Fake SSL certificates enable a variety of security threats, say experts

Experts say the security industry's 'blind trust' may result in a new wave of security threats caused by fake SSL certificates, including man-in-the-middle and DNS attacks.

Security experts say this week's flap over inflight wireless provider Gogo LLC's use of fake SSL certificates highlights the consequences of the broader use of private encryption, including unintended ones such as using the technology to conceal malware.

A Google engineer working on digital certificate technology reportedly discovered that the airborne Wi-Fi provider was issuing fake Google SSL certificates, essentially executing a man-in-the-middle (MITM) attack against its own customers.

While it appears the inflight carrier was caught red-handed, Gogo issued a statement stressing that it utilizes several techniques to limit video streaming on planes, adding: "Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure [Internet] traffic."

The incident caught the security industry off-guard, illustrating the growing vulnerability of digital certificates that underpin trust and security on corporate and consumer networks.

Industry experts warn that it must now be assumed that certificates will eventually be compromised.

"We have seen man-in-the-middle attacks for years -- there is no reason to suspect these attacks to lessen despite the ominous warnings the browser manufacturers have put in place concerning 'invalid server certificate,'" said Garret Grajek, CSO at dinCloud Inc., a provider of virtual desktops and cloud security services in Gardena, Calif. "Hackers count on most (or some percentage) of users to just 'click through.'"

Nevertheless, the desire for greater privacy protections online has prompted individuals and companies to adopt SSL encryption and "always-on HTTPS". But some worry that the growing use of "transport encryption" may pave the way for common use of fake security certificates, which in turn could enable man-in-the-middle attacks, concealed malware or DNS attacks.

Why 'blind spots' highlight SSL certificate threats

Some network security vendors like Blue Coat Systems Inc., based in Sunnyvale, Calif., have warned that pervasive use of SSL/TLS encryption is creating "blind spots" in network traffic that can be used to conceal malware and facilitate attacks. The security vendor said following a recent study that it "routinely observes encrypted traffic used for the delivery of command and control of malware."

Blue Coat warned that, "Malware attacks, using encryption as a cloak, do not need to be complex because the malware operators believe that encryption prevents the enterprise from seeing what they are doing."

The Gogo incident, and the recent spate of DarkHotel attacks against Wi-Fi users in Asian hotels, are especially disturbing since "a service provider, not a bad guy, was doing what a bad guy does," noted Kevin Bocek, vice president of security strategy and threat intelligence at Venafi Inc., a security software firm based in Salt Lake City that specializes in protecting digital certificates.

"Unfortunately, this is not a new risk and is pervasive across the Internet," Bocek added. "It's best if business providers like Gogo don't complicate the matter by creating more confusion and risk with what looks like malicious certificates that could be used to spoof and monitor private communications."

Grajek said it's conceivable that fake SSL certificates could enable DNS attacks. SSL certificates are put in place to ensure that the DNS IP and Web URL match the issued certificate, and the warnings that browsers offer when they don't match are there to alert users to a potential DNS attack. If such mismatches and warnings become common, users may gradually fail to see them as indicative of significant security risks.

Grajek said SSL certificates should be deployed and sites should be designed to support HTTPS. 

"Right now, user education is needed to ensure that users do not 'click through' these warnings," Grajek said. "With Google strongly encouraging SSL for all sites (by rewarding SEO searches), we should see the general public becoming more aware and cognitive of SSL-certificate errors, which could denote a hacker site that the user has been redirected to."

The upshot is that digital certificates that may be valid for as much as a decade can no longer be taken at face value. "We've created too much 'blind trust,'" Bocek said. "This is a technology that comes with an expiration date."

Meanwhile, compromised digital keys and certificates are poised to become the next big marketplace for cybercriminals. In an attempt to address the growing vulnerability of digital certificates, companies like Google Inc. have reduced the validity period of their digital certificates to three months.

Venafi estimates that stolen certificates are fetching up to $980 each in Russian underground markets, or 400 times the value of a stolen credit card number.

As the recent Sony hack illustrates, cybercriminals possess the data collection capacity to sweep up digital certificates that would allow them to monetize their operations, Bocek noted.

Executive Editor Eric Parizo contributed to this story.
