The vulnerabilities of HTTPS and SSL/TLS

• April 7, 2014
• General

• Comment
• Facebook
• Google+
• Twitter
• Reddit
• LinkedIn

We have spent a lot of time championing HTTPS connections as one of the most basic browsing habits for good privacy protection. However, there is always a risk when talking up a security protocol: a false sense of security. With that in mind, let’s talk about the ways in which HTTPS and the SSL/TLS encryption process that makes it secure come up short.

Your main risks are related to browsing. You have reasonable assurance that from you to the website you are visiting, all the information transfer is safe. Now you just have to hope that website is 1. who you think it is and 2. will take care of the data you send them. There is never complete certainty in this regard, at least as far number 2 goes.

Even Google, the biggest internet company in the world, saw its secure user data get snooped on by the NSA without Google’s permission (not to say they didn’t sometimes also give permission, but in this case they had no clue it was going on). As far as number 1 goes, you have to employ a mixture of discretion and common sense. Just because you were sure Google was Google, you wouldn’t just turn over your most sensitive information for no particular reason. The key here is not to get a false sense of security just because you have secured your communications from hackers.

Security experts, even before the Internet, would point out the true weakness in this process. There is a third party in the process! This third party, the certificate authority, can completely undermine your security if they aren’t trustworthy. Everything can be immune to cryptographic attacks, you and the website you visit can be totally virtuous, and the certificate authority could betray things so badly that all the precautions were a waste of time. Here’s a simplified diagram of what’s going on.

We mentioned the NSA already, but it should be stated outright that governments can compel certificate authorities to issue false certificates. This whole system is designed to detect false certificates, but that system is built around the credibility of certificate authorities. Much of the NSA scandal involved data collection of HTTP traffic, since that was low-hanging fruit. This is much less possible today than it was a few years ago due to a new measure implemented by Google in Chrome, which has since been a part of Firefox and Internet Explorer.

See, the way the certificate authority “tells” you that the certificate is legitimate is actually rather indirect. Your web browser has to have familiarity with the reputable certificate authorities and what their certificates look like. So, in reality the certificate authority isn’t sending the certificate each time you interact with a website. The website sends the authority-issued certificate to you themselves and your browser checks it against its list of reputable providers. Here’s a revised, slightly more complex chart.

In 2011, a certificate authority was hacked by what is believed to be an attacker from the Iranian government. With this access, the hacker used the completely valid credentials of the webmaster to create completely valid certificates for forging a website and taking user information. It worked. The attacker then became a “man in the middle” and was able to send valid certificates to the user, making it possible to decrypt the encrypted information _and _make the user unaware that somebody other than the desired website had received their information.

There were some other factors involved, too, so it wasn’t necessarily an attack that any wiz kid in his or her parents’ basement could pull off. It isn’t exactly easy to hack a certificate authority and the compromised account was that of a southern European partner that was not an official arm of the company, but just affiliated. What Google implemented was that before a certificate could be fully trusted, it needed:

• To be “signed” by a trusted certificate authority
• To be sent from the same domain that the certificate was issued to (I can’t send Google.com certificates)
• Google has seen it on the web before while it indexes for its search engine

This is important because the aforementioned attack only satisfied the first two conditions, which were the only two original conditions. The third condition, added by Google, provides an extra layer of security. In the certificate authority hack, the certificates were valid but they didn’t have administrative access to Google, Yahoo, Skype, Mozilla, and Hotmail (these are the places the certificates were issued for). Had the third aspect been there before the attack, it wouldn’t have worked. The browser would have red-flagged the certificate because it had never been published on the web before. It basically requires both the certificate authority and the website for which the certificate is issued to endorse the certificate.

The only way to pull off an attack like this would be to hack both the certificate authority and the website whose certificate you want to fake. If hacking the website was that easy, the attacker wouldn’t be bothering with fake certificates or man in the middle attacks. The information sent to the website is what they’re looking for, after all! The Electronic Frontier Foundation, a group to which Getting Things Tech donates and supports, had spoken publicly about this vulnerability in 2010, a year before the attack. It would be a good idea to check in with them to always stay up to date on these issues.

Another point of vulnerability regards parts of this process that just take for granted. Some of the NSA revelations revealed a more novel way that surveillance agencies were performing “man in the middle” attacks, possibly due to the changes in the way certificates are accepted by browsers. Apparently, the NSA was able to hack into routers of specific people or perhaps the lines delivering home internet service to multitudes of people. From there, they would direct the internet traffic of their targets to their man in the middle and impersonate internet giants like Google, Yahoo, and Microsoft.

It isn’t clear how they managed to get a valid security certificate based on the leaks; it may have been before those changes in how browsers validate certificates. Perhaps it is the case that they had compromised a certificate authority. Most speculation is that the NSA was interested in infiltrating the Tor network in these operations, but that remains just speculation. Either way, one must keep in mind that HTTPS alone isn’t going to secure you from an entity with as much sway as the US federal government.

All in all, these flaws still represent a huge upgrade over HTTP. Hopefully, humanity continues to demand privacy on the internet and these important holes are patched, whether that is by improving upon HTTPS or replacing it entirely. Until then, choose HTTPS, but do it wisely.

Featured image by Chad Cooper (Flickr).

• browser
• internet
• privacy

COMMENTS