Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL∗
نویسندگان
چکیده
This paper introduces the compelled certificate creation attack, in which government agencies may compel a certificate authority to issue false SSL certificates that can be used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications. Although we do not have direct evidence that this form of active surveillance is taking place in the wild, we show how products already on the market are geared and marketed towards this kind of use—suggesting such attacks may occur in the future, if they are not already occuring. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.
منابع مشابه
Certified Lies: Detecting and Defeating Government Interception Attacks against SSL (Short Paper)
This paper introduces the compelled certificate creation attack, in which government agencies may compel a certificate authority to issue false SSL certificates that can be used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications. Although we do not have direct evidence that this form of active surveillance is taking place in the wild, we show ...
متن کاملPreventing Phishing Attacks Using Trusted Computing Technology
Most secure web sites use the SSL/TLS protocol for server authentication. SSL/TLS supports mutual authentication, i.e. both server and client authentication. However, this optional feature of SSL/TLS is not used by most web sites because not every client has a certified public key. Instead user authentication is typically achieved by sending a password to the server after the establishment of a...
متن کاملSSLINT: A Tool for Detecting TLS Certificate Validation Vulnerabilities
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which ar...
متن کاملTiming Analysis of SSL/TLS Man in the Middle Attacks
M an in the middle attacks are a significant threat to modern e-commerce and online communications, even when such transactions are protected by TLS. We intend to show that it is possible to detect man-in-the-middle attacks on SSL and TLS by detecting timing differences between a standard SSL session and an attack we created.
متن کاملPOSTER: Trust No One Else: Detecting MITM Attacks Against SSL/TLS Without Third-Parties
The Secure Sockets Layer (SSL) protocol and its successor , Transport Layer Security (TLS), have become the de facto means of providing strong cryptographic protection for network traffic. Their near universal integration with web browsers arguably makes them the most visible pieces of security infrastructure for average users. While vulnera-bilities are occasionally found in specific implement...
متن کامل