By Ryan Singel
March 24, 2010
That little lock on your browser window indicating you are communicating
securely with your bank or e-mail account may not always mean what you
think it means.
Normally when a user visits a secure website, such as Bank of America,
Gmail, PayPal or eBay, the browser examines the website's certificate to
verify its authenticity.
At a recent wiretapping convention, however, security researcher Chris
Soghoian discovered that a small company was marketing internet spying
boxes to the feds. The boxes were designed to intercept those
communications - without breaking the encryption - by using forged
security certificates, instead of the real ones that websites use to
verify secure connections. To use the appliance, the government would
need to acquire a forged certificate from any one of more than 100
trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she
is talking directly to Bob, but instead Mallory found a way to get in
the middle and pass the messages back and forth without Alice or Bob
knowing she was there.
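The attack described above works because a certificate issued by any of the trusted CAs passes the browser's ordinary chain check. The following added example (not from the article; the CA names, hostnames and keys are constructed stand-ins, and chain validation is simplified) models why a second check, pinning the site's expected public key, flags an interception that the lock icon would not:

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the 100+ root CAs a browser trusts by default.
TRUSTED_CAS = {"CA Alpha", "CA Beta", "CA Gamma"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes  # stand-in for the DER-encoded SubjectPublicKeyInfo


def spki_fingerprint(cert: Cert) -> str:
    """SHA-256 over the public key: the value a pin set stores."""
    return hashlib.sha256(cert.public_key).hexdigest()


def chain_validates(cert: Cert, hostname: str) -> bool:
    """What the lock icon reflects: the name matches and a trusted CA issued it.
    Simplified model; real validation also checks signatures, dates and revocation."""
    return cert.subject == hostname and cert.issuer in TRUSTED_CAS


def pin_matches(cert: Cert, pins: set[str]) -> bool:
    """Pinning: the presented key must be one the site operator committed to in advance."""
    return spki_fingerprint(cert) in pins


def accept(cert: Cert, hostname: str, pins: set[str]) -> tuple[bool, str]:
    """Accept only when both the chain check and the pin check pass."""
    if not chain_validates(cert, hostname):
        return False, "chain validation failed"
    if not pin_matches(cert, pins):
        return False, "trusted CA but key does not match pin: possible interception"
    return True, "ok"


# Constructed sample: the bank's genuine certificate and a forged one for the same
# hostname issued by a different, equally trusted CA.
GENUINE = Cert("bank.example", "CA Alpha", b"constructed-genuine-key")
FORGED = Cert("bank.example", "CA Beta", b"constructed-interceptor-key")
BANK_PINS = {spki_fingerprint(GENUINE)}

if __name__ == "__main__":
    print(accept(GENUINE, "bank.example", BANK_PINS))
    print(accept(FORGED, "bank.example", BANK_PINS))
```

The forged certificate passes `chain_validates` exactly as the article describes, and only the pin comparison reports the mismatch.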
The existence of a marketed product indicates the vulnerability is
likely being exploited by more than just information-hungry governments,
according to leading encryption expert Matt Blaze, a computer science
professor at University of Pennsylvania.
"If the company is selling this to law enforcement and the intelligence
community, it is not that large a leap to conclude that other, more
malicious people have worked out the details of how to exploit this,"
The company in question is known as Packet Forensics, which advertised
its new man-in-the-middle capabilities in a brochure handed out at the
Intelligent Support Systems (ISS) conference, a Washington, D.C.,
wiretapping convention that typically bans the press. Soghoian attended
the convention, notoriously capturing a Sprint manager bragging about
the huge volumes of surveillance requests it processes for the