How the NSA, and your boss, can intercept and break SSL

Discussion in 'privacy general' started by lotuseclat79, Jun 10, 2013.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,088
  2. Dogbiscuit

    Dogbiscuit Guest

    The title is a bit misleading. Outside of a work environment, you would also have to ignore a certificate security warning for the interception to take place.
     
  3. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Why would this proxy's cert be in my browser?

    Rhetorical question, this is fine for employers and well known, but this doesn't apply to home users unless people have access and can install certs.

    Good reminder though, thanks.

    PD

    PS: Gibson set up a site where you can test if this is happening to you.
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Seems to me that the cert that ultimately burns you could be:

    1) One that is installed by default, intended for mischief or compromised
    2) A hidden one built into software
    3) One that somebody else was able to explicitly/manually install through access to the machine. Such as a work admin, someone else in the household, etc.
    4) One that was installed by software the user installed, where either a) the user wasn't presented with a prompt to allow it, or b) they were presented with such a prompt and they allowed it.

    I may have asked about this before but I don't recall anyone answering. Have any of you seen 4a in practice? Some AV programs do cert based MITM and if you installed one of those you should... ideally speaking... have been explicitly prompted to allow the cert install. There are also command line tools for manipulating OS and browser stores, and one could argue that those too should trigger the same type of prompt unless a configuration option has been changed to allow such silent installs. I suspect that this "prompt when other software attempts to install certs" safeguard may not be in place, but I haven't done my own homework to try to verify it.
     
  5. Dogbiscuit

    Dogbiscuit Guest

    Cybercriminals using digitally signed Java exploits to trick users

     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,693
    Any title that uses three letter acronyms is too much of a fad.
    Mrk
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    @Dogbiscuit: I'm not sure if/how that relates to 4a. That link seems to describe the use of signed Java exploits for purposes of bypassing more alarming warnings and possibly other restrictions. I meant 4a to describe a case where software running on the local machine programmatically installs a CA certificate which could then be used to MITM traffic. I haven't used Java for ages and don't know whether that possibility would exist in that environment and whether it relates to what you posted.

    One example I could point to, merely because I read of it recently, is Avast 8. As mentioned at http://public.avast.com/~tuma/techinfo/, Avast 8 inserts CA certificates in various certificate stores. Ideally speaking, I think we would NOT want it (or some other application) to be able to do so without an explicit allow/deny prompt. Perhaps the best example would be Firefox since it is a standalone application and uses its own certificate store. Some time ago Mozilla made some changes, which I assume are still in place, whereby if software programmatically attempts to install an addon Firefox will ask the user if they wish to allow the installation. It could do the same thing to protect its certificate store. Whether it does or not I don't know. Anyone who uses it and installed Avast 8 afterwards would know I think.
     
  8. Justintime123

    Justintime123 Registered Member

    Joined:
    Jun 15, 2013
    Posts:
    95
    If you think that is bad: apparently some, if not all, of the major ISPs, and who knows how many corporations, are being deceptive with so-called SSL encryption.

    HTTPS Deception
    https://www.grc.com/fingerprints.htm

    Private institutions—corporations, schools, and other organizations—have responded to this “loss of visibility” into every detail of their employees' and students' Internet usage by deploying new technology known as “HTTPS Proxy Appliances”. These devices circumvent our most basic assumption and guarantee of Internet browser privacy and security.

    Internet providers, public and private, cannot control what
    they cannot see . . . so they insist upon seeing everything.
     
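The GRC page linked above works by comparing the fingerprint of the certificate your browser receives for a site with the fingerprint of the certificate that site presents when reached from somewhere else. The script below is an added example written for this thread, not code from the thread, from GRC or from any product named in it; it does the same comparison from the command line. The reference fingerprint is an input you obtain out of band (a machine on another network, or a published fingerprint); the script deliberately hard-codes none, and the host name and argument names are this example's own choices.

```python
"""Pin a server's leaf-certificate fingerprint to detect HTTPS interception.

Added example for the thread above; not code from the thread or from GRC.
An interception proxy re-issues the site's leaf certificate under a CA that
has been installed in the local trust store, so ordinary chain validation
still succeeds. Comparing the leaf fingerprint you see with the one the site
presents elsewhere is what gives the proxy away.
"""
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Return the colon-separated, upper-case hex digest of a DER certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Strip colons and spaces so 'AB:CD' and 'abcd' compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def pin_matches(der: bytes, expected_fp: str) -> bool:
    """Compare a DER certificate against a SHA-1 (40 hex) or SHA-256 (64 hex) pin.

    The hash is picked from the pin's length: published reference pages have
    often shown SHA-1 fingerprints, while SHA-256 is the sensible choice for
    anything you record yourself.
    """
    expected = _normalize(expected_fp)
    if len(expected) == 40:
        algo = "sha1"
    elif len(expected) == 64:
        algo = "sha256"
    else:
        raise ValueError("pin must be a SHA-1 or SHA-256 hex fingerprint")
    return _normalize(fingerprint(der, algo)) == expected


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate this machine actually receives for host.

    The default context validates against the OS/Python trust store on
    purpose: if a proxy CA has been added to that store, validation passes
    and what comes back is the proxy's re-issued certificate, which is
    exactly the condition the pin comparison is meant to expose.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, expected_fp: str) -> dict:
    """Connect to host and report whether its leaf certificate matches the pin."""
    der = fetch_leaf_der(host)
    return {
        "host": host,
        "seen_sha256": fingerprint(der),
        "pin_ok": pin_matches(der, expected_fp),
    }


if __name__ == "__main__":
    # Usage (names are this example's own):
    #   python pincheck.py www.example.com <fingerprint obtained outside your network>
    # No reference fingerprint is hard-coded here because any value would be a guess.
    if len(sys.argv) != 3:
        sys.exit("usage: pincheck.py HOST EXPECTED_FINGERPRINT")
    result = check_host(sys.argv[1], sys.argv[2])
    print(result)
    if not result["pin_ok"]:
        sys.exit("MISMATCH: the certificate you received is not the one the site presents elsewhere")
```

A mismatch with the OS trust store still accepting the connection is the interesting case: it means something this machine trusts signed a certificate for that host, which is what an HTTPS proxy appliance or a locally installed AV/proxy CA does. A mismatch can also be benign (a site rotating certificates, or serving different certificates from different CDN nodes), so re-check the reference fingerprint from a second outside vantage point before concluding you are being intercepted.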