Researchers find, analyze forged SSL certs in the wild
Posted on 13 May 2014.
A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild.

Lead by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates.


This detection method was deployed on Facebook’s website, and the result was as follows: of nearly 3.5 million SSL connections analyzed, 6,845 (0.2%) of them were forged SSL certificates.

These certificates are not authorized by the website owners, but most browsers will "accept" them, i.e. they will warn users of the error, but will allow them to choose whether they will continue on to the (potentially insecure) website.

The overwhelming majority of the subjects of the forged certificates were, expectedly, tied to the wildcard domain *.facebook.com. When it comes to the bogus issuers of the certificates, most were apparently security companies: Bitdefender, ESET, BullGuard, Kaspersky Lab, etc, as some security solutions can intercept and analyze SSL connections in order to protect users from fake, insecure ones.

"The second most popular category of forged certificates belongs to commercial network security appliances that perform web content filtering or virus scanning on SSL traffic. As observed in the certificate subject fields, Fortinet was one of the issuers that manufactures devices for web content filtering with support for HTTPS deep inspection," they noted.

Other instances of forged certificates were issued by an adware-peddling company. Finally, the researchers also noticed an unknown issuer named IopFailZeroAccessCreate on a number of occasions, and managed to tie it to SSL man-in-the-middle attacks by malware around the world.

More information about the research can be found in the very interesting paper published by the researchers. The group is set to present their research at the 35th IEEE Symposium on Security and Privacy later this month.









Spotlight

The security threat of unsanctioned file sharing

Posted on 31 October 2014.  |  Organisational leadership is failing to respond to the escalating risk of ungoverned file sharing practices among their employees, and employees routinely breach IT policies.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 31st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //