Iranian Hackers Claim They Compromised NASA SSL Digital Certificate

Discussion in 'privacy general' started by Trooper, May 21, 2012.

Thread Status:
Not open for further replies.
  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Story here.

    Apologies if someone posted this already.
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Just another example of how badly broken SSL is. And the guys who did this and the Comodo hack are amateur script kiddies.
     
  3. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    To be fair NASA has an abysmal track record when it comes to cyber security. Something like this wouldn't surprise me.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Based on what?
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Based on Moxie Marlinspike's outing of the Comodo hacker. Comodo released a statement saying it was a "very sophisticated attack from Iran, we suspect the Iranian government." Comodo released the IP addresses of the people involved to prove to everyone that it really was Iran. You know, they wanted to prove that only a sophisticated state actor could ever hack their very awesome security.

    Marlinspike is a well known SSL researcher (and critic) and author of various SSL hacking tools like sslstrip and sslsniff. He checked his weblogs and discovered that the exact IP address Comodo released had visited his site the day after Comodo was hacked. What did this IP address do? It downloaded sslsniff. He checked his referrer log to see what webpages this IP was on before it visited his site and found that the person had just visited a YouTube video on "how to hack SSL." The video recommended sslstrip, so the guy went to Marlinspike's website to download it. Other interesting things are that the guy was running Windows XP and had his browser language set to English.

    Moxie told this story at Black Hat 2011 and the crowd basically was ROFL'ing the entire time. He proved that the Comodo hack was not done by some sophisticated Iranian government crew, but by a kid who was literally a script kiddie (the very definition of a script kiddie actually).

    So what does it say when one of the world's largest CAs gets hacked by a kid running Windows XP who watches hacker training videos on YouTube? It says we have major problems in trusting these CAs to give a **** about anything other than turning a quick profit.

    You can watch the entire talk he gave about this on YouTube here:

    https://www.youtube.com/watch?v=Z7Wl2FW2TcA

    It is pretty awesome and well worth the hour. He talks about the Comodo hack and then discusses how SSL was invented and who invented it (a very interesting story in itself). Then he talks about how badly it sucks and proposes a Firefox add-on he wrote to help mitigate the issues.

    I recommend starting the video at 5 minutes in because he is telling jokes until then.
     
  6. hashed

    hashed Registered Member

    Joined:
    May 5, 2012
    Posts:
    53
    I presume you are referring to "Convergence"? Do you actually run it? I uninstalled it because it just didn't work for me at all. I am using Perspectives instead, even though it's not perfect either.

    ~h
     
    Last edited: May 26, 2012
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Great, thanks. I hadn't heard anything about this.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    How can I get 1 source of reliable digital certificates?
     
  9. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    276
    Location:
    USA
    +1. Also, how can I verify the ones already on my system (there are a lot) are "good"?
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Exactly, short of posting what's on my IE and on FF I have no idea how to verify existing ones.

    What authority is responsible for this allocation of powers to issue security certificates to vendors like Microsoft and Comodo etc?

    Where does the power lie?
     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    The power lies with the CAs, of which there are over 600. If any CA goes rogue or gets hacked, any cert it issues can be used to MiTM any website on the Internet (as long as your browser recognizes that CA as a legit one). That's why SSL is broken -- all it takes is one CA to be compromised to ruin SSL for everyone.

    As for which CAs your browser accepts, that is up to the browser vendors and they differ. Microsoft is very liberal with IE and allows a lot more CAs in its trusted store than what Mozilla or Google do.

    The best protection is to use Convergence. It will use various computers around the world to make sure that all of them see the same cert (and you have the choice of picking which remote machines you trust to do this). Then it stores the cert locally on your machine and checks to make sure it doesn't change the next visit (so that it doesn't have to waste bandwidth to check each time). This is good protection against MiTM or rogue certs, and about as close to 100% protection as you can get.
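    To make the notary model described above concrete, here is an added simulation (not code from the thread or from the Convergence project) of the two steps chronomatic describes: ask several notaries whether they see the same certificate fingerprint you see, then pin the result locally so later visits skip the notary round-trip. The notaries, the quorum rule and the fingerprints are all constructed for illustration; a notary returning `None` models a timed-out notary.

    ```python
    import hashlib
    from dataclasses import dataclass, field
    from typing import Callable, Dict, List, Optional

    # Constructed sample data for a hypothetical host (not real fingerprints).
    HOST = "mail.example.test"
    GOOD_FP = hashlib.sha256(b"constructed: legitimate cert for the host").hexdigest()
    ROGUE_FP = hashlib.sha256(b"constructed: cert issued by a compromised CA").hexdigest()

    # A notary is modelled as host -> fingerprint it observed from its own
    # network position, or None when it times out / is unreachable.
    Notary = Callable[[str], Optional[str]]

    def honest_notary(host: str) -> Optional[str]:
        return GOOD_FP if host == HOST else None

    def timed_out_notary(host: str) -> Optional[str]:
        return None  # overwhelmed notary: no answer this time

    def coerced_notary(host: str) -> Optional[str]:
        # A notary that is itself being shown the rogue cert (an attacker
        # sitting between the notaries and the site as well as between you
        # and the site). Enough of these defeat the scheme.
        return ROGUE_FP if host == HOST else None

    @dataclass
    class ConvergenceLikeClient:
        notaries: List[Notary]
        quorum: int                         # notaries that must agree with us
        pins: Dict[str, str] = field(default_factory=dict)

        def verify(self, host: str, seen_fp: str) -> str:
            pinned = self.pins.get(host)
            if pinned is not None:
                # Cached from an earlier visit: no notary traffic needed.
                return "pinned-ok" if pinned == seen_fp else "pin-mismatch"
            answers = [notary(host) for notary in self.notaries]
            reachable = [a for a in answers if a is not None]
            if not reachable:
                return "notaries-unavailable"   # the sensible action is to retry
            agreeing = sum(1 for a in reachable if a == seen_fp)
            if agreeing >= self.quorum:
                self.pins[host] = seen_fp       # first good sighting becomes the pin
                return "notary-ok"
            return "notary-disagree"           # what we see is not what the world sees
    ```

    A rogue cert from a compromised CA fails the quorum check unless the attacker also controls what a quorum of notaries observes, which is exactly the residual risk discussed later in the thread.
    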
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks very interesting.

    Can you provide more information on Convergence? A link? Who else uses them? ISPs?

    My question was poorly written. Let me retry. There are approx. 600 CAs.

    Who do they/me/you apply to to have this ability to become a CA? That must be where the power lives.:doubt:
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Becoming a CA would be incredibly expensive because
    1) No one's going to trust you at first, so browsers and OS vendors won't list you

    2) You actually need to pay people to check out the websites and files

    Convergence changes the system. Instead of checking a single CA for the validity of a website/ certificate you check multiple repositories, which means your trust doesn't have to rely on one single entity anymore.

    It also means that attacks like SSLStripper fall flat. An attacker can spoof a certificate but with convergence you'll know it's different.
     
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Yep. I won't say it's 100% but it is close enough. It will certainly foil hackers with stolen certs, etc. It would probably even foil some government spying. But it might not work against, say, the NSA, who have their hooks at the backbone of the Internet and can pretty much MiTM anyone anywhere (see AT&T scandal -- NSA pretty much has access to every bit that flows over the net). So, even if you use Convergence, it might be possible for them to MiTM the Convergence notaries and you at the same time. Granted this probably isn't likely, but an organization with their money, influence and technical people could probably pull it off.

    The only way to be 100% sure is to know the website owner personally and physically check his certificate fingerprint (sort of like you would do when signing PGP keys).
     
  15. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    I added Convergence to Firefox and it blocked/alerted me on ~50% of websites which I tried to log in to (Gmail etc). Bug or expected behavior?
     
  16. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    It does this to me sometimes. Usually when I reload the page it works. I think what happens is the notaries are overwhelmed by traffic and sometimes time out before they are able to verify.
     