LinkedIn Responds to Criticism of its SSL Implementation

LinkedIn said that a majority of its users are not affected by the SSL issue reported by security company Zimperium.

According to Zimperium, an attacker could launch a man-in-the-middle (MITM) attack leveraging an SSL stripping technique to steal a user's credentials and gain control of the victim's account, due to the way LinkedIn implements SSL.

"We used our own implementation of SSL Strip and MITM with zANTI, our Mobile Pentesting Toolkit," explained Zimperium CEO Zuk Avraham. "The toolkit tests for several vulnerabilities, and unfortunately, this particular attack is simple and can be done by the most amateur hackers. We have detected many MITM attacks in-the-wild with Zimperium Mobile IPS - and I am afraid that this issue is endangering many users. Since we have reported the attack over a year ago, we wanted to bring this threat to the attention of the users who are still at risk."

The company said it reported the situation to LinkedIn six times during the past year, and that LinkedIn responded twice - most recently in December by stating it was putting together a timeline for full SSL on-by-default deployment.

The social networking site began to transition to HTTPS by default last year, starting with users in the Netherlands. Members have had the ability to opt in to access the site using HTTPS since early 2012.

"LinkedIn is committed to protecting the security of our members," spokesperson Nicole Leverich said in a statement. "In December 2013 we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in US and EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default."

There are several different ways to prevent SSL stripping, Avraham told SecurityWeek. LinkedIn, for example, could change the default connection settings to HTTPS only and ensure the cookie is set to HTTPS only and cannot be accessed via JavaScript (HttpOnly). The other solution is to integrate a combination of security services that protect desktop and mobile devices from attacks like this, he said.

Mike Shema, director of engineering at Qualys, said he suspects many other sites are equally vulnerable - not to mention all those sites that don't bother with HTTPS in the first place.

"The important point here is that adopting HTTPS can't be done as a half-measure," he said. "It must be on all the time for all the resources. Otherwise, users will be exposed to SSL stripping-types of attacks. The HTTP Strict Transport Security (HSTS) headers are intended to help sites enforce this for browsers."

"But as the Qualys SSL Labs team has found, only about one percent of sites surveyed implement it. One good thing for the future is that protocols like SPDY and HTTP 2.0 are adopting encrypted transport by default," he said. "The catch is that, like HSTS, these protocols need to become well-accepted standards and supported by browsers before we start to see any real benefit from them."
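To make the mitigations discussed above concrete (an HSTS policy, and session cookies restricted to HTTPS and kept away from JavaScript), here is an added example that is not code from the article, LinkedIn, Zimperium or Qualys: a small offline audit of constructed HTTP response headers that reports a missing or weak Strict-Transport-Security header and cookies lacking the Secure or HttpOnly attribute. The one-year minimum max-age and the includeSubDomains requirement are this example's own assumptions.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(headers: List[Header], min_age: int = 31536000) -> List[str]:
    """Flag an absent HSTS policy, a short max-age, or no includeSubDomains.
    The one-year threshold is an assumption of this example, not the article's."""
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        return ["missing Strict-Transport-Security header"]
    findings: List[str] = []
    directives = parse_hsts(hsts[0])
    try:
        max_age = int(str(directives.get("max-age", -1)))
    except ValueError:
        max_age = -1
    if max_age < min_age:
        findings.append(f"HSTS max-age {max_age} below {min_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_cookies(headers: List[Header]) -> List[str]:
    """Flag Set-Cookie headers that omit Secure (HTTPS only) or HttpOnly."""
    findings: List[str] = []
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def audit(headers: List[Header]) -> List[str]:
    """Combine both checks; an empty list means no finding."""
    return check_hsts(headers) + check_cookies(headers)


# Constructed sample responses, not captured from any real site.
WEAK = [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]
```

Running `audit(WEAK)` lists the missing HSTS header and both cookie attributes, while `audit(HARDENED)` returns an empty list.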