Steve Gibson's Fingerprint service detects SSL man in the middle spying

" ... a major priority for web browser developers since this infrastructure was introduced by the Netscape Corporation in 1994 was to reassure users that it was safe to use their credit cards to shop online -- and, correspondingly, to hide the complexity of the cryptography from the user. Thus, browsers chose to accept digital certificates absolutely and unquestioningly ..."  

FINGERPRINTING

Finally, all this leads us back to Steve Gibson's new digital certificate Fingerprint service.

What Gibson does is let you compare the digital certificate in your web browser with one retrieved by his server. There are two main aspects to this.

First, the certificate he gets is very likely to be legitimate because his server is directly connected to the Internet backbone, bypassing the middleman (an Internet Service Provider or a large corporation) most of us connect through. He gets his data straight from the horse's mouth.

The other thing he does is make the comparison relatively easy. 

As noted earlier, a digital certificate is a file, and it contains many data fields. Eyeballing the differences is not realistic. But the fingerprint Gibson uses (some browsers refer to it as a "thumbprint") lets us compare certificate files using just the one field: the fingerprint is a cryptographic hash computed over the entire certificate file, so a change to any field, however small, produces a completely different fingerprint.

Looked at another way, Gibson does not know whether VeriSign is supposed to be issuing certificates for the Bank of America or not. No one does. But he can tell you whether the certificate he got for the bank is the same as the one you got.

The fingerprint for a certificate is a long string of hexadecimal characters. As an example, if your web browser reports that the fingerprint for PayPal's certificate is

DA:AA:A4:9B:AD:0C:1E:A3:29:71:D8:CC:62:BA:72:D1:A4:DC:94:9F

but Gibson reports that it should be 

E4:7E:24:84:86:D2:BE:66:C0:4D:41:A1:C2:0F:06:96:56:B9:8E:EC

then think of Obi-Wan Kenobi -- this is not the certificate you're looking for. 
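The comparison described above, as an added example that is not part of the original article or of Gibson's service: a fingerprint is a hash over the certificate's DER bytes, shown as colon-separated hex, and a sound check normalizes the display form (colons, spaces, case) before comparing. The certificate bytes below are a constructed stand-in, and the two fingerprints are the ones quoted in the article; the code also accepts the 32-byte SHA-256 form that newer browsers display.

```python
import hashlib
import hmac

# Constructed stand-in for the DER-encoded bytes of a certificate (hypothetical,
# not a real certificate). In practice this is the raw certificate the browser holds.
LOCAL_CERT_DER = bytes(range(256)) * 4

# The two fingerprints quoted in the article: one reported by the browser,
# the other by Gibson's server. They differ, so this pair must not match.
BROWSER_FP = "DA:AA:A4:9B:AD:0C:1E:A3:29:71:D8:CC:62:BA:72:D1:A4:DC:94:9F"
GIBSON_FP = "E4:7E:24:84:86:D2:BE:66:C0:4D:41:A1:C2:0F:06:96:56:B9:8E:EC"

HASH_LENGTHS = {20: "sha1", 32: "sha256"}  # digest size in bytes -> algorithm


def fingerprint(der_bytes: bytes, algo: str = "sha1") -> str:
    """Return the certificate fingerprint as colon-separated uppercase hex.

    The fingerprint is a hash over the whole DER-encoded certificate, so a
    change to any field in the file changes every part of the fingerprint.
    """
    digest = hashlib.new(algo, der_bytes).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize(fp: str) -> bytes:
    """Reduce the display forms browsers use (colons, spaces, either case) to raw bytes."""
    hex_only = "".join(ch for ch in fp if ch.isalnum())
    raw = bytes.fromhex(hex_only)
    if len(raw) not in HASH_LENGTHS:
        raise ValueError(f"unexpected fingerprint length: {len(raw)} bytes")
    return raw


def fingerprints_match(local_fp: str, reference_fp: str) -> bool:
    """Compare the locally displayed fingerprint with the reference one."""
    local, reference = normalize(local_fp), normalize(reference_fp)
    return len(local) == len(reference) and hmac.compare_digest(local, reference)


if __name__ == "__main__":
    local = fingerprint(LOCAL_CERT_DER)
    print("local fingerprint:", local)
    # Same certificate, different display form: still a match.
    print("self match:", fingerprints_match(local, local.lower().replace(":", " ")))
    # One flipped byte anywhere in the certificate: a different fingerprint.
    tampered = bytearray(LOCAL_CERT_DER)
    tampered[0] ^= 1
    print("tampered match:", fingerprint(bytes(tampered)) == local)
    print("article's two fingerprints match:", fingerprints_match(BROWSER_FP, GIBSON_FP))
```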

More technical details are available from Steve Gibson, who provides a fairly long and detailed explanation of his new service. 

I suspect that some may have a hard time with the notion that Big Brother can spy on encrypted HTTPS web pages. After all, we've been told time and time again that SSL makes everything safe.

Symantec says so. So does the Bank of America, Chase and Citibank. Popular retailers such as Lands' End, Zappos, Sears and Barnes and Noble say so. United Airlines says so. PayPal says their "site is highly secure". A recent article in PC World on The 5 biggest online privacy threats of 2013 didn't even mention SSL/HTTPS interception.

Yet, this isn't news at all. 

Even back in 2004, Computerworld reported on SSL spying:

U.S. universities are struggling with a flare-up of dangerous spyware that can snoop on information encrypted using Secure Sockets Layer (SSL). Experts are warning that the stealthy software, called Marketscore, could be used to intercept a wide range of sensitive information ... IT departments at a number of universities issued warnings about problems caused by the Marketscore software, which promises to speed up Web browsing. The program ... routes all user traffic through its own network ... Columbia University ... and Pennsylvania State University are among those noting an increase in the number of systems running Marketscore software ...

At a time when many Internet users were on dial-up, the lure of a faster connection was enticing indeed. But, the Marketscore software modified the web browser, adding itself to the list of trusted Certificate Authorities.

The 2010 paper Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL by Christopher Soghoian and Sid Stamm got a lot of publicity. It's what alerted me to the subject.

In 2011, Dan Goodin of The Register wrote How is SSL hopelessly broken? Let us count the ways.

Earlier this year, Ms. Smith wrote in Network World that

... an eavesdropping attacker who can obtain a fake digital certificate can successfully impersonate every encrypted website you visit without you knowing that you are not on the genuine site. By using a fraudulent certificate, an eavesdropper can quietly launch a man-in-the-middle (MITM) attack to watch or record all encrypted web traffic while the user is clueless that it's happening. In other words, there is nothing private or secure about your encrypted web browsing.

In January 2013 a security researcher found that Nokia was intercepting HTTPS web pages on his Nokia Series 40 Asha phone. The stated purpose was to compress data to reduce bandwidth.

Update: added April 15, 2013  

Michael Coates, the Director of Security Assurance for Mozilla recently wrote that

An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners ...

And a number of earlier links in this article are to writings by the EFF that warn about SSL insecurities.

To be clear, none of these issues are operating system related. None require a virus or malicious software running on your computer/tablet/smartphone. Normally safe Apple users, on both iOS and OS X, are vulnerable. Heck, even Linux and Chromebook users are vulnerable.

Using an app on a tablet? Then you don't get any certificate information, making you the most vulnerable of all.

The security issues around SSL encrypted web pages are not news. But Steve Gibson's Fingerprint service is, so give it a try.

Copyright © 2013 IDG Communications, Inc.
