Spoofed Web Certificates

12.09.2018

Fraunhofer research team demonstrates how to subvert the most popular method for issuing web certificates

A research team at the Fraunhofer Institute for Secure Information Technology SIT in Darmstadt, Germany, has found a way to issue fraudulent website certificates that are used to ensure trustworthiness of Internet domains.


The team led by Dr. Haya Shulman has shown that the weakness in domain validation can be exploited in real life and that the security of Internet infrastructures needs to be improved. The researchers have informed Web CAs (Certificate Authorities) and suggest a new method and implementation that Web CAs may use to mitigate the attack. Further information at https://www.sit.fraunhofer.de/en/dvpp/

Web certificates are the basis of the SSL/TLS protocol which protects most web sites, such as online mail and office apps, online retailing and online banking. If a web site presents a valid certificate, the user’s browser will signal to the user that the web site’s identity is verified and can be trusted, e.g. by showing a green padlock.

The research team at Fraunhofer SIT showed that this trust is actually ill-founded and users can easily be tricked into sending their secret passwords and data to fraudulent phishing web sites.

Certificates are issued by so-called Web CAs, and virtually all popular Web CAs are using a method called Domain Validation (DV) to verify a web site’s identity before issuing a certificate to that web site. The Fraunhofer team demonstrated that Domain Validation is fundamentally flawed, and consequently they could trick many Web CAs into issuing fraudulent certificates.

A cybercriminal could use this attack to obtain a fraudulent certificate, e.g., for a popular online retailer, set up a web site that perfectly mimics that online retailer’s store, and then phish usernames and passwords.

The Fraunhofer team led by Dr. Haya Shulman exploited a number of well-known vulnerabilities in the Domain Name System (DNS), which is the Internet’s yellow pages, mapping domain names to Internet addresses. Cybersecurity researchers were well aware of these vulnerabilities in the DNS and their potential impact on Domain Validation, but so far this was considered a rather theoretical risk and something only very powerful attackers, e.g., at nation-state level, could exploit.

The team demonstrated for the first time that this risk is actually very real. “While the details of our attack are technically quite sophisticated, executing the attack does not require any specific compute power or any capability to intercept Internet traffic. Nothing more is needed than a laptop and an Internet connection,” says Dr. Haya Shulman of Fraunhofer SIT.

The team informed German security authorities and Web CAs. As a mitigation, the researchers developed an improved version of DV, called DV++, which could replace DV without any further modifications and which is provided free of charge here: https://www.sit.fraunhofer.de/en/dvpp/. A research paper describing the details of this attack as well as DV++ will be presented at the ACM Conference on Computer and Communications Security (ACM CCS) in Toronto, Canada, in October 2018.

Scientific contacts:

Dr. Haya Shulman, Prof. Michael Waidner

Oliver Küch | Fraunhofer-Institut für Sichere Informationstechnologie SIT
Further information:
http://www.sit.fraunhofer.de/
