Though the threat has been recognized in theory for some time, researchers have now found direct evidence that bogus digital certificates, not issued or authorized by the legitimate site owners, have been used to establish seemingly secure HTTPS connections.
The findings are significant because they establish a baseline for the amount of tampering affecting the HTTPS system that millions of websites use to authenticate encrypted connections and protect potentially sensitive data from interception in man-in-the-middle (MitM) attacks.
The researchers looked at HTTPS connections to Facebook specifically, sampling some 3.45 million real-world connections made to the social media platform’s servers using the transport layer security (TLS) or secure sockets layer (SSL) protocols.
“Our results indicate that 0.2% of the SSL connections analyzed were tampered with forged SSL certificates, most of them related to antivirus software and corporate-scale content filters. We have also identified some SSL connections intercepted by malware,” the report states.
The researchers found that most of the unauthorized certificates were presented to systems running antivirus programs from vendors including Eset and Bitdefender, among others, while commercial firewall and network security appliances were the second most common source of the bogus certificates detected.
“Since the attacker’s certificates were signed by trusted CAs, standard browsers cannot simply distinguish the attacker’s intercepting server from the legitimate server (unless the forged certificate is later revoked). Hypothetically, some governments may also compel CAs to issue trusted SSL certificates for spying purposes without the website’s consent,” the researchers noted.
“One should be wary of professional attackers that might be capable of stealing the private key of the signing certificate from antivirus vendors, which may essentially allow them to spy on the antivirus users (since the antivirus root certificate would be trusted by the client). Hypothetically, governments could also compel antivirus vendors to hand over their signing keys.”
The researchers also found forged certificates being issued by adware and malware in an effort to expose user login credentials and inject illicit banner ads into what is expected to be encrypted traffic. These typically don't trigger browser warnings because the malware installs its own root certificate after making administrator-level changes to the targeted system.
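The detection problem the report describes, an interceptor whose certificate chains to a root the client already trusts (an antivirus or corporate-filter root, or one dropped by malware), cannot be solved by ordinary chain validation. A site owner can instead publish the SHA-256 hashes of the public keys it actually deploys (public-key pinning) and let a client compare the leaf key it was handed against those pins. The following is an added example, not the researchers' code or any browser's implementation; all certificate data, host names, issuer names and the `LOCAL_INTERCEPTOR_MARKERS` list are constructed for illustration.

```python
"""Classify an observed TLS leaf certificate against the site owner's expected
public-key pins. Added example, not the study's code; all data is constructed."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedCert:
    """Fields a client can read from the leaf certificate it was presented."""
    subject_cn: str
    issuer_cn: str
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo of the leaf key


def spki_pin(spki_der: bytes) -> str:
    """HPKP/Chrome-style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed: the site owner publishes pins for the keys it really deploys.
EXPECTED_PINS = {
    "www.example.test": {
        spki_pin(b"constructed-spki-example-key-1"),
        spki_pin(b"constructed-spki-example-key-2"),
    },
}

# Constructed: issuer-name fragments that identify locally installed
# interception roots (antivirus products, corporate content filters), which
# the study found to be the bulk of forged certificates.
LOCAL_INTERCEPTOR_MARKERS = ("antivirus", "content filter", "web security")


def classify(cert: ObservedCert, expected_pins=EXPECTED_PINS) -> str:
    """Return one of:
    'pinned'             - leaf key matches a published pin; no interception
    'local-interception' - key mismatch and the issuer looks like a local proxy root
    'unknown-forgery'    - key mismatch from an issuer we cannot account for
    'unpinned-host'      - no pins known for this host; cannot decide
    """
    pins = expected_pins.get(cert.subject_cn)
    if pins is None:
        return "unpinned-host"
    if spki_pin(cert.spki_der) in pins:
        return "pinned"
    issuer = cert.issuer_cn.lower()
    if any(marker in issuer for marker in LOCAL_INTERCEPTOR_MARKERS):
        return "local-interception"
    return "unknown-forgery"


def summarize(certs) -> dict:
    """Count classifications over a sample of observed connections."""
    counts = {}
    for cert in certs:
        label = classify(cert)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample of observed connections to the pinned host.
SAMPLE = [
    ObservedCert("www.example.test", "Example CA Intermediate",
                 b"constructed-spki-example-key-1"),
    ObservedCert("www.example.test", "Example CA Intermediate",
                 b"constructed-spki-example-key-2"),
    ObservedCert("www.example.test", "Acme Antivirus Personal Root",
                 b"constructed-spki-av-proxy"),
    ObservedCert("www.example.test", "Corp Content Filter CA",
                 b"constructed-spki-corp-proxy"),
    ObservedCert("www.example.test", "Some Trusted Public CA",
                 b"constructed-spki-unexpected"),
    ObservedCert("other.example.test", "Example CA Intermediate",
                 b"constructed-spki-other"),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(f"{label:20s} {count}")
```

The key design point is that the pin check never consults the issuer: whether a mismatched certificate was signed by an antivirus root, a corporate proxy, a public CA or a malware-installed root, it fails the same way. The issuer-name heuristic is applied only afterwards, to explain a failure for reporting, which mirrors how the study separated antivirus and content-filter interception from malware. A pin failure on a host the user controls (for example, their own antivirus) is still a pin failure; deciding whether that interception is acceptable is a policy question for the operator, not something the check should silently guess.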