The shoddy state of SSL certificate validation on the Internet again floated to the surface, this time by the Superfish mess, which continues to get worse.
The Electronic Frontier Foundation on Wednesday released a report based on data scoured from the Decentralized SSL Observatory which it maintains shows the number of certificates that were improperly validated by the Komodia library at the core of the Superfish fiasco has climbed to over 1,600. While it’s impossible to determine, EFF researchers say it’s probable that Komodia software did enable some real-world man-in-the-middle attacks.
The Komodia software, which was built into the Superfish adware pre-installed on Lenovo computers, contains a vulnerability that breaks HTTPS connections and allows an attacker to pull off man-in-the-middle attacks. EFF staff technologists Jeremy Gillula and Joseph Bonneau said that some of the domains affected by Komodia include Google’s mail domain, Yahoo log-in domains, Bing, Windows Live Mail, Amazon, eBay checkout and Superfish.com among many others.
“While it’s likely that some of these domains had legitimately invalid certificates (due to configuration errors or other routine issues), it seems unlikely that all of them did,” Gillula and Bonneau wrote in their report. “Thus it’s possible that Komodia’s software enabled real MitM attacks which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys.”
Komodia’s behavior of adding a new root certificate and dubious alterations to a computer’s network stack, validates certificates that should otherwise raise a browser warning.
“This means that an attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)—they just have to create an invalid certificate with the target domain as one of the alternative names, and every Komodia-based product will cause it to be accepted,” they wrote.
Gillula told Threatpost that contextually the situation is not surprising given that the certificate system has been teetering on disaster for some time, a situation that’s complicated by the sheer number of Certificate Authorities at work on the Internet, many of which could also be interdicted by law enforcement or repressive government.
“The most egregious thing is the idea that companies think it’s OK to interfere with people’s encrypted traffic even on their own machines,” Gillula said. “That they think it’s OK to install a root cert and go to town on it.”
Gillula said he was compelled by reports related to Superfish that pointed out that an attacker would have a relatively easy time sliding an invalid certificate into legitimate traffic by inserting the domain they wanted to use in a man-in-the-middle attack into the Subject Alternative Name field.
“It would go right on through,” Gillula said.
Searching for that scenario in the Decentralized SSL Observatory was also relatively simple, Gillula said. It required a query that searched for certificates that contained a unique string called verify_fail[domain name] in the Subject Alternative Name field used by one of the software applications identified as running the Komodia SSL Digester proxy.
> It’s probable that Komodia software did enable some real-world man-in-the-middle attacks. via @Threatpost > > Tweet
“Lo and behold, we discovered that a lot of these certs when they hit the proxy are invalid, but Komodia changes them and because of the alternative name, ended up being valid when they hit the browser,” Gillula said, adding that Komodia wipes away any traces of a potential man-in-the-middle attack making it impossible to determine whether an attack occurred or a merely a misconfigured certificate popped up in the search.
The real problem, however, are the practices of third-party vendors such as adware purveyors like Superfish who build tools to intercept traffic and manipulate certificate validation, moving it outside the browser.
“The lesson for vendors is that they should stop trying to man-in-the-middle SSL connections on customer machines,” Gillula said. “Unless they’re willing to put in a lot of significant engineering effort to verify they are doing things correctly, chances are there’s going to be a bug and it’s a dangerous thing to do.”