Man-in-the-middle attacks, where an attacker uses forged SSL certificates to intercept encrypted connections between clients and servers, aren’t common. But if your organization is the victim of one, that isn’t very comforting.
So, many IT security professionals will be interested in a test by researchers at Facebook and Carnegie Mellon University of a tool for detecting potential MitM attacks by identifying forged SSL certificates.
Using the technique, the researchers analyzed more than three million SSL connections to Facebook and found that 0.2 percent, or 6,845, carried tampered or forged certificates.
Most of the forged certificates were tied to anti-virus software and corporate content filters; only 121 were forged by malware and 330 by adware.
The detection technique they used isn’t new, but the fact that it could scan millions of connections means it can be used at scale for corporate Web sites.
The researchers also warn there are limitations.
“It is important to point out that the goal of our implementation was not to evade the SSL man-in-the-middle attacks with our detection mechanism. Admittedly, it would be difficult to prevent professional attackers that are fully aware of our detection method.” They think that’s unlikely.
However, they add, “if more websites become more aggressive about this sort of monitoring, we might get into an arms race, unfortunately.”
“Our data suggest that browsers could possibly detect many of the forged certificates based on size characteristics, such as checking whether the certificate chain depth is larger than one,” the study concludes. “We strongly encourage popular websites, as well as mobile applications, to deploy similar mechanisms to start detecting SSL interception.”
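To make the server-side checks the study describes concrete, here is an added example (not code from the Facebook/CMU researchers) that classifies a certificate chain a client reports back to the site, using a known-fingerprint comparison plus the chain-depth heuristic quoted above. It assumes the chain has already been collected from the client and handed over as a list of dicts with constructed `subject`, `issuer` and `sha256` values; the fingerprints and CA names are placeholders, not any real site's.

```python
import hashlib
from collections import Counter

# Fingerprints of the leaf certificates the site operator actually deployed
# and the CAs that signed them (constructed placeholders, not any real site's).
KNOWN_LEAF_FINGERPRINTS = {hashlib.sha256(b"constructed-legit-leaf").hexdigest()}
KNOWN_ISSUERS = {"CN=Example Public CA G2"}

def classify_chain(chain):
    """Return (category, reasons) for one client-reported chain.
    chain[0] is the leaf the client saw, later entries its issuers, so
    len(chain) is the depth; entries carry 'subject', 'issuer', 'sha256'."""
    if not chain:
        return "unknown", ["client reported no certificate chain"]
    leaf = chain[0]
    if leaf["sha256"] in KNOWN_LEAF_FINGERPRINTS:
        return "legitimate", []
    reasons = ["leaf fingerprint not among the site's own certificates"]
    if leaf["issuer"] not in KNOWN_ISSUERS:
        reasons.append("leaf signed by an unexpected issuer: " + leaf["issuer"])
    # Size heuristic from the study: a public site's real chain carries an
    # intermediate, so depth 1 means some root signed the leaf directly.
    if len(chain) == 1:
        reasons.append("chain depth is 1, not larger than one")
    if leaf["subject"] == leaf["issuer"]:
        reasons.append("leaf is self-signed")
    return "forged", reasons

def summarize(chains):
    """Count verdicts over many reports and give the forged share in percent."""
    counts = Counter(classify_chain(c)[0] for c in chains)
    total = sum(counts.values())
    return counts, (100.0 * counts["forged"] / total if total else 0.0)

# Constructed sample reports: one genuine chain and one from a TLS-inspecting
# proxy that re-signed the leaf under its own root.
GENUINE = [
    {"subject": "CN=www.example.com", "issuer": "CN=Example Public CA G2",
     "sha256": hashlib.sha256(b"constructed-legit-leaf").hexdigest()},
    {"subject": "CN=Example Public CA G2", "issuer": "CN=Example Root CA",
     "sha256": hashlib.sha256(b"constructed-intermediate").hexdigest()},
]
INTERCEPTED = [
    {"subject": "CN=www.example.com", "issuer": "CN=CorpFilter Proxy Root",
     "sha256": hashlib.sha256(b"constructed-proxy-leaf").hexdigest()},
]

if __name__ == "__main__":
    print(classify_chain(INTERCEPTED))
    print(summarize([GENUINE] * 499 + [INTERCEPTED]))
```

The `summarize` step is what turns per-connection verdicts into the population-level figure the study reports; the reasons list is what an operator would use to separate content filters from malware afterwards.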