EFF: SSL Records Show Superfish Attacks in the Wild

 

EFF researchers say they have evidence of man in the middle attacks in the wild that use the same technology as the Superfish adware used by Lenovo.
EFF researchers say they have evidence of man in the middle attacks in the wild that use the same technology as the Superfish adware used by Lenovo.

In-brief: The Electronic Frontier Foundation warned that it has evidence of man-in-the-middle attacks that take advantage of the same encryption-busting technology that Lenovo and Superfish implanted on consumer laptops.

The imbroglio over Lenovo’s stealthy partnership with adware maker Superfish, a visual search engine, took a new turn this week, with the Electronic Frontier Foundation warning that it has evidence of man-in-the-middle attacks that take advantage of the same encryption-busting technology that Lenovo and Superfish implanted on consumer laptops – all the better to serve ads to their owners.

Writing on Wednesday, EFF staff members Joseph Bonneau and Jeremy Gillula said that a peculiarity of the way the SSL-busting Komodia library that is licensed by Superfish makes it easy for attackers to get web browsers to accept certificates in which the name of the domain listed in the certificate is different from the name of the website the user is browsing: a pre-requisite of “man in the middle” and “drive by download” attacks.

EFF researchers searched a listing of SSL certificates in that organization’s Decentralized SSL Observatory and found evidence for 1,600 SSL certificates that had such a mismatch. These are sites that Komodia should have rejected, but which it ended up causing browsers to accept. The group says it is effectively evidence for Komodia-powered shenanigans in the wild.

The web domains involved included high-profile properties like Google (mail.google.com, accounts.google.com, and checkout.google.com), Yahoo (including login.yahoo.com), Bing, Windows Live Mail, Amazon, eBay (including checkout.payments.ebay.com), Twitter, Netflix, Mozilla’s Add-Ons website and so on. Banking websites including Intuit’s mint.com and domains from HSBC and Wells Fargo showed up, as did the website for the Superfish search engine.

The Decentralized SSL Observatory gathers data from users of the SSL Everywhere browser plugin.  When enabled, the plugin sends anonymous copies of certificates for HTTPS websites to EFF’s SSL Observatory database. There, researchers study them, looking for problems with the web’s cryptographic and security infrastructure, EFF said.

Some of the 1,600 domains likely had real certificate problems and were not being used in a malicious attack. But EFF argues that it is unlikely that all 1,600 incidents were cases of legitimate certificate configuration problems.

“Thus it’s possible that Komodia’s software enabled real MiTM (man in the middle) attacks which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys,” EFF wrote.

Read more via Dear Software Vendors: Please Stop Trying to Intercept Your Customers’ Encrypted Traffic | Electronic Frontier Foundation.