In association with heise online

Putting things into perspective

Students at the Carnegie Mellon School of Computer Science have dreamed up a new way to help end users get secure internet connections. The basic point is that current browsers very often quibble about certificates that only in the rarest cases actually conceal an attack, so the plan is to detect those rare cases and confine the warnings to them.

Eavesdropping on encrypted data transmissions is usually done with a "man-in-the-middle" (MITM) attack, in which the interloper insinuates himself into the connection between user and web site. He can do this without being noticed by the user if the browser doesn't do a proper check on the identity of the web site.

MITM attacks normally require the attacker to divert the connection via himself, and this is usually only possible locally, by ARP spoofing on a company network or WLAN, for example, or with domain name system (DNS) cache poisoning for users of a poisoned DNS server. Users elsewhere on the internet will continue to see the regular site and its certificate.

If several "notaries" see the same key over a prolonged period, you can be fairly certain there's no man in the middle.
The Perspectives project relies on observers spread around the internet, who can identify such local manipulations by comparing the fingerprints of the certificates currently offered by the site with each other, and with those of recent days.

Specifically, Perspectives offers a Firefox add-on that consults four "network notary servers" about certificates that Firefox deems invalid. These notaries are special servers now being operated by American universities. If at least three of them see the same certificate as the user, the add-on assumes it's correct, creates a temporary exception, and skips the browser's warning. That exception rule is discarded when the browser session ends.

Once a web site has been queried, it is monitored continuously so that constancy over time, after the initial phase, becomes part of the analysis. We should say clearly here that this idea isn't the answer to everything, because it skips error messages without a further check even if, for example, a compromised certificate has been blocked by its issuer. Paradoxically, Perspectives may warn of an attack just when the server operator replaces an insecure certificate with a new and more secure one.
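The decision described in the last two paragraphs (a quorum of three out of four notaries, plus constancy over time), as an added sketch that is not the Perspectives add-on's own code. The reply format, the function names, the `minDuration` and `maxStale` thresholds and the fingerprints are assumptions made for illustration.

```javascript
// Added example: data shapes, names and thresholds are assumptions.
const DAY = 24 * 60 * 60 * 1000;

// Most recent observation a notary holds for the host, or null if it has none
// that is fresher than maxStale (an unreachable notary sends history: null).
function currentKey(history, now, maxStale) {
  if (!history || history.length === 0) return null;
  const latest = history.reduce((a, b) => (b.end > a.end ? b : a));
  return now - latest.end <= maxStale ? latest : null;
}

// replies: [{ notary, history: [{ fp, start, end }] or null }]
function evaluate(replies, offeredFp, now, opts = {}) {
  const { quorum = 3, minDuration = 0, maxStale = 2 * DAY } = opts;
  const seen = replies.map(r => currentKey(r.history, now, maxStale)).filter(Boolean);

  const agreeing = seen.filter(o => o.fp === offeredFp);
  if (agreeing.length >= quorum) {
    // Constancy over time: enough notaries must have seen this key long enough.
    const stable = agreeing.filter(o => o.end - o.start >= minDuration);
    return stable.length >= quorum
      ? { decision: "accept", reason: "quorum-consistent" }
      : { decision: "warn", reason: "key-recently-changed" };
  }

  // Do the notaries agree with each other on a key the user is not being shown?
  const counts = new Map();
  for (const o of seen) {
    if (o.fp !== offeredFp) counts.set(o.fp, (counts.get(o.fp) || 0) + 1);
  }
  const elsewhere = [...counts.values()].some(n => n >= quorum);
  return { decision: "warn", reason: elsewhere ? "notaries-see-different-key" : "no-quorum" };
}

// Constructed sample data: four notaries, placeholder fingerprints.
const NOW = Date.UTC(2008, 8, 15);
const STABLE = ["n1", "n2", "n3", "n4"].map(notary => ({
  notary,
  history: [{ fp: "aa:11", start: NOW - 60 * DAY, end: NOW - DAY / 2 }],
}));
// The operator replaced the certificate one day ago.
const ROTATED = STABLE.map(r => ({
  notary: r.notary,
  history: [{ fp: "aa:11", start: NOW - 60 * DAY, end: NOW - 2 * DAY },
            { fp: "bb:22", start: NOW - DAY, end: NOW - DAY / 4 }],
}));

console.log(evaluate(STABLE, "aa:11", NOW, { minDuration: 7 * DAY }));
console.log(evaluate(STABLE, "ee:ff", NOW));
console.log(evaluate(ROTATED, "bb:22", NOW, { minDuration: 7 * DAY }));
```

The third call shows the paradox mentioned above: a freshly replaced certificate is seen by every notary, yet fails the duration requirement and produces a warning.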

Furthermore, this add-on facilitates phishing attacks that hide behind SSL. That's because having to acquire a valid SSL certificate is to some extent a barrier, and this barrier is lost if every globally visible certificate is given a free pass. But if, like most users, you practically always ignore errors in certificates, you'll be better off with the Perspectives add-on, because you can at least ask for an outside opinion first. If you also disable the handy, but risky, automatic skipping of browser error messages, you'll get a real gain in security.

Revocation

It turns out in practice that the system for revoking certificates doesn't actually work. For a year and a half, due to an error in the cryptographic library, Debian systems generated SSL certificates whose keys are easy to guess. This led to thousands of servers using weak SSL certificates, and their operators had to revoke them when the problem became known.

Since version 3, Firefox by default checks the status of certificates that contain a URL for the online certificate status protocol (OCSP). Unfortunately, as our tests have shown, these are still in the minority. One of the biggest German CAs, for example, the Deutsche Telekom T-Systems Trust Center, is still issuing new certificates without an OCSP URL. Although they contain a URL for the CA's certificate revocation list (CRL distribution point), Firefox can't do anything with it.

Only Internet Explorer 7 running under Vista analyses CRLs by default. With Firefox, you now have to locate each individual CRL and enter it by hand, which is practically impossible. The fact that Mozilla's developers still haven't incorporated a test for weak certificates is also a real deficiency, because even revoked certificates can still be misused by faked web sites if they show no OCSP URL.

Using a weak revoked T-Systems certificate, heise Security was able to intercept the transmission of a credit-card number to T-Pay, without the user seeing a warning from Firefox 3. Into this breach jumps the SSL Blacklist add-on by Márton Anka, which detects and reports on weak certificates. As an add-on, it has no handle on setting up the SSL connection, but only comes into play after data have already been sent, i.e. after the horse may have bolted. A clean solution would have to be integrated into Mozilla's cryptographic infrastructure, i.e. network security services (NSS). But Anka's Blacklist add-on also shows up certificates that use the untrustworthy MD5 hash algorithm.

Nearly a year after the Debian debacle, shops are still using weak SSL certificates.

So the three-point plan for secure online shopping with Firefox 3 goes like this. First, install SSL Blacklist with local Blacklist databases. Although this involves a 30-MB download, it's more secure than a DNS lookup. Second, set up Perspectives and disable automatic skipping of security warnings. That enables you to find additional information about certificate errors and, where appropriate, create exceptions with a clear conscience. The third step, to make it easier for you to recognize encrypted connections, is to enable improved SSL site identification. All of this should be combined with a healthy helping of distrust – especially of things that are too good to be true.

(ju)

This article originally appeared in c't 20/08 p. 162

Permalink: http://h-online.com/-746231