Dozens of rogue self-signed SSL certificates used to impersonate high-profile sites
The certificates could be used to launch man-in-the-middle attacks against desktop and mobile apps with poor certificate validation
IDG News Service - Dozens of self-signed SSL certificates created to impersonate banking, e-commerce and social networking websites have been found on the Web. The certificates don't pose a big threat to browser users, but could be used to launch man-in-the-middle attacks against users of many mobile apps, according to researchers from Internet services firm Netcraft who found the certificates.
"The fake certificates bear common names (CNs) which match the hostnames of their targets (e.g. www.facebook.com)," the Netcraft researchers said Wednesday in a blog post. "As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates."
Among the self-signed certificates found by Netcraft were certificates for domain names belonging to Facebook, Google, Apple, Russian bank Svyaznoy and large Russian payment services provider Qiwi.ru.
If an application doesn't properly validate the authenticity of certificates it encounters, attackers can use self-signed certificates that are not issued by legitimate certificate authorities (CAs) to launch man-in-the-middle attacks against that application's users.
Such attacks involve intercepting the connections between targeted users and SSL-enabled services and re-encrypting the traffic with fake or forged certificates. Unless victims manually check the certificate details, which is not easy to do in mobile apps, they would have no idea that they're not communicating directly with the intended site.
In order to pull-off man-in-the-middle attacks, hackers need to gain a position that would allow them to intercept traffic. This is relatively easy to do on wireless networks using techniques like ARP spoofing, but can also be done by compromising a router or by hijacking the victim's DNS settings.
Web browsers are generally safe against man-in-the-middle attacks if attackers don't use valid certificates obtained illegally by theft or by compromising certificate authorities. That's because over the years the SSL implementations in browsers have been thoroughly tested, patched and strengthened.
If modern browsers encounter a self-signed certificate, they will prompt a hard-to-ignore warning that will force users to either stop or manually confirm that they want to proceed despite the security risks. However, that's not the case with many other desktop or mobile applications.
In 2012 a team of researchers from Stanford University and the University of Texas at Austin investigated the SSL implementations in many non-browser applications, both desktop and mobile. "Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries," they said in their research paper at the time. "When presented with self-signed and third-party certificates -- including a certificate issued by a legitimate authority to a domain called AllYourSSLAreBelongTo.us -- they establish SSL connections and send their secrets to a man-in-the-middle attacker."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- OpenStack and Red Hat: IDC White paper Most OpenStack deployments are by public cloud providers that are early adopters of technology and use OpenStack in a do-it-yourself deployment and support...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Encryption White Papers | Webcasts