Assuming these hypotheses:

1) Your account isn't hacked (hacker has not entered your account directly)

2) Gmail encrypts via SSL end-to-end

3) The hacker is not Gmail or Google

4) There is no access to the machine by the hacker - he cannot install anything on your machine (no certificates, no keyloggers, etc.)

It is just your personal house: computer -> router -> ISP -> Google.

Is it possible for a person with some kind of program (via man in the middle or other method) to decrypt and read messages?

Maybe the password wasn't strong enough and in fact, it was hacked via brute force or social engineering?

I have confirmation that this action happened to a person, but I really do not understand how this can be done (maybe faking the SSL certificate?).

schroeder
voskyc
  • This is the whole point behind MITM - you get in the middle of the traffic and offer a fake certificate so that you get the unencrypted messages. – schroeder Jul 08 '15 at 20:51
  • I have edited the post, adding a 4th condition: 4) There is no access by the hacker to your PC, nor your net. I have also read the duplicate; it assumes that the employer has access. In this case it is not about an employer. It is just your personal house: computer->router->ISP->Google. – voskyc Jul 08 '15 at 20:58
  • Same thing applies - you'll get a certificate warning, but if you accept it, then you've allowed access. – schroeder Jul 08 '15 at 21:09
  • So, for that person who has confirmation of being hacked (under the 4 hypotheses), is it a NECESSARY and sufficient condition to have received a warning about the Gmail certificate prior to the hacking? – voskyc Jul 08 '15 at 21:16
  • For almost all browsers, if you MITM an encrypted connection, the target will see a warning saying that the certificate doesn't match the site (but you can still accept the certificate). If you are using an app on your phone, there might not be any warning at all ... – schroeder Jul 08 '15 at 21:39
  • OK, thanks. Let me give you some insight: the person who hacked is an ex-government-intelligence employee (South America, not USA, do not worry). Even as an ex-employee, he still has "a program" (according to his words) to read mails. He is/was a friend of the person hacked and showed proof, "just for fun, I hacked you"... (yes, kinda psycho). This person uses Gmail (via Chrome); the hacker never had access to the network (at least not internal), nor the machine. So, do you see any other way that this man could achieve this, besides the hacked person having confirmed a false certificate? Thanks a lot – voskyc Jul 08 '15 at 21:54
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/25642/discussion-between-voskyc-and-schroeder). – voskyc Jul 08 '15 at 22:35

1 Answer

Yes, it is possible, but would require the user to be using an obscure web browser that links to OpenSSL.

With another valid TLS leaf certificate the CA flag can be bypassed and that certificate used to sign a certificate for any site:

https://community.rapid7.com/community/infosec/blog/2015/07/09/cve-2015-1793-openssl-certificate-authority-impersonation

Internet Explorer, Safari, Chrome, and Firefox are not vulnerable since they don't use OpenSSL.

UPDATE: corrected an error in identifying Chrome and Firefox as vulnerable. They aren't.

Alain O'Dea
  • What should we do to prevent this? What patch should we check for, for example on Windows 7? – voskyc Jul 27 '15 at 03:08
  • Internet Explorer doesn't use OpenSSL, so it isn't affected by CVE-2015-1793 (this specific vulnerability). In general you would check for patches by searching for the CVE ID and the product name. A good basic defense (akin to hand washing in hygiene) is to apply all available updates to all third-party browsers and apply all security updates provided by Windows Update. – Alain O'Dea Jul 27 '15 at 11:00
  • Correction: all major browsers are unaffected. This is only possible if the client is using a browser with an affected OpenSSL version, which is incredibly unlikely. – Alain O'Dea Jul 27 '15 at 11:19
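
The CA-flag check that the answer says can be bypassed, shown as an added example that is not part of the original answer or of OpenSSL's code: a simplified chain validator that rejects any issuer without basicConstraints CA=TRUE. It assumes the Python `cryptography` package; the names `Test Root CA`, `owner.example` and `mail.example` are constructed, and validity dates, hostnames and revocation are deliberately left out.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    """Issue a constructed test certificate for `cn`, signed by `issuer_key`."""
    now = datetime.datetime(2015, 7, 1)
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def issuer_may_sign(issuer):
    """True only if the issuer certificate carries basicConstraints CA=TRUE."""
    try:
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    return bc.ca

def chain_ok(chain, check_ca=True):
    """chain[0] is the site certificate, chain[-1] the trusted root.
    check_ca=False models a verifier that skips the CA-flag check."""
    for child, issuer in zip(chain, chain[1:]):
        if child.issuer != issuer.subject:
            return False
        try:
            issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False
        if check_ca and not issuer_may_sign(issuer):
            return False
    return True

# Constructed test chain: a root CA, an ordinary leaf, and two site certificates.
root_k, leaf_k, site_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root = make_cert("Test Root CA", root_k, "Test Root CA", root_k, True)
leaf = make_cert("owner.example", leaf_k, "Test Root CA", root_k, False)
honest = make_cert("mail.example", site_k, "Test Root CA", root_k, False)
forged = make_cert("mail.example", site_k, "owner.example", leaf_k, False)  # signed by a non-CA leaf
```

`chain_ok([forged, leaf, root])` fails only because of the CA-flag test; the names and signatures in that chain are all consistent, which is why a verifier that skips the test accepts it.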