Who and how is using forged SSL certificates worldwide?

Pierluigi Paganini May 13, 2014

Who is abusing of forged SSL certificates in MITM attacks worldwide? A team of researchers implemented a new detection technique to detect the abuses.

A team of researchers at Carnegie Mellon University and engineers at Facebook have designed a detection technique for man-in-the-middle attacks over SSL on a large-scale. They analyzed the data extracting useful information, including the data related to digital certificates presented, about the methods used the attacks.

The researchers analyzed nearly 3.5 million SSL connections made to Facebook during a four-month period started in December 2013. They discovered that 6,845, corresponding to 0.2 percent of all connections used fake SSL certificates with the intent to syphon data. This data is just related to Facebook, this means that something quite similar is happening for connections to other popular websites.

It is a common practice of cyber criminal ecosystem to use fake SSL certificates for bogus websites impersonating legitimate web services like e-commerce, payment platform and social networks. The attackers usually use self-signed digital certificates or stolen certificate that is accepted as valid by most browsers.

As explained in the paper the group of expert used a Flash Player plug-in to capture forged SSL certificates:
” We utilized the widely-supported Flash Player plugin to enable socket functionalities not natively present in current browsers, and implemented a partial SSL handshake on our own to capture forged certificates. We deployed this detection mechanism on an Alexa top 10 website, Facebook, which terminates connections through a diverse set of network operators across the world. We analyzed 3;447;719 real-world SSL connections and successfully discovered at least 6;845
(0:2%) of them were forged SSL certificates” report the paper related to the research.
Principal browsers display a warning message when encountering errors during SSL certificate validation, but users anyway can decide to proceed. This is the typical scenario for fake SSL connections which triggers a certificate warning, mostly caused by server mis-configurations, but the alert is often ignored by users that trust forged SSL certificates.
In this scenario, an attacker can impersonate any legitimate website performing an SSL man-in-the-middle attack in order to eavesdrop encrypted communication.

fake digital SSL certificates detection MITM
In the following image the website loads a client-side applet, that performs the SSL handshake over a Flash-based socket connection to observe SSL certificates. On the other end attackers may restrict Flash-based sockets by blocking the socket policy request (for example, whitelisting TCP ports 80 and 443 to only allow web traffic), thus not allowing the Flash Player to retrieve a valid socket policy file from socket policy servers (over port 843) used by researchers.
fake digital SSL certificates detection
Attackers use to forge SSL certificates with name of legitimate issuer organizations, such as VeriSign, Comodo.
As described in the study, many organizations issue forge certificates for their operations like Antivirus (e.g. Bitdefender, ESET, BullGuard, Kaspersky Lab), Firewall and Parental Control Software.
“However, if any antivirus software enabled SSL interception by default, we would expect a higher number of their forged certificates observed. Note that the observed antivirus-related certificate
counts are not representative of the general antivirus usage share of the website’s users, since SSL interception is often an optional feature in these products. However, if any antivirus software enabled SSL interception by default, we would expect a higher number of their forged certificates observed. 
Supposing that these users intentionally installed the antivirus software on their hosts, and deliberately turned on SSL scanning, then these antivirus-generated SSL certificates would be less alarming. However, one should be wary of professional attackers that might be capable of stealing the private key of the signing certificate from antivirus vendors, which may essentially allow them to spy on the antivirus’ users (since the antivirus’ root certificate would be trusted by the client). Hypothetically, governments could also compel antivirus vendors to hand over their
signing keys.”
The researchers also noticed self-signed digital certificates generated by malicious code, it is the case of a digital certificate named as ‘IopFailZeroAccessCreate’, which was generated by some malware and using as name of Certificate issuer VeriSign Class 4 Public Primary CA.
“This was obviously a malicious attempt to create a certificate with an issuer name of a trusted CA. These variants provide clear evidence that attackers in the wild are generating certificates with forged issuer attributes, and even increased their sophistication during the time frame of our study.” said the researchers.
Malware forges ‘IopFailZeroAccessCreate’ digital certificates were discovered 112 man-in-the-middle attacks in more than 45 different countries, mainly United States, Mexico and Argentina.
fake digital SSL certificates detection malware


“This shows that the particular SSL man-in-the-middle attack is occurring globally in the wild. While it is possible that all of these attacks were amateur attackers individually mounting attacks (e.g. at their local coffee shop), it is certainly odd that they happened to use forged certificates with the same subject public key,” the researchers wrote. “However, this is not so unreasonable if these attacks were mounted by malware.”

The paper suggests different mitigations methods that browser vendors could implement to mitigate the cyber threat, including the adoption of HTTP Strict Transport Security, Public Key Pinning, TLS Origin Bound Certificates, and the validation of certificates with notaries.

“Our data suggest that browsers could possibly detect many of the forged certificates based on size characteristics, such as checking whether the certificate chain depth is larger than one,” the report said. “We strongly encourage popular websites, as well as mobile applications, to deploy similar mechanisms to start detecting SSL interception.”

Pierluigi Paganini

(Security Affairs –  SSL certificates, Man-In-The-Middle)

you might also like

leave a comment