Slashdot Mirror
Perfect MITM Attacks With No-Check SSL Certs
StartCom writes "In a previous article I reported about Man-In-The-Middle attacks and spotlighted an example showing that they really happen. MITM attacks just got easier. In the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and a fully trusted certificate? No problem, just head over to one of Comodo's resellers. Screenshots and disclosure provided at the link."
While the link is already being slashdotted ...
I hope the article author understands that unless he's really lucky, he is in deep legal trouble already. It's not the first time that the messenger was slaughtered, although the message was honorable.
Gotta think over the SSL certs one more. I never really liked the mechanism behind it, i like it even less now.
I'd tell you the chances of this story being a dupe, but you wouldn't like it.
All the links are down... One of the down sides of seeing a story when it is new I guess.
Looks interesting though! Might get more interesting when their web server stops spitting out flames...
The example cited is "RESOLVED INVALID". The link to the "perfect attack" seems to be slashdotted. And at the time I started writing this comment, there have been no comments whatsoever.
Does this mean that Slashdotters have all swarmed the link trying to find out how to execute the perfect attack? Are we seeing a new trend here, with people actually reading TFAs?
Or is it that too many people have Greasemonkey scripts filtering out kdawson's posts?
Ignore this signature. By order.
It had "0" comments when I started and I still could not RTFA
I never liked the notion of "trusted" certs. I have always built my own certs. While I can't read the article, I would say it is an obvious vulnerability in host naming.
SSL/TLS is mathematically secure. I mean, yes, it really is. You can trust that aspect of it. It breaks down in practice where secrets need to be kept secret or in areas where strict adherence to good practices are vital but not done.
Getting your own certs isn't hard. My test firm has both SSL Certs and Code Signing Certs.
There's only one way the CA system can work: Responsibility and repercussions. If a certificate authority signs forged certificates, then it can no longer be trusted and must be removed from the list of trusted CAs. To trust an untrustworthy CA is a security bug and should trigger updates from all browser developers which remove the offending CA. Make the CAs work for their money.
slashdotted-and then you wonder why I don't RTFA :-)
There isn't a whole lot of info.
While the original blog is slashdotted, please enjoy this link to Google Groups: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/9c0cc829204487bf?pli=1
my guess it is either phishing, a router compromise, someone taken over their DNS or a transparent proxy somewhere that is redirecting to alternate sites with a valid cert. This is not news people if your upstream is compromised.
What's so perfect about the attack listed? It clearly shows up that the certificate is not trusted. With the new and improved, (and for me, irritating) screens of Firefox, where you are clearly warned, this should not be such a big problem.
What I don't get is that they do not try and locate the idiot trying to do this. Because that is one of the problems with these kind of man in the middle attacks - a single person that does actively goes after you can do some damage. This makes such attacks harder to perform, even if they are technically feasible.
Maybe they should make it even clearer that you should not use self signed certificates for banks and such, but this is far away from the IE bug that let leaf certificates (with some missing key usages) sign other certificates with any URL.
I've created one of those attacks on a corporate LAN (just for show, using a proxy) ages ago. Guess that made me a script kiddie :)
This is a very old, already solved IE bug, sorry if that's confused anyone.
In the perfect attack, the certificate is issued by a trusted certificate authority, so no warning is shown. It truly is a perfect MITM attack. We do know exactly who is issuing certificates without verifying the identify of the individuals requesting them. It's time for browser makers to remove some trusted CAs from their lists so users can be secure.
What a fool believes, he sees, no wise man has the power to reason away.
CAcert certificates are pretty nice because they are FREE!!! even if they need to become a little more responsible in the near future. The cool thing about "Free" is the value is in innovation, because it's the only way to survive being free in the first place. Maybe tie CAcerts to an OpenID??? Honestly, you get what you pay for... friends... hookers... etc.
the response here is sensationalist and irresponsible; this is a real attack possible due to a CA that is violating contracts and trust
actually, simply 'removing' a ca isn't quite sufficient, i think we're better served by remembering the ca with a note that it is NOT trusted.
otherwise a user can just go back and add it again.
Mod parent +1 funny grandparent -6 loser.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Something about being issued a certificate for a domain you don't own sounds real familiar.
Oh yeah, I got issued some fake certs by startcom last time there was a story about SSL and firefox. Certs that would have allowed a perfect MITM attack against FF users.
So perhaps startcom should be looking again at their free SSL certs instead of posting lines like this on the previous blog posting:
"Dear beloved Mozilla community and brave know-all, freedom-loving geeks, please get yourself legitimate SSL certificates for your sites - you can get them freely from StartCom without paying a dime."
Anyone pulling off MITM attacks in the first place could easily target the startcom servers so that emails to microsoft.com actually end up in the attackers inbox. They only need that one email to receive the fake cert. Not as easy as simply asking for the cert, sure, but it's hardly a secure way to issue certs.
To make it a perfect attack you need to either compromise DNS / BGP or sit in the middle of the data stream. I'm guessing the authors example does not do these things, so firefox and any other browser should complain. But if you were to setup a server with the fake mozilla.org cert and then redirect mozilla.org to this server via your hosts file, your browser would not complain at all.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Which CA is this, and how do I disable it in safari?
If a CA doesn't properly validate who you are and cuts you a cert for anyone else, its a problem with CA, not the underlying codebase(s).
I want to delete my account but Slashdot doesn't allow it.
The dude found out that you can have self-signed certificates or certificates signed with whatever CA you want. Here's another MITM angle: you can set up your own root CA (http://www.onlamp.com/pub/a/onlamp/2003/02/06/linuxhacks.html) and you can even become an intermediary (Secondary) CA authority by paying Verisign, Equifax or Thawte. Heck, if you pay enough money to Microsoft, Mozilla or Opera and adhere to certain standards they will include your servers in their set of root certificates.
SSL is not supposed to be preventing MITM nor is it supposed to be for identifying purposes. We have other technologies for that like PGP but the internet relies on anonymity so you're never 100% sure that you're going to talk to the correct persons. Even with PGP, your initial communications will have to be trusted (eg. you personally hand over or get a key) or any subsequent communications will be compromised. SSL doesn't even go that far because every communication is viewed as an initial communication. If the certificate is re-signed or changed to another CA the next day, your browser will not complain as long as that CA is in it's trusted root certificates.
I personally think it's the government's fault that PGP didn't break through as a good authentication scheme because of their export limitations on firearms and it took a while before it was circumvented by opening up the standard. It's the browsers fault and the CA's as well (with VeriSign the biggest) by asserting that SSL certificates can be used to authenticate an entity rather than a communications. Lately there came to be the SSL-extensions but it's a) too little too late b) bolted on c) not a solution since that information can also be falsified using the exact same methods as described in the article since all it takes is a 'rogue' SSL signer that doesn't do it's job (or somebody impersonating the entity)
Custom electronics and digital signage for your business: www.evcircuits.com
Put the certificate fingerprint in DNS. I lookup a domain name and get an IP address and fingerprint, allowing me to be certain that I am talking to whom I think I am talking to. No CA needed. (Of course, we need DNSSEC for this to really work.)
How does it help for an organization in Africa to certify that a given certificate is "legitimate"? What does that mean, anyway?
When I visit the SSL server with the "compromised" certificate at 192.116.242.23, Firefox tells me:-
Secure Connection Failed
Peer's Certificate has been revoked.
(Error code: sec_error_revoked_certificate)
Unfortunately, a lot of applications do not check for revocation by default, and there are even some CA's who do not provide an online certificate revocation service, which is another weak link.
The article is confusing, and the author declines to name the certificate issuer that's the problem. But the screenshot gives the details. It's PositiveSSL. He really did get PositiveSSL to issue him a Comodo-authorized cert in the name of "www.mozilla.com". Try this link and look at the certificate details.
It looks like certificates with this issuer information need to be rejected:
I loaded all current Comodo certificate revocation lists, and this bogus certificate has not been revoked.
Some Comodo CA root certificate needs to be removed from the approved list.
Governments have a vested interest in keeping things insecure; they want MitM to be achievable, and making CAs answer to government means you can't trust them as introducers. Go ahead and have government-regulated CAs, if you want, but we need the capacity to have multiple signers for any identity so that we don't depend on that inevitable single point of failure.
Switch to OpenPGP and you have a situation analogous to using the best bank/insurer/doctor. If one is untrustworthy, the other signatures remain. No government can possibly match that level of integrity. But they could become a part of it.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Looking at this cert further, it's a very wierd certificate. "Issuer" of ""www.mozilla.com" has "O=Comodo CA Limited". That's descended from "Positive SSL CA", for which "Issuer" has "O = The USERTRUST Network". That's descended from "UTN-USERFirst-Hardware", for which Issuer has "O = AddTrust AB". That's descended from "AddTrust External CA Root". Why is a Comodo cert being issued under AddTrust? Comodo is a root CA itself, with its own root certs in major browsers. Something is not right here.
So who's AddTrust? Their web site says "Under Reconstruction". This does not look good. Checking the Internet Archive, we find "JOIN THE ADDTRUST FAMILY Gain an edge over your competitors by providing co-branded PKI services"
AddTrust went beyond using resellers. They apparently allowed subordinate CAs to issue certs in AddTrust's name: AddTrust's rapid Trust Service Provider (Licensee) start-up package allows you to deliver cutting-edge public key infrastructure (PKI) services cost-effectively and in a way that best complements your business model. Literally within months you can start selling pre-packaged outsourced PKI services allowing your customers ...
AddTrust's globally recognized PKI brand is designed for co-branding with companies recognized for high-quality IT services and products. ... Rather than relying on external certification authorities, you can easily provide high-end certificates yourself by becoming an AddTrust-licensed Trust Service Provider. This allows you to decide how much of the underlying secure infrastructure you want to run and invest in yourself.
The relationship between Comodo and AddTrust is mentioned in this email. Robin Aldin of Comodo wrote: There is no ongoing relationship with AddTrust AB, Sweden. I'm not even sure if AddTrust AB still exists as a company. I think AddTrust may exist now only as a brand of ScandTrust AB. Sweden - although Comodo does have the right to continue using the root CA certificates which we purchased from them and which bear the AddTrust name.
So the party ultimately responsible for this certificate is out of business?
WTF are we paying CAs for if they are going to sit on their fat asses and do nothing???
These CAs not only put their own customers in danger they put all CAs and the entire PKI infustructure in danager.
If Comodo does not immediatly add their reseller to the revocation list we should do it for them by operating our own recovation lists containing CA's that are known to not be trustworthy.
There need to be consequences. CAs that are not trustworthy need to be yanked from the trusted third party list at the very least. This is **serious business**.
If their community won't do it we should opperate a recovation list or browser plugins to show relevent incidents known for the CA so the end user can make an informed decision.
What we should really do is get away from the CA vendor racket completely - use the domain registration systems to automatically issue and accept CSRs from those authorized to manage a domain and all this crap goes away overnight.
This subject is being discussed by Firefox developers, Comodo CA people, the person who reported the problem, and somebody named "Patricia" from CertStar, the issuer, here.
Robert Alden of Comodo says they "have suspended Certstar's reseller activities until our investigation has been completed." The CertStar site now says "Due to technical issues we are unable to process orders at this time. We are working hard to resolve the issue and apologize for any convenience caused. Please check back later."
The Mozilla team is discussing revoking some root CA keys.
The company that I worked at used a MITM attack with self signed certificates to read everyone's HTTPS stuff during the financial crisis. I was quite surprised to find that my bank and my broker's certificates were rejected by my Firefox, and that, upon inspection, the issuer was actually my company. IE, company issued, didn't warn me, and neither did Chrome, and I have to confess that when Firefox complained, I would often switch to Chrome, because it didn't. Then, one day I looked at the certificate in Firefox, and I discovered just what that warning meant. My company was spying on me.
This is my sig.
That would be correct. The thing is, that you CAN compromise some of the other needed stuff as well (which would be the MItM part...) and this CA that isn't following official stated procedures would be all you'd need to cover up the fact that it'd been done.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Certifying Authority keys are assets, and thus capable of being transferred. The original name might be out of business, but the keys still exist.
I don't know if there's an ongoing audit requirement in that case, though.
Certifying Authority keys are assets, and thus capable of being transferred.
That in itself is an interesting question. A "signature" is not normally considered a transferable asset. Also, there's a "relying party" liability associated with certificates. Signing carries with it obligations. Did Comodo acquire that liability?
Here is my idea. Add an SSL record to DNS similar to the MX record. Have the browser check the DNS SSL record for authorized CAs for the domain. This way, I can set up my own CA server, but I can only issue certs for my domain. I could issue a microsoft.com cert, but if there is no SSL record for my server in Microsoft's DNS, the browser will tell you it is an unauthorized cert.
Tools->Options-> Advanced Icon Tab, Encryption Sub-Tab, View Certificates.
Find the offending certificate and hit delete... not sure which so I just wiped them off the list completely, though I'm sure there higher value certificates are still fine.
Is this widely implemented? I've never heard of it before, although I'm by no means claiming any expertise. How does one go about setting it up?
I did some Googling but perhaps I'm searching under the wrong terms; nothing seems to come up besides people mentioning that it exists in the spec. Or is that all that exists right now?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Or at least they should. SSL certs, I think, are one area best served by government.
SSL certificates are the online version of your drivers license or your passport. We entrust our governments to provide us with reliable, trustworthy forms of identification. We know that if we see a drivers license or a passport, we can be reasonably certain the person holding said identification is who they claim.
Not so with SSL certs as they exist to day. Since private industry issues them, there are no standards. A $20 SSL cert from Godaddy is just as valid of identification as a $500 one from verisign. What is the difference? You'd have to ask nerds like us for an explanation, it isn't something anybody can grasp. As far as most people are concerned, both make the "key" at the bottom of their browser lock.
Ideally you should be able to walk into your DMV or whatever state or federal agency you register your business with and for a modest fee, get a government issued SSL certificate.
Letting the government deal with this has many extra benefits. For starters, we could make SSL certificates fall under the same kinds of laws that govern passports or drivers licenses. If you forge one, or enter fake information, you could be charged under the same laws that faking a drivers license fall under. For second, if done right, good governments would issue these for virtually nothing and maybe protocols like S/MIME would finally get widespread adoption.
What about open source projects who currently cannot afford SSL certs? Well, if the government does it, they could file as a non-profit and get one for free (or reduced cost).
How would this work from a technical standpoint? How would browsers deal with a long list that has every countries certificate authority? Dunno, but it seems it wouldn't be a big problem.
What international agency would regulate this? Who regulates passports? Dunno, but seems to me we already have a long history of internationally recognized identification--both for business and personal use. Why not task those guys with SSL certificates?
Bottom line, I know we all seem to hate more government, but SSL certificates are one thing governments should be doing, not private industries.
SSL certificates are a form of identification just like a passport is. Seems to me the passport guys figured this stuff out. SSL certificates can't be much different in terms of treaties or regulation.
The "push" method of financial transactions is definitely the way to go.
Outside the U.S., and particularly in German-speaking Europe, the push system is fairly common even for paper-based transactions. Instead of writing a check -- which is a "demand instrument," basically a pull-initiated transfer -- a merchant gives you a little slip with their account number on it, which you sign and is sent to your bank, which then transfers the money to them. It would not be hard to do this electronically.
Let's say you go to buy something online. On the checkout page, rather than being prompted for your financial information so the merchant can draw against your account, the merchant instead gives you their account info, and some sort of unique transaction identifier. You open a new browser window and go to your bank's page, and enter the amount and transaction ID, then submit the transaction. When the merchant receives the money, they execute your order; if they don't get it within some period of time (24 hours or so), it's simply dropped.
The backend infrastructure exists for this already, in the form of direct deposits. With an ABA routing and account number, you can send money into an account at most banks, but (in theory, if the bank isn't stupid) can't withdraw it; thus there's no harm to a merchant in exposing this information. It's an intrinsically safer model than one where knowing an account number lets you arbitrarily draw money from it, as credit cards do.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I think this problem highlights in my opinion a related issue in the Mozilla/Firefox certificate authority mechanism.
There doesn't seem to be a way to mass deploy (or, in this case, remove) a CA from it.
If I'm wrong, please enlighten me. The closest thing I have found is a Firefox extension that you can install that adds the CAs you choose (which I can't find a link to right now :( )
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
Well, there's some acquired liability...
Now that I know Comodo is responsible for at least some of the certs coming from the AddTrust key, I'm disabling AddTrust and Comodo.
Hey, the bogus Mozilla cert I got from StartCom has the following chain of issuers, starting with the cert itself:
So PositiveSSL's cert was issued by USERTRUST, and USERTRUST's cert was issued by USERTRUST. I don't see AddTrust in the loop.
Here's the bogus cert that I saw.
You should never trust anyone you haven't met.
And you should never trust most of the people you have met, except in specific contexts.
And you should not really want anyone to trust you, except in specific contexts (in other words, where you have made contracts, whether explicit or implicit).
There are some emergency conditions when you have to override the above statements of fact (not rules, statements of fact), but, if you think about it, there is an implicit social contract that covers emergency cases. The rarity or commonality of the good Samaritan in a society is just a reflection on that society's penchant for breaking contracts, rather than evidence that trust does not require contracts. (There is an implicit social contract that we enter at birth, although there are some who make that contract out to be broader than it is.)
This whole business is at the center of what I have against Bill Gates and his crowd, and against Microsoft. The enabled the global ponzi schemes, if you think about it. (And we can rest assured, there will be more of them uncovered in the next year or so.)
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
For the entirety of today I forgot about this project. Only now did I remember after seeing some comments on Reddit.
Multiple "notaries" who report what key they've seen and when they've seen it.
Check it out: Perspectives
You don't even have to replace your oligarchy of trusted companies (keys, rather), you could just use this tool in conjunction.
The primary (and legitimately, the only) purpose of the certificate is to verify the site's Internet address. i.e. that the site you are now talking to is the one that successfully applied for that domain name or IP in the first place.
So checking for A) the lock and B) correct domain in the address bar at the same time should strongly validate in your mind that there is no MITM, even if DNS is being attacked. This is all providing that C) no cert warnings appeared. If any one of those three 'legs' is missing, then the security table falls down... you cannot trust the connection.
If CA's backing up the above process is not good enough for you, then consider contacting the site operator "out of band" such as over telephone (heck, maybe in person) and verify their certificate's fingerprint. If it matches then you can safely import their certificate into your browser and be assured of a secure connection.
The only thing more secure than the above is having the operator give you a copy of their certificate in person.
And all of the above is predicated on both yours and the site's systems not being compromised with malware or unauthorized access.
Frankly I'm disgusted by the all the layers of profit oriented bureaucracy involved in provisioning essential internet 'metadata' which really could just as easily be made freely available (and once was). Want a domain name? Pay a registrar, and not just once, but on a recurring basis annually though their action on your behalf is a quasi one time affair. It could just as easily be $0 or $10 one time fee for 50 years to cover the (minor) administrative costs for the typical basic cases.
Want IP address space like an actually routable, transportable (between ISPs) class C CIDR IP block? Good luck with that, and if you can get it, again, be prepared to pay dearly on a recurring basis. This, like domain name services was once (not long ago) free; AFAICT the only reason it now is 'expensive' is pure greed. A domain name registration, SSL cert, or CIDR block delegation costs nothing more than a few kilobits of space in a couple of database records, and a few kilobytes per month of internet traffic to serve out the records in response to queries. In contrast a typically free of cost email account like gmail / mail.live.com gives you GIGABYTES of storage space, gigabytes per month of free network bandwidth to access the content, and is even more complicated to administer in many ways than a DNS zone or IP delegation or CA. It's senseless that we have free email and such and uber expensive IP delegations, CA certs, domain registrations, et. al.
Getting to the point of my 'modest proposal', IMHO all accredited domain name registrars should also typically be accredited / trusted CAs who have authority (at least) to issue trusted certificates for all domains within the TLD pool they're registrars for. Further, I think that when they register a domain for a customer a basic "moderate validation" SSL / code signing / identity type signing certificate should be given out for any registered domain included in the cost of that domain registration. That is simple assurance that if you're actually allowed to have / maintain the domain name, you have the simple and affordable mechanism to use that domain for SSL or email or DNS or whatever you need to do that is typically backed up by a certificate based identity reassurance. If you don't pay for / renew the domain, transfer it, or get it legally taken away due to illegal actions on the part of the operators then the current certificates get revoked at the same time by the registrar; very simple. This would go a long way (in convenience, affordability, simplicity) toward getting people to use things like DNSSEC, HTTPS, digitally signed email / MTAs, et. al. which would be of immense benefit to the entire internet's security. Typically the registrar will have some kind of reasonable assurance of who their customer is since they've paid for or at least filed the domain registration, and there'd be no question of party A improperly getting a valid CA cert for party B's domain which they don't even own / control in this situation.
If someone wants truly extended validation of the certificate then of course it'd be reasonable to pay nominal costs for the non-automated administrative costs of validating the organization's credentials manually or in person or whatever.
Furthermore, it seems like a reasonable proposal that any financial processor doing commerce / e-commerce related functions (think bank, credit card company, credit card processor, et. al.) which maintains financial accounts for customers should also 'freely' (as part of the basic cost of having such an account at all) issue digital signing / OpenID / SSL whatever certificate signatures indicating that person / organization X currently has a commercial account in good standing with the provider. If they close the account, they can revoke their signature. Thus if you're processing e-commerce credit cards and receiving payments into your Bank Of America merchant account, you'd have a 'free' Bank of America CA signature to use on your site's SSL cert or whatever for however long you had that
I wrote a similiar article back in 2003 for 2600 magazine.
I copied it here to my blog right now (so you don't need to find it in paper edition of 2600 magazine):
http://jooray.soup.io/post/10105517/State-of-art-certificates-Whom-do-you
Seems nothing has changed in five years.
They might not have been spying on you. Maybe they were much more interested in securing the corporate network by detecting threats like accidentally or intentionally downloaded malware and hack tools and/or drive by downloads via HTTPS. Because, if you want your corporate AV scanners at your perimeter to be able to detect such threats you have to break up the encrypted HTTPS traffic in order to protect against it.
Of course, they could also have been worried about "extrusion prevention" and feared that internal documents might get uploaded via HTTPS or that trojans might be able to phone home without the possibility of detecting them.
The company that I worked at used a MITM attack with self signed certificates to read everyone's HTTPS stuff during the financial crisis. I was quite surprised to find that my bank and my broker's certificates were rejected by my Firefox, and that, upon inspection, the issuer was actually my company. IE, company issued, didn't warn me, and neither did Chrome, and I have to confess that when Firefox complained, I would often switch to Chrome, because it didn't. Then, one day I looked at the certificate in Firefox, and I discovered just what that warning meant. My company was spying on me.
There are some other uses too. De-encrypting at proxy and then re-encrypting it with own cert before passing to client gives you ability to run plain traffic through network protection tools like antivirus and attack-detection/prevention scanners. Iirc squid can do this almost out of the box.
Encrypted traffic is an efficient attack vector into corporate LAN and the attacker has to only penetrate the last line of defence, local antirus software running on workstation.
And yes, it can also be used for spying you.