SSL and man-in-the-middle misunderstanding

by

Man-in-the-middle attacks on SSL are really only possible if one of SSL’s preconditions is broken, here are some examples;

  • The server key has been stolen – means the attacker can appear to be the server, and there is no way for the client to know.

  • The client trusts an untrustworthy CA (or one that has had it’s root key stolen) – whoever holds a trusted CA key can generate a certificate pretending to be the server and the client will trust it. With the number of CAs pre-existing in browsers today, this may be a real problem. This means that the server certificate would appear to change to another valid one, which is something most clients will hide from you.

  • The client doesn’t bother to validate the certificate correctly against its list of trusted CA’s – anyone can create a CA. With no validation, “Ben’s Cars and Certificates” will appear to be just as valid as Verisign.

  • The client has been attacked and a fake CA has been injected in his trusted root authorities – allows the attacker to generate any cert he likes, and the client will trust it. Malware tends to do this to for example redirect you to fake banking sites.

Especially #2 is rather nasty, even if you pay for a highly trusted certificate, your site will not be in any way locked to that certificate, you have to trust all CAs in the client’s browser since any of them can generate a fake cert for your site that is just as valid. It also does not require access to either the server or the client.

More Related Contents:

  1. With HTTPS, are the URL and the request headers protected as the request body is?
  2. SSL Error: unable to get local issuer certificate
  3. curl – Is data encrypted when using the –insecure option?
  4. Keygen tag in HTML5
  5. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  6. Are HTTP cookies port specific?
  7. Salt Generation and open source software
  8. Is “double hashing” a password less secure than just hashing it once?
  9. Authentication versus Authorization
  10. Where to store JWT in browser? How to protect against CSRF?
  11. Has reCaptcha been cracked / hacked / OCR’d / defeated / broken? [closed]
  12. What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
  13. Differences Between Rijndael and AES
  14. Why are porn sites appearing in my Google Analytics data?
  15. Keystore type: which one to use?
  16. Is there any possible ways to bypass cloudflare security checks?
  17. Send mail via Gmail with PowerShell V2’s Send-MailMessage
  18. Is JSONP safe to use?
  19. Using Symfony2’s AccessDeniedHandlerInterface
  20. Is it safe to enable ”Access-Control-Allow-Origin: *“ (wildcard) for a public and readonly webservice?
  21. Why not use HTTPS for everything?
  22. Where is the PEM file format specified?
  23. Difference between CSRF and X-CSRF-Token
  24. MD5 security is fine? [closed]
  25. SSO with CAS or OAuth?
  26. Best practices for server-side handling of JWT tokens [closed]
  27. How do I secure REST API calls?
  28. What are best practices for securing the admin section of a website? [closed]
  29. How can I hash passwords in postgresql?
  30. Has Hardware Lock Elision gone forever due to Spectre Mitigation?

Leave a Comment