Black Hat and DEF CON Follow-up
Here is a follow-up to my earlier post SSL Security Silly Season. Black Hat USA 2010 and DEF CON 18, held back to back at the end of July, had three presentations that addressed SSL/TLS issues. Here is a quick summary of each and where you can get more information.
Internet SSL Survey 2010 by Ivan Ristic
In this study, Qualys SSL Labs scanned a large set of internet domain names for HTTPS servers and used their assessment engine to collect statistics about SSL usage. In total, they found 867,361 unique certificate chains offered by HTTPS servers, which by their estimate accounts for 25-50% of all commercial certificates. Issues found were incomplete certificate chains (a missing intermediate the client has to fetch or guess), chains that are too long (unnecessary certificates, such as the trusted root itself), certificates presented in the wrong order (TLS requires the server certificate first, each following certificate signing the one before it), and certificates with Debian weak keys (keys generated by the Debian OpenSSL package with the broken PRNG, CVE-2008-0166).
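To make the first three chain defects concrete, here is an added example (my own constructed code, not anything from Qualys SSL Labs) that lints a chain the way a client sees it. To stay offline it models a certificate as a (subject, issuer) pair of distinguished names instead of parsing real X.509; the DNs and the trust store are made up, and a real tool would also verify signatures, validity periods and key usage. It reports incomplete, wrong-order and too-long chains, and also hands back the order the client actually wants.

```python
"""Toy certificate-chain linter (constructed example, not SSL Labs code).

A certificate is modelled as (subject, issuer).  TLS wants the server
certificate first, with each following certificate issuing the one before
it; the client stops walking at the first issuer it already trusts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def find_leaf(chain):
    """The end-entity certificate: the one that issues nothing else in the chain."""
    issuers = {c.issuer for c in chain}
    leaves = [c for c in chain if c.subject not in issuers]
    return leaves[0] if leaves else chain[0]


def build_path(chain, trust_anchors):
    """Follow issuer links from the leaf until a trusted anchor or a dead end.

    Returns (path, missing_issuer); missing_issuer is the DN of an issuer the
    client would need but neither the chain nor its trust store supplies.
    """
    by_subject = {c.subject: c for c in chain}
    cur = find_leaf(chain)
    path = [cur]
    while not cur.is_self_signed and cur.issuer not in trust_anchors:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt in path:       # missing issuer, or a loop
            return path, cur.issuer
        path.append(nxt)
        cur = nxt
    return path, None


def lint_chain(chain, trust_anchors):
    """Return (sorted finding codes, the chain in the order the client wants)."""
    findings = set()
    path, missing = build_path(chain, trust_anchors)
    if missing is not None:
        findings.add("incomplete")          # client must fetch or guess the issuer
    last = path[-1]
    if missing is None and last.is_self_signed and last.subject not in trust_anchors:
        findings.add("untrusted_root")      # complete, but ends at a root nobody trusts
    if chain[:len(path)] != path:
        findings.add("wrong_order")         # strict clients reject, lenient ones reorder
    if len(chain) > len(path):
        findings.add("too_long")            # extra certs (e.g. the root) only add bytes
    return sorted(findings), path


# Constructed sample DNs and trust store (not real CAs).
LEAF = Cert("CN=www.example.com", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
TRUST_STORE = {ROOT.subject}

if __name__ == "__main__":
    for label, sent in [
        ("correct", [LEAF, INTERMEDIATE]),
        ("incomplete", [LEAF]),
        ("wrong order", [INTERMEDIATE, LEAF]),
        ("too long", [LEAF, INTERMEDIATE, ROOT]),
    ]:
        codes, fixed = lint_chain(sent, TRUST_STORE)
        print(f"{label:12s} -> {codes or ['ok']}; send: {[c.subject for c in fixed]}")
```

The "too long" case is the one operators most often get wrong on purpose: sending the root does no harm to validation, since the client already has it, but it costs bytes on every handshake and is why the survey counted it as a defect.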
HTTPS Can Byte Me by Robert Hansen and Josh Sokol
This presentation was about flaws in the browser side of HTTPS, or rather, flaws that can be exploited even when the user is connecting to a site over HTTPS. The researchers focused on 24 issues, all related to man-in-the-middle (MitM) attacks, most of them abusing what the browser does around the encrypted channel (mixed content, cookies, tabs, traffic analysis) rather than the cryptography itself. They concluded that some of the attacks were hard or flaky and that there are better ways to exploit people and obtain their sensitive information. In Hansen and Sokol’s associated white paper, they state: “Using proper tab isolation, better cookie management in the browser and better ‘white-noise’ generation in the SSL stream could help prevent the majority of these attacks presented.”
An Observatory for the SSLiverse by Peter Eckersley and Jesse Burns
The Electronic Frontier Foundation (EFF) SSL Observatory collected the X.509 certificates used for HTTPS across the public IPv4 internet. They looked for odd behavior and were essentially auditing the certificate authorities (CAs) that browsers trust by examining what those CAs had actually signed. They were able to identify “trusted” intermediate CAs (including ones operated by foreign entities, security agencies and companies) and found many “weird, wonderful and suspicious certificates.” They will be opening their data to the public for further review.