January 2008

January 27, 2008

Reflections on SSL certificate validation dialogs

Lately I've been messing around with SSL validation dialogs and I've found that they may help in conducting a phishing attack under certain circumstances.

When an SSL site with a valid certificate includes an external resource (such as an iframe) that presents an invalid certificate (e.g. an expired one), IE6 or Firefox 2 pops up a dialog box which, to the naive user, appears to relate to the site being browsed and not to the external content.

So how can this be exploited, you ask? Let's assume the attacker wants to impersonate https://www.some.site/, which happens to have an expired certificate. The attacker then registers https://www.some.s1te/ (or any other URL that looks similar to www.some.site) and obtains a valid certificate for it (this is not an easy task though). He then embeds a hidden iframe whose source is https://www.some.site/.

When the victim browses to https://www.some.s1te/ the browser pops up a dialog saying that the certificate has expired, but the Common Name in that certificate is www.some.site! This may convince the victim that he has actually surfed to www.some.site.

This video demonstrates the issue under Internet Explorer 6:

This video demonstrates the issue under Firefox 2.x.x:


The problem is more severe under Internet Explorer 6 because it states that the remote peer is valid, and when you examine the certificate you notice that the Common Name is indeed the one the attacker is attempting to impersonate.

In Firefox 2.x the pop-up dialog does not state that the Common Name is valid. However, if you know the internals of the certificate validation test, you also know that the Common Name is checked before the certificate's expiration. So if Firefox pops up a window about an expiration failure, the Common Name has already passed validation, and when one examines the certificate it will indeed contain the impersonated name, as illustrated in the video above.

This problem is in fact inherent in the way the browsers present the error message. They don't distinguish between a failure of an external content's certificate validation test and a failure of the browsed site's certificate validation test. I would expect them to explicitly indicate that the certificate check is against an external source. Internet Explorer 7 actually does that, as illustrated below.

This image illustrates a failure of a certificate validation check in IE7 against an external source cert:

This image illustrates a failure of a certificate validity check in IE7 against the browsed site's cert:

I really like IE's solution, because they could have implemented it by simply adding the missing information to the original dialog. The fact that they use two completely different error dialogs makes the chance of a user mistakenly treating the failure of an external certificate test as a failure of the browsed site's certificate test minute, or even zero.
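As an added example (not code from the original post or from any browser), here is a small Python model of the validation order described above: the name check runs before the validity-period check, and every failure is tagged with the host it belongs to and whether that host is the top-level page or an embedded resource, which is exactly the distinction the IE7 dialogs make. The certificate structure, the hostnames and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Minimal certificate model for the example (constructed; not a real X.509 parser).
@dataclass
class Cert:
    common_name: str
    not_before: datetime
    not_after: datetime

def hostname_matches(cn: str, host: str) -> bool:
    """RFC 2818-style match: exact name, or a single leftmost wildcard label."""
    cn, host = cn.lower(), host.lower()
    if cn == host:
        return True
    if cn.startswith("*.") and host.count(".") >= 2:
        return host.split(".", 1)[1] == cn[2:]
    return False

def validate(cert: Cert, host: str, now: datetime) -> List[str]:
    """Name check first, then validity period, mirroring the order the post describes.
    A name mismatch is returned alone: expiry is never reported for a foreign name."""
    if not hostname_matches(cert.common_name, host):
        return ["name_mismatch"]
    errors = []
    if now < cert.not_before:
        errors.append("not_yet_valid")
    if now > cert.not_after:
        errors.append("expired")
    return errors

def page_warnings(top_host: str, top_cert: Cert,
                  subresources: List[Tuple[str, Cert]],
                  now: datetime) -> List[Dict[str, str]]:
    """Collect failures for the page and its embedded resources, each tagged with
    its scope. A UI built on this can show a distinct dialog for embedded content
    instead of one that looks like it concerns the browsed site."""
    warnings = []
    for err in validate(top_cert, top_host, now):
        warnings.append({"scope": "top-level", "host": top_host, "error": err})
    for host, cert in subresources:
        for err in validate(cert, host, now):
            warnings.append({"scope": "embedded", "host": host, "error": err})
    return warnings

if __name__ == "__main__":
    now = datetime(2008, 1, 27)
    look_alike = Cert("www.some.s1te", datetime(2007, 1, 1), datetime(2009, 1, 1))
    expired = Cert("www.some.site", datetime(2006, 1, 1), datetime(2007, 1, 1))
    for w in page_warnings("www.some.s1te", look_alike, [("www.some.site", expired)], now):
        print(w)  # the only warning is scoped "embedded" for www.some.site
```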

January 22, 2008

Celebrating 20 Years of Anti-Virus

  • 20 years of Anti-Virus software and I still have to patch my machine at least once a month
  • 20 years of Anti-Virus software and I still have to update my Anti-Virus with yesterday's signatures
  • 20 years of Anti-Virus software and I still need a personal firewall
  • 20 years of Anti-Virus software and you still expect Mom & Pop to know if SVCHOST.EXE should be allowed to access the Internet or not
  • 20 years of Anti-Virus software and when my Outlook decides suddenly to send my entire address book to some bloke in China, you can't figure out that I'm not doing this on purpose?!
  • 20 years of Anti-Virus software and when my sister is tempted to double click on the cute "Dancing Pigs" file she got in her mail, her Registry gets corrupted, and files are installed in her C:\Windows\System32 directory
  • 20 years of Anti-Virus software, and virus writers can still override operating system files without sweating
  • 20 years of Anti-Virus software, and the first program to get infected is my Anti-Virus itself
  • 20 years of Anti-Virus software and I still need to install the following: Anti-Virus, Personal Firewall, Adaware, Spybot, HijackThis, Windows Defender, etc. and at the end of the day, I'm still infected
  • 20 years of Anti-Virus software and you still see new vendors entering this market, and even they can't figure out how to do it right
  • 20 years of Anti-Virus software, and some snot-nosed kid who writes a VBS file can outsmart the entire virus research teams combined
  • 20 years of Anti-Virus software, and when I'm infected, I have to restart Windows in "Safe Mode", download some special infection removal tool from my Anti-Virus vendor, disable Windows System Restore, edit my registry manually, reboot and pray to the "Force" that this trick nailed it. Usually it doesn't
  • Wait Wait Wait, I have to repeat the last one - "Infection Removal Tool"???? from the same Anti-Virus vendor???? if you know how to remove it, why didn't you handle it in the first place?!@#!
  • 20 years of Anti-Virus software, and every time I visit my parents' house, their computer is a part of a new botnet, and my dad is asking me: "How come I got infected, if I updated my Anti-Virus yesterday, and I didn't click on any malicious file?!"

Folks, if after 20 years of Anti-Virus software, all of the above is correct, I think it's safe to say that this industry has failed us (it didn't fail the vendors, since they are making a lot of money every year). The one thing I seriously don't understand is why we keep paying for Anti-Virus software, for our gateways and for our endpoints, if eventually we have to sit and decide if it is safe to click on some file that someone sent us.

Could it be that Anti-Virus software has become just a bullet on the CISO's checklist of must-haves? Could it be that through FUD we are forced to buy Anti-Virus software that doesn't solve the problem for us?

What has the Anti-Virus industry been doing for the past 20 years except for updating signatures and counting the subscription money we pay them?

Let's hope that other security market segments will do better after 20 years...

See you at the 40th anniversary.

-Ory