Slashdot Mirror


Perfect MITM Attacks With No-Check SSL Certs

StartCom writes "In a previous article I reported about Man-In-The-Middle attacks and spotlighted an example showing that they really happen. MITM attacks just got easier. In the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and a fully trusted certificate? No problem, just head over to one of Comodo's resellers. Screenshots and disclosure provided at the link."

4 of 300 comments

  1. OK, which CA must leave the trusted list? by Anonymous Coward · · Score: 5, Interesting

    There's only one way the CA system can work: Responsibility and repercussions. If a certificate authority signs forged certificates, then it can no longer be trusted and must be removed from the list of trusted CAs. To trust an untrustworthy CA is a security bug and should trigger updates from all browser developers which remove the offending CA. Make the CAs work for their money.

    1. Re:OK, which CA must leave the trusted list? by timeOday · · Score: 5, Interesting

      I guess this is my fault for mentioning libertarianism in the first place. For the record, I think it's a great idea in an imaginary perfect world where everybody has complete access to all information, dishonesty is abolished, natural resources are infinite (so each of us can breathe our own air, etc), and everybody starts life on equal footing (access to education, proclivity to illness, etc). Which is to say, it's exactly as practical as Communism and every other idealization that never seems to get fully proven or disproven because it can never actually exist.

  2. Re:Don't do this at home by TheLink · · Score: 4, Interesting

    And they don't care about security (nor do the users).

    That's why self-signed certs aren't really more risky than CA signed certs in practice.

    http://it.slashdot.org/comments.pl?sid=1041927&cid=25890305

    http://ask.slashdot.org/comments.pl?sid=534356&cid=23199022

    I've probably posted others, but I bet "everyone" is still going to leave the dozens of CA certs in their browsers, and Mozilla and friends aren't going to do the SSH style thing - warn user if the cert changes for whatever reason - even if it's a valid cert.

    I'd like to know if my bank's cert suddenly changed from the old cert to some cert signed by some CA in Elbonia. :)

    --
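The SSH-style check described in the comment above (warn when a site's certificate changes, even if the new one validates against a trusted CA), as an added example that is not part of the original thread. `PinStore`, `fetch_cert`, the host name, the issuer names and the certificate bytes are all constructed for illustration.

```python
import hashlib
import socket
import ssl

def fetch_cert(host, port=443):
    """Return (DER bytes, issuer organization) after a normal CA-validated handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    return der, issuer.get("organizationName", "unknown")

class PinStore:
    """Hypothetical helper: remembers the certificate first seen for each host."""
    def __init__(self):
        self.pins = {}  # "host:port" -> (sha256 hex of DER, issuer organization)

    def check(self, host, port, der, issuer):
        key = f"{host}:{port}"
        fp = hashlib.sha256(der).hexdigest()
        old = self.pins.get(key)
        if old is None:
            self.pins[key] = (fp, issuer)  # trust on first use
            return "first-seen"
        if old[0] == fp:
            return "unchanged"
        # The pin is deliberately NOT updated here: a change needs an explicit accept().
        if old[1] != issuer:
            return f"CHANGED: issuer was {old[1]!r}, now {issuer!r}"
        return "CHANGED: same issuer, new certificate"

    def accept(self, host, port, der, issuer):
        """Record a changed certificate after the user has verified it out of band."""
        self.pins[f"{host}:{port}"] = (hashlib.sha256(der).hexdigest(), issuer)

# Constructed sample data: stand-ins for two DER-encoded certificates.
OLD_CERT = b"constructed-der-bytes-original"
NEW_CERT = b"constructed-der-bytes-replacement"

def demo():
    store = PinStore()
    return [
        store.check("bank.example", 443, OLD_CERT, "Example Trust CA"),
        store.check("bank.example", 443, OLD_CERT, "Example Trust CA"),
        store.check("bank.example", 443, NEW_CERT, "Elbonia Root CA"),
    ]

if __name__ == "__main__":
    print(demo())
```

Legitimate renewals also trip this check, which is why the store keeps the old pin until `accept()` is called.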
  3. Firefox is right to warn. by tjstork · · Score: 4, Interesting

    The company that I worked at used a MITM attack with self signed certificates to read everyone's HTTPS stuff during the financial crisis. I was quite surprised to find that my bank and my broker's certificates were rejected by my Firefox, and that, upon inspection, the issuer was actually my company. IE, company issued, didn't warn me, and neither did Chrome, and I have to confess that when Firefox complained, I would often switch to Chrome, because it didn't. Then, one day I looked at the certificate in Firefox, and I discovered just what that warning meant. My company was spying on me.

    --
    This is my sig.