SSL is a crucial technology for assuring confidential communications between computer systems. When properly implemented, SSL is, for the most part, secure, but as we saw recently with Apple’s SSL/TLS snafu, one slight programming error can make this security an illusion.
In Apple’s case, a duplicated line of code altered the program flow such that the signature within a ServerKeyExchange was never validated, but most SSL failures are much easier to understand and exploit. The more typical scenario occurs when a developer fails to validate that a certificate is from a trusted authority, thereby allowing traditional SSL man-in-the-middle attacks.
With a web browser, it is generally quite easy to recognize when a third party is tampering with a secure connection. This is due to warning pages presented by browsers when something is fishy with the SSL certificate, such as a certificate that has not been signed by a trusted authority.
Mobile applications, on the other hand, cannot always be counted on to display such a warning or even recognize when something is amiss. This is why I set up an SSL MITM test lab for my Android devices. Although there are many methodologies for confirming whether an app properly validates SSL certificates, my preference is to route traffic through a VPN configured to redirect TCP/443 to Moxie Marlinspike’s excellent and easy-to-use sslsniff utility.
With this approach, I’ve found that apps already running on my phone could be subverted to gain access to my Google account, payment card details, location data, and even my car!
So, without further delay, here is my step-by-step guide:
- Install a Linux distribution of your choice.
  (*) I am using Ubuntu 12.04 hosted on Digital Ocean’s $5/month VPS.
- Configure the server as a VPN gateway.
  (*) PPTP is easy to set up, as documented by both Ubuntu and Digital Ocean.
- Install Moxie’s sslsniff. It is easy to build from source or install from a repo (i.e. apt-get install sslsniff).
- Per the instructions for sslsniff, enable an iptables rule to redirect SSL traffic.
  (*) iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 4443
- Run sslsniff as described in the README. Running in authoritative mode (-a) is a good starting point.
  (*) sslsniff -a -s 4443 -w /tmp/sslsniff.log -c /usr/share/sslsniff/certs/wildcard
- Connect the Android device to the VPN using the credentials configured in step 2.
  (*) Typically Settings -> Wireless & Networks -> More -> VPN, then touch the ‘+’ at the top right.
- Monitor the sslsniff output file specified with the ‘-w’ flag.
  (*) tail -f /tmp/sslsniff.log
From here, you can test your setup by opening the browser on your Android device, going to https://www.tripwire.com/ and verifying that a certificate error is presented. The sslsniff log should reflect a failed connection attempt similar to the following:
- 1395677268 DEBUG sslsniff : SSL Accept Failed!
- 1395677268 DEBUG sslsniff : Got exception: Error with SSL connection…
The test environment is now ready. When running an app that is vulnerable to SSL MITM, you will see complete requests and responses logged by sslsniff. Should you find an app that exposes sensitive information, please be kind and report the issue to the app developer so it can be addressed.
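The developer mistake this lab exposes, as an added Java example (not code from the original post): an HttpsURLConnection client whose custom TrustManager and HostnameVerifier accept anything, beside the form that keeps the platform’s default validation. The URL is the test address used above; the class and method names are my own.

```java
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationExample {

    // VULNERABLE: the pattern the lab above detects. checkServerTrusted() never
    // throws, so any chain is accepted, including sslsniff's wildcard certificate,
    // and the permissive HostnameVerifier removes the remaining name check.
    static HttpsURLConnection openWithoutValidation(URL url) throws Exception {
        TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // HARDENED: leave chain and hostname validation to the platform defaults.
    // Through the lab above this throws SSLHandshakeException and sslsniff logs
    // "SSL Accept Failed!", which is the result you want to see for your own app.
    static HttpsURLConnection openWithValidation(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://www.tripwire.com/");
        try {
            openWithValidation(url).getResponseCode();
            System.out.println("validated connection succeeded (no interception)");
        } catch (SSLHandshakeException e) {
            System.out.println("validated connection refused the certificate: " + e.getMessage());
        }
    }
}
```

Run main() once directly and once through the VPN lab; only the second run should end in the SSLHandshakeException branch, and any app code resembling openWithoutValidation() will show full requests in the sslsniff log instead.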