SSL can provide a false sense of security: Man-in-the-middle attack on SSL


How SSL works

SSL (HTTPS) is a protocol that provides a secure connection to the website you’re connecting to. Unlike with plain HTTP, all an attacker can see on the cable is which IP and port you are connected to, roughly how much data you are sending, and what encryption and compression is used. He can also terminate the connection, but both sides will know that the connection has been interrupted by a third party.


SSL can provide a false sense of security

Yet SSL is currently providing people with a false sense of security, because nobody knows how to use it properly. SSL spoofing is one of the problems facing SSL. Spoofing SSL is easy to do, since the attacker won’t be attacking SSL itself, but the transition from unencrypted to encrypted communications.

So basically the attacker gets your request to the non-secure version, redirects it to a fake secure version (which is generated by his computer) and sends the bait to you to steal your information.

[Figure: sslstrip]

Improved attack

Yet in my recent research, I found out that even secured SSL connections can be spoofed. Yesterday I tried to visit the secured version of Google at my university. Firefox warned me that Google’s certificate was not valid, and when the page loaded I found out that my university’s IT had replaced Google with a message saying it’s blocked.

How did that happen? What if the attacker has a valid organization SSL certificate?


The attacker can easily know the site you’re visiting and manipulate the content to steal your login information. However, you can still know when you’re being “hacked”, because the browser tells you the certificate is not valid.

But unfortunately, a valid organization SSL certificate can be bought online, which means a valid SSL certificate can be used by the attacker, so he could potentially replace the certificate and maintain a secure connection, to trick you into thinking that the page is secured.

Tor might not be as secure as you think it is.

Sadly, the issue with certificates also happens on Tor. I can’t know when the SSL is being forged (nobody can), but I noticed that the SSL certificate on Facebook.com wasn’t valid in Tor Browser. Tor has exposed many attempts by governments to spy on the network.

Netcraft: Fake SSL certificates deployed across the internet

“Netcraft has found dozens of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. Some of these certificates may be used to carry out man-in-the-middle attacks against the affected companies and their customers. Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank. This would leave both parties unaware that the attacker may have captured the customer’s authentication credentials, or manipulated the amount or recipient of a money transfer. Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers.

40% of iOS-based banking apps tested by IOActive are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server. 41% of selected Android apps were found to be vulnerable in manual tests by Leibniz University of Hannover and Philipps University of Marburg in Germany. Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone.” Source: Netcraft

Preventing SSL Spoofing

  • Be careful about where you use secure sites.
  • Make sure that your internet connection is secure and that only people you trust have access to your router/WiFi.
  • Don’t use sensitive information when you’re connected to work or public WiFi.
  • Ensure you are using secure connections. Always look for the HTTPS. Click on the certificate icon in the browser, and make sure the certificate is valid and that it belongs to the site you’re visiting.

Secure your machine: Install an antivirus and a firewall.
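
From the site operator's side, the spoofing described above depends on the unencrypted-to-encrypted transition being unprotected. The following is an added example, not code from the original article: it audits a site's plain-HTTP and HTTPS responses for a redirect and an HSTS (Strict-Transport-Security) header. The sample responses, the host shop.example and the 180-day threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # 180 days; assumed policy threshold, not from the article

def parse_response(raw):
    """Split a raw HTTP response head into (status, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, else 0."""
    match = re.search(r'max-age\s*=\s*"?(\d+)', value or "", re.I)
    return int(match.group(1)) if match else 0

def audit_transition(http_raw, https_raw):
    """List weaknesses in a site's HTTP-to-HTTPS hand-off (empty list = none found)."""
    findings = []
    status, headers = parse_response(http_raw)
    if status not in (301, 302, 307, 308):
        findings.append("http:// serves content instead of redirecting")
    elif urlsplit(headers.get("location", "")).scheme != "https":
        findings.append("redirect target is not https://")
    # Only the HTTPS response counts: browsers ignore HSTS sent over plain HTTP.
    _, secure_headers = parse_response(https_raw)
    max_age = hsts_max_age(secure_headers.get("strict-transport-security"))
    if max_age == 0:
        findings.append("no HSTS: later visits via http:// stay interceptable")
    elif max_age < MIN_MAX_AGE:
        findings.append("HSTS max-age below policy threshold")
    return findings

# Constructed sample responses for a hypothetical site, shop.example.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://shop.example/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")

if __name__ == "__main__":
    print("weak:", audit_transition(WEAK_HTTP, WEAK_HTTPS))
    print("good:", audit_transition(GOOD_HTTP, GOOD_HTTPS))
```

HSTS only takes effect after the browser has seen the header over a valid HTTPS connection, so a user's very first visit is still covered only if the domain is on the browser's preload list.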