The carrier servers that phones connect to don't present SSL certificates that conform to Internet standards, so TextSecure wouldn't work correctly if it ran validation routines. Marlinspike made a similar observation about a finding involving TextSecure, an Android app he developed to encrypt cellphone messages that use the SMS and MMS protocols. Under those circumstances, the lack of SSL validation doesn't necessarily indicate a significant loss of security, he said. Marlinspike didn't dispute that finding but said that FPS provides its own signature-based authentication protocol and doesn't transmit client credentials, credit card numbers, or bank account information. Invoking the library using the PHP language turns off domain-name checking in FPS, allowing the server running the program to accept connections to non-authorized servers, the paper said. ![]() One such case, Marlinspike said, was a weakness described in the code libraries for the Amazon Flexible Payments Service used to process online payments. But some of the cases that outline don't spell certain death." ![]() "They're very easy to get wrong and people do get them wrong all the time. "These APIs are extremely confusing," said Moxie Marlinspike, the pseudonymous researcher who has repeatedly exposed vulnerabilities in SSL. In other cases, options chosen by app developers inadvertently turn off validation routines that by default are supposed to run. In some cases, the libraries leave it up to individual apps to validate the certificates presented when they connect to a server. The researchers attributed weaknesses to the "terrible design" of the programming interfaces provided in widely used code libraries that implement SSL. "Even a primitive network attacker-for example, someone in control of a malicious Wi-Fi access point-can exploit this vulnerability to harvest the login credentials of Chase mobile banking customers," the paper warned. Similar weaknesses in the Chase mobile banking app for Google's Android operating system also puts users at risk, the researchers said. The AIM client version 1.0.1.2 on Windows also accepts certificates signed by untrusted parties and also fails to verify if the host name on the certificate conforms to the Internet address the app is connected to. Man-in-the-middle attacks on Trillian, depending on the specific setup, can yield login credentials for a variety of third-party services (including Google Talk, AIM, Yahoo!, and Windows Live services). Instant messaging clients Trillian and AIM are among the apps that fail to properly validate SSL certificates before establishing a secure connection, according to the researchers. The research paper, presented last week's Computer and Communications Security conference, came in addition to separate work presented that demonstrated how holes in apps downloaded as many as 185 million times from Google's official Android market left passwords, e-mail, and instant messaging contents vulnerable to theft. The scenario described by the researchers is precisely the attack SSL is intended to protect against. "When presented with self-signed and third-party certificates-including a certificate issued by a legitimate authority to a domain called -they establish SSL connections and send their secrets to a man-in-the-middle attacker." "Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries," a team of researchers wrote in a paper titled The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. Instead, the apps will trust imposter certificates that are signed by attackers or fail established validity tests for a variety of other reasons. As a result, one of the fundamental guarantees of the SSL-that the computer on the other end of the connection belongs to the party claiming ownership-was fundamentally compromised. ![]() The weak implementations caused the programs to initiate encrypted communications without first assessing the validity of the digital certificates on the other end. Together, the technologies are designed to guarantee the confidentiality and authenticity of communications between end users and servers connected over the Internet. Like the other dozen or so applications identified, the threat stemmed from weak implementations of the secure sockets layer and transport layer security protocols. The Trillian and AIM instant messaging apps and an Android app offered by Chase Bank are three apps identified as vulnerable to so-called man-in-the-middle attacks. Researchers have uncovered defects in a wide range of applications running on computers, smartphones, and Web servers that could make them susceptible to attacks exposing passwords, credit card numbers, and other sensitive data.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |