that the browser cannot run it if flash is not installed as a plugin on the user's browser (which it isn't if the person behind the browser has a clue & doesn't NEED it.
For this to be widely deployed, people would have to care enough to install it, yet clearly that is not the case for over 99% of the people browsing the web. For the remaining people with a clue (aka the security conscious), a browser plugin (akin to Browser Patrol in Firefox) would be amply sufficient.
Re: (Score:2)
So what you're saying is, Flash is a stupid idea because people have to install it, but a browser addon is a better idea because people have to install it.
Re: (Score:2)
Clearly, both reading comprehension & web security are too complicated for you.
Let me use small words to make it easier for you:
Both Flash plus their flash plugin & a browser plugin need to be installed. A plugin would add no vulnerabilities. Adding Flash to a machine does.
I leave you to your browser with 10 toolbars, unexplained slowdowns & redirects to porn sites.
Re: (Score:2)
For someone banging on about security, this statement is laughable:
Flash is a plugin.
Re: (Score:2)
Just because Flash is a plugin & insecure, that doesn't make all plugins insecure. You'd have to be really stupid to make that assumption but you seem dumb enough...
Re: (Score:2)
I'm not making any assumptions, but you seem determined to make blanket statements.
Re: (Score:1)
No assumptions? Yeah, right, you only assume that all browser plugins are as insecure as flash is.
Anyone who makes an assumption that dumb is an idiot -- statement of fact, not a blanket statement
Re:Another foreign PhD at an American University (Score:4, Informative)
It's very common for research universities to take students from around the globe. This isn't unique to the US, either. For example, here's some Oxford's PhD students in CS:
http://www.cs.ox.ac.uk/people/... [ox.ac.uk]
It's a very positive thing, actually. Provincialism doesn't improve research.
Interesting technique and results... (Score:1)
Re: (Score:1)
Should they flag them? No, flagging too much will cause the users to just ignore the messages. And for most facebook communication http traffic will be just as good as https traffic.
But it should note that the security is as good as http traffic, in other words, do not display a lock.
By the way, think about it, security devices. Security for you? Did you pay those devices? No, it is security for those who pay for the devices.
Just business doing what business does (Score:2, Informative)
Many businesses implement a man in the middle server that allows them to REGEXP the HTTPS searches and connections. Generally its a proxy out with a requirement to accept the certificate which is then applied to your local to the proxy connection, but remotely your handing the company the keys to any accounts/connections used across the board.
There is a thought of trust your admin not to log your password/financial data etc... Its all quite bizarre but someone thought it was a good idea, or didn't unde
Re: (Score:3)
They can't. These are certs that are added by the companies IT department, not certs that ship by default. In some places, like United States libraries, internet filters are mandated. So these places have a few choices, let the public potentially view naughty images via Google image search, downgrade all connections to http, or MITM everything. Guess which one of the three the politicians don't like.
The big thing those IT departments have to worry about is certificate pinning, which is where the browser
Re: (Score:1)
Why can't a business do what it wants on its own networks to monitor their own computers?
Do not like it? Then don't work. Plain and simple as you are paid to work and not create hostile work environments or infect their networks. They have a right to protect themselves legally and liability wise. Companies are liable for what their employees do at all times.
They create their own self signed certs to do this so no biggie.
Re: (Score:2)
Generally it's* a proxy out
it's = it is
Learn this.
Bluecoat and other security products (Score:4, Interesting)
I'm behind a Bluecoat proxy at work. The software plays man-in-the-middle when I access my mailbox or online bank.
I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.
Re: (Score:1)
I never understood why my employees use company resources for private business.
Re: (Score:1)
Not much of a leader or thinker then are you?
Hint - your employees are at the office more than they are not.
Re: (Score:2)
Yeah, these 13 hr days, 7 days a week really suck.
Re: (Score:1)
...
Before I tear your lying post apart, lets get one thing clear. In the US, if you don't like your job, there are PLENTY of others you can choose from. Its fairly trivial to get employment and make enough money to survive. Now if you've gotten yourself buried in debt and can't afford to work a different problem, thats still your stupid fucking problem.
Second, when at work, you work. You do not dick around and do personal shit during your time there ... and then bitch because they aren't catering to you
Re: (Score:2)
Your phone DO have a data plan with GBs unused at the end of each month, right?
If my job paid me $336 more per year (difference between cheapest dumbphone plan and cheapest smartphone plan on my current carrier), I might have a phone with a data plan. But because it doesn't, I have a dumbphone.
Good luck coming close to $84/yr (Score:2)
Re: (Score:1)
You probably also don't understand that your employees are in fact people who occasionally need to get things organized during the day, and the fact that you are paying them some form of remuneration does not grant you power to dictate every facet of their existence while they work.
If you don't like it, maybe you should hire robots instead. I'm sure that will work very well for you. You'll just need a maintenance cre--... oh damn.
What's the world coming to when you can't run a business without these annoyin
Re: (Score:2)
You probably also don't understand that your employees are in fact people who occasionally need to get things organized during the day
Meh.
Businesses have legitimate reasons for monitoring the use of their equipment and networks. Employees have legitimate reasons for doing some personal stuff at work. The obvious compromise is exactly what happens: Businesses monitor and employees can decide whether they're okay with their personal stuff being monitored. If not, they have other options like doing it at home, or on their smartphone.
That said, I do appreciate that my employer doesn't monitor my traffic.
Re: (Score:3)
you don't know if they're using it for private business without breaching their telecommunications in a manner which should be( and actually in many western countries is) illegal - no matter if you built the road used for delivering the letter...
of course you probably don't understand all the possible insider and outsider complications that come from having some personnel (no matter if it's some bofh or you) with expressed ability to read everybodys mail and banking details - and from the ability that they
Re: (Score:2)
You jest, but I've seen exactly that. I was on a short contract early on in my career with a company that occupied an office in a typical large corporate center. Each floor had two sets of bathrooms shared between all companies occupying space on that floor. For the office I was contracting with, you had to swipe to get in or out. Any time spent "out" was considered personal time, and that included trips to the shared bathrooms. If you spent five minutes in the bathroom one day, you'd better work an extra f
Re: (Score:1)
I'm behind a Bluecoat proxy at work. The software plays man-in-the-middle when I access my mailbox or online bank. I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.
This is something many corporate security products do, so they can inspect and control SSL traffic for security threats. The argument for doing this is that if they didn't, then a large portion of the traffic would be bypassing some of the security defenses. You should never trust SSL for personal info when inside the company firewall.
Re: (Score:2)
I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.
They got the right by providing you with the network connection at work which you choose to use for your personal banking and e-mail.
Re: (Score:2, Interesting)
If you're using OS X, a secure outside connection is as simple as:
ssh -D127.0.0.1:1080 user@machine
That establishes a SOCKS proxy on port 1080 which tunnels connections to the remote machine. Then change your network settings to point your browser at port 1080.
I'm pretty sure PuTTY on Windows supports SOCKS proxies, too.
Warning: if using Firefox you need to disable local DNS resolving (so that the domain name is resolved on the other end). I forgot what the config name is, but Google will help you.
Of course
One more reason Flash sucks (Score:1)
And needs to be retired to the bit bucket. Need I say more?
Re:One more reason Flash sucks (Score:5, Insightful)
Flash is evil and should be destroyed, I agree. But this story is about how researchers did something cool with flash to detect forged SSL certs.
In this one case Flash isn't the security issue, it's the useful software helping to find the security issue.
Re: (Score:2, Redundant)
Flash isn't a villain here, it was used as a research tool. The researchers are using Flash to detect forged SSL Certs.
Re: (Score:2)
... meet it is I set it down
That one may smile, and smile, and be a villain
Flash is always a villain. You may use it's power intending to do good, but in the end you will do only evil.
Idiotic slashdotters man... (Score:2, Insightful)
You idiots, this guy is presenting about a much larger concern of the overall insecurity of this stupid trust model we call SSL CA Cert and all you morons talk about is how much flash sucks. You guys are fuckin nuts for brains man...
Re: (Score:1)
Not really a good sign (Score:3)
(Error code: ssl_error_no_cypher_overlap)
Yes, I turned off all weak ciphers in my browser. Including most 128bit ones.
Re: (Score:2)
It's using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. That's not exactly a weak cipher, especially since AES256 is putatively not much stronger than AES128.
I think the issue you're seeing originates on your end.
This is not what I consider "forged" (Score:2)
This isn't really all that interesting. I will be more interested when researchers find a way to detect certs created with stolen root certificates. You know, the kind that don't make the browser throw up a warning.
Re: (Score:2)
Did you read the paper? I did. That's what the research does. It turns out that there isn't a lot of malicious MITM out there, and what little does exist is done by malware on the same machine. The other MITM "attacks" are things like corporate proxies, etc.
The most interesting thing about this research is that it rather decimates the oft-repeated meme that SSL is broken and gets busted all the time. The data doesn't show that.
Re: (Score:2)
Re: (Score:2)
I had not read the paper. Now I have. I stand by my statement that this is not what I consider "forged". All of the detected certificates mentioned in the paper were detected by noticing inconsistencies in the public certificate. In most cases an outsider attacker would trigger at least a browser warning unless they had gotten their certificate authority registered on the victim computer as a trusted authority. In the case of the opFailZeroAccessCreate malware, "VeriSign Class 4 Public Primary CA" whic