[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"?
daniel at rimspace.net
Thu Mar 25 17:35:28 MDT 2010
steve jenkin <sjenkin at canb.auug.org.au> writes:
> steve jenkin wrote on 25/03/10 1:21 PM:
> Thanks for everyone's input.
> Round 2:
> Is this a malware vector that BlackHats could leverage?
Yes, the MD5-collision forged CA certificate was public evidence that this
is a practical attack.
> By its nature, a highly targeted attack...
No more targeted than fake eBay "you won this" messages, and perhaps less,
since you can attack *any* SSL secured site in the world, since the browser
will trust *any* CA cert equivalently.
The biggest disclosure risk for the attacker is that a poorly coded
interception could actually make a self-signed certificate look like a real
commercial cert, and show the "all validated" sign rather than the warning. ;)
> What would it take?
> - Certificates
Possible to generate, though probably not cost-effective yet.
> - servers or Zombies to run the M-t-M relay. Need exposed IP Nr.
...or to control the end machine, and want to transparently intercept SSL
communication without injecting code into the browser itself.
Still, doing this on any shared network, like the wildly popular public
wireless stuff, or on any network choke-point, like an ISP where you control a
server, is practical.
> - some way to get groups of browsers to go via them
> - compromise ISP's (hard without inside help)
...not that hard, honest. They live in the same sort of security environment
most of the rest of us do, and they run code supplied by untrusted users on at
least some systems as part of their web hosting stuff. :)
> - resetting browser proxies?
> - spoof DNS?
> This is closer to Identity Theft than wide-scale malware.
> But given 5+ years, you'd expect it, wouldn't you?
None of it is a great surprise, really. The crypto people have been warning
about this sort of mistake-of-trust design flaw for years.
✣ Daniel Pittman ✉ daniel at rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
More information about the linux