Having SSL Certification doesn't mean that the website you are visiting is not a bogus website. SSL certificates protect web users in two ways, it encrypts sensitive information such as usernames, passwords, or credit card numbers and also verify the identity of websites.
But today hackers and cyber criminals are using every tantrum to steal your credentials by injecting fake SSL certificates to the bogus websites impersonating Social media, e-commerce, and even bank website.
Netcraft Security Researchers have discovered dozens of fake SSL Certificates being used to enact financial institutions, e-commerce site vendors, Internet Service Providers and social networking sites, which allegedly allows an attacker to carry out man-in-the-middle attacks.
When you will visit a bogus website from any popular web browser; having self signed fake SSL Certificate, you will see a foreboding warning in the web browser, but the traffic originates from apps and other non-browser software fail to adequately check the validity of SSL certificates.
The SSL Certificates are not digitally signed by a trusted certificate authority, so if you are accessing a sensitive website from your Smartphone apps or any other non-browser software, then you may be at a great risk.
"Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers. 40% of iOS-based banking apps tested by IO Active are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server. 41% of selected Android apps were found to be vulnerable in manual tests by the Leibniz University of Hannover and Philipps University of Marburg in Germany. Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone." Netcraft researchers said.
Netcraft researchers have discovered many fake SSL certificates that were created by cybercriminals with fraudulent intentions, including fake SSL certificates for facebook.com on some Ukraine based web servers, hosting a Facebook phishing website and also Fake Google's SSL Certificates in Romania, claims to have been issued by America Online Root Certification Authority. Other popular impersonated certificates belong to GoDaddy's POP mail server, Apple's iTunes and YouTube.
Fake SSL certificates themselves are not sufficient to carry out a man-in-the-middle attack, the attacker should be in the same network as of the victim to intercept the communications, and another easiest way is setting up a fake wireless Access Point (AP) to accomplish the attack.
Most of the popular apps, such as Google, Twitter, Facebook and others are using a technique known as 'Certificate Pinning' that automatically rejects the whole connection from sites that offer bogus SSL certificates and ensure you that you are protected against fraudulently issued certificates.
That means, if you access Google.com from your browser, it will trust the certificate if it's signed by Verisign, Digicert or any trusted Certificate Authority, but if you will connect to a Google server via an app on mobile, it will only trust the certificates signed by Google itself.
While Certificate Pinning makes traffic interception more difficult, but still it can be bypassed in numerous ways and thus should not be considered an end-all solution for Man-in-the-Middle security.
0 comments: