dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
33
share rss forum feed


cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
kudos:7
reply to Matt3

Re: Simple solution

said by Matt3:

They can easily act as a man-in-the-middle SSL proxy and your browser would be none the wiser. You have to go much lower on the OSI model to prevent this type of hijacking, think network or transport layer, not the session or application layer.

Can you please elaborate? I won't say that you're wrong, but I don't think your right.

Taking google for instance, presuming that google has a properly installed certificate, the certificate is signed by a trusted CA, and you are actually visiting the correct URL (and haven't been redirected to g00g1e.com, I don't see how a MITM attack would be possible. The presentation of any spoofed certificates would not be signed by a CA and/or match up to the host name, all up to date modern browsers would alert you to this immediately.

If this was possible, it would mean the break down of the entire eCommerce infrastructure due to the insecurity of the transactions.


gme

@ada5ab81.net
Google may have a very valid SSL certificate (from VeriSign even), but the way an SSL MiTM attack works is that the SSL proxy intercepts your HTTPS request, breaks it, and then forwards it on to Google (for example).

What the proxy sends to YOU (and your browser) is a completely separate encrypted SSL page, and your little lock still shows, because the SSL proxy is using a certificate that is trusted in your certificate store.

Countries like Saudi Arabia, Iran, and China, can do this because their country-level CAs are in everyone's browser (bring up certmgr.msc if you're on Windows).

Since the root is universally trusted, the root CAs can issue bogus intermediate certs via their own CAs, forging the legitimate certs to your browser.

You mention the breakdown of eCommerce as we know it, and you're absolutely correct.

SSL has been the worst thing to happen to the Internet.

Not because of the technology, but because of the false sense of security it provides.


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
said by gme :

Google may have a very valid SSL certificate (from VeriSign even), but the way an SSL MiTM attack works is that the SSL proxy intercepts your HTTPS request, breaks it, and then forwards it on to Google (for example).

What the proxy sends to YOU (and your browser) is a completely separate encrypted SSL page, and your little lock still shows, because the SSL proxy is using a certificate that is trusted in your certificate store.

Countries like Saudi Arabia, Iran, and China, can do this because their country-level CAs are in everyone's browser (bring up certmgr.msc if you're on Windows).

Since the root is universally trusted, the root CAs can issue bogus intermediate certs via their own CAs, forging the legitimate certs to your browser.

You mention the breakdown of eCommerce as we know it, and you're absolutely correct.

SSL has been the worst thing to happen to the Internet.

Not because of the technology, but because of the false sense of security it provides.

This is a very good explanation and is inline with what I have read about SSL man-in-the-middle attacks. The crux seems to be that in most modern certificate stores (be it Firefox's internal or the one in Windows) there are simply too many trusted root/intermediate certificates that are valid for 10+ years.

All it takes is one relatively common cert to be exploited and you could build a spying business off it ... while working on the next one to compromise to extend your business another 10 years.


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105
Even more to the point, validity checking of certs relies on valid DNS results. Without widespread DNSSEC client implementations and validations, and zone signatures, it is likewise MitM vulnerable.