Risks of SSL

In November 2011 the Wall Street Journal published the ‘Surveillance Catalog’ and the WikiLeaks organization provided a list of international surveillance companies and their equipment in the ‘WikiLeaks Spy Files’ publication. Some examples from the brochures that describe the properties of the equipment: “It can also decrypt SSL traffic if installed in MITM (man-in-the-middle) configuration ...”; “Track the suspect’s encrypted communication using Gmail, Hush mail etc., Track the suspects banking transactions etc.”; “Intercept any communication within Secure Socket Layer (SSL) or Transport Layer Security (TLS) sessions. Once in place, devices have the capability to become a go-between for any TLS or SSL connections ... users are lulled into a false sense of security afforded by web, e-mail or VoIP encryption.”; “But with a ‘man in the middle,’ the … technology is able to intercept the traffic and the certificate and send along its own fake certificate to the computer, making the computer think traffic is flowing normally.” Below is a detailed explanation of how this is possible.

The weakest link in SSL is the Certificate Authority infrastructure.

When a user connects to an HTTPS (SSL or TLS) server, the server sends a certificate to the user which assures the user that he really is connecting to the intended server. How can a certificate do that? Before starting his services, the owner of the server has contacted a Certificate Authority (CA) and proved to it that he owns and controls the server. The owner of the server has sent the public key of the server to the CA, and the CA has signed this public key using the private key of the CA. When a user receives the certificate, the web browser checks that the CA’s signature is valid using the stored public keys of the well-known CAs. There are about 600 CAs, and current web browsers store their public keys and update them when needed. Once the CA’s signature has been checked, the user’s browser checks that the data coming from the server carries a valid signature, one that verifies under the public key of the server (which is in the certificate).

Note that currently any CA can issue a certificate for any website. If the CA decides so, it can write a certificate for any website and can use any public key as the public key of the server. This is against the rules, but no one can prevent the CA from actually doing it. It may also happen that no one notices these actions: certificates are not normally shown to the user, nor are they stored for later inspection. There is special equipment available that is designed to use these kinds of certificates; it can even create the certificates as the need arises [1]. The equipment is placed in the middle of the communication between the victim and the server.

The following attacks are known:

1. A CA (established for the purposes of intelligence gathering by country A’s intelligence agency) issues a certificate for a server in country B to a public key of this intelligence agency.

2. The CA has been hacked. The attacker has obtained the private key of the CA and can issue certificates which the user’s web browser decides to be valid [2].

3. The CA has been forced (by an order from the country’s authorities) to issue a certificate for the public key of the attacker (law enforcement).

4. The user’s web browser still allows certificates that use the MD5 hash function. Security researchers have demonstrated that they can create certificates for any website using the weakness of the MD5 hash function.

5. The attacker has used some weakness in the user’s web browser and can run JavaScript code in the browser which exploits a certain weakness in the SSL protocol when it is used with a block cipher in CBC mode. Microsoft issued a fix (KB2585542) for this problem in January 2012. However, there are still many web servers that are vulnerable to this attack: only 25% of the web sites examined by the Trustworthy Internet Movement were protected against BEAST [3] in a study published on April 25, 2012.

In the above-mentioned attacks 1-4 the attacker must be able to mimic the real server and/or perform a man-in-the-middle attack, where he receives the data from the user and forwards it to the real server, and also sends the server’s response back to the user. The attack allows the attacker to see and modify all the user’s traffic to and from the server in unencrypted form. Note that in attacks 1-4 the attacker does not need access to the user’s computer or to the server. One has to consider also the possibility that parties other than law enforcement may have obtained the man-in-the-middle equipment and can use it in the attacks. Attack number 1 is challenging because the traffic needs to be routed via another country; it is however possible to change the routing tables of the Internet to achieve this.

The SSL attack can be applied to ‘normal’ SSL or TLS based email and webmail solutions and to email encryption solutions that are web-based. There are also Virtual Private Network solutions that use the web browser and SSL. These systems can be attacked whenever the SSL connection is made. The vulnerable systems usually use the marketing argument that no software is needed on the user’s computer because only a web browser is needed. If the traffic between the sender’s and the recipient’s email servers is encrypted using SSL/TLS, then it can be decrypted using the man-in-the-middle attack; there can even be many attacks going on at the same time.

One of the devices is advertised as being able to decrypt web-based Hushmail emails, which are OpenPGP encrypted. On the client machine the Hushmail user’s browser downloads the OpenPGP Java applet when a session starts. It seems that the surveillance company has developed a modified applet and delivers it to the victim. Hushmail’s documentation admits that a condition for secure operation is that the user is using a legitimate copy of the applet. We have to remember that the attacker can deliver to the user an entirely different web page from the one the browser requested; only the name and appearance are the same.

EndCryptor encrypts the message before contacting an email server, so even a successful SSL attack cannot expose the message. In the case of EndCryptor the attacker can thus only gain the user ID and password for the email server. EndCryptor also stores every certificate it receives; they can later be analyzed if an SSL attack is suspected. EndCryptor can be configured so that when it connects to an email server using SSL it accepts only certain already received certificates. This prevents the attack: the dishonest certificate has not been seen before and is rejected.
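As an added illustration (not EndCryptor’s code; the CAs and the hostname mail.example.com are constructed for the demo), the Go program below shows the two points made above: any CA in the trust store can issue a certificate for any site and the browser rule accepts it, while a pin that remembers the certificate seen on first contact rejects the second CA’s certificate. All keys and certificates are generated inside the program using Go’s standard-library x509 package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue makes a certificate for name: a self-signed root CA when parent is nil, else a server cert signed by that CA (demo keys only).
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root CA: allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server certificate bound to the hostname
		tmpl.DNSNames = []string{name}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// browserAccepts is the browser rule: the chain is valid if any CA in the trust store signed it.
func browserAccepts(leaf *x509.Certificate, host string, trust *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trust})
	return err == nil
}
// Demo: an honest and a rogue CA each issue a certificate for the same host. The browser rule
// accepts both; a pin (SHA-256 of the certificate seen on first contact) rejects the rogue one.
func Demo() (browserHonest, browserRogue, pinHonest, pinRogue bool) {
	const host = "mail.example.com" // constructed hostname
	honestCA, honestKey := issue("Honest CA", nil, nil)
	rogueCA, rogueKey := issue("Rogue CA", nil, nil)
	honestLeaf, _ := issue(host, honestCA, honestKey)
	rogueLeaf, _ := issue(host, rogueCA, rogueKey)
	trust := x509.NewCertPool() // both CAs sit in the trust store, as in a browser
	trust.AddCert(honestCA)
	trust.AddCert(rogueCA)
	pinned := sha256.Sum256(honestLeaf.Raw) // recorded when the server was first reached
	return browserAccepts(honestLeaf, host, trust), browserAccepts(rogueLeaf, host, trust),
		sha256.Sum256(honestLeaf.Raw) == pinned, sha256.Sum256(rogueLeaf.Raw) == pinned
}
```

Demo returns true, true, true, false: the browser rule cannot tell the two certificates apart, the pin can.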

To find news concerning the attacks, search the web using the phrases:

1. a) Google ssl proposal; b) How China swallowed 15% of 'Net traffic for 18 minutes

2. Certificate Authority hacked

3. compelled certificate creation attack

4. impersonate any website on the Internet

5. ssl protocol attack beast

The man-in-the-middle attack is also explained in our tutorial on public keys.

Notes:

1. Certificate Authority Trustwave admitted on February 4, 2012 that it had given one private customer a device containing a skeleton certificate, inside a special machine which generated certificates for any website. This was done to decipher and monitor all the company’s online SSL/TLS communication regardless of whether the devices used were company provided or not.

2. Certificate Authorities can be targeted by viruses, e.g. Duqu, which is currently viewed as the most advanced virus seen so far, targeted certificate authorities and used stolen and forged certificates for its purposes.

3. SSL Pulse is now tracking 198,216 web sites with valid certificates, which represent substantially all SSL sites in the Alexa top one million list. See SSL Pulse. The attacks studied by SSL Pulse are mainly of concern to solutions that use a web browser to access data on a web server.

Last updated on May 4, 2012.