Risks of SSL


This page is about the risks of relying on TLS/SSL encryption, which is currently the only universal encryption protocol supported by all web browsers when connecting to websites (the browser then typically displays a lock in the address bar, meant to convince the user that the connection is secure, and may also show the protocol name 'https').

In March 2017 WikiLeaks published leaks from the hacking arsenal of the CIA (the Central Intelligence Agency of the USA). Some of those documents contain advice to malware writers: 'DO NOT solely rely on SSL/TLS to secure data in transit. Numerous man-in-middle attack vectors and publicly disclosed flaws in the protocol.' and 'Because this outer layer may be decrypted by an attacker (e.g., SSL Man-in-the-Middle) any transport encryption must be used for traffic blending only and not for secrecy.'

Earlier, in November 2011, the Wall Street Journal published the 'Surveillance Catalog' and the WikiLeaks organization provided a list of international surveillance companies and their equipment in the 'WikiLeaks Spy Files' publication. Some examples from the brochures describing the capabilities of the equipment: "It can also decrypt SSL traffic if installed in MITM (man-in-the-middle) configuration ..."; "Track the suspect's encrypted communication using Gmail, Hush mail etc., Track the suspects banking transactions etc."; "Intercept any communication within Secure Socket Layer (SSL) or Transport Layer Security (TLS) sessions. Once in place, devices have the capability to become a go-between for any TLS or SSL connections ... users are lulled into a false sense of security afforded by web, e-mail or VoIP encryption."; "But with a 'man in the middle,' the … technology is able to intercept the traffic and the certificate and send along its own fake certificate to the computer, making the computer think traffic is flowing normally."

Below is a detailed explanation of how this is possible.

When a user connects to an HTTPS (SSL or TLS) server, the server sends a certificate to the user which is meant to assure the user that he really is connecting to the intended server. How can a certificate do that? Before starting his services, the owner of the server has contacted a Certificate Authority (CA) and proved to the CA that he owns and controls the server. The owner has sent the server's public key to the CA, and the CA has signed this public key using the CA's private key. When the user receives the certificate, his web browser checks that the CA's signature is valid using the stored public keys of the well-known CAs. There are about 600 CAs, and current web browsers store their public keys and also update them when needed. Once the CA's signature has been checked, the user's browser verifies that the handshake data coming from the server carries a valid signature, i.e. one that can be verified with the server's public key contained in the certificate.

Note that currently any CA can issue a certificate for any website. If the CA decides to, it can write a certificate for any website and use any public key as the public key of that server. This is against the rules, but nothing prevents the CA from actually doing it. It may also happen that no one notices these actions: certificates are not normally shown to the user, nor are they stored for later inspection. There is special equipment available that is designed to use intermediate-level CA certificates; such devices generate the needed certificates on demand [1]. The equipment is placed in the middle of the communication between the victim and the server.

The following are certificate-related attacks:

  1. A CA (established for the purpose of intelligence gathering for country A's intelligence agency) issues a certificate for a server in country B to a public key owned by that intelligence agency.

  2. The CA has been hacked. The attacker has obtained the private key of the CA and can issue certificates which the user's web browser considers valid [2].

  3. The CA has been forced (by an order from the country's authorities) to issue a certificate for the public key of the attacker (law enforcement). This is called a 'compelled certificate creation attack' [3].

  4. The private key of the SSL server has been exposed. If the server has not been configured to use Perfect Forward Secrecy (PFS), recorded old SSL sessions can be decrypted. If PFS is used, a man-in-the-middle attack at session time is required to decrypt the traffic; the attack is now easier because no additional fake certificate is needed, since the server's private key is known [4]. The Heartbleed vulnerability in OpenSSL, found in April 2014, exposed server memory (private keys etc.). The bug went undetected in the code for two years, and even older recorded SSL sessions (without PFS) can be opened using an exposed private key [5].

  5. The attacker uses a vulnerability in some software and then installs an attacker-created certificate into a trusted certificate store on the victim's computer. This enables the attacker to perform a man-in-the-middle attack on the victim's SSL/TLS web browsing sessions. The attacker needs no software on the victim's machine; the installed certificate alone enables the attack [6].

In the above-mentioned attacks 1-3 and 5 the attacker must be able to perform a man-in-the-middle attack, in which he receives the data from the user and forwards it to the real server, and also sends the server's response back to the user. The attack allows the attacker to see and modify all of the user's traffic to and from the server in unencrypted form. Note that in these attacks the attacker needs access neither to the user's computer nor to the server. One also has to consider the possibility that parties other than law enforcement may have obtained the equipment for man-in-the-middle handling and can use it in attacks. Attack number 1 is challenging because the traffic needs to be routed via another country; it is, however, possible to achieve this by changing Internet routing tables or using hacked routers.

The SSL attack can be applied to 'normal' SSL- or TLS-based email and webmail solutions and to email encryption solutions that are web-based. There are also Virtual Private Network solutions that use the web browser and SSL. These systems can be attacked whenever the SSL connection is made. The vulnerable systems usually use the marketing argument that no software is needed on the user's computer because only a web browser is required. If the traffic between the sender's and the recipient's email servers is encrypted using SSL/TLS, it can likewise be decrypted using the man-in-the-middle attack, and there can even be several such attacks going on at the same time.

One of the devices is advertised as being able to decrypt web-based Hushmail emails, which are OpenPGP-encrypted. On the client machine the Hushmail user's browser downloads the OpenPGP Java applet when a session starts. It seems that the surveillance company has developed a modified applet and delivers it to the victim. Hushmail's documentation admits that a condition for secure operation is that the user is running a legitimate copy of the applet. We have to remember that the attacker can deliver to the user an entirely different web page from the one the browser requested; only the name and appearance are the same.

EndCryptor encrypts the message before contacting an email server, so even a successful SSL attack cannot expose the message. In the case of EndCryptor the attacker can thus gain only the user id and password for the email server. EndCryptor also stores every certificate it receives, so they can later be analyzed if an SSL attack is suspected. EndCryptor can be configured so that when it connects to an email server using SSL it accepts only certain already received certificates; this prevents the attack, because the dishonest certificate has not been seen before and is rejected. This technique is called certificate pinning.
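The store-and-pin behaviour described above, as an added example that is not EndCryptor's own code: every certificate presented for a host is recorded, and once the host is pinned only previously recorded certificates are accepted, so a certificate minted by an interception device's sub-CA (as in the intermediate-certificate cases discussed on this page) is rejected even though a browser's CA check would pass it. The host name and certificate bytes in demo() are constructed sample data.

```python
# Trust-on-first-use certificate pinning in the spirit of the EndCryptor
# behaviour described above (added example, not EndCryptor's own code):
# every certificate seen for a host is recorded, and once the host is pinned
# only previously recorded certificates are accepted. The certificate bytes
# in demo() are constructed sample data, not real DER.
import hashlib
from datetime import datetime, timezone


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate exactly as the server sent it (DER)."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    def __init__(self):
        self.seen = {}        # host -> {fingerprint: first-seen timestamp}
        self.enforced = set() # hosts for which only known certs are accepted

    def pin(self, host: str) -> None:
        self.enforced.add(host)

    def check(self, host: str, cert_der: bytes) -> tuple[bool, str]:
        """Record the certificate; reject it if the host is pinned and the
        certificate has never been seen before. Every certificate stays in
        self.seen so it can be inspected later if an attack is suspected."""
        fp = fingerprint(cert_der)
        known = self.seen.setdefault(host, {})
        if fp in known:
            return True, f"OK {host}: certificate {fp[:16]} seen before"
        known[fp] = datetime.now(timezone.utc).isoformat()
        if host in self.enforced:
            # A never-seen certificate for a pinned host is exactly what an
            # interception device with its own (sub-)CA certificate produces.
            return False, f"REJECT {host}: unknown certificate {fp[:16]}"
        return True, f"LEARN {host}: recorded new certificate {fp[:16]}"


def demo() -> list[bool]:
    """Learn the genuine certificate, pin the host, then see an impostor."""
    store = PinStore()
    genuine = b"CONSTRUCTED-DER: CN=mail.example.org, issuer=Example Root CA"
    impostor = b"CONSTRUCTED-DER: CN=mail.example.org, issuer=Intercept Sub CA"
    results = [store.check("mail.example.org", genuine)[0]]
    store.pin("mail.example.org")
    results.append(store.check("mail.example.org", genuine)[0])
    results.append(store.check("mail.example.org", impostor)[0])
    return results  # [True, True, False]
```

With a real connection, the DER bytes to pass into check() come from `ssl.SSLSocket.getpeercert(binary_form=True)` after the TLS handshake.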

There are also devices and software that perform SSL DPI (SSL Deep Packet Inspection; another term used is 'SSL bridging') inside a specific company, using the man-in-the-middle method to decrypt SSL traffic flowing in and out of the company. Some firewalls, antivirus and parental control programs can also be configured to decrypt and re-encrypt SSL traffic in order to examine the decrypted content. In these settings an intermediate-level certificate is placed in the man-in-the-middle device or software, and the root certificate created by the company is placed on the company's computers [7]; thus only this company's traffic can be monitored without users noticing anything. If the user's computer does not contain the company's certificate, the user's web browser issues a warning, which the user may nevertheless choose to bypass (this depends on the browser and its settings) [8]. On mobile devices certain browsers (Nokia's Xpress Browser and the Opera Mini browser) use the man-in-the-middle technique to decrypt and re-encrypt SSL/TLS traffic in a proxy server; the motivation is to compress data and reduce the computing resources needed on the mobile device.

The man-in-the-middle attack is also explained in our tutorial on public keys.


Notes:

1. Certificate Authority Trustwave admitted on February 4, 2012 that it had given one private customer an intermediate certificate authority certificate inside a special machine which generated certificates for any website. This was done to decrypt and monitor all of the company's online SSL/TLS communication regardless of whether the devices used were company-provided or not; because the certificate was issued by a Certificate Authority, no new certificates were needed on users' computers.

On January 3, 2013 Google reported that on December 24, 2012 they had detected an unauthorized digital certificate for the "*.google.com" domain. The certificate was issued by an intermediate certificate authority linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate. See Google's blog entry. TURKTRUST told Google that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should instead have received regular SSL certificates. Please note that this is exactly the kind of certificate that can be used in man-in-the-middle machines to monitor any intercepted traffic to any website; fake certificates generated with this intermediate certificate may have been in use for about 16 months.

2. Certificate Authorities can be targeted by viruses; e.g. Duqu targeted certificate authorities and used stolen and forged certificates for its purposes. The Electronic Frontier Foundation's SSL Observatory project reported (2011-10-27) that the following reasons for certificate revocation were found in Certificate Revocation Lists:

reason                    occurrences
NULL                           921683
Affiliation Changed             41438
CA Compromise                     248
Certificate Hold                80371
Cessation Of Operation         690905
Key Compromise                  73345
Privilege Withdrawn              4622
Superseded                      81021
Unspecified                    168993

The researchers say (2011-10-27) that: "In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such statements have been issued by 14 distinct CA organizations." When these findings are compared with the statistics from four months earlier: "So, from this data, we can observe that at least 4 CAs have experienced or discovered compromise incidents in the past four months. Again, each of these incidents could have broken the security of any HTTPS website."

3. The term 'compelled certificate creation attack' was introduced by Christopher Soghoian and Sid Stamm in their paper 'Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL', Financial Cryptography and Data Security '11, March 2011.

In December 2013 Google noticed that several unauthorized certificates had been issued for Google's domains. The certificates were issued by ANSSI, a French governmental certificate authority, which said that the issuing of the certificates was a human error.

On July 8, 2014 Google reported (http://googleonlinesecurity.blogspot.fi/2014/07/maintaining-digital-certificate-security.html) that they had found fake certificates issued for several Google domains and one Yahoo domain, and possibly for some other domains as well. The issuer of the certificates was India's National Informatics Centre. India's Controller of Certifying Authorities said that the issuer's issuance policies had been compromised.

On March 23, 2015 Google reported (http://googleonlinesecurity.blogspot.co.uk/2015/03/maintaining-digital-certificate-security.html) that an intermediate certificate authority based in Egypt had used an intermediate-level certificate in a proxy to create certificates for users' SSL sessions. The intermediate-level certificate used had been issued by the Chinese certification authority CNNIC.

4. Recent revelations of state-level spying have emphasized the importance of PFS, and some big service providers have started to use it. Note that PFS is exactly what EndCryptor provides in email encryption: future attacks cannot expose old traffic. See the discussion of SSL in the Electronic Frontier Foundation's Deeplinks posts https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection and https://www.eff.org/deeplinks/2013/08/one-key-rule-them-all-threats-against-service-provider-private-encryption-keys

5. See www.heartbleed.com: "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

6. This technique is mentioned in the leaked material of the Hacking Team company, which sells spyware to governments and law enforcement agencies; these can easily perform the MITM attack by compelling Internet service providers to place the MITM machines at suitable points in the network.

7. The web debugging proxy Fiddler uses the same technique to log all HTTPS traffic between a computer and the Internet. Another tool is SSLsniff, which is designed to MITM all SSL connections on a LAN and dynamically generates certificates on the fly for the domains being accessed.

8. Citizen Lab's report 'Planet Blue Coat: Mapping Global Censorship and Surveillance Tools' describes how SSL interception machines intended for the legitimate purpose of monitoring a specific company's traffic are also used by countries with a history of human rights concerns.

Last updated on March 22, 2017.
