Slashdot Mirror
Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com)
itwbennett writes: On Wednesday, Trend Micro wrote that it discovered a cyberattack on Dec. 21 that was designed to install banking malware on computers. The cybercriminals had compromised a legitimate website and set up a subdomain that led to a server under their control, wrote Joseph Chen, a fraud researcher with Trend. The subdomain used an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate issued by Let's Encrypt, the first large-scale project to issue free digital certificates. which is run by the ISRG (Internet Security Research Group) and is backed by Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai, among others. The incident has sparked disagreement over how to deal with such abuse, writes Jeremy Kirk.
This style of attack would have been able to get an SSL cert from most cheap cert providers, as most of the cheap ones only require you to dump a particular file in the right place on the website for verification, so why the emphasis on "Lets Encrypt"? Because they are "cheaper than cheap"?
You give people free shit, and they make shit out of it!
You can try to impose your moral fucking bullshit on your free shit, but then it won't be free anymore, now will it?
Fucking hypocritical morons.
I think that one way to deal with this would be in the browser.
Currently, EV certs will turn the address bar green or have some other indication above and beyond the normal "lock" icon.
Perhaps we need to have a different color or indication for each kind of cert.
Also, perhaps have a warning in the browser if the last known certificate is from a different CA and/or has a different validation level from the certificate currently being presented by the same domain.
Other than that, I am not sure what could be done on the server side of things. The system is meant to be free and open... which, by definition, means it is going to be abused.
My eyes reflect the stars and a smile lights up my face.
This article looks like a really good response to the issue: https://unmitigatedrisk.com/?p=552
The problem here seems to be that people are assuming that a certificate means more than it actually does. The certificate certifies the identity of the site and gives no information about the contents or reliability of the site.
The ad brokers do not care that bad ads slipped in as they make money on any, so they have zero incentive to remove malvertising other than a cursory effort to appease the lawyers and government.
This is why I install adblocks on all customer machines now (and we process a large amount). To an end user advertising of of limited utility, and comes with at minimum high annoyance and at worst malware/fraud/id theft.
Case in point, I was trying to find news information on a police standoff near my house, and one of the official local news stations ads were targeting nexus 6 with a scam 'free iPad' redirect. This only occurred on my Nexus 6, not a PC or LG phone. This is just normal day to day browsing, and I could not even read the news.
The state of affairs when it comes to online advertising and scams is very bad and will kill the industry very soon if changes are not made. Unfortunately it will likely bring down many good sites for real content with it.
Silence is a state of mime.
The Java browser plugin infected millions, loaded bloatware, and generally has been a nuisance for years.
It eventually was blacklisted from browsers.
Let's not pretend SSL certs were supposed to do things they're not. You can be certain no one is imitating the malware site. And that's all a SSL cert means.
Why the hell do ads need to be able to run arbitrary 3rd party scripts? Give them an image, some text, etc. and they stick it in their ad format. There's no reason to let random people on the internet inject scripts from totallynotmalwarenoreally.ru into ads on the New York Times' site.
I don't see why this is news at all. Let's Encrypt is a great way to allow any webmaster to offer a TLS-protected connection between his users and his server.
As a user, seeing a website using a Let's Encrypt or StartSSL certificate does not tell me anything about the legitimacy of that website. All it does is guarantee that my connection won't be intercepted through a MITM attack. Personally, I never "just trust" the little lock icon in my address bar: I click it and see who signed it. Then I make a decision on whether or not I trust that website with my information.
If they were able to create a subdomain, that means the attackers controlled all traffic to that subdomain.
Since most certificate authorities only verify via email to the domain for which the certificate is requested, the attackers would have gotten a certificate from virtually any CA.
There are additional verification steps required for EV certificates that should thwart this sort of attack, but singling out Let's Encrypt for issuing a certificate in this case is disingenuous.
The real problem lies with the DNS registrar that accepted an unauthorized subdomain registration request. (Or maybe the client's account was compromised, in which case the victim is to blame.)
Either way, the submission titles makes it seem this is a problem with Let's Encrypt when it most certainly is not.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
CA's have no business judging the validity of content. A cert indicates no more or less than that the content came from the person you think it came from. Malware/spyware/hacking tools are subjective concepts.
Fighting hacking/spam is the duty of police enforcement according to local law not CA's and technical companies. What next, a CA base in China or Russia refusing to grant "gays" certs for their sites as immoral? There is no line, everything is over the line, a CA should exercise zero discretion with regard to content just as an ISP should not.
What needs fixed is the standard. All certficates should be "wildcard" certficates by default and cover subdomains no matter the depth. Whoever has the cert for the domain should then be able to issue subdomain certs. This is how the certs should work because it is how the dns system works. The owner of xyz.com owns bob.xyz.com maleware.florida.xyz.com etc. The only purpose for doing otherwise is so that cert vendors can charge more making you buy certs for each of your sub domains.
Why the hell do ads need to be able to run arbitrary 3rd party scripts? Give them an image, some text, etc. and they stick it in their ad format.
Because only scripts can animate "an image" and "some text" on a <canvas> element. Ideally, the advertiser would author the animation and export a set of data that represents keyframes, and a publicly auditable script hosted by the ad network would use this data to present the animation. But to my knowledge, there is as of yet no such standardized format to represent canvas animations.
Firstly, the attackers here had enough control to alter the site's DNS data. If they've got that much control, likely they also have access to the SSL private keys for the site. Even if they don't, they've enough control that they can do anything they want anyway by using subdirectories on existing servers. So, any changes Let's Encrypt might make still won't protect against this attack. SSL server certificates insure you're talking to the host you think you're talking to, they say nothing about whether that server's controlled by who you think it is or whether it's content can be trusted.
That said, Let's Encrypt should at least verify control of the domain a certificate's being requested for before issuing it. There's several options: give the user a random nonce and confirm they can add a TXT record with the nonce in it (at either the hostname requested or higher up in the hierarchy, they can then request certificates for any hostname at or below the point they could add the record at), have the user add that nonce as an HTTP header or HTML meta header on the root page of the site, send the nonce by e-mail to an administrative mailbox for the domain and require the user to enter it (showing they at least have access to an administrative e-mail account in the domain)... there's probably more options. I think it's non-controversial that being able to get a valid trusted SSL certificate for a host in someone else's domain without the participation of that someone else is a Bad Thing.
They already do confirm you have control over the domain. The only difference is that it's (as good as) fully automated through the ACME protocol. You can verify it by hosting a website on that domain, you can verify it by sending an e-mail to the domain. Any other CA (even VeriSign) does the same thing unless it's StartSSL or an EV domain for which you have to actually submit paperwork that you are the business owner.
Custom electronics and digital signage for your business: www.evcircuits.com
Good old-fashioned gifs can animate without use of a script.
Each frame of an animated GIF has to include all pixels that have changed since the last frame. They can't compensate for motion, which means text fading in or sliding in from the side will bloat the file larger than a script+keyframes approach would. And with ad networks recognizing the realities of a pay-per-bit market for Internet access, advertisers will prefer a format that fits a more attractive ad into the same file size.
There's a difference between privacy and trust, but browsers don't make that clear to the user in a consistent or even useful matter. That said, nothing will ever completely fix a layer 0 issue except education.
Eagles may soar, but weasels don't get sucked into jet engines.
Devices running the Comodo Dragon browser visibly distinguish DV from OV certificates. I don't know if it still does, but it at least used to present an interstitial page for DV certificates that resembles other browsers' interstitial for an unknown CA.
Lets encrypt does the checks for control of domain like the other certificate authorities.
And really people should use DNS Certification Authority Authorization(RFC 6844) to only allow the certificate authorities they want to use. Though I am not sure if all certificate authorities follow it yet, but at least most do so it is risk mitigation.
If it is only a small part of data, that actually needs encryption — the password and the credit card number — you can do that (using the well-known and studied protocols) in JavaScript.
What you describe is similar to what Tloz proposes in the question "How to replace SSL/TLS?". But using client-side script to encrypt passwords has three drawbacks:
But for some reason, the interwebs is somehow different
It is different. On the web, unlike in print, advertisers demand accurate view counts and accurate click counts. A web publisher that hosts advertisers' ads on its own site has an incentive to fraudulently inflate these. An ad network, on the other hand, is theoretically a neutral party and competing with other ad networks to offer analytics that are no less accurate than those of other ad networks. So how likely is an advertiser to trust reach statistics provided by a publisher compared to those provided by a well-known ad network?
The certificates for www.google.com, facebook.com, and www.amazon.com aren't EV either.
In theory, certificates of full-time for-profit companies ought to be at least organization-validated. But apart from Comodo Dragon, most browsers don't do much to distinguish a domain-validated certificate from an organization-validated one.
StartSSL does domain verification by sending e-mail to an administrative address (pulled from WHOIS data) (for their Class 1 certificates anyway).
Green bar is safe, the rest is not.
By that metric, Google, Facebook, Amazon, SourceForge, and GNU are unsafe because they're not EV. (I just checked.) Twitter, GitHub, Mozilla, and Outlook/Hotmail are safe though. eBay has a green bar on those few pages it does serve with HTTPS, but it's unsafe because many pages redirect from HTTPS to HTTP.
But can a site run as a hobby, as opposed to a full-time business, be made "safe"?
The problem is that a criminal set out to defraud people, and used whatever tools he could get his hands on.
Blaming the tools is not going to solve the problem of breeding people to be criminals, just like blaming the guns won't stop gun crime.
A criminal will just buy a fucking $30 certificate if they have to, so attacking free certificate providers is a red herring fallacy.
The 'free' SSL certificates, yes, but I don't think you can use them for business. Their 'verified' SSL certificates require paperwork.
Custom electronics and digital signage for your business: www.evcircuits.com
But this sort of thing should be expected from DV certs, especially when they're offered at no cost. A paywall wouldn't prevent this, but it would reduce incidence.
Just because the bar is green does not mean it is safe. Everyone wanted to run from self-singed certificates because it prompted the user with a warning. You know what? That weird ass name on the cert also helps verify where it comes from. Instead we replaced certificates and trained people to look for a lock that was already easy to spoof.
I didn't even go so far as to say no scripts, I said 3rd party scripts.
I misunderstood your post. Others have used the term "third-party scripts" to include any script not on the same domain as the page itself, such as the script for serving ads itself.
You can make all the stupid animated punch the duck ads you want, and give the script to the ad network to audit and host.
A third-party script hosted by the ad network is unlikely to get audited well unless it's used by a substantial number of different advertisers. That's what I meant by a "standardized format to represent canvas animations": an ad network could afford to put effort into auditing a script that plays such a format.
Why does it need to be hosted on an unknown 3rd party domain, subject to being replaced at a whim with exploit code?
The exploit code is actually an obfuscated part of the original ad itself, hosted by the ad network, because the ad network did a half-donkeyed job of auditing it.
This headline is as pointless as saying "Burglar walked into unlocked home who used a deadbolt."
This is just ridiculous. The problem here is that the attacker was able to create a new DNS sub-domain. The Let's Encrypt angle is just a red herring from a company (Trend Micro) that wants to make money selling SSL certificates.
If your company offers free/cheap certs that he hackers are using; then we blacklist those providers. It's not fair to them; but it's not fair to us to have to worry about this crap either. It's why I run ad-blocking; not because I hate ads; but most drive-by infections come from ad networks that don't care enough to not sell malicious ad space. I'm not infecting my computer because some web developer needs to make a little money. If you have zero integrity; then you get zero respect. I'm already starting to reject certs from free/lo-cost certification issuers; the same way I reject ads from ad-networks.