Dear Software Vendors: Please Stop Trying to Intercept Your Customers’ Encrypted Traffic
Over the past week many more details have emerged about the HTTPS-breaking Superfish software that Lenovo pre-installed on its laptops for several months. As is often the case with breaking security incidents, most of what we know has come from security engineers volunteering their time to study the problem and sharing their findings via blogs and social media.
Unfortunately, the security implications have gone from bad to worse the more we’ve learned. For instance, researchers have determined that the software library Superfish uses to intercept traffic—developed by a company known as Komodia—is present in more than a dozen other software products, including parental control software and (supposed) privacy-enhancing/ad-blocking software. All of these products have the same vulnerability that Superfish does: anyone with a little technical know-how could intercept and modify your otherwise secure HTTPS traffic.
What’s worse is that these attacks are even easier than researchers originally thought, because of the way Komodia’s software handles invalid certificates: it alters the part of the certificate which specifies what website the certificate is for—for example changing www.eff.org to verify_fail.www.eff.org—and then signs the certificate and sends it on to your browser. Since the website listed on the certificate (verify_fail.www.eff.org) doesn’t match the website the user is actually visiting (www.eff.org), the browser shows a warning to the user.
But certificates have another field, called the Subject Alternative Name, which is used to list alternative domain names for which the certificate can be used (so that website operators can re-use the same certificate across all of their domain names). EFF, for example, uses the same certificate for eff.org, www.eff.org, and *.eff.org. Even if the “main” domain name listed in the certificate doesn’t match the domain name of the website the user is browsing, the certificate will still be accepted as long as one of the alternative names match. And because Komodia’s software signs the certificate (and tells your browser that it should trust certificates it signs if they’re otherwise valid), the certificate will pass all the browser’s checks, and come up smelling like roses.
This means that an attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)—they just have to create an invalid certificate with the target domain as one of the alternative names, and every Komodia-based product will cause it to be accepted.
Evidence of Man-in-the-Middle Attacks in the Decentralized SSL Observatory
We searched the Decentralized SSL Observatory for examples of certificates that Komodia should have rejected, but which it ended up causing browsers to accept, and found over 1600 entries. Affected domains included sensitive websites like Google (including mail.google.com, accounts.google.com, and checkout.google.com), Yahoo (including login.yahoo.com), Bing, Windows Live Mail, Amazon, eBay (including checkout.payments.ebay.com), Twitter, Netflix, Mozilla’s Add-Ons website, www.gpg4win.org, several banking websites (including mint.com and domains from HSBC and Wells Fargo), several insurance websites, the Decentralized SSL Observatory itself, and even superfish.com.1
While it’s likely that some of these domains had legitimately invalid certificates (due to configuration errors or other routine issues), it seems unlikely that all of them did. Thus it’s possible that Komodia’s software enabled real MitM attacks which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys.
To make matters worse, Komodia isn’t the only software vendor that’s been tripped up by this sort of problem. Another piece of software known as PrivDog is also vulnerable. Ostensibly, PrivDog is supposed to protect your privacy by intercepting your traffic and substituting ads from “untrusted sources” with ads from a “trusted” source, namely AdTrustMedia. Like Komodia’s software, PrivDog installs a root certificate when it’s installed, which it then uses to sign the certificates it intercepts. However, a bug in certain versions of PrivDog cause it to sign all certificates, whether they’re valid or not. Simply put, this means that any certificate your browser sees while PrivDog is installed could be the result of a man-in-the-middle attack, and you’d have no way of knowing. The Decentralized SSL Observatory has collected over 17,000 different certificates from PrivDog users, any one of which could be from an attack. Unfortunately, there’s no way to know for sure.
So what can we learn from this Lenovo/Superfish/Komodia/PrivDog debacle? For users, we’ve learned that you can’t trust the software that comes preinstalled on your computers—which means reinstalling a fresh OS will now have to be standard operating procedure whenever someone buys a new computer.
But the most important lesson is for software vendors, who should learn that attempting to intercept their customers’ encrypted HTTPS traffic will only put their customers’ security at risk. Certificate validation is a very complicated and tricky process which has taken decades of careful engineering work by browser developers.2 Taking certificate validation outside of the browser and attempting to design any piece of cryptographic software from scratch without painstaking security audits is a recipe for disaster.
Let the events of the last week serve as a warning: attempting to insert backdoors into encryption as Komodia attempted to do (and as others have called for in other contexts) will inevitably put users’ privacy and security at risk.
- 1. Based on the “verify_fail” pattern, we also found certificates that purport to be from five pieces of software which, to our knowledge, haven’t yet been identified as using Komodia’s proxy software. The issuer fields for these certificates were: "O=Sweesh LTD, L=Tel Aviv, ST=Tel Aviv, C=IL, CN=Sweesh LT", "O=Kinner lake Gibraltar, L=My Town, ST=State or Providence, C=GI, CN=Kinner lake Gibraltar", "C=US, ST=California, L=SanDiego, O=EdgeWave.com, OU=Security, CN=EdgeWave.com/emailAddressfirstname.lastname@example.org", "O=NordNet/emailAddressemail@example.com, L=HEM, ST=HEM, C=FR, CN=Nordnet.fr", and "O=PSafe Tecnologia S.A./emailAddressfirstname.lastname@example.org, L=Rio de janeiro, ST=Rio de janeiro, C=BR, CN=PSafe Tecnologia S.A.". While we were unable to identify any organizations associated with the first two certificates, EdgeWave, NordNet, and PSafe appear to sell antivirus or web filtering products.
- 2. Just last year, for example, researchers found a number of bugs in certificate validation libraries [PDF] through fuzz testing.
Recent DeepLinks Posts
Jul 22, 2016
Jul 21, 2016
Jul 21, 2016
Jul 21, 2016
Jul 21, 2016
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Bloggers' Rights
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- Fair Use and Intellectual Property: Defending the Balance
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Free Speech
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Know Your Rights
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- State-Sponsored Malware
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trade Agreements and Digital Rights
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- UK Investigatory Powers Bill
- Video Games