The U.S. Computer Emergency Readiness Team (US-Cert) issued a warning last week stating HTTPS interception weakens TLS security. As the use of encryption for privacy has increased, the security industry has responded by intercepting and decrypting SSL sessions to perform deep-packet inspection (DPI).
The ongoing Apple versus the FBI debate has me thinking more about the implications of encryption. Whether or not national governments around the globe choose to go down the path of further regulating encryption key lengths, requiring backdoors to encryption algorithms, mandating key escrow for law enforcement purposes, or generally weakening the implementations of encrypted communications and data storage in consumer technologies, the use of encryption will increase – and in parallel – network visibility of threats will decrease.
The recent Superfish debacle is yet another reminder that as security professionals we live in an inherently post-prevention world. Increasingly everyone must assume that despite all our best efforts, users on our networks are may already compromised. While the focus is often on the many ways that a user can be infected with malware, Superfish is a reminder that a device can be compromised before it ever comes out of the box.
As a quick recap, Superfish is software that acts as an SSL man-in-the-middle in order to control the ads a user sees while browsing the Web – it’s “adware” which pretends to provide a service you would want. To break SSL encryption without triggering a browser warning, Superfish installs a signed root certificate on the machine. More specifically, the software installs the exact same root cert on a series of laptops, and researchers (and attackers) are able to quickly extract the cert. Rob Graham at Errata Security provides a nice write-up on how he was able to do this.