Internet Security Proven Vulnerable
At the Black Hat security conference in Las Vegas last week, security researchers demonstrated how to execute a man-in-the-middle attack by exploiting a flaw in the way web browsers handle SSL (Secure Sockets Layer) certificates. The attack enables them to spoof a legitimate server and eavesdrop on network communications, or hijack traffic and redirect it to a malicious site, while maintaining the appearance of a secure Internet connection.
Users are aware that there are shady sites on the Internet and they know they should avoid doing business with sites they can’t trust. They have been conditioned to look for things like the ‘https’ rather than the standard ‘http’ at the beginning of a URL that indicates their connection with that site is protected by SSL. They know to look for the little locked padlock icon as ‘evidence’ that the communication between them and their bank or the ecommerce site they are shopping on is secure.
Three different security researchers (Dan Kaminsky, Len Sassaman, and Moxie Marlinspike) all presented essentially the same conclusion, which they each reached independently. In a nutshell, by exploiting the way that web browsers interpret null characters in an SSL certificate address, an attacker can convince the web browser that the SSL certificate is from a legitimate, trusted site.
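The null-character problem described above comes down to how the name in a certificate is compared with the host the user asked for. The C code below is an added example, not code from the researchers or from any browser; the struct, the function names and the `.example` hostnames are constructed for illustration. It contrasts a C-string comparison, which stops at the first null byte, with a length-aware check that rejects such names.

```c
#include <stdio.h>
#include <string.h>

/* A certificate name as the ASN.1 decoder hands it over: raw bytes plus an
 * explicit length. Nothing in that encoding forbids a 0x00 byte. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed check: treats the name as a C string, so the comparison stops at
 * the first null byte and ignores everything after it. */
int match_cstring(const struct cert_name *n, const char *host)
{
    return strcmp((const char *)n->data, host) == 0;
}

/* Hardened check: a name with an embedded null never matches, and the
 * comparison covers the full recorded length. Case folding and wildcard
 * handling are left out to keep the example focused. */
int match_length_aware(const struct cert_name *n, const char *host)
{
    if (memchr(n->data, '\0', n->len) != NULL)
        return 0;
    if (n->len != strlen(host))
        return 0;
    return memcmp(n->data, host, n->len) == 0;
}

/* Constructed sample names using reserved .example domains. */
static const unsigned char NUL_NAME[] = "www.bank.example\0.attacker.example";
static const unsigned char GOOD_NAME[] = "www.bank.example";

struct cert_name nul_name(void)  { return (struct cert_name){ NUL_NAME,  sizeof NUL_NAME - 1 }; }
struct cert_name good_name(void) { return (struct cert_name){ GOOD_NAME, sizeof GOOD_NAME - 1 }; }

int main(void)
{
    const char *host = "www.bank.example";
    struct cert_name bad = nul_name(), ok = good_name();
    printf("c-string check:     nul=%d good=%d\n", match_cstring(&bad, host), match_cstring(&ok, host));
    printf("length-aware check: nul=%d good=%d\n", match_length_aware(&bad, host), match_length_aware(&ok, host));
    return 0;
}
```

The flawed check accepts both names for `www.bank.example`, while the length-aware check accepts only the genuine one.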
Mozilla has stated that the latest version of Firefox already resolved some of the issues being exploited and that they plan to release a fix within the next week to close the rest of the gaps. Verisign, one of the largest and most respected SSL certificate vendors, also claims that its certificates are not vulnerable. Microsoft is investigating further to determine how these issues affect the Internet Explorer web browser.
The attack is not all that technically sophisticated, so a spike in such attacks should be expected, especially now that the flaw is public knowledge. It is notable that an attacker would first need to break into the victim network they want to target in order for the attack to work. But if three different security researchers all arrived at the same conclusion independently, it begs the question of how many others with more questionable moral fiber may also have stumbled onto this flaw.
August 3rd, 2009 at 6:04 pm
I think (can’t prove, don’t have the knowledge) I have been a victim of a man-in-the-middle attack on at least three levels: my email and my VoIP phone service are the first two. But it’s the third that has done the greatest damage. I first noticed something was amiss at the end of April 09. I became more and more certain that my communications were being intercepted, redirected, spoofed, and eavesdropped upon. The stress mounted as my business and personal relationships were being badly damaged. I reported my concerns to my doctor. She had me _arrested_ on a mental health warrant, and committed to the psychiatric ward–against my will–on the grounds that I was delusional. She does not believe such attacks are possible and would not hear a word to the contrary. (She kept asking me to “prove” it had happened.) I was confined for three weeks, and am now being “treated”–against my will–with anti-psychotic medication (400mg of Seroquel daily). I am in my late 40s, and have never had a mood disorder in my life. If I complain, I risk being confined again, for continued “paranoid ideation.” I was discharged last week, and would like to enjoy some summer while I can. I’d give you my real name if I wasn’t so embarrassed by it all.
August 3rd, 2009 at 6:20 pm
Wow. Your situation sounds very extreme. I am sorry for what you have had to go through. It may have been some form of man-in-the-middle attack. It could also have been any number of rootkit, spyware, keystroke logging, or other malicious software. If you experience such issues in the future, I would suggest performing a comprehensive scan with up-to-date antivirus software. Good luck in the future. Feel free to post here for help/guidance if you feel you are experiencing computer security issues you cannot resolve.
August 7th, 2009 at 4:47 pm
Thanks, Tony. Yep, extreme is the word alright. I have to be careful what I say in a public forum–the sanitized version is that I was doing all the right things to prevent attacks from the outside-in, and I don’t believe they failed me. Suffice to say that my trust was violated far more severely than my privacy. (And I’m not referring to the doc in that statement.) I found an “unknown Trojan” and was reviewing all kinds of oddities in the Windows Event Log before my enforced hiatus. Thanks for the good wishes, and the invitation. I’ll take you up on it at some point, I’m sure of it. Meantime, I’m trying to batten down the e-hatches and psyching myself up to blog about the whole experience.