[wpkops] fyi: Analyzing Forged SSL Certificates in the Wild

=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 14 May 2014 22:16 UTC

Message-ID: <5373EB1B.9000906@KingsMountain.com>
Date: Wed, 14 May 2014 15:15:55 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: wpkops@ietf.org, trans@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/wpkops/56mow8zJUwnuggrs_PC1z-L32pU
Subject: [wpkops] fyi: Analyzing Forged SSL Certificates in the Wild

Analyzing Forged SSL Certificates in the Wild
Lin-Shung Huang, Alex Rice, Erling Ellingsen, Collin Jackson

Abstract—The SSL man-in-the-middle attack uses forged SSL certificates to intercept encrypted connections between clients and servers. However, due to a lack of reliable indicators, it is still unclear how commonly these attacks occur in the wild. In this work, we have designed and implemented a method to detect the occurrence of SSL man-in-the-middle attacks on a top global website, Facebook. Over 3 million real-world SSL connections to this website were analyzed. Our results indicate that 0.2% of the SSL connections analyzed were tampered with forged SSL certificates, most of them related to antivirus software and corporate-scale content filters. We have also identified some SSL connections intercepted by malware. Limitations of the method and possible defenses to such attacks are also discussed.

https://www.linshunghuang.com/papers/mitm.pdf


news coverage..

https://news.google.com/news?ncl=dCtyuKtyM9cSNPM9nzTnp15Wfnh4M&q=IopFailZeroAccessCreate&lr=English&hl=en&sa=X