Researchers Quantify Fake Certificates Used in SSL Connections

Engineers at Facebook and Carnegie Mellon University quantified the number of forged certificates used in 3.5 million SSL connections with Facebook during a four-month period.

An attacker with a forged SSL certificate is quite the Internet villain these days, be he a criminal or government spy. In possession of such a cert, an attacker can easily decrypt and monitor traffic, steal credentials and other sensitive information from a network.

And with sensitivity over intelligence agency surveillance at an all-time high, any research quantifying just how bad the problem is seems to be a worthwhile exercise.

A team of engineers at Facebook along with researchers at Carnegie Mellon University did just that by designing a new detection technique for man-in-the-middle attacks over SSL on a large-scale, and then extracting data about the methods used in those attacks, including the digital certificates presented.

Of the 3.5 million SSL connections made to Facebook during a four-month period starting last December, the team determined that 6,845, or 0.2 percent, used a phony certificate. While the number is relatively small, this is just one sample on a top 10 website, indicating this might be happening on a much larger scale.

Most of the forged certificates were pretending to be antivirus and other security software firms, including firewall vendors.

“One should be wary of professional attackers that might be capable of stealing the private key of the signing certificate from antivirus vendors, which may essentially allow them to spy on the antivirus’ users (since the antivirus’ root certificate would be trusted by the client),” the researchers wrote in their report: “Analyzing Forged SSL Certificates in the Wild.” “Hypothetically, governments could also compel antivirus vendors to hand over their signing keys.”

A number of malware campaigns were also responsible for the forged certificates. The researchers called out a CA issuer called IopFailZeroAccessCreate; five forged certificates were found sharing the same public key purportedly from VeriSign.

“This was obviously a malicious attempt to create a certificate with an issuer name of a trusted CA,” the report said. “These variants provide clear evidence that attackers in the wild are generating certificates with forged issuer attributes, and even increased their sophistication during the time frame of our study.”

Most of these certificates were found in Mexico, the U.S. and Argentina; 112 man-in-the-middle attacks in all, in 45 countries, the report said.

“This shows that the particular SSL man-in-the-middle attack is occurring globally in the wild. While it is possible that all of these attacks were amateur attackers individually mounting attacks (e.g. at their local coffee shop), it is certainly odd that they happened to use forged certificates with the same subject public key,” the researchers wrote. “However, this is not so unreasonable if these attacks were mounted by malware.”

The report says that Facebook and Microsoft malware researchers were able to identify the malware family used in the attack, the affected users were notified and given a malware scan and repair instructions.

The researchers also found that certain parental control software packages were being used in forged certificates, in particular Qustodio and ParentsOnPatrol.

The paper also suggest a number of mitigations that browser vendors could deploy in order to stem the effects of such attacks; those include the use of HTTP Strict Transport Security, Public Key Pinning, TLS Origin Bound Certificates, and the validation of certificates with notaries among others.

“Our data suggest that browsers could possibly detect many of the forged certificates based on size characteristics, such as checking whether the certificate chain depth is larger than one,” the report said. “We strongly encourage popular websites, as well as mobile applications, to deploy similar mechanisms to start detecting SSL interception.”

Suggested articles