Security Experts:

Another SSL Hack - A Deadly Internet Trend

"If China Wants Your Data, They'll Get It. Just Substitute Any Government You Want (including the U.S.) for China and You Can See Into the Future."

It had to happen sometime. After years of restoration on my 1968 Ford Mustang, my wife gave me the ‘car or her’ ultimatum. Although the car had been with me longer than my 18-year marriage and with a little more body work, a new engine, and a backseat it would be ready to take to the road, I picked my wife. Off to Craigslist I went.

An advertisement on Craigslist brought me a few potential buyers, the first of which I shrugged off due to lack of trust. The next guy, dressed in a white leisure suit, negotiated me down to lower than my asking price. This guy was good - coming back the next day with a certified check for the full amount and a pickup truck for the boxes of parts. Never one to be fooled, I take a look at the certified check and call the bank that the check was issued against. Caroline (the car’s name, long story) is carted away and I’m thinking I can get a pretty nice leisure suit for $135.

When I took my check to my bank, the nice lady behind the counter told me the check was bad. The name of the bank, address and phone number (the one I called) on the check were all fake. This is not something I want to share with my wife.

As you might hope, this story is not really about my dream car, but rather about the financial and security safeguards that surround us, and our naive trust of them. We live in a time when most of us would not take a personal check from a stranger, regardless of how honest they appear, but have grown used to trusting the apparent safeguards that surround us. The legitimate looking certified check seemed solid; even the phone number checked out. Someone a lot smarter than me has a great scam going on.

SSL CertificatesThe common acceptance of certified checks is a great analogy to the Secure Sockets Layer (SSL) certificates (more below) we all depend on. The majority of us have the same implicit trust in a certified check as we do SSL verified web security. Unfortunately, as we saw from my car story above, our trust is not always justified.

Let’s spend a bit of time extending the certified check analogy into its Internet counterpart. In order for certified check to work, there needs to an independent bank that will guarantee the payment for the check; one that we are absolutely sure will pay up when presented with the check. In a similar fashion, in order for Internet secure data transfer to work, there needs to be independent Internet entity that will guarantee the security of the data transfer, independent of the user and website. Since the Internet is basically just a means of sending data between computers, with the help of many in-between computers, there is a need to protect data so that it cannot be seen by those in-between computers. Think about shouting out your credit card number at the mall the next time you make a purchase instead of quietly sliding it thought the card reader.

Let’s look at a simple Internet bank transaction. You, of course, would want your bank information to be protected (encrypted) as your browser communicates with the bank’s website. In order for you to be fully protected, however, each user needs to have a unique encryption code for your transitions, or you and those thousands of other on-line bank customers would be able to see each other’s private banking data. You can of course, come up with a secret encryption code that only you and the bank knows – but how do you let the bank know you are using your own encryption code, 17842 for example, without someone on those in-between computers picking up the code (keep in mind the fact that you would be exchanging the 17842 code in clear text before you began encrypting data)?

Here’s where the magic occurs. There are companies, SSL certification agencies, whose role it is to act as the middle man, whispering unique encryption codes (SSL certificates) to you and your bank so that only the two of can decipher the information passing back and forth. When your browser starts a bank website conversation, it talks to one of these SSL certification agencies to get a unique encryption code that only you and the bank website can use.

This is truly the technological brilliance that has allowed the Internet to become the financial and retail juggernaut that is now – a trusted Internet entity whose only job it is to give unique encryption codes to users and banks. There are several trusted Internet entities (SSL certification agencies) across the world (VeriSign being a well known one here in the United States) that supplies unique encryption codes (SSL certificates) to banks (and stores and any Internet entity that needs secure communication).

In addition to encrypting transmitted data, SSL certificates are used to verify the identity of a person or device, authenticate a service or encrypt files, allowing a fraudulent certificate to spoof web content (present fake web pages), perform phishing attacks (maliciously act as a legitimate website) and perform man-in-the-middle attacks (spy on all information passed between a browser and its target server).

However, one more step and we can see the potentially devastating flaw in the entire Internet SSL system described above. What if a fake or compromised SSL certification agency enters the picture? What if the entity that is whispering secret encryption codes to you and the bank cannot be trusted, and is able to look at the encrypted data (because they know the unique encryption code) passed between you and a seemingly secure website?

Unfortunately, there have been several cases recently where the unthinkable (the compromising of SSL certification agencies) has happened. The two recent SSL certification agency compromises that have occurred in recent months included Comodo, a New Jersey based company with offices around the world, and DigiNotar, a Dutch-based certificate authority. In March of this year, hackers gained access to Comodo's SSL certificate generation system to fabricate nine fraudulent credentials for big name sites like Google, Yahoo, Skype and Microsoft's Hotmail. On a larger scale, DigiNotar suffered a July, 2011 breach that resulted in 530 false certificates including domains like the U.S. Central Intelligence Agency (CIA), the UK's MI6 and Israel's Mossad. As you might imagine, the ramifications of breaching these two certification agencies are far larger than just a few stolen bank account numbers. Even more interesting are the real uses these falsified SSL certificates are put to.

The majority of us think of Internet security use as being required for very domestic purposes such as banking and online shopping. Not so obvious is the fact that a lot of world’s communication happens over websites like Google Gmail and Skype. While your email to your brother in Idaho might not have any significance to anyone, think about the political and personal privacy concerns that would arise if a repressive country government, such as Iran, had access to every Google email or Skype conversation within its borders.

In fact, it is Iran’s desire to spy on its population’s electronic communication as the real reason for the breaches at Comodo and DigiNotar. Many protesters in the Middle East, including dissenters in Iran and throughout the Middle East, trusted the Google, Yahoo, Skype and Hotmail websites, resulting in Iran’s ability to read every email sent over these sites. It is believed that as many as 300,000 Iranians may have had their online communications tapped into as a result Comodo’s and DigiNotar’s falsified SSL certificates.

While the hacker behind these two breaches has been reported to be a 21 year-old Iranian student calling himself Comodohacker, it is not clear what connection Comodohacker really has with the Iranian government. In an email exchange between Comodohacker and the New York Times, Comodohacker wrote:

“My country should have control over Google, Skype, Yahoo, etc. …I’m breaking all encryption algorithms and giving power to my country to control all of them. …I’m totally independent …I just share my findings with some people in Iran. They are free to do anything they want with my findings and things I share with them, but I’m not responsible.”

An additional indication of Iran’s involvement in these breaches is the fact that the majority of the attacking servers appear to be found in Iran.

The good news is that breaches like those at Comodo and DigiNotar are rare and that there are many checks and balances to spot and nullify such breaches when they occur. The bad news is that the world’s expectations of breach-proof SSL certification agencies have been shattered. As expected all of the ruling bodies that control the Internet have rallied to identify the root causes of these breaches and are working on future preventable mechanisms. What the public is left with, however, is the realization that there will be more certification agencies breaches in the future and no system is immune from attack.

The fact that the Iranian government may be behind these attacks is a good indicator of the magnitude of the resources that will be brought to bear against target IT systems. As I have said several times in various posts, if China wants your data, they will get it. Just substitute any government you want (including the United States) for China and you can see into the future.

Finally, with a Pollyanna view on life, I will say that even a flawed SSL security system is better than no system. The current SSL certificate system serves us well and will continue to do so, even as state supported hackers attempt to find its flaws.

Suggested Reading: The Intersecting Worlds of Fraud Prevention and Counter Terrorism

Subscribe to the SecurityWeek Email Briefing
view counter
Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.
view counter