Trust, Internet Style: Security, Certificates and Vulnerability

Do you trust this certificate? Well, do ya, punk?

The news circulating about the IT industry is about a Man in the Middle attack against Google users in Iran. Mainstream media has not yet touched this issue, probably because its confusing, as indeed Internet security is wont to be.

#Google users in that country who used SSL (HTTPS) connections to access their email and other sensitive data got spoofed by unknown hackers with bogus Certificates that allowed them to view decrypted data as it passed between the victims and Google. No one has yet claimed responsibility.

What is a Man in the Middle attack? Basically, its a hacker insinuating himself into the conversation between you and a trusted server, in this case, Google. By fooling your computer into thinking that they’re Google – and by fooling Google into thinking they’re you – the hacker can observe as messages pass back and forth, sending them along to their intended targets so that neither you nor Google is the wiser. Basically, its the digital equivalent of eavesdropping.

MITM attacks are a very serious type of attack – and one which this blog has warned its readers about in the past. Far more worrisome in this case is the fact that the MITM attacks took place on secure, SSL-encrypted connections. The hacker is in this case privy to otherwise private information such as reading your email, accessing your friends list on Google+ or seeing the documents you marked private on Google Documents.

“But wait,” you say, “doesn’t using SSL connections prevent this type of attack? Isn’t that why you told us to use SSL for our social networking sites?” Well, the simple answer is “yes.” But as you might have expected, there are exceptions to every rule. In particular, as our world becomes more and more networked, the particularly-dangerous exception is that powerful entities like governments or service providers can short-circuit the security that SSL is meant to provide. While no one is claiming responsibility for the Iranian attack, security experts seem to agree that such a scheme is only possible for a government or “rogue” ISP.

How does any of this happen, you may wonder? Here is what I hope will be a readable Cliff’s Notes version of my Security+ Certification training for you on the subject. Its not an exhaustive discussion of the topic by any means, just what a person with a toe in the water of Security can tell you:

Secure Sockets Layers use Certificates

What makes browsing your bank account any safer than browsing Fark.com? If it is possible for someone to intercept traffic between you and any other server, why do banks and other institutions with sensitive information allow you to access it online?

The answer is that Secure Sockets Layers (SSL) create an encrypted “tunnel” of information passing back and forth. Someone absolutely could intercept this information as its passed. But the trouble (for them) is that the information is not readable without access to the “key” used to encrypt the data. Its sort of like the old Scantron sheets you used in high school to take tests: someone grabbing one of these sheets would have all the right answers to the test, but without a key to tell them what those answers are and what test they belong to, its just a card with pencil marks on it.

In the case of communications encrypted with SSL, the interceptor has even less information than that. They just have a scramble of code. But in the seemingly-paranoid world of computer security, there remains a question: how does one go about getting a secure key with which to encrypt data? And how do we know that the entity handing us a key is legitimate? That they’re not a hacker, too?