How to prevent SSL sniffing through fake certificate injection attack?

SSL stands for Secure Socket Layer and is an encryption protocol used to secure the communication on a network. SSL is used to encrypt the segment of network connections and it uses several methods to encrypt the data, depending on the goal which needs to be achieved: asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. A certificate injection attack misuses the first type of cryptography algorithms: asymmetric cryptographic algorithms. Asymmetric cryptography  system requires two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the cyphertext. Neither key will do both functions. One of these keys is published or public and the other is kept private. If the lock/encryption key is the one published then the system enables private communication from the public to the unlocking key’s owner. If the unlock/decryption key is the one published then the system serves as a signature verifier of documents locked by the owner of the private key. Although in this latter case, since encrypting the entire message is relatively expensive computationally, in practice just a hash of the message is encrypted for signature verification purposes. In order to be able to decrypt the communication in a non-expensive way, an attacker has two possibilities: to steal the private key or to intercept and fake the communication between the two parties involved in the encrypted communication.
Such a method to intercept the communication is called a Man-in-the-Middle (MITM) attack. Using this technique the MITM would save the communication in plain text between the Client and Server.

The most effective technique used by hackers to make MITM attacks successful, especially if they are geographically dislocated from the victim, is using the DNS cache poisoning attack.
Faking the DNS entries would allow an attacker to impersonate legitimate websites without raising too much suspicions to the client. Using bots (remotely controlled malware) this method began to be quite easy to be done in the last years.
No matter how the impersonation is being implemented, there is one last step which has to be done in order to have the MITM method in operation: the client must accept the fake certificate (generated by the hacker with his key). Usually, the clients, in our case web browsers, display a popup warning the user that the certificate is not signed by a trusted certificate authority.

As we can see, no technology is 100% secure because at the very last step comes the human factor. If the user blindly trusts the certificate, then all is lost. Lately, browsers are being delivered with a repository of trusted certificates which get permanently updated. But, even this security measure is not being used today to completely block the connection to suspicious websites. The reason for this is that a lot of legitimate websites which use self generated certificates would be blocked.

As a comparison, this is how a trusted certificate looks like:
View of a certificate using Chrome

In order to check whether the certificate is trustworthy or not, you must click on the green lock and
– check that the company owning the certificate is the company which owns the website and
– that the certificate is validated by a certificate authority such as Verisign.

View of a valid certificate using Internet Explorer

When visiting a website such as PayPal, eBay, Amazon and the websites of banks or other financial institutions always type the address and never click on links coming from other websites or emails. They might be faked and you will become a victim of a phishing attack.
Do not forget that running an antivirus software is a must these days because it might be the only thing which provides protection against trojans, viruses, worms and keyloggers.
Last but not least, stay alert, because there is no such thing as the perfect security software.

© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check for seeing the consulting services we offer.

Visit for latest security news in English
Besuchen Sie für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .
%d bloggers like this: