The last year has produced a rogues’ gallery of vulnerabilities in transport layer security implementations and new attacks on the key protocols, from Heartbleed to the Apple gotofail flaw to the recent POODLE attack. To help developers and security researchers identify applications that are vulnerable to known SSL/TLS attacks and configuration problems, Google is releasing a tool that checks for these problems.
The tool, called nogotofail, allows developers to set up an infrastructure through which they can run known attacks against the target application. It can execute various attacks that require a man-in-the-middle position, which is one of the key components of many of the known attacks on SSL/TLS, including POODLE, BEAST and others.
“The core of nogotofail is the on path network MiTM named nogotofail.mitm that intercepts TCP traffic. It is designed to primarily run on path and centers around a set of handlers for each connection which are responsible for actively modifying traffic to test for vulnerabilities or passively look for issues. nogotofail is completely port agnostic and instead detects vulnerable traffic using DPI instead of based on port numbers. Additionally, because it uses DPI, it is capable of testing TLS/SSL traffic in protocols that use STARTTLS,” the tool’s documentation says.
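The port-agnostic detection described in the documentation can be illustrated with a short sketch. This is an added example, not nogotofail's own code: the function names are hypothetical and the sample streams are constructed. It finds a TLS ClientHello by its byte structure at any offset in the client's stream, so it also works after a plaintext STARTTLS preamble, and reports the protocol version the client offers.

```python
import struct
from typing import Optional, Tuple

# Protocol versions as they appear on the wire (major, minor packed as uint16).
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(buf: bytes) -> Optional[str]:
    """Return the offered version name if buf starts with a ClientHello, else None."""
    if len(buf) < 11:
        return None
    ctype, rec_ver, rec_len = struct.unpack("!BHH", buf[:5])
    hs_type, hs_len = buf[5], int.from_bytes(buf[6:9], "big")
    client_ver = int.from_bytes(buf[9:11], "big")
    if ctype != 0x16 or hs_type != 0x01:      # handshake record carrying a ClientHello
        return None
    if rec_ver not in VERSIONS or not 6 <= rec_len <= 2 ** 14:
        return None
    if hs_len + 4 > rec_len:                  # assumption: the hello is not fragmented
        return None
    # TLS 1.3 clients also send 0x0303 here and negotiate via an extension.
    return VERSIONS.get(client_ver)

def find_client_hello(stream: bytes) -> Optional[Tuple[int, str]]:
    """Scan client-to-server bytes for a ClientHello at any offset, ignoring the port."""
    for off in range(len(stream) - 10):
        if stream[off] == 0x16:
            version = parse_client_hello(stream[off:])
            if version:
                return off, version
    return None

def build_hello(client_ver: int) -> bytes:
    """Constructed sample: a minimal ClientHello offering one cipher suite."""
    body = struct.pack("!H32xBHHBB", client_ver, 0, 2, 0x002F, 1, 0)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, min(client_ver, 0x0301), len(handshake)) + handshake

SMTP_PREFIX = b"EHLO client.example\r\nSTARTTLS\r\n"  # constructed plaintext preamble

if __name__ == "__main__":
    samples = [("smtp + starttls", SMTP_PREFIX + build_hello(0x0300)),
               ("tls on an odd port", build_hello(0x0303)),
               ("plain http", b"GET / HTTP/1.1\r\n\r\n")]
    for name, stream in samples:
        print(f"{name}: {find_client_hello(stream)}")
```

A client whose hello reports SSLv3 as its highest version is the kind of finding a passive handler would flag for follow-up.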
Google’s security team designed nogotofail to work on essentially any client that connects to the Internet.
“The Android Security Team has built a tool, called nogotofail, that provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations. Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet. There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy,” Chad Brubaker of the Android security team wrote in a blog post.
Transport layer security protocols such as SSL and TLS are designed to protect the confidentiality of information in transit. The SSL protocol is old and has been the target of a number of attacks in recent years. TLS is the successor to SSL and is considered more robust and resistant to attack, but the newer versions of TLS are not as widely supported as much older versions of SSL are.
One of the things that makes attacks on SSL/TLS so problematic is that users typically don’t know that the attacks are taking place. An online banking or shopping connection that a user thinks is secure can be compromised quietly by an attacker, who can steal confidential data, such as credentials or payment card information. The Google nogotofail tool will help developers identify the weak spots in their applications’ implementations before an attacker can take advantage.
“We’ve been using this tool ourselves for some time and have worked with many developers to improve the security of their apps. But we want the use of TLS/SSL to advance as quickly as possible,” Brubaker wrote.
The nogotofail tool is on GitHub as an open source project.