Silviu Posted May 12, 2014 Report Posted May 12, 2014 Visiting a website certified with an SSL certificate doesn’t mean that the website is not bogus. Secure Sockets Layer (SSL) protect the web users in two ways, it uses public key encryption to encrypt sensitive information between a user’s computer and a website, such as usernames, passwords, or credit card numbers and also verify the identity of websites.Today hackers and cyber criminals are using every tantrum to steal users’ credentials and other sensitive data by injecting fake SSL certificates to the bogus websites impersonating Social media, e-commerce, and financial websites as well.DETECTING FAKE DIGITAL CERTIFICATES WIDELYA Group of researchers, Lin-Shung Huang , Alex Ricey , Erling Ellingseny and Collin Jackson, from the Carnegie Mellon University in collaboration with Facebook have analyzed [PDF] more than 3 million SSL connections and found strong evidence that at least 6;845 (0:2%) of them were in fact tampered with forged certi?cates i.e. self-signed digital certificates that aren’t authorized by the legitimate website owners, but will be accepted as valid by most browsers.They utilized the widely-supported Flash Player plug-in to enable socket functionality and implemented a partial SSL handshake on our own to capture forged certi?cates and deployed this detection mechanism on an Alexa top 10 website, Facebook, which terminates connections through a diverse set of network operators across the world.Generally Modern web browsers display a warning message when encountering errors during SSL certi?cate validation, but warning page still allows users to proceed over a potentially insecure connection.Fake SSL connections can argue that certi?cate warnings are mostly caused by server mis-con?gurations. According to usability survey, many users actually ignore SSL certi?cate warnings and trusting forged certificates could make them vulnerable to the simplest SSL interception attacks.This means that a potential hacker can successfully impersonate any website, even for secure connections i.e. HTTPS, to perform an SSL ma-in-the-middle attack in order to intercept encrypted connections.FAKE DIGITAL CERTIFICATES SIGNED WITH STOLEN KEYS FROM ANTIVIRUSResearchers observed most of the forged SSL certi?cate are using same name as original Digital Certificate issuer organizations, such as VeriSign, Comodo.Some Antivirus software such as Bitdefender, ESET, BullGuard, Kaspersky Lab, Nordnet, DefenderPro etc., has ability to intercept/Scan SSL connection on Clients’ system in order to defend their users from Fake SSL connections. These Antivirus products generate their own certi?cates that would be less alarming than other Self-signed digital certificates."One should be wary of professional attackers that might be capable of stealing the private key of the signing certificates from antivirus vendors, which may essentially allow them to spy on the antivirus users (since the antivirus root certificate would be trusted by the client)," the researchers explained. "Hypothetically, governments could also compel antivirus vendors to hand over their signing keys."Similar capabilities are observed in various Firewall, Parental Control Software and adware software those could be compromised by hackers in order to generate valid, but fake digital certificates.DIGITAL CERTIFICATES GENERATED BY MALWAREResearchers also noticed another interesting self-signed digital certificate, named as ‘IopFailZeroAccessCreate’, which was generated by some malware on client-end systems and using same name as trusted Certificate issuer “VeriSign Class 4 Public Primary CA.”“These variants provide clear evidence that attackers in the wild are generating certi?cates with forged issuer attributes, and even increased their sophistication during the time frame of our study,” they said.Detected statistics shows that the clients infected with same malware serving ‘IopFailZeroAccessCreate’ bogus digital certificates were widespread across 45 different countries, including Mexico, Argentina and the United States.Malware researchers at Facebook, in collaboration with the Microsoft Security Essentials team, were able to con?rm these suspicions and identify the speci?c malware family responsible for this attack.DETECTION AND ATTACK MIGRATION TECHNIQUESAttackers may also restrict Flash-based sockets by blocking Flash socket policy traffic on port 843 or can avoid intercepting SSL connections made by the Flash Player in order to bypass detection techniques used by the researchers. To counter this, websites could possibly serve socket policy ?les over ?rewall-friendly ports (80 or 443), by multiplexing web traf?c and socket policy requests on their servers.In Addition, researchers have discussed migration techniques in the paper such as HTTP Strict Transport Security (HSTS), Public Key Pinning Extension for HTTP (HPKP), TLS Origin-Bound Certi?cates (TLS-OBC), Certi?cate Validation with Notaries and DNS-based Authentication of Named Entities (DANE), those could be used by servers to enforce HTTPS and validate digital certificates. Sursa: http://thehackernews.com Quote
