
Researchers Find, Analyze Forged SSL Certs In the Wild

timothy posted about 5 months ago | from the they're-out-there dept.

Security 86

An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."


86 comments


More secure browsing... (3, Funny)

Anonymous Coward | about 5 months ago | (#46988751)

brought to you by the Adobe Flash plugin!

Re:More secure browsing... (1)

clay_shooter (1680300) | about 5 months ago | (#46988955)

As opposed to regular browsing where you have no way of detecting these types of activities?

Re:More secure browsing... (-1)

Anonymous Coward | about 5 months ago | (#46989059)

I like to shove a carrot all the way up my ass. Then I can crap it out later and it's like an extra bonus! Then I eat it. Yum yum!

Re:More secure browsing... (1)

Anonymous Coward | about 5 months ago | (#46989157)

As opposed to regular browsing where you have no way of detecting these types of activities?

You mean other than the browser warning the article discusses?

"These certificates are not authorized by the website owners, but most browsers will "accept" them, i.e. they will warn users of the error, but will allow them to choose whether they will continue on to the (potentially insecure) website."

Yep, no way to tell.

Re:More secure browsing... (2)

ChadL (880878) | about 5 months ago | (#46989353)

Where there is an IT team to provide support, using SSL client certificates will prevent (and detect via server SSL logs and client errors) fake certificates.
When enabled, the client will sign (using their client cert, generally with a site-specific internally managed CA) all the communications after the key negotiation finishes, so if there is a middle-man that modified the certificate/keys the server will see the client's signature of the communications as incorrect (as the client and server wouldn't agree on what the communications were) even if the user overrides the SSL certificate warning or an attacker (or employer, or user, or vendor) adds a fake/compromised CA to the trust store.
Doesn't work for sites without a support team to work with users and investigate failures or in cases where the internal CA is compromised, but for the highest of security needs it's more effective than using Flash.

Re:More secure browsing... (1)

Anonymous Coward | about 5 months ago | (#46989131)

Some things are just too freaking hard to exterminate!
Windows... XP.... Flash... browsers...

Re:More secure browsing... (1)

neokushan (932374) | about 5 months ago | (#46990209)

Why would you exterminate browsers? Do you really want/need an app for everything?

Spyware in your spyware (-1)

Anonymous Coward | about 5 months ago | (#46988819)

Yo dog, we put spyware in your spyware to catch some spyware.

Flash? I removed Flash to avoid problems! (1, Troll)

phayes (202222) | about 5 months ago | (#46988835)

Flash has had too many security breaches & just isn't useful enough for me to justify its continued existence on my main browsers.

When I need Flash for a few select sites I use Chrome & for the rest I use a Windows VM that is regularly wiped back to a clean config using snapshots.

Too bad they didn't implement their validation tool as a normal browser plugin (or a suite of such for FF/Chrome/Safari/IE).

Re:Flash? I removed Flash to avoid problems! (1)

timeOday (582209) | about 5 months ago | (#46988917)

Do those alternatives to Flash allow the developer to "enable socket functionalities not natively present in current browsers"? That's the sort of open-ended capability that tends to make Flash a security risk in the first place.

FlashBlock works great for me: all the advantages of disabling Flash, but it's only a click away when desired.

Re:Flash? I removed Flash to avoid problems! (1)

phayes (202222) | about 5 months ago | (#46989569)

Do those alternatives to Flash allow the developer to "enable socket functionalities not natively present in current browsers"?

Are low level socket functions beyond what is available to Browser plug-ins absolutely necessary to perform the function? I don't know, which was pretty much the point of my post.

Re:Flash? I removed Flash to avoid problems! (2, Funny)

oodaloop (1229816) | about 5 months ago | (#46988981)

Why would you remove the savior of the universe?

Re:Flash? I removed Flash to avoid problems! (1, Funny)

CronoCloud (590650) | about 5 months ago | (#46989233)

"What do you mean Flash Object approaching? Open Fire, All Weapons. Send out HTML5 Ajax to bring back it's body."

Re:Flash? I removed Flash to avoid problems! (1)

azav (469988) | about 5 months ago | (#47000281)

its* body

        it's = it is

Learn this.

Re:Flash? I removed Flash to avoid problems! (0)

Anonymous Coward | about 5 months ago | (#46989097)

Obviously they assume browsers with Flash enabled are the most likely to be victims of forged SSL. Naturally, being security experts, they are completely aware of people disabling Java, Flash and other security hazards.

Maybe the important part here is "Facebook Product Security team". If they research Facebook users only, then Flash is likely enabled. Security isn't in the mind of people who put their entire life online anyway.

Re:Flash? I removed Flash to avoid problems! (1)

neokushan (932374) | about 5 months ago | (#46990273)

By all means, give me a better way to enable websockets on the majority of browsers out there. Flash is horrible, but most people have it installed and enabled. The same can't be said for much anything else.

Re:Flash? I removed Flash to avoid problems! (1)

tepples (727027) | about 5 months ago | (#46993145)

Flash is horrible, but most people have it installed and enabled

I don't think many phones or tablets (other than Windows 8 x86 tablets, which are comparatively new) have Adobe Flash Player.

Re:Flash? I removed Flash to avoid problems! (1)

neokushan (932374) | about 5 months ago | (#46993277)

As I said, give me an alternative that is supported.

Web Sockets is in all major browsers (1)

tepples (727027) | about 5 months ago | (#46993419)

The "Web Sockets" spec is implemented in all current major browsers [caniuse.com] : IE 10+, Firefox 11+, Chrome 14+, Safari 6+ on both OS X and iOS, and current versions of Chrome and Firefox for Android. Among devices running the latest browser version available for the particular operating system, you're missing only IE on Windows Server 2003 (IE 8), IE on Windows Vista (IE 9), Safari on ancient iDevices, and Android before 4.

Re:Flash? I removed Flash to avoid problems! (1)

unrtst (777550) | about 5 months ago | (#46990085)

Too bad they didn't implement their validation tool as a normal browser plugin (or a suite of such for FF/Chrome/Safari/IE).

WTF? Really? How many users would actually install that plugin? How many of those users wouldn't already be paying attention to the warning the browser prints out on bad certs? Using a very widely deployed technology (flash) means they write it once, deploy via the website, and it runs almost everywhere, and it can report back to them (as opposed to the browser warning, which is client side only).

I'd be a little surprised if it wasn't possible to script this up in javascript, but that would probably only work in recent browsers with full web sockets support. That may be good _in_addition_to_ this flash method, but the flash method is going to work with the largest number of users, giving them the sample size they need.

Why in the world would they write multiple plugins, greatly limiting the number of subjects, incurring additional development overhead, removing the ability for them to disable it later at any time, and resulting in a useless sample size and unmanageable install base? Co-opting Flash for this purpose is perfect.

If you really want a plugin, go write one... I'm willing to bet their methods are clearly laid out.

If this post had started with them writing browser plugins, tons of people here would be saying how no one would install those and they should have used something else (javascript, flash, java, etc).

Re:Flash? I removed Flash to avoid problems! (1)

phayes (202222) | about 4 months ago | (#47016615)

Snort, great solution there. Flash is going down the tubes and is installed on fewer and fewer systems -- starting with people who refuse the unnecessary security hassle it has become.

If you want to create a browser plugin for the security conscious, you don't do it in an environment that has been proven to be insecure time after time. If possible, you create it in an environment that will continue to exist in a few years when even Chrome abandons it.

As to how many people are using TFA's plugin, people using obsolete browser versions (aka your widely deployed tech) are NOT the target audience! The target is people using plugins like certificate patrol to avoid blindly accepting any/all certificate changes presented to their browser.

I have other things to do than write browser plugins, thanks. You seem to have some experience in Flash development. Any chance you are a Flash dev that has been seeing less work and are just knee-jerking in reaction to my pointing out that Flash is insecure?

If TFA had presented a browser add-on instead of a flash plugin the clueless might have been whining about "what about MY browser", but at least it would be usable by people with at least half a clue.

Re:Flash? I removed Flash to avoid problems! (1)

neokushan (932374) | about 5 months ago | (#46990249)

Too bad you didn't read the summary properly: the Flash object sits on the website, not the browser. The browser just runs it.
For this to work on a wide scale, you can't make everyone install a browser addon. That's just stupid, and as bad as Flash is, proprietary addons are worse.

Re:Flash? I removed Flash to avoid problems! (1)

phayes (202222) | about 4 months ago | (#47016689)

Too bad you don't understand that the browser cannot run it if Flash is not installed as a plugin on the user's browser (which it isn't if the person behind the browser has a clue & doesn't NEED it).
For this to be widely deployed, people would have to care enough to install it, yet clearly that is not the case for over 99% of the people browsing the web. For the remaining people with a clue (aka the security conscious), a browser plugin (akin to Browser Patrol in Firefox) would be amply sufficient.

Re:Flash? I removed Flash to avoid problems! (1)

neokushan (932374) | about 4 months ago | (#47016831)

So what you're saying is, Flash is a stupid idea because people have to install it, but a browser addon is a better idea because people have to install it.

Re:Flash? I removed Flash to avoid problems! (1)

phayes (202222) | about 4 months ago | (#47019677)

Clearly, both reading comprehension & web security are too complicated for you.

Let me use small words to make it easier for you:
Both Flash plus their Flash plugin & a browser plugin need to be installed. A plugin would add no vulnerabilities. Adding Flash to a machine does.

I leave you to your browser with 10 toolbars, unexplained slowdowns & redirects to porn sites.

Re:Flash? I removed Flash to avoid problems! (1)

neokushan (932374) | about 4 months ago | (#47019769)

For someone banging on about security, this statement is laughable:

A plugin would add no vulnerabilities.

Flash is a plugin.

Re:Flash? I removed Flash to avoid problems! (1)

phayes (202222) | about 4 months ago | (#47019973)

Just because Flash is a plugin & insecure, that doesn't make all plugins insecure. You'd have to be really stupid to make that assumption but you seem dumb enough...

Re:Flash? I removed Flash to avoid problems! (1)

neokushan (932374) | about 4 months ago | (#47020143)

I'm not making any assumptions, but you seem determined to make blanket statements.

Re:Flash? I removed Flash to avoid problems! (1)

phayes (202222) | about 4 months ago | (#47020701)

No assumptions? Yeah, right, you only assume that all browser plugins are as insecure as flash is.

Anyone who makes an assumption that dumb is an idiot -- statement of fact, not a blanket statement

Another foreign PhD at an American University (-1)

Anonymous Coward | about 5 months ago | (#46988939)

Lin-Shung Huang
Wonder which gubmint he's spying for?
(hint: think Chi-Comms)

Re:Another foreign PhD at an American University (3, Informative)

moof1138 (215921) | about 5 months ago | (#46989217)

It's very common for research universities to take students from around the globe. This isn't unique to the US, either. For example, here are some of Oxford's PhD students in CS:

http://www.cs.ox.ac.uk/people/... [ox.ac.uk]

It's a very positive thing, actually. Provincialism doesn't improve research.

Foreigners (0)

Anonymous Coward | about 5 months ago | (#46996993)

Seriously? That's what you get from this? I can't even count how many PhD students I know are "foreign" (including myself, mind you -- South African in France). If the local candidate had been the strongest, I'm sure he or she would've been accepted for the position.

Interesting technique and results... (1)

clay_shooter (1680300) | about 5 months ago | (#46988951)

It would be interesting to see what they would find if they could run this on a bigger scale. The biggest offender appears to be security appliances. Should the browsers flag security appliances?

Re:Interesting technique and results... (1)

leuk_he (194174) | about 5 months ago | (#46989221)

Should they flag them? No, flagging too much will cause the users to just ignore the messages. And for most Facebook communication, HTTP traffic will be just as good as HTTPS traffic.

But it should note that the security is only as good as HTTP traffic; in other words, do not display a lock.

By the way, think about it, security devices. Security for you? Did you pay those devices? No, it is security for those who pay for the devices.

Just business doing what business does (2, Informative)

Anonymous Coward | about 5 months ago | (#46988973)

Many businesses implement a man-in-the-middle server that allows them to REGEXP the HTTPS searches and connections. Generally its a proxy out with a requirement to accept the certificate, which is then applied to your local-to-the-proxy connection, but remotely you're handing the company the keys to any accounts/connections used across the board.

There is a thought of "trust your admin not to log your password/financial data", etc... It's all quite bizarre, but someone thought it was a good idea, or didn't understand the full risk of the implementation.

Just business doing what business does when it's unbridled and government rules are written by that same business.

Re: Just business doing what business does (0)

Anonymous Coward | about 5 months ago | (#46989293)

How long before browsers start pulling their certs?

Re: Just business doing what business does (2)

EmperorArthur (1113223) | about 5 months ago | (#46989987)

They can't. These are certs that are added by the company's IT department, not certs that ship by default. In some places, like United States libraries, internet filters are mandated. So these places have a few choices: let the public potentially view naughty images via Google image search, downgrade all connections to HTTP, or MITM everything. Guess which one of the three the politicians don't like.

The big thing those IT departments have to worry about is certificate pinning, which is where the browser stores the actual per website cert, and displays an error if it's changed. This is what Chrome does/is planning to keep people from MITMing Google in particular. I can see both Chrome and Mozilla being proactive, while IE focuses on the corporate clients and if anything becomes less secure.
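The summary's method (let the handshake complete, capture whatever certificate was actually presented, and compare it with what the site knows it serves) and the pinning EmperorArthur describes above are the same check seen from two ends. The Go program below is an added example, not code from the paper, from Facebook or from any poster here: it mints two constructed self-signed certificates, pins the site's genuine public key, runs a loopback TLS server that presents either the genuine certificate or one from a constructed "proxy appliance" issuer, and records whether the client was shown a key outside the pin set and which issuer name was on it. The hostname example.test, the organisation strings and every function name are hypothetical, and a Go client stands in for the study's Flash socket.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Observation is what the detector records for one handshake: whether the
// leaf certificate matched a known pin, and who claims to have issued it.
type Observation struct {
	Forged bool
	Issuer string
	Pin    string
}

// selfSigned mints a throwaway self-signed certificate for host whose issuer
// organisation is org. Constructed test material only; nothing here is a real CA.
func selfSigned(host, org string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host, Organization: []string{org}},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Template doubles as parent, so the certificate's Issuer is this Subject.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: the value a site
// operator can record for its real key and compare against later.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// checkPresented classifies the leaf certificate the client was actually shown.
// A key outside knownPins is reported as forged, with the issuer name it carries.
func checkPresented(rawCerts [][]byte, knownPins map[string]bool) (Observation, error) {
	if len(rawCerts) == 0 {
		return Observation{}, errors.New("no certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return Observation{}, err
	}
	pin := spkiPin(leaf)
	issuer := "unknown"
	if len(leaf.Issuer.Organization) > 0 {
		issuer = leaf.Issuer.Organization[0]
	}
	return Observation{Forged: !knownPins[pin], Issuer: issuer, Pin: pin}, nil
}

// simulate runs a loopback TLS server presenting `presented` and a client that
// completes the handshake with any certificate (so a forged one is captured, not
// rejected) and then judges it against the pin of `genuine`.
func simulate(genuine, presented tls.Certificate) (Observation, error) {
	realLeaf, err := x509.ParseCertificate(genuine.Certificate[0])
	if err != nil {
		return Observation{}, err
	}
	known := map[string]bool{spkiPin(realLeaf): true}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{presented}})
	if err != nil {
		return Observation{}, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // drive the server side, then hang up
			c.Close()
		}
	}()
	var obs Observation
	var obsErr error
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:         "example.test", // hypothetical hostname
		InsecureSkipVerify: true,           // capture rather than reject; the callback judges
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			obs, obsErr = checkPresented(raw, known)
			return nil
		},
	})
	if err != nil {
		return Observation{}, err
	}
	conn.Close()
	return obs, obsErr
}

// runScenario pins the site's genuine key, then either lets the site present it
// or has a constructed proxy appliance present its own certificate instead.
func runScenario(interposed bool) (Observation, error) {
	genuine, err := selfSigned("example.test", "Example Site Operator")
	if err != nil {
		return Observation{}, err
	}
	presented := genuine
	if interposed {
		if presented, err = selfSigned("example.test", "Constructed Proxy Appliance CA"); err != nil {
			return Observation{}, err
		}
	}
	return simulate(genuine, presented)
}

func main() {
	for _, interposed := range []bool{false, true} {
		obs, err := runScenario(interposed)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("interposed=%v forged=%v issuer=%q\n", interposed, obs.Forged, obs.Issuer)
	}
}
```

Run it with `go run`; the first line reports the genuine certificate as matching the pin and the second reports a forged certificate from the constructed proxy issuer. The issuer field is the part worth keeping in a real deployment: it is what lets an operator attribute the interposed certificates it sees to categories such as the security appliances clay_shooter mentions below, rather than just counting them.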

Re: Just business doing what business does (0)

Anonymous Coward | about 5 months ago | (#46995675)

If I were the browser authors I would start collecting the root traces for these and on the next update hard-pull the cert so that even locally installing it doesn't work. The error message would be "The signing authority providing this certificate has been observed in the wild signing fraudulent certificates. For your protection the certificate has been disabled."

Re:Just business doing what business does (0)

Billly Gates (198444) | about 5 months ago | (#46990953)

Why can't a business do what it wants on its own networks to monitor their own computers?

Do not like it? Then don't work. Plain and simple as you are paid to work and not create hostile work environments or infect their networks. They have a right to protect themselves legally and liability wise. Companies are liable for what their employees do at all times.

They create their own self signed certs to do this so no biggie.

Re:Just business doing what business does (0)

Anonymous Coward | about 5 months ago | (#46991655)

Your thoughts assume the people capturing the data for the WHOLE company are just looking at your personal data. What about legal cases where the lawyer is required to keep those legal papers protected? Or executive emails/logins/credentials? How about if you have your 401k linked to your internal website so everyone can log in and check their percentages? Or stealing company secrets, or government secrets? The list is quite long of things you're TRUSTING the current admin du jour isn't sending off to their underworld friends to make a quick buck or bragging rights.

Many large companies have such high turnover rates or contractor turnover rates you can't tell in 6 months who is in control of the tool.

Oh, by the way, you just gave the bad guy something that is guaranteed to contain every possible security connection in the company if they choose to log it.

At best it's a double-sided sword; careful of the backswing.

Re:Just business doing what business does (1)

azav (469988) | about 5 months ago | (#47000305)

Generally it's* a proxy out

        it's = it is

Learn this.

Bluecoat and other security products (4, Interesting)

Anonymous Coward | about 5 months ago | (#46989003)

I'm behind a Bluecoat proxy at work. The software plays man-in-the-middle when I access my mailbox or online bank.
I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.

Re:Bluecoat and other security products (1)

Anonymous Coward | about 5 months ago | (#46989025)

I never understood why my employees use company resources for private business.

Re:Bluecoat and other security products (1)

Anonymous Coward | about 5 months ago | (#46989087)

Not much of a leader or thinker then are you?

Hint - your employees are at the office more than they are not.

Re:Bluecoat and other security products (1)

NatasRevol (731260) | about 5 months ago | (#46989423)

Yeah, these 13 hr days, 7 days a week really suck.

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46989925)

You jest, but in many companies in the US, that is the norm. It is not explicitly mandatory, but if you don't do it, you will be replaced.

I am intentionally unemployed and getting more education right now to work off the emotional and physical damage of a place where 5AM to 7PM shifts were the norm. With a mild commute all you have time for is sleep. The house is never clean, family are strangers, and all your memories consist of work. There is vacation time but it will be stolen away from you the instant you try to schedule its use. It is hell that has not been seen since the robber baron days.

Re:Bluecoat and other security products (0)

BitZtream (692029) | about 5 months ago | (#46990313)

...

Before I tear your lying post apart, let's get one thing clear. In the US, if you don't like your job, there are PLENTY of others you can choose from. It's fairly trivial to get employment and make enough money to survive. Now if you've gotten yourself buried in debt and can't afford to work a different problem, that's still your stupid fucking problem.

Second, when at work, you work. You do not dick around and do personal shit during your time there ... and then bitch because they aren't catering to your agenda. You're nothing more than a selfish asshole who thinks he's entitled.

Now to tear your lying post apart ...

Norm ... no it's not, not anywhere that matters.

Name one organization where everyone spends more than 84 hours per week working.

It's not normal in any business in the US, not any legal business anyway. There will be limited stretches where it happens, such as farmers and fishermen, but then they have periods of far less time working.

Where did you work that had you working 5am to 7pm, 7 days a week, all year long? Tell us this evil empire so we can call bullshit.

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#47006267)

the butthurt is strong in this one

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46993289)

I work 60+, and sleep 60. That leaves 60.

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46989967)

Irrespective of where someone is, corporate resources are to be used for corporate business only. It is a standard clause in every company's HR policy.

It also makes complete sense. Having had more than one employee who tried to mask criminal behavior by using corporate resources, it is a good and solid policy.

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46990047)

Irrespective of where someone is, corporate resources are to be used for corporate business only. It is a standard clause in every company's HR policy.

It also makes complete sense. Having had more than one employee who tried to mask criminal behavior by using corporate resources, it is a good and solid policy.

Some bosses might like to see their employees being able to spend a few minutes dealing with personal stuff instead of taking off an hour early or a long lunch to get it done, but if it's your company you do it your way, I suppose.

Also, your competitors might poach your best people with the promise of a more accommodating workplace, but again, your call.

"Best way to keep 'em on their toes is to keep 'em on their knees."

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46990175)

Not much of a leader or thinker then are you?

Hint - your employees are at the office more than they are not.

Which technology backwater country are you from? Why can't you just whip out your smartphone and do whatever you do on the net on it, using the phone's network? Your phone DO have a data plan with GBs unused at the end of each month, right?

Re:Bluecoat and other security products (1)

tepples (727027) | about 5 months ago | (#46993191)

Your phone DO have a data plan with GBs unused at the end of each month, right?

If my job paid me $336 more per year (difference between cheapest dumbphone plan and cheapest smartphone plan on my current carrier), I might have a phone with a data plan. But because it doesn't, I have a dumbphone.

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46999911)

If my job paid me $336 more per year (difference between cheapest dumbphone plan and cheapest smartphone plan on my current carrier),

Then switch carriers.

Good luck coming close to $84/yr (1)

tepples (727027) | about 5 months ago | (#46999951)

My current dumbphone plan with Virgin costs 7 USD per month, and I can't switch countries. Which carrier should I use that will leave me with "GBs unused at the end of each month" without bloating my bill by hundreds per year?

Re:Bluecoat and other security products (1)

Anonymous Coward | about 5 months ago | (#46989813)

You probably also don't understand that your employees are in fact people who occasionally need to get things organized during the day, and the fact that you are paying them some form of remuneration does not grant you power to dictate every facet of their existence while they work.

If you don't like it, maybe you should hire robots instead. I'm sure that will work very well for you. You'll just need a maintenance cre--... oh damn.

What's the world coming to when you can't run a business without these annoying "people" everywhere?

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46989933)

This. And exactly why I put MY name on the supply closet. I like the post-its most of all. And tape. You never can have enough tape. It's not like I have time in a day to go to Office Depot myself when I have a closet just down the hall with MY name on it.

Re:Bluecoat and other security products (1)

swillden (191260) | about 5 months ago | (#46991847)

You probably also don't understand that your employees are in fact people who occasionally need to get things organized during the day

Meh.

Businesses have legitimate reasons for monitoring the use of their equipment and networks. Employees have legitimate reasons for doing some personal stuff at work. The obvious compromise is exactly what happens: Businesses monitor and employees can decide whether they're okay with their personal stuff being monitored. If not, they have other options like doing it at home, or on their smartphone.

That said, I do appreciate that my employer doesn't monitor my traffic.

Re:Bluecoat and other security products (2)

gl4ss (559668) | about 5 months ago | (#46990143)

you don't know if they're using it for private business without breaching their telecommunications in a manner which should be (and actually in many western countries is) illegal - no matter if you built the road used for delivering the letter...

of course you probably don't understand all the possible insider and outsider complications that come from having some personnel (no matter if it's some bofh or you) with expressed ability to read everybody's mail and banking details - and from the ability that they lose totally the possibility of knowing if there's some other mitm happening too. basically any security product your company buys is then supposed to stop you from eavesdropping, so you can't use any of that since you _want_ to eavesdrop and do your own extrajudicial investigations into affairs which should be investigated by the police if you suspect foul play..

but now if they (your employees) suspect foul play relating to their id coming from being hacked.. ..you're the first suspect.

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46990473)

I guess you don't have washrooms either and send the employees to take care of all their "private business" elsewhere (like at the nearest public washrooms)? And also carefully subtract that time from the time sheets?

Re:Bluecoat and other security products (1)

rainmaestro (996549) | about 5 months ago | (#46993801)

You jest, but I've seen exactly that. I was on a short contract early on in my career with a company that occupied an office in a typical large corporate center. Each floor had two sets of bathrooms shared between all companies occupying space on that floor. For the office I was contracting with, you had to swipe to get in or out. Any time spent "out" was considered personal time, and that included trips to the shared bathrooms. If you spent five minutes in the bathroom one day, you'd better work an extra five minutes some other time to make up for it, or you'd get a nastygram for not being at your desk for the full expected time (the worst I personally saw was one employee being chastised for coming up three minutes short).

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46991177)

I never understood why my employer expects me to use personal resources for company business, and to be available 24x7 to satisfy any management whim

Re:Bluecoat and other security products (1)

Anonymous Coward | about 5 months ago | (#46989243)

I'm behind a Bluecoat proxy at work. The software plays man-in-the-middle when I access my mailbox or online bank. I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.

This is something many corporate security products do, so they can inspect and control SSL traffic for security threats. The argument for doing this is that if they didn't, then a large portion of the traffic would be bypassing some of the security defenses. You should never trust SSL for personal info when inside the company firewall.

Re:Bluecoat and other security products (-1, Troll)

BitZtream (692029) | about 5 months ago | (#46990245)

Perhaps you should consider that you're using your employer's network and systems for personal business and stop being such a fuckwit about it.

It's not your PC, it's not your network, none of those resources are yours, yet you're complaining about using those resources for things other than what they are intended ... and being watched.

Do your personal business on your personal time and shut the fuck up.

Re:Bluecoat and other security products (1)

BitterOak (537666) | about 5 months ago | (#46991933)

I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.

They got the right by providing you with the network connection at work which you choose to use for your personal banking and e-mail.

Re:Bluecoat and other security products (0)

Anonymous Coward | about 5 months ago | (#46997497)

I get that part of the equation (although they make the choice to offer connection to xyz-bank/gmail and not to Dropbox or Amazon's cloud). But I'd assume that xyz bank does not like the fact that someone is claiming to be them to perform a man-in-the-middle. That is the part that I worry about.

Re:Bluecoat and other security products (2, Interesting)

Anonymous Coward | about 5 months ago | (#46993159)

If you're using OS X, a secure outside connection is as simple as:

ssh -D127.0.0.1:1080 user@machine

That establishes a SOCKS proxy on port 1080 which tunnels connections to the remote machine. Then change your network settings to point your browser at port 1080.

I'm pretty sure PuTTY on Windows supports SOCKS proxies, too.

Warning: if using Firefox you need to disable local DNS resolving (so that the domain name is resolved on the other end). I forgot what the config name is, but Google will help you.

Of course, you could use some paid VPN service. But they usually require you to install a local client, and I refuse to run any such software unless it's FOSS. The only apps I run are native from the vendor, or FOSS.

If you really want to be elite, you run OpenBSD and set up an L2TP or PPTP tunnel over IPSec. OpenBSD only recently gained reliable, native L2TP/PPTP support, so I haven't had a chance to play around with that. But both OS X and Windows support that natively, at least as a client. Linux of course requires some kind of convoluted setup. On OpenBSD it should be pretty easy to configure, because they make configuring IPSec a breeze (as in an order of magnitude simpler than OpenVPN, which many consider to be pretty easy). Although, they may not have had time yet to simplify the L2TP/PPTP configuration. In any event, with IPSec+PPTP, it should be much easier to switch it on and off compared to SSH tunneling.

One more reason Flash sucks (0)

RogueWarrior65 (678876) | about 5 months ago | (#46989035)

And needs to be retired to the bit bucket. Need I say more?

Re:One more reason Flash sucks (0)

Anonymous Coward | about 5 months ago | (#46989151)

You do realize that flash was used as a tool to identify the problem and not the cause?

Flash still sucks.

Re:One more reason Flash sucks (5, Insightful)

1s44c (552956) | about 5 months ago | (#46989169)

Flash is evil and should be destroyed, I agree. But this story is about how researchers did something cool with flash to detect forged SSL certs.

In this one case Flash isn't the security issue, it's the useful software helping to find the security issue.

Re:One more reason Flash sucks (1, Redundant)

moof1138 (215921) | about 5 months ago | (#46989253)

Flash isn't a villain here, it was used as a research tool. The researchers are using Flash to detect forged SSL Certs.

Re:One more reason Flash sucks (1)

lgw (121541) | about 5 months ago | (#46989563)

... meet it is I set it down
That one may smile, and smile, and be a villain

Flash is always a villain. You may use its power intending to do good, but in the end you will do only evil.

Idiotic slashdotters man... (2, Insightful)

Anonymous Coward | about 5 months ago | (#46989081)

You idiots, this guy is presenting about a much larger concern of the overall insecurity of this stupid trust model we call SSL CA Cert and all you morons talk about is how much flash sucks. You guys are fuckin nuts for brains man...

Re:Idiotic slashdotters man... (1)

clay_shooter (1680300) | about 5 months ago | (#46989637)

I'd love to trade my poorly articulated comments on how people are complaining about the wrong thing for mod points to mod up parent.

Re:Idiotic slashdotters man... (0)

Anonymous Coward | about 5 months ago | (#46990961)

Welcome to /.

WTF? (0)

Anonymous Coward | about 5 months ago | (#46989449)

they have created a new method for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers

Wait, what? In order to work around a security hole with SSL certificates, I'm expected to install a fucking Flash plugin? As in one of the most insecure pieces of shit software on the internet?

Flash has been a security risk for over a decade now, and almost monthly is found to have yet another hole or exploit.

I'm sorry, but for a PhD candidate doing security research, this person is a fucking idiot and apparently clueless about security.

This is like saying in order to prevent rape, women should administer their own roofies in bars.

Fucking moron.

Re:WTF? (0)

Anonymous Coward | about 5 months ago | (#46989557)

Maybe you should practice duplication of written words so that at least you know what you are commenting on.

Not really a good sign (2)

Kirth (183) | about 5 months ago | (#46989971)

(Error code: ssl_error_no_cypher_overlap)

Yes, I turned off all weak ciphers in my browser. Including most 128bit ones.

Re:Not really a good sign (1)

chihowa (366380) | about 5 months ago | (#46991397)

It's using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. That's not exactly a weak cipher, especially since AES256 is putatively not much stronger than AES128.

I think the issue you're seeing originates on your end.

Re:Not really a good sign (0)

Anonymous Coward | about 5 months ago | (#46996901)

AES-256 is less secure than AES-128 (counterintuitive, I know, and neither is insecure, but there's a meet-in-the-middle attack largely due to the number of rounds).

The only 256-bit secure ciphers in TLS are ChaCha20-Poly1305, if you support that draft (few do), and Camellia.

The best one to use in general is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - and indeed, that's UTA's best recommendation for now.

You're doing the right thing by turning off RC4, however.

Perspectives (0)

Anonymous Coward | about 5 months ago | (#46992765)

That is why I use the Perspectives add-on.

Checks that the cert I got is what most people get; this is how I know that I am not being MITM'd at work. Also it is how I know that Google has way too many certs that they issue to various places, as Perspectives is actually useless on that site.

This is not what I consider "forged" (1)

RatherBeAnonymous (1812866) | about 5 months ago | (#46993693)

This isn't really all that interesting. I will be more interested when researchers find a way to detect certs created with stolen root certificates. You know, the kind that don't make the browser throw up a warning.

Re:This is not what I consider "forged" (1)

IamTheRealMike (537420) | about 5 months ago | (#46994803)

Did you read the paper? I did. That's what the research does. It turns out that there isn't a lot of malicious MITM out there, and what little does exist is done by malware on the same machine. The other MITM "attacks" are things like corporate proxies, etc.

The most interesting thing about this research is that it rather decimates the oft-repeated meme that SSL is broken and gets busted all the time. The data doesn't show that.

Re:This is not what I consider "forged" (1)

cryptizard (2629853) | about 5 months ago | (#46994861)

True, although it's worth noting that this approach only works through obscurity. As soon as attackers know about it, they can block the flash app or alter it to make everything look fine.

Re:This is not what I consider "forged" (1)

RatherBeAnonymous (1812866) | about 5 months ago | (#47010265)

I had not read the paper. Now I have. I stand by my statement that this is not what I consider "forged". All of the detected certificates mentioned in the paper were detected by noticing inconsistencies in the public certificate. In most cases an outsider attacker would trigger at least a browser warning unless they had gotten their certificate authority registered on the victim computer as a trusted authority. In the case of the opFailZeroAccessCreate malware, "VeriSign Class 4 Public Primary CA", which it apparently used on some of its public certs, does not exactly match any trusted CA registered on my computer. The same goes for "thawte Extended Validation SSL CA". That would suggest that the malware is merely faking official-sounding names to make it look good.

We know that there are truly forged certs out in the wild. CAs have been hacked to steal their root certs or otherwise tricked into issuing bogus certs in the past. The paper goes on at length about this. But based on their results, I am dubious of them actually finding any such fraudulent certificates or of their methodology being capable of detecting such certificates. My feeling is that if a criminal (or government) had some perfect fraudulent cert they would not use it for hacking random bank transactions from a Starbucks wireless hotspot, but I could be wrong. It may be quite common. I don't believe this article sheds much light either way.
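Two of the comments above describe the same defensive idea from different angles: the Perspectives comment checks whether the certificate the client received is the one other vantage points see (and notes that this breaks down for a site that legitimately serves many certificates), and the comment just above notes that the malware certificates in the paper were caught because their issuer names only resembled real CA names rather than matching an installed trust anchor. The block below is an added example (not Perspectives code, not the paper's code) that puts both checks side by side: a notary-consensus verdict on a certificate fingerprint that reports the agreement count instead of a bare yes/no, and an issuer-name check that distinguishes an exact trust-store match from a look-alike. All fingerprints and notary views are constructed; the two issuer names in the trust store are real root CA names used only as illustration, and the `notary_views` structure, `quorum` value and helper names are assumptions of this example.

```python
"""Perspectives-style consistency check plus issuer-name look-alike detection.
Added example; certificate bytes and notary observations are constructed."""
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a trust store: only *exact* issuer names count.
TRUSTED_ISSUERS: Set[str] = {
    "VeriSign Class 3 Public Primary Certification Authority - G5",
    "thawte Primary Root CA",
}

# Generic words that appear in almost every CA name and carry no vendor signal.
_GENERIC = {"ca", "public", "primary", "class", "certification", "authority",
            "root", "ssl", "extended", "validation", "-"}


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the value notaries compare."""
    return hashlib.sha256(der).hexdigest()


def notary_verdict(observed_fp: str, notary_views: Dict[str, List[str]],
                   quorum: int) -> Tuple[str, int]:
    """Count notaries that have seen observed_fp for this host.

    Returns (verdict, agreeing_count).  'unseen' is the strong signal: nobody
    outside the local network has ever seen this certificate.  'inconclusive'
    covers sites that rotate among many certificates, where a genuine cert can
    still be rare across notaries, so the count is returned for the operator.
    """
    agreeing = sum(1 for seen in notary_views.values() if observed_fp in seen)
    if agreeing >= quorum:
        return "consistent", agreeing
    if agreeing == 0:
        return "unseen", agreeing
    return "inconclusive", agreeing


def issuer_known(issuer_cn: str, trusted: Set[str] = TRUSTED_ISSUERS) -> bool:
    """Exact match against the trust store, the check a browser effectively does."""
    return issuer_cn in trusted


def issuer_lookalike(issuer_cn: str, trusted: Set[str] = TRUSTED_ISSUERS) -> bool:
    """Untrusted name that borrows a vendor word from a trusted one
    (e.g. 'VeriSign' or 'thawte'), i.e. an official-sounding fake."""
    if issuer_known(issuer_cn, trusted):
        return False
    words = {w.lower() for w in issuer_cn.split()} - _GENERIC
    for name in trusted:
        vendor_words = {w.lower() for w in name.split()} - _GENERIC
        if words & vendor_words:
            return True
    return False


def assess(der: bytes, issuer_cn: str, notary_views: Dict[str, List[str]],
           quorum: int = 3) -> Dict[str, object]:
    """Combine both checks into one report for the observed certificate."""
    verdict, count = notary_verdict(fingerprint(der), notary_views, quorum)
    return {
        "notary": verdict,
        "agreeing_notaries": count,
        "issuer_trusted": issuer_known(issuer_cn),
        "issuer_lookalike": issuer_lookalike(issuer_cn),
    }


# Constructed sample data.  A, B, C are certs the site really serves; D is one
# minted on the local machine and seen by no notary.
CERT_A, CERT_B, CERT_C, CERT_D = (b"constructed-cert-%c" % c for c in b"ABCD")
NOTARY_VIEWS: Dict[str, List[str]] = {
    "notary-1": [fingerprint(CERT_A), fingerprint(CERT_B)],
    "notary-2": [fingerprint(CERT_A)],
    "notary-3": [fingerprint(CERT_A), fingerprint(CERT_C)],
    "notary-4": [fingerprint(CERT_B)],
}

if __name__ == "__main__":
    print(assess(CERT_A, "thawte Primary Root CA", NOTARY_VIEWS))
    print(assess(CERT_D, "VeriSign Class 4 Public Primary CA", NOTARY_VIEWS))
```

In the second call the two signals agree: no notary has seen the certificate and the issuer name only resembles a trusted root, which is the local-malware pattern the comment above describes. The `inconclusive` verdict (certificate B, seen by two of four notaries) is what a many-certificate site produces, and is the reason the example returns the count rather than forcing a binary answer.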

HTTPS Everywhere Add-on Question (0)

Anonymous Coward | about 5 months ago | (#46994173)

Would it help if we all enabled the SSL Observatory function in HTTPS Everywhere?
