Microsoft has blacklisted a phony SSL certificate that’s been making the rounds and is in the process of warning the general public that the certificate could be leveraged to stage man-in-the-middle attacks. In a security advisory published yesterday the company stressed that an improper certificate for the domain “live.fi” could also be used to spoof content or carry out phishing attacks, but stopped short of saying it could issue other certificates, impersonate other domains, or sign code.

The certificate, which corresponds to one of the company’s Live entities, was revoked by its issuer, certificate authority Comodo, and Microsoft has updated its Certificate Trust List (CTL) to reflect the instability. The company maintains an often in-flux Certificate Trust List as a running tally of trusted entities that are rooted to verifiable certificates.

Microsoft blamed the botched certificate on a misconfigured privileged email account on the live.fi domain. It sounds like an unauthorized third party was able to register an email account on the domain with a “privileged username,” and in turn used it to request a bogus certificate for live.fi. In a FAQ on its site, Comodo claims that all of its certificates must pass through Domain Control Validation (DCV) before they’re issued. It appears the aforementioned third party used an email (admin@, administrator@, postmaster@, etc.) to prove ownership of the domain and subsequently the certificate.

Windows 8, 8.1, RT, RT 8.1, Server 2012 and Server 2012 R2 all contain an automatic updater that takes note of revoked certificates. The company warns that users who either opt not to run that automatic updater or run older setups, including Server 2003, should run the manual update KB2917500 to blacklist the certificate. It’s expected both Google Chrome and Mozilla Firefox will block the certificate over the next several days or so.
In the very near future Firefox is expected to loop in a new feature, OneCRL, that will supersede the dated Online Certificate Status Protocol (OCSP) and improve upon the process in which the browser reviews and revokes certificates.
The shoddy state of SSL certificate validation on the Internet again floated to the surface, this time by the Superfish mess, which continues to get worse. The Electronic Frontier Foundation on Wednesday released a report, based on data scoured from the Decentralized SSL Observatory which it maintains, that shows the number of certificates that were improperly validated by the Komodia library at the core of the Superfish fiasco has climbed to over 1,600. While it’s impossible to determine, EFF researchers say it’s probable that Komodia software did enable some real-world man-in-the-middle attacks.

The Komodia software, which was built into the Superfish adware pre-installed on Lenovo computers, contains a vulnerability that breaks HTTPS connections and allows an attacker to pull off man-in-the-middle attacks. EFF staff technologists Jeremy Gillula and Joseph Bonneau said that some of the domains affected by Komodia include Google’s mail domain, Yahoo log-in domains, Bing, Windows Live Mail, Amazon, eBay checkout and Superfish.com among many others. “While it’s likely that some of these domains had legitimately invalid certificates (due to configuration errors or other routine issues), it seems unlikely that all of them did,” Gillula and Bonneau wrote in their report. “Thus it’s possible that Komodia’s software enabled real MitM attacks which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys.” Komodia’s behavior of adding a new root certificate and dubious alterations to a computer’s network stack validates certificates that should otherwise raise a browser warning.
“This means that an attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)—they just have to create an invalid certificate with the target domain as one of the alternative names, and every Komodia-based product will cause it to be accepted,” they wrote. Gillula told Threatpost that contextually the situation is not surprising given that the certificate system has been teetering on disaster for some time, a situation that’s complicated by the sheer number of Certificate Authorities at work on the Internet, many of which could also be interdicted by law enforcement or repressive government. “The most egregious thing is the idea that companies think it’s OK to interfere with people’s encrypted traffic even on their own machines,” Gillula said. “That they think it’s OK to install a root cert and go to town on it.” Gillula said he was compelled by reports related to Superfish that pointed out that an attacker would have a relatively easy time sliding an invalid certificate into legitimate traffic by inserting the domain they wanted to use in a man-in-the-middle attack into the Subject Alternative Name field. “It would go right on through,” Gillula said. Searching for that scenario in the Decentralized SSL Observatory was also relatively simple, Gillula said. It required a query that searched for certificates that contained a unique string called verify_fail[domain name] in the Subject Alternative Name field used by one of the software applications identified as running the Komodia SSL Digester proxy. 
“Lo and behold, we discovered that a lot of these certs when they hit the proxy are invalid, but Komodia changes them and because of the alternative name, ended up being valid when they hit the browser,” Gillula said, adding that Komodia wipes away any traces of a potential man-in-the-middle attack, making it impossible to determine whether an attack occurred or merely a misconfigured certificate popped up in the search. The real problem, however, is the practices of third-party vendors such as adware purveyors like Superfish who build tools to intercept traffic and manipulate certificate validation, moving it outside the browser. “The lesson for vendors is that they should stop trying to man-in-the-middle SSL connections on customer machines,” Gillula said. “Unless they’re willing to put in a lot of significant engineering effort to verify they are doing things correctly, chances are there’s going to be a bug and it’s a dangerous thing to do.”
A pretty shocking thing came to light this evening – Lenovo is installing adware that uses a “man-in-the-middle” attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE.

We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer you are in a very difficult position. That manufacturer has a huge role to play in keeping you safe – from releasing patches to update software when vulnerabilities are found to behaving in a responsible manner with the data they collect and the privileged access they have to your hardware. When bad guys are able to get into the supply chain and install malware it is devastating. Often users find themselves with equipment that is compromised and are unable to do anything about it. When malware is installed with the access a manufacturer has it buries itself deep inside the system, often with a level of access that takes it beyond the reach of antivirus or other countermeasures. This is why it is all the more disappointing – and shocking – to find a manufacturer doing this to its customers voluntarily.

Lenovo has partnered with a company called Superfish to install advertising software on its customers’ laptops. Under normal circumstances this would not be cause for concern. However Superfish’s software has quite a reputation. It is a notorious piece of “adware”, malicious advertising software. A quick search on Google reveals numerous links for pages containing everything from software to remove Superfish to consumers complaining about the presence of this malicious advertising tool.

Superfish Features:
Hijacks legitimate connections.
Monitors user activity.
Collects personal information and uploads it to its servers.
Injects advertising in legitimate pages.
Displays popups with advertising software.
Uses man-in-the-middle attack techniques to crack open secure connections.
Presents users with its own fake certificate instead of the legitimate site’s certificate.

This presents a security nightmare for affected consumers. Superfish replaces legitimate site certificates with its own in order to compromise the connections so it can install its adverts. This means that anyone affected by this adware cannot trust any secure connections they make. Users will not be notified if the legitimate site’s certificate has been tampered with, has expired or is bogus. In fact they now have to rely on Superfish to perform that check for them. Which it does not appear to do. Because Superfish uses the same certificate for every site it would be easy for another hostile actor to leverage this and further compromise the user’s connections.

Superfish uses a deprecated SHA1 certificate. SHA1 has been replaced by SHA-256 because attacks against SHA1 are now feasible with ordinary computing hardware. This is insult on top of injury. Not only are they compromising people’s SSL connections but they are doing it in the most cavalier, insecure way possible. Even worse, they use crackable 1024-bit RSA! The user has to trust that this software which has compromised their secure connections is not tampering with the content, or stealing sensitive data such as usernames and passwords. If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers’ banking sites, personal data and private messages.

Below is a photo showing Superfish on an affected laptop presenting a fake certificate instead of the legitimate “Bank of America” certificate. As you can see the user is presented with the fake Superfish certificate instead of the legitimate BoA certificate.
The only way a user would know this has happened is if they check the certificate’s details. Something most ordinary users are unlikely to do to a certificate which to all other appearances is valid and secure. As mentioned above the certificate used by Superfish is a deprecated SHA1 certificate that uses 1024-bit RSA. This is particularly obnoxious because they have installed it into the system certificates as an unrestricted trusted root certificate. To put it into context they gave it the same level of trust and authority as Microsoft’s own root certificate. Users affected by this can go to any site on the internet, and so long as it presents this certificate they will be fooled into thinking they have a secure connection. Since this certificate uses SHA1 it is feasible that an attacker could break it and hijack it. This means an attacker could create a bogus certificate that every one of these users would trust.

This is unbelievably ignorant and reckless of them. It’s quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch.

Lenovo’s response? Typical of companies caught with their hand in the cookie jar, they try to play it down while at the same time saying they have disabled it until it can be “fixed”: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/m-p/1863174#M79882

However it’s hard to see how they could “fix” this software. Its core functionality undermines the security of SSL, rendering the last decade or so of work making the web secure completely irrelevant.
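The three posts above each turn on one certificate-validation control: the live.fi post on a revoked certificate being pushed into a distrust list (the CTL update), the EFF post on a proxy that accepts any certificate carrying a verify_fail marker in its Subject Alternative Name regardless of who signed it, and the Lenovo post on a 1024-bit RSA, SHA1-signed root installed with unrestricted trust. The Go program below is an added example, not code from any of the quoted articles, Microsoft, Comodo, the EFF or Lenovo, and is not Komodia's or Superfish's code. It constructs its own throwaway certificates under placeholder example.com names and shows the defender-side checks in the order a client should apply them: a fingerprint distrust list consulted before chain building, standard chain and hostname verification that a marker SAN cannot bypass, a scan for the verify_fail prefix the EFF queried for, and an audit of a root for a weak RSA modulus or a SHA1-family signature. The example.com names, the "verify_fail" prefix as a literal SAN string, and every certificate and key are assumptions constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // constructed serial numbers; real CAs use random ones
// mkCert issues a certificate for constructed names; with parent == nil it is self-signed.
// Every certificate is built for this example: none is a real Comodo, Microsoft or Superfish cert.
func mkCert(cn string, sans []string, isCA bool, key crypto.Signer, parent *x509.Certificate, parentKey crypto.Signer) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a root must be permitted to sign certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey))
	return must(x509.ParseCertificate(der))
}
func ecKey() crypto.Signer { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Fingerprint is SHA-256 over the DER bytes, the identity a CTL-style distrust entry keys on.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// CheckCert: distrust list first, then chain to a trusted root, then hostname coverage by SANs.
func CheckCert(leaf *x509.Certificate, roots *x509.CertPool, host string, disallowed map[string]bool) error {
	if disallowed[Fingerprint(leaf)] {
		return fmt.Errorf("certificate %s... is on the distrust list", Fingerprint(leaf)[:16])
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// KomodiaMarkers returns SAN entries carrying the verify_fail prefix the EFF queried for.
func KomodiaMarkers(c *x509.Certificate) []string {
	var hits []string
	for _, name := range c.DNSNames {
		if strings.HasPrefix(name, "verify_fail") {
			hits = append(hits, name)
		}
	}
	return hits
}

// AuditRoot flags an RSA modulus under 2048 bits and a signature made with SHA-1 or older.
func AuditRoot(c *x509.Certificate) []string {
	var findings []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen()))
	}
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1, x509.MD5WithRSA:
		findings = append(findings, "signed with deprecated hash "+c.SignatureAlgorithm.String())
	}
	return findings
}

// Scenario holds the constructed certificates; example.com names are placeholders.
type Scenario struct{ Roots *x509.CertPool; TrustedCA, GoodLeaf, RogueLeaf, WeakRoot *x509.Certificate }

func BuildScenario() Scenario {
	caKey, rogueKey := ecKey(), ecKey()
	ca := mkCert("Example Trusted Root", nil, true, caKey, nil, nil)
	rogueCA := mkCert("Interception Proxy Root", nil, true, rogueKey, nil, nil) // never added to Roots
	good := mkCert("mail.example.com", []string{"mail.example.com"}, false, ecKey(), ca, caKey)
	rogue := mkCert("mail.example.com", []string{"mail.example.com", "verify_fail" + "mail.example.com"}, false, ecKey(), rogueCA, rogueKey)
	weak := mkCert("Weak Adware Root", nil, true, must(rsa.GenerateKey(rand.Reader, 1024)), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Scenario{roots, ca, good, rogue, weak}
}

func main() {
	s, none := BuildScenario(), map[string]bool{}
	fmt.Println("good leaf:", CheckCert(s.GoodLeaf, s.Roots, "mail.example.com", none))
	fmt.Println("rogue leaf:", CheckCert(s.RogueLeaf, s.Roots, "mail.example.com", none), KomodiaMarkers(s.RogueLeaf))
	fmt.Println("revoked:", CheckCert(s.GoodLeaf, s.Roots, "mail.example.com", map[string]bool{Fingerprint(s.GoodLeaf): true}))
	fmt.Println("weak root:", AuditRoot(s.WeakRoot), "trusted root:", AuditRoot(s.TrustedCA))
}
```

Run it with `go run`: the rogue leaf fails with an unknown-authority error even though its SAN list covers the requested hostname and carries the marker, which is the point the EFF made about chain validation being moved outside the browser. The distrust check runs before chain building on purpose: once an issuer revokes a certificate and a CTL-style entry lands, a still-valid signature chain must not be able to override it. The weak root audit is over the key size and signature algorithm only; Go's own verifier will additionally refuse SHA-1 signatures by default.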