![]() Security vendors justify their SSL/TLS interception practices through a legitimate need to protect users from all threats, including those served over HTTPS. ![]() "We were able to come up with alternative attacks that still worked and Kaspersky resolved it quickly," Ormandy said in an advisory made public Wednesday. This makes attacks harder, but not impossible. For example, Ormandy found that the valid certificate used by has the same 32-bit key calculated by Kaspersky Anti-Virus as the certificate for .Īccording to the researcher, Kaspersky Lab pointed out that there is an additional check being performed on the domain name in addition to the 32-bit key. The 32-bit key is so weak that certificate collisions would also occur naturally during normal browsing. However, since the browser will actually see the interception certificate generated by Kaspersky Anti-Virus for, and not the original one, it will establish the connection without any error. Under normal circumstances the browser should display a certificate error, because the certificate for does not match the domain accessed by the client. That server hosts and presents a certificate for a domain called. This implies that the attacker - Mallory in Ormandy's example - has a man-in-the-middle position on the network that allows him to redirect the user accessing via DNS to a rogue server under his control. Now mallory redirects DNS for to, Kaspersky starts using their cached certificate and the attacker has complete control of ." ![]() On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let's say ). ![]() Mallory sends you the real leaf certificate for, which Kaspersky validates and then generates it's own certificate and key for. He described a possible attack as follows: "Mallory wants to intercept traffic, for which the 32bit key is 0xdeadbeef. The problem, according to Ormandy, is that a 32-bit key is very weak and an attacker could easily craft a certificate that matches the same key, creating a collision. This allows the product to present the cached leaf certificate when the user visits the same website again instead of regenerating it. Ormandy found that whenever the product generates an interception certificate it calculates a 32-bit key based on the serial number of the original certificate presented by the website and caches this relationship.
0 Comments
Leave a Reply. |