Hacked in a public space? Thanks, HTTPS

Kali Linux, laptop, coffee - hack on!


Have you ever bothered to look at who your browser trusts? The padlock of a HTTPS connection doesn't mean anything if you can't trust the other end of the connection and its upstream signatories. Do you trust CNNIC (China Internet Network Information Centre). What about Turkistan trust or many other “who are they” type certificate authorities?

Even if you do trust whoever issued the certificate it doesn't mean much if the network cannot be trusted. A lot of experts claim “HTTPS is broken” and here is one small example of why. If you sit in a coffee shop and go surfing you can quite easily end up being the victim of a man-in-the-middle (MitM) attack. All a potential attacker needs is a copy of Kali Linux, a reasonably powerful laptop and coffee!

But wait, you cry, aren't certificates supposed to protect us from exactly this type of thing? Yes but... essentially in our coffee-shop scenario the connection can be forced to run via the MitM laptop using a program called SSLstrip to copy the data as it is passed back and forth to Gmail. We get the traffic from the victim by poisoning the ARP cache and pretending to be the router. SSLStrip forces a victim's browser into communicating via an attacker’s laptop in plain-text over HTTP, with the adversary proxies the modified content from an HTTPS server.

Of course, you need to hack the coffee shop's router, too.

The HTTPS between Gmail and you is now readable because you get the decrypted plain text data before it is encrypted and sent to Gmail.

It isn't just coffee shops that present this risk. Frequently, SSL inspection is used in offices of larger companies to monitor staff web activity. Several companies such as FireEye and Bluecoat provide specialised appliances to do this at wirespeed, essentially rendering them unnoticeable. Governments can also do the same using FinFisher or other tools running on ISP networks.

This is one of the main reasons I tell people not to check their web mail on their work computer. Employers probably have the right do that written into their employment terms and conditions. Companies do, however, have other more legitimate reasons for breaking SSL scanning for malware-related traffic and data loss prevention (DLP being the new hot ticket item). If you couldn't look inside an encrypted packet you would have no idea what's flowing across the network most of the time other than source and destination.

What are the mitigations against all these for the average Joe user? In reality not a lot. Use your common sense when connecting to a Wi-Fi hotspot. Ask yourself:

  1. Do I know I am connecting to the correct Wi-Fi hotspot?
  2. Do I trust that hotspot and its owners?
  3. Where possible use a VPN thereby somewhat mitigating against MitM attacks

On a larger scale there are a few things that can be done but require effort. If a site provides only HTTPS then sslstrip would fail as it can't fall back to HTTP. Also browsers are becoming better at dealing with these types of issues.

Some browsers such as Chrome use a new technique called certificate pinning. This technique creates a digital fingerprint for each HTTPS site visited and afterwards compares it to the certificate being presented. It will warn the user if things don’t look as they should. Another method that site owners can use to protect their clients is HSTS. This tells the browser on first visit that the site is HTTPS only and therefore the browser should only ever connect to via HTTPS for a determined length of time.

Any attempt to redirect the browser to an HTTP version of the site will be stopped by the browser. The one weakness with this technology is that the browser has to have first visited the genuine site to receive the HSTS response. But if you make sure you've visited a site that supports HSTS on a trusted network, your browser will then ensure it is never redirected to HTTP.

A site owner who knows they will only ever use HTTPS and uses HSTS (HTTP Strict Transport Security) can have their website added to a HSTS preloaded list in the Chromium project. Getting your site added to that list means that Chromium will never allow an unencrypted connection to your site.

A lot of companies who deploy monitoring will often install their own root certificates on company computers. This lets the proxy devices to self-sign certificates for any domain and be trusted by the computers.

HTTPS is not the silver-bullet online defence shield a lot of users believe it to be on public networks, meaning activities such as online banking and shopping are done at their own risk.

While there are some additional steps you can take, you should - therefore - continue to exercise caution when using a network you don’t control and think about the type of information that you may be sharing with people you may not want to. ®

Similar topics


Other stories you might like

  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022