• tauonite@lemmy.world
    link
    fedilink
    arrow-up
    27
    ·
    10 months ago

    Tell me more about SSL certificate forgery. As far as I know, for a device to trust it, it needs to be signed by a trusted CA. You’d either need to compromise a CA and create your own certificate for the website or make the target device trust a custom CA. In the case of a custom CA, the user explicitly needs to perform an action to trust it. How is this not enough on a public network?

    • redcalcium@lemmy.institute
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      edit-2
      10 months ago

      There are cases of malicious/incompetent CAs issuing certificates to parties who don’t own the domains. DigiNotar was the most famous one, and recently there was a Chinese CA (I forgot the name) booted from the list as well. Once they’re detected (browsers report SSL certs they see back to mothership for audit) they would be removed from trusted lists though, so chance that they’re only used for high value targets and can’t be used that often.

    • Nibodhika@lemmy.world
      link
      fedilink
      arrow-up
      1
      arrow-down
      4
      ·
      edit-2
      10 months ago

      There are several ways, most common is to MITM the address to redirect to a different but similar one, which is unlikely to get noticed since you know you typed the address correctly or you clicked from a trusted link/favourite, then that wrong address has it’s own valid SSL certificate. Another way is to use self-signed certificates, which browsers would warn people about, but apps are not likely to. Also you can MITM the CA themselves, whole you wouldn’t be able to actually pass by them you can do an exhaustion attack and essentially block all certificate exchanges, yes your site won’t have a valid certificate, but neither will any real site, so most people will just ignore the message the browser is showing them because it’s showing it for every site.

      None of these methods would fool an attentive educated person, but they might fool someone in a rush. Also even if the attack doesn’t succeed in stealing information it 100% succeeds in blocking access, while I might not be as concerned about blocking my Facebook, blocking my bank might prevent me from doing important stuff, and worse people who need to get into their bank are likely to just wave security warnings out of the way without reading them, especially if they’ve been getting them for everything else and nothing had a problem.

      Edit: I also forgot to mention the other ways, there are leaks from CAs constantly, which allow you to either impersonate them or sign other certificates. Sure these get patched rather quickly once found, but after you have the signed certificate from them it’s game over. Also what I was referring in the other post is self-signed certificates, most browsers show a warning about them nowadays, but again you can win by exhaustion.

      • emptiestplace@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        10 months ago

        You went from “MITM TLS is child’s play” to “there are some ways we can social engineer our way around it if the stars align just right” in like one post. You’re clearly not qualified here, stop with the FUD bullshit.