LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Mozilla and CNNIC

Mozilla and CNNIC

Posted Feb 4, 2010 3:53 UTC (Thu) by erwbgy (subscriber, #4104)
Parent article: Mozilla and CNNIC

I know of a company proxy setup that illustrates how the man-in-the-middle attack could work if the browser trusts a dodgy CA.

When using a proxy your web browser makes a connection to the proxy server which then connects to the destination web site on your behalf. When using HTTP the proxy may send back previously cached data, but for HTTPS the traffic is encrypted end-to-end between the client and the server so the proxy just passively passes the encrypted data back and forth, or allows a direct connection. At least that is what is supposed to happen with HTTPS.

In this particular setup the browsers were all configured to trust a new internal CA. Then the proxy was changed to replace every destination SSL server certificate with a new server certificate with the same details signed by the internal CA. As far as the browser is concerned the server certificate is valid: the CN field matches the server hostname and the certificate is signed by a trusted CA.

This change allows the proxy to snoop on all HTTPS traffic without most users being aware. The justification in this case was to be able to scan for malware, and there were assurances that known webmail and banking sites would be excluded from this process.

Something similar could be done by any trusted CA that is able to intercept and modify traffic between the client browser and the destination server.

Another way to achieve this without changing client browsers would be to create a rogue CA certificate like Alexander Sotirov's team did by exploiting MD5 collisions.

(Log in to post comments)

Mozilla and CNNIC

Posted Feb 4, 2010 4:40 UTC (Thu) by jimparis (subscriber, #38647) [Link]

> Then the proxy was changed to replace every destination SSL server
> certificate with a new server certificate with the same details signed by
> the internal CA. As far as the browser is concerned the server certificate
> is valid: the CN field matches the server hostname and the certificate is
> signed by a trusted CA.
>
> Something similar could be done by any trusted CA that is able to
> intercept and modify traffic between the client browser and the
> destination server.

Yes, definitely. That's the main concerned being raised here. But Mozilla's point is that this is a traceable attack -- the end user can simply save a copy of the new, modified certificate as evidence that the proxy/government/whatever was doing it. While it's true that their browser will accept it without complaining, all the user has to do is glance at the issuer to see if it was the rogue CA or not. At that point, you'd send this proof to Mozilla and they would blacklist the CA.

Mozilla and CNNIC

Posted Feb 5, 2010 15:14 UTC (Fri) by __alex (subscriber, #38036) [Link]

How is the attack detectable at all given standard user practices?

HTTPS security is multi-layered and not simply provided by cryptographic
functions. Things such as the pad-lock icon and the EV-SSL green address
bar UI a major components of the system and currently there is no part of that
system designed for detecting a MITM attack from a trusted authority.

Browsers have no standard mechanism for alerting users about changes in
certificates over time and there is no way for a user to tell what authority the
website provider intended to sign their content with.

This is not a reason to distrust CNNIC specifically, simply a weakness of SSL in
general.

Mozilla and CNNIC

Posted Feb 5, 2010 15:48 UTC (Fri) by jimparis (subscriber, #38647) [Link]

I imagine it will happen like this, if it's indeed true that CNNIC is doing bad things:
- Some user manually removes (or doesn't yet have) the CNNIC certificate
- When visiting a normal site like Gmail, they get a certificate error.
- They look at the certificate, notice it was issued by CNNIC, and complain publically.
- Mozilla removes the certificate for everyone.

Mozilla and CNNIC

Posted Feb 4, 2010 10:32 UTC (Thu) by Cato (subscriber, #7643) [Link]

This setup is a lot more common than I realised, just saw this myself recently. Presumably the motivation is often to secure internal sites, but is there any way to tell if the proxy is pulling this trick? At least CertificatePatrol for Firefox should tell you what's happening.

Mozilla and CNNIC

Posted Feb 5, 2010 10:50 UTC (Fri) by cortana (subscriber, #24596) [Link]

Assuming that the proxy does not intercept requests from Certificate Patrol/Perspectives and
friends as well... :)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds