
As someone who is not an InfoSec professional, I am surprised that the wider security community very rarely discusses the inadequacies of HTTPS/TLS.

In my opinion, the insecurity of HTTPS/TLS against MITM attacks is a giant elephant in the room.

Could somebody please confirm that I am correct in thinking that modern HTTPS/TLS is very insecure against MITM attacks on ISP/Proxy Service level, and there exists a potential solution?

Why HTTPS/TLS is insecure

While your connection to a server may be encrypted and tamper-proof, anyone with adequate resources can place a MITM machine between you and the public website's server.

So long as MITM machine has a valid certificate chain, it can then show your browser a fake version of the website, or even modify the data being sent back and forth.

This issue is exacerbated by the fact that there are now free certificates available from companies like Cloudflare and Let's Encrypt. So, it is very easy for MITM machines to get valid certificate chains.

Potential Solution

All networked computers should record the history of received TLS certificates per public website and send it to a public database for attestation. This would allow users to compare the fingerprints of certificates by different geolocations and potentially uncover any MITM attacks. Although this is not a complete solution, it would at least give users some indication of whether or not they have been the victim of a MITM attack.

Questions

Am I correct in my assessment of HTTPS/TLS being insecure against MITM attacks on ISP/Proxy Service level?

Is there any third-party that provides such TLS certificate attestation service? I find it hard to believe that nobody has created a certificate attestation SaaS, what am I missing here?

Alkan
  • 1
  • 1
    `So long as MITM machine has a valid certificate chain` - this is easier said than done. Most CAs whose root certs are trusted by the major browsers do an adequate (albeit not perfect) job of ensuring that an attacker cannot get a valid cert for a site that they do not own, but there have been exceptions (e.g. DigiNotar). WRT `TLS certificate attestation service`, there have been attempts at this, e.g. Perspectives and Convergence. See https://moxie.org/2011/04/11/ssl-and-the-future-of-authenticity.html for some interesting reading on this subject. – mti2935 Jun 17 '22 at 17:16
  • 1
    Also regarding your "potential solution", you're basically describing [certificate transparency](https://certificate.transparency.dev/). – Ajedi32 Jun 17 '22 at 17:59
  • mti2935 & Ajedi32 thank you for your comments. I think TLS is still vulnerable to MITM, it is just that a CA needs to be attacked. So, it is harder than I thought but definitely not impossible. I guess the main issue is the gigantic CAs that control most of the web. If you can compromise Cloudflare, then you can control most of the information flow on the internet. – Alkan Jun 17 '22 at 22:04
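
A sketch of the fingerprint comparison the question proposes, as an added example that is not code from any poster or from the projects named in the comments. The report format, vantage-point names and verdict labels are assumptions, and the certificate bytes are constructed stand-ins.

```python
import hashlib
from collections import defaultdict

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der).hexdigest()

def assess(host, local_der, reports, quorum=2):
    """Classify the locally received certificate against remote observations.

    reports: iterable of (vantage, host, fingerprint) tuples from a
    hypothetical notary service. Returns one of:
      "insufficient-data"  fewer than `quorum` vantage points saw this host
      "consistent"         at least `quorum` vantage points saw our certificate
      "partial"            some vantage points saw it, but fewer than `quorum`
      "mismatch"           nobody else saw it; worth investigating, but a fresh
                           renewal or a different CDN edge looks the same
    """
    host = host.lower().rstrip(".")
    seen = defaultdict(set)  # fingerprint -> vantage points that reported it
    for vantage, rhost, fp in reports:
        if rhost.lower().rstrip(".") == host:
            seen[fp.lower()].add(vantage)
    all_vantages = set().union(*seen.values())
    if len(all_vantages) < quorum:
        return "insufficient-data"
    witnesses = seen.get(fingerprint(local_der), set())
    if len(witnesses) >= quorum:
        return "consistent"
    return "partial" if witnesses else "mismatch"

# Constructed stand-ins for DER certificates; real input would be the bytes
# returned by ssl.SSLSocket.getpeercert(binary_form=True).
CERT_ORIGIN = b"constructed-cert-origin"
CERT_CDN_EDGE = b"constructed-cert-cdn-edge"
CERT_UNKNOWN = b"constructed-cert-seen-only-locally"

# Constructed notary reports: (vantage, host, fingerprint).
REPORTS = [
    ("us-east", "example.com", fingerprint(CERT_ORIGIN)),
    ("eu-west", "example.com", fingerprint(CERT_ORIGIN)),
    ("ap-south", "Example.com.", fingerprint(CERT_CDN_EDGE)),
    ("us-east", "example.org", fingerprint(CERT_UNKNOWN)),
]

if __name__ == "__main__":
    for der in (CERT_ORIGIN, CERT_CDN_EDGE, CERT_UNKNOWN):
        print(fingerprint(der)[:16], assess("example.com", der, REPORTS))
```

The "partial" and "mismatch" verdicts are signals to look closer rather than proof of interception, because a site can legitimately serve different certificates to different regions.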

2 Answers

4

TLS security is not discussed because it isn't an issue.

There are several misconceptions in your question:

> While your connection to a server may be encrypted and tamper-proof, anyone with adequate resources can place a MITM machine between you and the public website's server.

Adequate resources: several hundred times the computing power of the entire planet combined.

> So long as MITM machine has a valid certificate chain, it can then show your browser a fake version of the website, or even modify the data being sent back and forth.

Valid certificate: a certificate trusted by your computer. They are either signed by a public CA, audited and trusted by the entire world, or installed by hand on your computer by your employer's IT team, your college/school, or an attacker tampering with it.

> This issue is exacerbated by the fact that there are now free certificates available from companies like Cloudflare and Let's Encrypt.

It's not a problem. I have to prove ownership of a domain to be able to be issued a certificate. I cannot have Let's Encrypt issue me a certificate for example.com.

> Am I correct in my assessment of HTTPS/TLS being insecure against MITM attacks on ISP/Proxy Service level?

No, you are not. TLS Key Exchange plus CA-signed certificates means even a hostile ISP cannot do anything against your connection except denying service. Unless you are behind a company-wide interception proxy (very common in enterprise environments, very rare for home users), nobody can intercept the cleartext on anything.

> Is there any third-party that provides such TLS certificate attestation service?

Certificate Transparency Logs.

Your proposed solution creates a single point of failure: the attestation server. It takes one DDoS attack on it to take HTTPS offline for everybody. It changes the check of a certificate validity from the clients (distributed) to a centralized server. It would increase the latency so much that in some cases it would make navigation unusable.

First remediation: more than one attestation server. Next problem: validate the attestation server identity. It would have to be done locally (like the current TLS certification process), or you would have to talk to a second server to identify the first. It would create the issue of validating the second server, and you know where this is going.

ThoriumBR
  • "TLS security is not discussed because it isn't an issue." Well, TLS security is widely discussed in academic papers, websites, etc. (and a lot of issues related to TLS have been found in the past). The OP just did not read/find those. – ysdx Jun 17 '22 at 20:26
  • I mean it's not discussed as OP thinks it should. CORS, XSS, SQLI, buffer overflows and things like that got a lot of discussion, but few people think TLS is not resistant against MitM, and when it's vulnerable it's because of a well-defined set of reasons. – ThoriumBR Jun 17 '22 at 20:33
  • @ThoriumBR How about the following case though: Firefox approximately trusts 140 Root CAs. What are the chances that one of these CAs is already breached and attackers can issue certificates that can MITM any website that uses HTTPS? I still believe that HTTPS and current CA system is fundamentally broken and provides minimal security against MITM type attacks. I suppose a decentralized scheme would be far more secure. – Alkan Jun 19 '22 at 02:51
  • Do you know that a compromised CA means an out of business CA? With Certificate Transparency, an attacker can issue just a few certificates until the breach is detected by someone and the certificates revoked, and the CA distrusted and probably banned. Ask Google about DigiNotar. – ThoriumBR Jun 19 '22 at 11:30
0

You seem to be missing the part that the CA certs must be trusted. Generally, if a CA wants their cert trusted they need to apply to the OS manufacturer (Apple, MS, etc.) to get their certs pre-installed into the OS's trust store. Many government CAs have been removed from OS trust stores due to bad behavior on this account.

Now some organizations install their own CA cert onto their machines in order to do MITM filtering on traffic into/out of the organization. Obvious answer: don't do private stuff on your work machine.

Alternatively some ISPs ask you to install a "Security Cert". Personally I'd avoid doing this. Unfortunately, avoiding this will make usage of that ISP nearly impossible.

But the simple fact is you have control over whose certs enter or stay in your device's trust stores. Educate yourself about who you're trusting to sign other certs and exercise your control.

tjd