{"id":19283,"date":"2015-01-07T20:29:17","date_gmt":"2015-01-08T01:29:17","guid":{"rendered":"http:\/\/ssgreenberg.name\/PoliticsBlog\/?p=19283"},"modified":"2015-01-12T12:57:14","modified_gmt":"2015-01-12T17:57:14","slug":"gogo-serving-fake-ssl-certificates-to-block-streaming-sites","status":"publish","type":"post","link":"https:\/\/ssgreenberg.name\/PoliticsBlog\/2015\/01\/07\/gogo-serving-fake-ssl-certificates-to-block-streaming-sites\/","title":{"rendered":"Gogo Serving Fake SSL Certificates to Block Streaming Sites"},"content":{"rendered":"<p><em>PC Magazine<\/em> has the article and video <a title=\"PC Magazine article\" href=\"http:\/\/www.pcmag.com\/article2\/0,2817,2474664,00.asp?mailingID=64941E898B0E11EE8022634DFABCF59A?mailing_id=1142097\" target=\"_blank\">Gogo Serving Fake SSL Certificates to Block Streaming Sites<\/a>.<\/p>\n<blockquote><p>Mile-high Web provider Gogo appears to be running man-in-the-middle attacks on its own customers.<\/p>\n<p>Based on a report by Google engineer Adrienne Porter Felt, Gogo Inflight Internet is serving SSL certificates from Gogo instead of site providers\u2014a big no-no in online security.<\/p><\/blockquote>\n<p>Will someone please explain to me why this isn&#8217;t one of the biggest security flaws in the entire design of the secure sockets layer of internet data transport?\u00a0 Surely people who designed and implemented the system considered this form of attack, didn&#8217;t they?\u00a0 Surely PC magazine could explain how to protect yourself from this, can&#8217;t they?<\/p>\n<p>If GoGo can do this, who is to say who else might not try this?<\/p>\n<p>I cannot even comprehend how the security expert who discovered this could calmly say &#8220;serving SSL certificates from Gogo instead of site providers\u2014a big no-no in online security.&#8221;\u00a0 How could a security expert conceive of a secure system whose security depended on people not cheating?\u00a0 I thought the whole point of security was to stop 
people from cheating.\u00a0 If you design a system to stop people from cheating that depends on people not cheating, then you must be a fool.<\/p>\n<p>Now, let me step back and try to consider this rationally.\u00a0 If you follow the links in the article, you will eventually see what the discoverer of this fakery saw.<\/p>\n<div style=\"text-align: center;\"><a href=\"https:\/\/twitter.com\/__apf__\/status\/551083956326920192\/photo\/1\"><img decoding=\"async\" class=\"alignnone\" src=\"https:\/\/pbs.twimg.com\/media\/B6XX7wvIIAEmZuR.png:large\" alt=\"Indication of security problem\" width=\"95%\" \/><\/a><\/div>\n<pre><\/pre>\n<p>If you look at the, you will see it say &#8220;<span style=\"color: #ee0000;\">This certificate was signed by an untrusted issuer.<\/span>&#8221;\u00a0 The lesson learned is to never trust an untrusted issuer, duh!\u00a0 However, I have to ask that if every browser is automatically set up to boldly issue such a warning, why haven&#8217;t millions of people in the flying public been screaming about this already?\u00a0 Even if most people wouldn&#8217;t know what to do with such a message, there must be enough techies flying the friendly skies that many of them would have complained about this before.\u00a0 I am definitely going to research this issue more.\u00a0 This looks like a big, honking hole in internet security.<\/p>\n<p>Some people wonder why we refuse to fly since I have retired.\u00a0 Add this one to the list of reasons.<\/p>\n<p>I would only be flying for pleasure, anyway.\u00a0 So the risk to me is that I might &#8220;only&#8221; be giving away access to all my financial and health data.\u00a0 Think about all the business travelers who are compromising their companies&#8217; secret information while all along they think they are protecting it.<\/p>\n<hr style=\"border-color: #000000;\" \/>\n<p>CertificateTransparency.org has the article <a title=\"certificatetransparency.org article\" 
href=\"http:\/\/www.certificate-transparency.org\/what-is-ct\" target=\"_blank\">What is Certificate Transparency?<\/a>\u00a0 They first explain the issue:<\/p>\n<blockquote><p>Thanks to modern cryptography, browsers can usually detect malicious websites that are provisioned with forged or fake SSL certificates. However, current cryptographic mechanisms aren\u2019t so good at detecting malicious websites if they\u2019re provisioned with mistakenly issued certificates or certificates that have been issued by a certificate authority (CA) that\u2019s been compromised or gone rogue.<\/p><\/blockquote>\n<p>They prescribe certificate transparency as the solution.\u00a0 Read about it, and see if you feel any safer.\u00a0 Obviously this flaw is well known to anybody who wants to cheat the system.<\/p>\n<p><em>ZDnet<\/em> published the article <a title=\"ZDnet article.\" href=\"http:\/\/www.zdnet.com\/article\/how-the-nsa-and-your-boss-can-intercept-and-break-ssl\/\" target=\"_blank\">How the NSA, and your boss, can intercept and break SSL<\/a> in June 2013.<\/p>\n<blockquote><p>Blue Coat, the biggest name in the SSL interception business, is far from the only one offering SSL interception and breaking in a box.<\/p><\/blockquote>\n<p>If the punctuation of that quote is misleading, let me reword it slightly.\u00a0 For a fee, you can buy an SSL interception application without the need to know anything about how that application accomplishes the feat.\u00a0 That&#8217;s not even the most disturbing part of what is in the article.<\/p>\n<p>As I think about the description of the interception in the above article, I wonder how GoGo could have been so sloppy that it allowed the browser to detect that &#8220;<span style=\"color: #ee0000;\">This certificate was signed by an untrusted issuer.<\/span>\u201d\u00a0 The only thing I can guess is that the Google engineer who detected this had independent means of checking the authenticity of the certificate that purported to 
come from YouTube (which is owned by Google.)<\/p>\n<hr style=\"border-color: #000000;\" \/>\n<p>January 12, 2015<\/p>\n<p><em>The Hacker News<\/em> has the article <a href=\"http:\/\/thehackernews.com\/2014\/09\/new-firefox-32-adds-protection-against.html\" title=\"Hacker News article\" target=\"_blank\">New Firefox 32 Adds Protection Against MiTM Attack and Rogue Certificates<\/a>.  I am still not convinced.<\/p>\n<p><em>Stackexchange<\/em> has the Q &#038; A <a href=\"http:\/\/security.stackexchange.com\/questions\/18946\/how-do-rsa-fingerprints-protect-from-mitm-attacks\/79032#79032\" title=\"Stackexchange Q and A\" target=\"_blank\">How do RSA fingerprints protect from MITM attacks?<\/a><\/p>\n<p>I posed the following questions to that Q &#038; A:<\/p>\n<blockquote><p>\nWhat about a Man in the middle attack that fakes the public key and the fingerprint of the secure server.  In other words, the MITM gives you a public key to use that it has the private key for.  It then forwards your message on to the actual recipient by re-encoding your decrypted message with the real public key.  It does the same fakery for the message coming back from the secure server.<\/p>\n<p>How do you really know that the public key you are getting is the actual public key of the server you intended to talk to?  Yes, there are certificate authorities, but if the MITM can fake the public key of your intended target, why can&#8217;t it fake what you get from the certificate authority?\n<\/p><\/blockquote>\n<p>I am still not entirely convinced.  All the methods that I have read about a secure exchange of information to ensure a secure exchange of information all seem circular to me.  If you could have a secure exchange of information to set up a secure exchange of information, then why couldn&#8217;t that method be your method of secure exchange?  
Adding more layers to the protocol may increase the number of things the MITM attacker has to fake, but it is nowhere near the size of the mathematical difficulty that adding more binary bits to the code would present if you could only know for sure that you had a valid public key.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>PC Magazine has the article and video Gogo Serving Fake SSL Certificates to Block Streaming Sites. Mile-high Web provider Gogo appears to be running man-in-the-middle attacks on its own customers. Based on a report by Google engineer Adrienne Porter Felt, Gogo Inflight Internet is serving SSL certificates from Gogo instead of site providers\u2014a big no-no [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[166],"tags":[],"class_list":{"0":"post-19283","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-stevegsposts","7":"czr-hentry"},"_links":{"self":[{"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/posts\/19283","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/comments?post=19283"}],"version-history":[{"count":12,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/posts\/19283\/revisions"}],"predecessor-version":[{"id":19350,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/posts\/19283\/revisions\/19350"}],"wp:attachment":[{"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/media?parent=19283"}],"wp:term":[{"taxonomy":"cat
egory","embeddable":true,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/categories?post=19283"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/tags?post=19283"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}