Researchers Find, Analyze Forged SSL Certs In the Wild

← Back to Stories (view on slashdot.org)

Researchers Find, Analyze Forged SSL Certs In the Wild

Posted by timothy on Tuesday May 13, 2014 @01:27AM from the they're-out-there dept.

An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."

56 of 86 comments (clear)

Min score:

Reason:

Sort:

More secure browsing... by Anonymous Coward · 2014-05-13 01:32 · Score: 3, Funny

brought to you by the Adobe Flash plugin!
1. Re:More secure browsing... by clay_shooter · 2014-05-13 01:57 · Score: 1
  
  As opposed to regular browsing where you have no way of detecting these types of activities?
2. Re:More secure browsing... by Anonymous Coward · 2014-05-13 02:19 · Score: 1
  
  Some things are just to freaking hard to exterminate!
  Windows... XP.... Flash... browsers...
3. Re:More secure browsing... by Anonymous Coward · 2014-05-13 02:21 · Score: 1
  
  As opposed to regular browsing where you have no way of detecting these types of activities?
  You mean other than the browser warning the article discusses?
  "These certificates are not authorized by the website owners, but most browsers will "accept" them, i.e. they will warn users of the error, but will allow them to choose whether they will continue on to the (potentially insecure) website."
  Yep, no way to tell.
4. Re:More secure browsing... by ChadL · 2014-05-13 02:39 · Score: 2
  
  Where there is an IT team to provide support using SSL client certificates will prevent (and detect via server SSL logs and client errors) fake certificates.
  When enabled the client will sign (using their client cert, generally with a site-specific internally managed CA) all the communications after the key negotiation finishes, so if there is a middle-man that modified the certificate/keys the server will see the clients signature of the communications as incorrect (as the client and server wouldn't agree on what the communications were) even if the user overrides the SSL certificate warning or an attacker (or employer, or user, or vender) adds a fake/compromised CA to the trust store.
  Doesn't work for sites without a support team to work with users and investigate failures or in cases where the internal CA is compromised, but for the highest of security needs its more effective then using Flash.
5. Re:More secure browsing... by neokushan · 2014-05-13 03:54 · Score: 1
  
  Why would you exterminate browsers? Do you really want/need an app for everything?
  
  --
  +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Flash? I removed Flash to avoid problems! by phayes · 2014-05-13 01:41 · Score: 1, Troll

Flash has had too many security breaches & just isn't useful enough for me to justify it's continued existence on my main browsers.
When I need flash for a few select sites I use Chrome & for the rest I use a windows VM that is regularly wiped back to a clean config using snapshots.
Too bad they didn't implement their validation tool as a normal browser plugin (or a suite of such for FF/Chrome/Safari/IE).

--
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
1. Re:Flash? I removed Flash to avoid problems! by timeOday · 2014-05-13 01:51 · Score: 1
  
  Do those alternatives to Flash allow the developer to enable socket functionalities not natively present in current browsers"? That's the sort of open-ended capability that tends to make Flash a security risk in the first place.
  FlashBlock works great for me, all the advantages of disabling flash, but it's only a click away when desired.
2. Re:Flash? I removed Flash to avoid problems! by oodaloop · 2014-05-13 02:00 · Score: 2, Funny
  
  Why would you remove the savior of the universe?
  
  --
  Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
3. Re:Flash? I removed Flash to avoid problems! by CronoCloud · 2014-05-13 02:27 · Score: 1, Funny
  
  "What do you mean Flash Object approaching? Open Fire, All Weapons. Send out HTML5 Ajax to bring back it's body."
4. Re:Flash? I removed Flash to avoid problems! by phayes · 2014-05-13 03:00 · Score: 1
  
  Do those alternatives to Flash allow the developer to enable socket functionalities not natively present in current browsers"?
  Are low level socket functions beyond what is available to Browser plug-ins absolutely necessary to perform the function? I don't know, which was pretty much the point of my post.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
5. Re:Flash? I removed Flash to avoid problems! by unrtst · 2014-05-13 03:43 · Score: 1
  
  Too bad they didn't implement their validation tool as a normal browser plugin (or a suite of such for FF/Chrome/Safari/IE).
  WTF? Really? How many users would actually install that plugin? How many of those users wouldn't already be paying attention to the warning the browser prints out on bad certs? Using a very widely deployed technology (flash) means they write it once, deploy via the website, and it runs almost everywhere, and it can report back to them (as opposed to the browser warning, which is client side only).
  I'd be a little surprised if it wasn't possible to script this up in javascript, but that would probably only work in recent browsers with full web sockets support. That may be good _in_addition_to_ this flash method, but the flash method is going to work with the largest number of users, giving them the sample size they need.
  Why in the world would they write multiple plugins, greatly limitting the number of subjects, incurring additional development overhead, removing the ability for them to disable it later at any time, and resulting in a useless sample size and unmanagable install base? Coopting flash for this purpose is perfect.
  If you really want a plugin, go write one... I'm willing to bet their methods are clearly laid out.
  If this post had started with them writing browser plugins, tons of people here would be saying how no one would install those and they should have used something else (javascript, flash, java, etc).
6. Re:Flash? I removed Flash to avoid problems! by neokushan · 2014-05-13 03:58 · Score: 1
  
  Too bad you didn't read the summary properly: The flash object sits on the website, not the browser. The browser just runs it.
  For this to work on a wide scale, you can't make everyone install a browser addon. That's just stupid and as bad as flash is, proprietary addons are worse.
  
  --
  +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
7. Re:Flash? I removed Flash to avoid problems! by neokushan · 2014-05-13 03:59 · Score: 1
  
  By all means, give me a better way to enable websockets on the majority of browsers out there. Flash is horrible, but most people have it installed and enabled. The same can't be said for much anything else.
  
  --
  +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
8. Re:Flash? I removed Flash to avoid problems! by tepples · 2014-05-13 08:11 · Score: 1
  
  Flash is horrible, but most people have it installed and enabled
  I don't think many phones or tablets (other than Windows 8 x86 tablets, which are comparatively new) have Adobe Flash Player.
9. Re:Flash? I removed Flash to avoid problems! by neokushan · 2014-05-13 08:25 · Score: 1
  
  As I said, give me an alternative that is supported.
  
  --
  +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
10. Re:Flash? I removed Flash to avoid problems! by azav · 2014-05-14 04:45 · Score: 1
  
  its* body
  it's = it is
  Learn this.
  
  --
  - Zav - Imagine a Beowulf cluster of insensitive clods...
11. Re:Flash? I removed Flash to avoid problems! by phayes · 2014-05-16 00:51 · Score: 1
  
  Snort, great solution there. Flash is going down the tubes and is installed on fewer and fewer systems -- starting with people who refuse the unnecessary security hassle it has become.
  If you want to create a browser plugin for the security conscious, you don't do in an environment that has been proven to be insecure time after time. If possible, you create it in in an environment that will continue to exist in a few years when even Chrome abandons it.
  As to how many people are using TFA's plugin, people using obsolete browser versions (aka your widely deployed tech) are NOT the target audience! The target is people using plugins like certificate patrol to avoid blindly accepting any/all certificate changes presented to their browser.
  I have other things to do than write browser plugins, thanks. You seem to to have some experience in flash development. Any chance you are a flash dev that has been seeing less work and are just knee-jerking in reaction to my pointing out that Flash is insecure?
  If TFA had presented a browser add-on instead of a flash plugin the clueless might have been whining about "what about MY browser", but at least it would be usable by people with at least half a clue.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
12. Re:Flash? I removed Flash to avoid problems! by phayes · 2014-05-16 00:58 · Score: 1
  
  Too bad you don't understand that the browser cannot run it if flash is not installed as a plugin on the user's browser (which it isn't if the person behind the browser has a clue & doesn't NEED it.
  For this to be widely deployed, people would have to care enough to install it, yet clearly that is not the case for over 99% of the people browsing the web. For the remaining people with a clue (aka the security conscious), a browser plugin (akin to Browser Patrol in Firefox) would be amply sufficient.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
13. Re:Flash? I removed Flash to avoid problems! by neokushan · 2014-05-16 01:15 · Score: 1
  
  So what you're saying is, Flash is a stupid idea because people have to install it, but a browser addon is a better idea because people have to install it.
  
  --
  +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
14. Re:Flash? I removed Flash to avoid problems! by phayes · 2014-05-16 06:27 · Score: 1
  
  Clearly, both reading comprehension & web security are too complicated for you.
  Let me use small words to make it easier for you:
  Both Flash plus their flash plugin & a browser plugin need to be installed. A plugin would add no vulnerabilities. Adding Flash to a machine does.
  I leave you to your browser with 10 toolbars, unexplained slowdowns & redirects to porn sites.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
15. Re:Flash? I removed Flash to avoid problems! by neokushan · 2014-05-16 06:40 · Score: 1
  
  For someone banging on about security, this statement is laughable:
  
  A plugin would add no vulnerabilities.
  Flash is a plugin.
  
  --
  +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
16. Re:Flash? I removed Flash to avoid problems! by phayes · 2014-05-16 07:00 · Score: 1
  
  Just because Flash is a plugin & insecure, that doesn't make all plugins insecure. You'd have to be really stupid to make that assumption but you seem dumb enough...
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
17. Re:Flash? I removed Flash to avoid problems! by neokushan · 2014-05-16 07:17 · Score: 1
  
  I'm not making any assumptions, but you seem determined to make blanket statements.
  
  --
  +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
18. Re:Flash? I removed Flash to avoid problems! by phayes · 2014-05-16 08:08 · Score: 1
  
  No assumptions? Yeah, right, you only assume that all browser plugins are as insecure as flash is.
  Anyone who makes an assumption that dumb is an idiot -- statement of fact, not a blanket statement
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Interesting technique and results... by clay_shooter · 2014-05-13 01:56 · Score: 1

It would be interesting to see what they would find if they could run this on a bigger scale. The biggest offender appears to be security appliances. Should the browsers flag security appliances?
1. Re:Interesting technique and results... by leuk_he · 2014-05-13 02:26 · Score: 1
  
  Should they flag them? No, flagging too much will cause the users to just ignore the messages. And for most facebook communication http traffic will be just as good as https traffic.
  But it should note that the security is as good as http traffic, in other words, do not display a lock.
  By the way, think about it, security devices. Security for you? Did you pay those devices? No, it is security for those who pay for the devices.
Just business doing what business does by Anonymous Coward · 2014-05-13 01:58 · Score: 2, Informative

Many businesses implement a man in the middle server that allows them to REGEXP the HTTPS searches and connections. Generally its a proxy out with a requirement to accept the certificate which is then applied to your local to the proxy connection, but remotely your handing the company the keys to any accounts/connections used across the board.
There is a thought of trust your admin not to log your password/financial data etc... Its all quite bizarre but someone thought it was a good idea, or didn't understand the fully risk of the implementation.
Just business doing what business does when its unbridled and government rules are written by that same business.
1. Re: Just business doing what business does by EmperorArthur · 2014-05-13 03:35 · Score: 2
  
  They can't. These are certs that are added by the companies IT department, not certs that ship by default. In some places, like United States libraries, internet filters are mandated. So these places have a few choices, let the public potentially view naughty images via Google image search, downgrade all connections to http, or MITM everything. Guess which one of the three the politicians don't like.
  The big thing those IT departments have to worry about is certificate pinning, which is where the browser stores the actual per website cert, and displays an error if it's changed. This is what Chrome does/is planning to keep people from MITMing Google in particular. I can see both Chrome and Mozilla being proactive, while IE focuses on the corporate clients and if anything becomes less secure.
  
  --
  So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
2. Re:Just business doing what business does by azav · 2014-05-14 04:47 · Score: 1
  
  Generally it's* a proxy out
  it's = it is
  Learn this.
  
  --
  - Zav - Imagine a Beowulf cluster of insensitive clods...
Bluecoat and other security products by Anonymous Coward · 2014-05-13 02:03 · Score: 4, Interesting

I'm behind a Bluecoat proxy at work. The software plays man-in-the-middle when I access my mailbox or online bank.
I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.
1. Re:Bluecoat and other security products by Anonymous Coward · 2014-05-13 02:05 · Score: 1
  
  I never understood why my employees use company resources for private business.
2. Re:Bluecoat and other security products by Anonymous Coward · 2014-05-13 02:11 · Score: 1
  
  Not much of a leader or thinker then are you?
  Hint - your employees are at the office more than they are not.
3. Re:Bluecoat and other security products by Anonymous Coward · 2014-05-13 02:28 · Score: 1
  
  I'm behind a Bluecoat proxy at work. The software plays man-in-the-middle when I access my mailbox or online bank. I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.
  This is something many corporate security products do, so they can inspect and control SSL traffic for security threats. The argument for doing this is that if they didn't, then a large portion of the traffic would be bypassing some of the security defenses. You should never trust SSL for personal info when inside the company firewall.
4. Re:Bluecoat and other security products by NatasRevol · 2014-05-13 02:45 · Score: 1
  
  Yeah, these 13 hr days, 7 days a week really suck.
  
  --
  There are two types of people in the world: Those who crave closure
5. Re:Bluecoat and other security products by Anonymous Coward · 2014-05-13 03:19 · Score: 1
  
  You probably also don't understand that your employees are in fact people who occasionally need to get things organized during the day, and the fact that you are paying them some form of remuneration does not grant you power to dictate every facet of their existence while they work.
  If you don't like it, maybe you should hire robots instead. I'm sure that will work very well for you. You'll just need a maintenance cre--... oh damn.
  What's the world coming to when you can't run a business without these annoying "people" everywhere?
6. Re:Bluecoat and other security products by gl4ss · 2014-05-13 03:47 · Score: 2
  
  you don't know if they're using it for private business without breaching their telecommunications in a manner which should be( and actually in many western countries is) illegal - no matter if you built the road used for delivering the letter...
  of course you probably don't understand all the possible insider and outsider complications that come from having some personnel (no matter if it's some bofh or you) with expressed ability to read everybodys mail and banking details - and from the ability that they lose totally the possibility of knowing if there's some other mitm happening too. basically any security product your company buys is then supposed to stop you from eavesdropping, so you can't use any of that since you _want_ to eavesdrop and do your own extrajudical investigations into affairs which should be investigated by the police if you suspect foul play..
  but now if they(your employees) suspect foul play relating to their id coming from being hacked.. ..you're the first suspect.
  
  --
  world was created 5 seconds before this post as it is.
7. Re:Bluecoat and other security products by swillden · 2014-05-13 06:17 · Score: 1
  
  You probably also don't understand that your employees are in fact people who occasionally need to get things organized during the day
  Meh.
  Businesses have legitimate reasons for monitoring the use of their equipment and networks. Employees have legitimate reasons for doing some personal stuff at work. The obvious compromise is exactly what happens: Businesses monitor and employees can decide whether they're okay with their personal stuff being monitored. If not, they have other options like doing it at home, or on their smartphone.
  That said, I do appreciate that my employer doesn't monitor my traffic.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
8. Re:Bluecoat and other security products by BitterOak · 2014-05-13 06:23 · Score: 1
  
  I never understood where my employer got the right to impersonate gmail or xyz-bank with their own certificates.
  They got the right by providing you with the network connection at work which you choose to use for your personal banking and e-mail.
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
9. Re:Bluecoat and other security products by Anonymous Coward · 2014-05-13 08:12 · Score: 2, Interesting
  
  If you're using OS X, a secure outside connection is as simple as:
  ssh -D127.0.0.1:1080 user@machine
  That establishes a SOCKS proxy on port 1080 which tunnels connections to the remote machine. Then change your network settings to point your browser at port 1080.
  I'm pretty sure PuTTY on Windows supports SOCKS proxies, too.
  Warning: if using Firefox you need to disable local DNS resolving (so that the domain name is resolved on the other end). I forgot what the config name is, but Google will help you.
  Of course, you could use some paid VPN service. But they usually require you to install a local client, and I refuse to run any such software unless it's FOSS. The only apps I run are native from the vendor, or FOSS.
  If you really want to be elite, you run OpenBSD and setup an L2TP or PPTP tunnel over IPSec. OpenBSD only recently gained reliable, native L2TP/PPTP support, so I haven't had a chance to play around with that. But both OS X and Windows support that natively, at least as a client. Linux of course requires some kind of convoluted setup. On OpenBSD it should be pretty easy to configure, because they make configuring IPSec a breeze (as in an order of magnitude simpler than OpenVPN, which many consider to be pretty easy). Although, they may not have had time yet to simplify the L2TP/PPTP configuration. In any event, with IPSec+PPTP, it should be much easier to switch it on and off compared to SSH tunneling.
10. Re:Bluecoat and other security products by tepples · 2014-05-13 08:16 · Score: 1
  
  Your phone DO have a data plan with GBs unused at the end of each month, right?
  If my job paid me $336 more per year (difference between cheapest dumbphone plan and cheapest smartphone plan on my current carrier), I might have a phone with a data plan. But because it doesn't, I have a dumbphone.
11. Re:Bluecoat and other security products by rainmaestro · 2014-05-13 09:24 · Score: 1
  
  You jest, but I've seen exactly that. I was on a short contract early on in my career with a company that occupied an office in a typical large corporate center. Each floor had two sets of bathrooms shared between all companies occupying space on that floor. For the office I was contracting with, you had to swipe to get in or out. Any time spent "out" was considered personal time, and that included trips to the shared bathrooms. If you spent five minutes in the bathroom one day, you'd better work an extra five minutes some other time to make up for it, or you'd get a nastygram for not being at your desk for the full expected time (the worst I personally saw was one employee being chastised for coming up three minutes short).
Idiotic slashdotters man... by Anonymous Coward · 2014-05-13 02:11 · Score: 2, Insightful

You idiots, this guy is presenting about a much larger concern of the overall insecurity of this stupid trust model we call SSL CA Cert and all you morons talk about is how much flash sucks. You guys are fuckin nuts for brains man...
1. Re:Idiotic slashdotters man... by clay_shooter · 2014-05-13 03:06 · Score: 1
  
  I'd love to trade my poorly articulated comments how people are complaining about the wrong thing for mod points t mod up parent.
Re:One more reason Flash sucks by 1s44c · 2014-05-13 02:23 · Score: 5, Insightful

Flash is evil and should be destroyed, I agree. But this story is about how researchers did something cool with flash to detect forged SSL certs.
In this one case Flash isn't the security issue, it's the useful software helping to find the security issue.
Re:Another foreign PhD at an American University by moof1138 · 2014-05-13 02:26 · Score: 3, Informative

It's very common for research universities to take students from around the globe. This isn't unique to the US, either. For example, here's some Oxford's PhD students in CS:
http://www.cs.ox.ac.uk/people/...
It's a very positive thing, actually. Provincialism doesn't improve research.

--

Hyperbole is the worst thing ever.
Re:One more reason Flash sucks by moof1138 · 2014-05-13 02:29 · Score: 1, Redundant

Flash isn't a villain here, it was used as a research tool. The researchers are using Flash to detect forged SSL Certs.

--

Hyperbole is the worst thing ever.
Re:One more reason Flash sucks by lgw · 2014-05-13 02:59 · Score: 1

... meet it is I set it down
That one may smile, and smile, and be a villain

Flash is always a villain. You may use it's power intending to do good, but in the end you will do only evil.

--
Socialism: a lie told by totalitarians and believed by fools.
Not really a good sign by Kirth · 2014-05-13 03:33 · Score: 2

(Error code: ssl_error_no_cypher_overlap)
Yes, I turned off all weak ciphers in my browser. Including most 128bit ones.

--
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
1. Re:Not really a good sign by chihowa · 2014-05-13 05:34 · Score: 1
  
  It's using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. That's not exactly a weak cipher, especially since AES256 is putatively not much stronger than AES128.
  I think the issue you're seeing originates on your end.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Web Sockets is in all major browsers by tepples · 2014-05-13 08:39 · Score: 1

The "Web Sockets" spec is implemented in all current major browsers: IE 10+, Firefox 11+, Chrome 14+, Safari 6+ on both OS X and iOS, and current versions of Chrome and Firefox for Android. Among devices running the latest browser version available for the particular operating system, you're missing only IE on Windows Server 2003 (IE 8), IE on Windows Vista (IE 9), Safari on ancient iDevices, and Android before 4.
This is not what I consider "forged" by RatherBeAnonymous · 2014-05-13 09:10 · Score: 1

This isn't really all that interesting. I will be more interested when researchers find a way to detect certs created with stolen root certificates. You know, the kind that don't make the browser throw up a warning.
1. Re:This is not what I consider "forged" by IamTheRealMike · 2014-05-13 11:49 · Score: 1
  
  Did you read the paper? I did. That's what the research does. It turns out that there isn't a lot of malicious MITM out there, and what little does exist is done by malware on the same machine. The other MITM "attacks" are things like corporate proxies, etc.
  The most interesting thing about this research is that it rather decimates the oft-repeated meme that SSL is broken and gets busted all the time. The data doesn't show that.
2. Re:This is not what I consider "forged" by cryptizard · 2014-05-13 12:00 · Score: 1
  
  True, although it's worth noting that this approach only works through obscurity. As soon as attackers know about it, they can block the flash app or alter it to make everything look fine.
3. Re:This is not what I consider "forged" by RatherBeAnonymous · 2014-05-15 05:18 · Score: 1
  
  I had not read the paper. Now I have. I stand by my statement that this is not what I consider "forged". All of the detected certificates mentioned in the paper were detected by noticing inconsistencies in the public certificate. In most cases an outsider attacker would trigger at least a browser warning unless they had gotten their certificate authority registered on the victim computer as a trusted authority. In the case of the opFailZeroAccessCreate malware, "VeriSign Class 4 Public Primary CA" which it apparently used on some of its public certs, does not exactly match any trusted CA registered on my computer. The same goes for "thawte Extended Validation SSL CA". That would suggest that the malware is merely faking an official sounding names to make it look good.
  We know that there are truly forged certs out in the wild. CA's have been hacked to steal their root certs or other wised tricked into issuing bogus certs in the past. The paper goes on at length about this. But based on their results, I am dubious of them actually finding any such fraudulent certificates or of their methodology being capable of detecting such certificates. My feeling is that if a criminal (or government) had some perfect fraudulent cert they would not use it for hacking random bank transactions from a Starbucks wireless hotspot, but I could be wrong. It may be quite common. I don't believe this article sheds much light either way.
Good luck coming close to $84/yr by tepples · 2014-05-14 04:13 · Score: 1

My current dumbphone plan with Virgin costs 7 USD per month, and I can't switch countries. Which carrier should I use that will leave me with "GBs unused at the end of each month" without bloating my bill by hundreds per year?