SSL is completely broken, be afraid!
Here is another small security lesson I learned a few days ago that I think I should share with you.
A colleague of mine asked me if there was a specific DHCP setting available on the router I use at home. Having activated remote administration via HTTPS I opened a new tab and opened the admin interface. We looked through it but couldn't find what he was looking for. Also having access to the router at my mom's house the same way I also checked this one but found nothing. Case closed, I thought.
A few days later over lunch he says: "So you have the same password set on both routers?" and before thinking about it I said "well, yes". Then it suddenly clicked. This wasn't a question, this was a statement. But wait, I used HTTPS! Even if he sniffed my traffic (we are on a switched LAN) he would have seen nothing but encrypted garbage. So I said: "Wait, if you man-in-the-middled me I would have received an SSL warning." and he asked "Well, did you?". In fact, I didn't. Re-thinking the situation reminded me that I did't receive a warning although both routers use self-signed certificates and I didn't have their certs imported into Firefox.
After letting me sweat for a while he showed me that he had spoofed the gateway's MAC address successfully. However, that didn't explain the SSL situation. He must have found some way to make my browser trust him as a man-in-the-middle. Then I remembered a talk from 25C3 (hacker congress in Berlin) were some guys presented an expired rogue CA certificate that they created and used to sign MITM certificates. The only warning people got where the timestamps. Not hostname or trust chain.
Then he finally told me: "I have a valid rogue CA certificate". Of course my question was: "How did you get it?". All he said was "You need 500 bucks and an AWS account". When he was intercepting my traffic his system was generating SSL certificates on-the-fly and signed it with his rogue CA. The browser, of course, totally fell for it.
So long story short: SSL is completely broken. If you trust any CA that issues or issued MD5 certificates you are vulnerable to the same kind of attack. Watch out, those rogue certs are out there!
A colleague of mine asked me if there was a specific DHCP setting available on the router I use at home. Having activated remote administration via HTTPS I opened a new tab and opened the admin interface. We looked through it but couldn't find what he was looking for. Also having access to the router at my mom's house the same way I also checked this one but found nothing. Case closed, I thought.
A few days later over lunch he says: "So you have the same password set on both routers?" and before thinking about it I said "well, yes". Then it suddenly clicked. This wasn't a question, this was a statement. But wait, I used HTTPS! Even if he sniffed my traffic (we are on a switched LAN) he would have seen nothing but encrypted garbage. So I said: "Wait, if you man-in-the-middled me I would have received an SSL warning." and he asked "Well, did you?". In fact, I didn't. Re-thinking the situation reminded me that I did't receive a warning although both routers use self-signed certificates and I didn't have their certs imported into Firefox.
After letting me sweat for a while he showed me that he had spoofed the gateway's MAC address successfully. However, that didn't explain the SSL situation. He must have found some way to make my browser trust him as a man-in-the-middle. Then I remembered a talk from 25C3 (hacker congress in Berlin) were some guys presented an expired rogue CA certificate that they created and used to sign MITM certificates. The only warning people got where the timestamps. Not hostname or trust chain.
Then he finally told me: "I have a valid rogue CA certificate". Of course my question was: "How did you get it?". All he said was "You need 500 bucks and an AWS account". When he was intercepting my traffic his system was generating SSL certificates on-the-fly and signed it with his rogue CA. The browser, of course, totally fell for it.
So long story short: SSL is completely broken. If you trust any CA that issues or issued MD5 certificates you are vulnerable to the same kind of attack. Watch out, those rogue certs are out there!
Working on CCNP: [X] SWITCH --- [ ] ROUTE --- [ ] TSHOOT
Goal for 2014: RHCA
Goal for 2015: CCDP
Goal for 2014: RHCA
Goal for 2015: CCDP