This Week in SSL – Mozilla Revokes 1024-bit Roots Certs, Two-Factor Under Attack, Chinese MITM Attacks

Let’s take a look at some of the more intriguing news articles this week about SSL Certificates and network security.

Security Growing Pangs Loom For 100K+ Sites with Newly Untrusted Certificates

Ericka Chickowski of InformationWeek Dark Reading reveals that last week Mozilla revoked a number of root certificates using 1024-bit keys. These root certificates chained up to over 100,000 websites that are now left untrusted. Chickowski reports that, “According to Mozilla, the company is forcing migration away from 1024-bit certificate in phases, so at the moment it has only revoked select certificates from Entrust, SECOM, GoDaddy, EMC/RSA, Symantec/VeriSign, and NetLock. It will wait until early 2015 to revoke similar certificates from Thawte, VeriSign, Equifax, and GTE Cybertrust that are operated by Symantec and Verizon Certificate Services.” Having tens of thousands of websites left without functioning SSL is clearly a problem, although the article points out that many of the certificates in question were likely already expired.

Blackphone SSL security flaw was patched within days, says CEO

The Blackphone ultra-secure Android smartphone was recently discovered to have a serious flaw in its implementation of SSL security. John E. Dunn of Techworld reports that this vulnerability opened some of its apps up to potential Man-in-the-Middle (MTM) attacks. “The researchers were able to load their own SSL root certificate on the phone, tricking all four into revealing their credentials in the clear. It’s disappointing that such a basic flaw should appear on this kind device although it has been patched by implementing SSL pinning, a way of hardcoding certificates between the app and the server.” A key takeaway is that this vulnerability was eliminated quickly, which is good news for users who shelled out the money for what is billed as a secure smartphone. The research team also noticed other peculiarities, including the fact that the certificate store on the device includes over 150 root certificates, including one described as being for undetermined “Government” use that can only be disabled manually.

The Way to Beat “Two-Factor” Attacks

Researchers at TrendMicro have discovered an exploit that can be used to defeat some forms of two-factor authentication. John Zurawski at explains how it works: A hacker first deploys malware after a target clicks on a malicious link in a phishing email. The malware changes the DNS settings of the computer to point to a server controlled by the hacker. A rogue SSL root certificate is installed, ensuring that the hacker’s HTTPS servers will be trusted and not trigger warnings. When the target attempts to log into their account, the DNS redirect points to the hacker’s server with a copy of the bank website. On the site the user is told to download an Android app to generate one-time passwords. The app instead redirects the SMS messages, allowing the hacker to harvest usernames, passwords and account numbers.

China Attacks Google, Strengthens the Great Firewall

Summer Hirst of VPN Creative reports that the Chinese government is apparently using sophisticated man-in-the-middle attacks targeting Chinese users of the China Education and Research Network (CERNET) who use Google for search purposes. The anti-censorship website reports that these attacks resemble others that took place in January 2013 against developer site Github.

Rewind to March 2012 when Google enforced HTTPS, thereby encrypting queries between users and Google. Chinese officials were unhappy with this move, which prevented them from blocking specific Google searches. As a result the government blocked Google, but left access open for users of CERNET. Fast forward to today and Chinese users of CERNET are now seeing a certificate expiration page. Researchers speculate that “the devices that are performing the attack are probably injecting packets near the outer border of CERNET, the place where it peers with external networks. Netresec said that it’s difficult to find out how the attack was planned, but DNS spoofing was certainly not used. There’s a chance that the IP hijacking method was involved, and it could be BGP prefix hijacking or a packet injection. Whatever method was used by them, they are certainly able to inspect the traffic going out to Google.”

CERNET users are encouraged not to bypass the certificate warning since the attackers could steal their Google information and access their email accounts. Chrome and Firefox are recommended browsers for these users since they do not allow you to bypass the certificate expiration warning page.