Researchers find, analyze forged SSL certs in the wild

A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild.

Led by Lin-Shung Huang, a PhD candidate at Carnegie Mellon University who was an intern with the Facebook Product Security team during the research, the group created a new method for websites to detect these attacks at scale: a widely supported Flash Player plugin was used to provide socket functionality not natively available in current browsers, so that the client could perform a distinct, partial SSL handshake and capture the certificate actually presented to it, including forged ones.
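The detection idea described above, observing the certificate from a partial handshake and comparing it against what the site owner expects, as an added Python example that is not the researchers' or Facebook's code: it walks the server's TLS records only as far as the Certificate message, so no key exchange is needed, and flags a leaf whose SHA-256 fingerprint is not on the expected list. The record layout follows RFC 5246; the certificate blobs and the pin set are constructed placeholders, not real certificates.

```python
import hashlib
import struct

# TLS constants (RFC 5246): handshake record content type, Certificate message type.
RECORD_HANDSHAKE, HANDSHAKE_CERTIFICATE = 0x16, 11

def handshake_record(htype: int, body: bytes) -> bytes:
    """Wrap one handshake message in a TLS 1.2 record (builds test input)."""
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE, 3, 3]) + struct.pack("!H", len(msg)) + msg

def certificate_record(chain: list) -> bytes:
    """Certificate message: 3-byte total length, then each DER blob with its own 3-byte length."""
    certs = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    return handshake_record(HANDSHAKE_CERTIFICATE, len(certs).to_bytes(3, "big") + certs)

def extract_chain(stream: bytes) -> list:
    """Read the server's records only as far as the Certificate message and return its
    DER blobs; the handshake need not be completed. Simplification: a message
    fragmented across several records is not reassembled."""
    pos = 0
    while pos + 5 <= len(stream):
        rtype, rlen = stream[pos], struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        payload, pos = stream[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if rtype != RECORD_HANDSHAKE:
            continue
        hpos = 0
        while hpos + 4 <= len(payload):
            htype, hlen = payload[hpos], int.from_bytes(payload[hpos + 1:hpos + 4], "big")
            body, hpos = payload[hpos + 4:hpos + 4 + hlen], hpos + 4 + hlen
            if htype != HANDSHAKE_CERTIFICATE:
                continue  # e.g. ServerHello: skip to the next message
            chain, cpos = [], 3
            while cpos < 3 + int.from_bytes(body[:3], "big"):
                clen = int.from_bytes(body[cpos:cpos + 3], "big")
                chain.append(body[cpos + 3:cpos + 3 + clen])
                cpos += 3 + clen
            return chain
    return []

def leaf_is_forged(stream: bytes, expected_pins: set) -> bool:
    """True when the leaf's SHA-256 fingerprint is not one the site owner knows to be legitimate."""
    chain = extract_chain(stream)
    if not chain:
        raise ValueError("no Certificate message in captured handshake")
    return hashlib.sha256(chain[0]).hexdigest() not in expected_pins

# Constructed placeholder blobs standing in for DER certificates (not real certs).
GENUINE_LEAF, MITM_LEAF = b"DER:genuine-leaf", b"DER:intercepting-proxy-leaf"
EXPECTED_PINS = {hashlib.sha256(GENUINE_LEAF).hexdigest()}
```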

This detection method was deployed on Facebook's website, with the following result: of nearly 3.5 million SSL connections analyzed, 6,845 (0.2%) presented forged SSL certificates.

These certificates are not authorized by the website owners, but most browsers will “accept” them in the sense that they warn users of the error and then let them choose whether to continue on to the (potentially insecure) website.

The overwhelming majority of the subjects of the forged certificates were, as expected, tied to the wildcard domain *.facebook.com. As for the bogus issuers of the certificates, most were apparently security companies: Bitdefender, ESET, BullGuard, Kaspersky Lab, etc., since some security products intercept and analyze SSL connections in order to protect users from fake, insecure ones.

“The second most popular category of forged certificates belongs to commercial network security appliances that perform web content filtering or virus scanning on SSL traffic. As observed in the certificate subject fields, Fortinet was one of the issuers that manufactures devices for web content filtering with support for HTTPS deep inspection,” they noted.

Other instances of forged certificates were issued by an adware-peddling company. Finally, the researchers also noticed an unknown issuer named IopFailZeroAccessCreate on a number of occasions, and managed to tie it to SSL man-in-the-middle attacks by malware around the world.

More information about the research can be found in the very interesting paper published by the researchers. The group is set to present their research at the 35th IEEE Symposium on Security and Privacy later this month.
