Fake SSL Certificates

Popularity:

7

Simplicity:

8

Impact:

8

Risk Rating:

8

Until now in this chapter, we've discussed performing MITM attacks on HTTP-based connections, making the assumption that HTTPS encrypted connections were secure. This is not necessarily the case since SSL relies on weakly bound public key certificates, as well as on the user to cancel the connection if a browser security warning is presented.

When a user requests a website over HTTPS, the server will send the user's browser its SSL certificate that is signed by a trusted Certificate Authority (CA). The browser then checks this SSL certificate against its own database of trusted CAs to determine whether the website should be trusted.

If an attacker is performing an ARP spoofing attack on the local LAN, and an HTTPS connection is started by one of the users on the network, the attacker is able to intercept the request and produce a false SSL certificate to the user claiming that the attacker is the requested site.

Since this SSL certificate has not been signed by a trusted CA, then the web browser will display a dialog box warning the user that a possible attack is being carried out. Thanks to the trust relationship that users have with their web applications, both internal and external, most users will simply accept any warnings that a web browser displays, ultimately allowing this type of attack.

At this stage the attacker's machine then acts as a transparent proxy between the user and the real website, decrypting the communications in between allowing the HTTPS traffic to be analyzed in clear text, enabling usernames, passwords, and other sensitive information to be enumerated. This process is demonstrated in Figure 13-15.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook


Post a comment