Spoofed Web Certificates

12.09.2018

Fraunhofer research team demonstrates how to subvert the most popular method for issuing web certificates

A research team at the Fraunhofer Institute for Secure Information Technology SIT in Darmstadt, Germany, has found a way to have fraudulent website certificates issued. Such certificates are used to ensure the trustworthiness of Internet domains.


The team led by Dr. Haya Shulman has shown that the weakness in domain validation can be exploited in real life and that the security of Internet infrastructures needs to be improved. To that end, the researchers have informed Web CAs (Certificate Authorities) and suggest a new method and implementation that Web CAs may use to mitigate the attack. Further information at https://www.sit.fraunhofer.de/en/dvpp/

Web certificates are the basis of the SSL/TLS protocol which protects most web sites, such as online mail and office apps, online retailing and online banking. If a web site presents a valid certificate, the user’s browser will signal to the user that the web site’s identity is verified and can be trusted, e.g. by showing a green padlock.

The research team at Fraunhofer SIT showed that this trust is actually ill-founded and users can easily be tricked into sending their secret passwords and data to fraudulent phishing web sites.

Certificates are issued by so-called Web CAs, and virtually all popular Web CAs are using a method called Domain Validation (DV) to verify a web site’s identity before issuing a certificate to that web site. The Fraunhofer team demonstrated that Domain Validation is fundamentally flawed, and consequently they could trick many Web CAs into issuing fraudulent certificates.

A cybercriminal could use this attack to obtain a fraudulent certificate, e.g., for a popular online retailer, set up a web site that perfectly mimics that online retailer’s store, and then phish usernames and passwords.

The Fraunhofer team led by Dr. Haya Shulman exploited a number of well-known vulnerabilities in the Domain Name System (DNS), which is the Internet’s yellow pages, mapping domain names to Internet addresses. Cybersecurity researchers were well aware of these vulnerabilities in the DNS and their potential impact on Domain Validation, but so far this was considered a rather theoretical risk and something only very powerful attackers, e.g., at nation-state level, could exploit.

The team demonstrated for the first time that this risk is actually very real. “While the details of our attack are technically quite sophisticated, executing the attack does not require any specific compute power or any capability to intercept Internet traffic. Nothing more is needed than a laptop and an Internet connection,” says Dr. Haya Shulman of Fraunhofer SIT.

The team informed German security authorities and Web CAs. As a mitigation, the researchers developed an improved version of DV, called DV++, which could replace DV without any further modifications and which is provided free of charge here: https://www.sit.fraunhofer.de/en/dvpp/. A research paper describing the details of this attack as well as DV++ will be presented at the ACM Conference on Computer and Communications Security (ACM CCS) in Toronto, Canada, in October 2018.

Scientific contacts:

Dr. Haya Shulman, Prof. Michael Waidner

Oliver Küch | Fraunhofer-Institut für Sichere Informationstechnologie SIT
Further information:
http://www.sit.fraunhofer.de/
