Some funny SSL stuff

Author: Martin Voelk
February 13, 2016

Everyone knows that you shouldn’t use self-signed certificates because they are not trusted by browsers natively and generate an error message. If users get used to accepting untrusted certificates, they won’t know the difference between a self-signed certificate and a man-in-the-middle attack. I think most admins are clear about that. This is why there are CAs like Verisign, Comodo, GoDaddy and so on.

But when it comes to Google, everything is funny. Many people don’t know that Google runs its own CAs, and so it must be natively trusted, right, because it’s Google?!? This is, unfortunately, what the Internet has become. A company just needs to grow big enough and then form its own trusted CA, and every browser trusts it natively. German Telecom is the same thing.

No user would trust company X with a self-signed certificate over their portal login. Yet if it’s Google or YouTube, all is nicely signed by themselves and the little green lock shows in the browser. All good and safe 🙂 Happy Internet



SSL and Man in the Middle (MITM)

Author: Martin Voelk
November 27, 2014

Businesses and individuals seem to think HTTPS = SSL = SECURE. The truth couldn’t be further from that. If you see a green lock in your browser, all that says is that it’s a validated “good” certificate. It doesn’t mean that you are actually connecting to the server you expect to connect to. There could be a nice SSL interception proxy between your browser and the actual server. A classic company providing those appliances is BlueCoat. The BlueCoat will then do the SSL connection with the actual destination server, whereas your browser is unknowingly only doing SSL to the BlueCoat. If your company has set up the proxy correctly, you won’t know anything is off, because they’ll have arranged to have the proxy’s internal SSL certificate registered on your machine as a valid certificate.
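Because the proxy's certificate validates just like the real one, the green lock cannot tell the two apart; the issuer can. The following check is an added example, not code from the original post: it compares the certificate a machine is shown with a baseline recorded from a network known to be clean. The function names, the whole-certificate SHA-256 fingerprint and the sample issuers are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
import socket
import ssl


def issuer_field(cert, key):
    """Pull one value out of the issuer tuple returned by getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def summarize(cert, der):
    return {
        "issuer_org": issuer_field(cert, "organizationName"),
        "issuer_cn": issuer_field(cert, "commonName"),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def observe(host, port=443, timeout=5):
    # Validates against the local trust store, so a proxy whose CA was
    # installed on this machine passes here exactly as it does in the browser.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return summarize(tls.getpeercert(), tls.getpeercert(binary_form=True))


def classify(seen, baseline):
    """Compare what this machine was shown with the clean-network baseline."""
    if seen["sha256"] == baseline["sha256"]:
        return "same-certificate"
    names = ("issuer_org", "issuer_cn")
    if all(seen[n] == baseline[n] for n in names):
        # Issuer names unchanged: usually a routine renewal. Names alone are
        # not proof of the same CA, so re-baseline from the clean network.
        return "reissued-by-same-ca"
    return "different-issuer"  # consistent with an interception proxy


# Constructed sample data (not real certificates): getpeercert()-style dicts
# and placeholder bytes standing in for the DER encodings.
ORIGIN = ({"issuer": ((("organizationName", "Example Public CA"),),
                      (("commonName", "Example Public CA G1"),))}, b"origin-leaf")
PROXY = ({"issuer": ((("organizationName", "Corp IT"),),
                     (("commonName", "Corp Inspection CA"),))}, b"proxy-leaf")
```

On a live network, `classify(observe(host), baseline)` performs the same comparison against the certificate actually presented for `host`.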

So you can guess what happens in the middle? Clear text, and all your data is visible. Who can install those boxes? Service providers, governments, your company. Pretty much anyone in the middle of that connection. Whilst ordinary hackers can’t just set up ISPs and deploy BlueCoat SSL proxies, hackers increasingly target networks to hack into those BlueCoat boxes. Others have purchased the equipment and deployed it for them.

This is the real risk, especially when those networks are easy to enter, as we unfortunately find in many of our penetration tests. Surveillance is questionable but has its need when it comes to combating terrorism and the like. However, it’s important that the surveillance appliances are secured from hackers, because otherwise the data could really get into the wrong hands.