dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
25
share rss forum feed


gme

@ada5ab81.net
reply to cdru

Re: Simple solution

Google may have a very valid SSL certificate (from VeriSign even), but the way an SSL MiTM attack works is that the SSL proxy intercepts your HTTPS request, breaks it, and then forwards it on to Google (for example).

What the proxy sends to YOU (and your browser) is a completely separate encrypted SSL page, and your little lock still shows, because the SSL proxy is using a certificate that is trusted in your certificate store.

Countries like Saudi Arabia, Iran, and China, can do this because their country-level CAs are in everyone's browser (bring up certmgr.msc if you're on Windows).

Since the root is universally trusted, the root CAs can issue bogus intermediate certs via their own CAs, forging the legitimate certs to your browser.

You mention the breakdown of eCommerce as we know it, and you're absolutely correct.

SSL has been the worst thing to happen to the Internet.

Not because of the technology, but because of the false sense of security it provides.


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
said by gme :

Google may have a very valid SSL certificate (from VeriSign even), but the way an SSL MiTM attack works is that the SSL proxy intercepts your HTTPS request, breaks it, and then forwards it on to Google (for example).

What the proxy sends to YOU (and your browser) is a completely separate encrypted SSL page, and your little lock still shows, because the SSL proxy is using a certificate that is trusted in your certificate store.

Countries like Saudi Arabia, Iran, and China, can do this because their country-level CAs are in everyone's browser (bring up certmgr.msc if you're on Windows).

Since the root is universally trusted, the root CAs can issue bogus intermediate certs via their own CAs, forging the legitimate certs to your browser.

You mention the breakdown of eCommerce as we know it, and you're absolutely correct.

SSL has been the worst thing to happen to the Internet.

Not because of the technology, but because of the false sense of security it provides.

This is a very good explanation and is inline with what I have read about SSL man-in-the-middle attacks. The crux seems to be that in most modern certificate stores (be it Firefox's internal or the one in Windows) there are simply too many trusted root/intermediate certificates that are valid for 10+ years.

All it takes is one relatively common cert to be exploited and you could build a spying business off it ... while working on the next one to compromise to extend your business another 10 years.


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105
Even more to the point, validity checking of certs relies on valid DNS results. Without widespread DNSSEC client implementations and validations, and zone signatures, it is likewise MitM vulnerable.