New Security Flaw Found in HTTPS Connections

A group of analysts and computer scientists from Facebook and Carnegie Mellon University have published a report that claims that a small, but sizable number of connections on the Internet are being made using forged certificates designed to fool the ubiquitous web security provided by HTTPS.


Photo: concept w / Shutterstock

HTTPS is the go-to standard for encrypting connections between users and servers on the open web, and has been a crucial piece of the overall puzzle that keeps the rest of us safe while we browse online.

When querying close to 3.45 million connections to Facebook on an average day of use, the team behind the report concluded that 6,845 of them, or 0.2 percent, were somehow using fraudulent credentials to fool the method of protection that is usually difficult to be unfazed.

But don’t let that number fool you. Despite the small sample size, this threat is actually something to worry about. One need only be reminded that 0.2 percent of a billion users is not exactly a small amount of people who are actively using forged certificates to connect to a site that claims to ward off threats of this kind with supposed 100 percent efficacy.

Perhaps even more concerning than the hole in Facebook was the second most popular use for the faux credentials: fooling adware and malware detection programs into accepting content from less-than-reputable sources based on the data contained within the forged certificate.

“One should be wary of professional attackers that might be capable of stealing the private key of the signing certificate from antivirus vendors, which may essentially allow them to spy on the antivirus users (since the antivirus root certificate would be trusted by the client),” the researchers explained. “Hypothetically, governments could also compel antivirus vendors to hand over their signing keys.”

The programs in question include popular solutions such as Eset, Bitdefender, and Norton, all of which tested positive for the bug and for allowing improperly scripted credential requests to slip by unnoticed to and from the affected user’s machines.

One issuer of TLS and SSL certificates in particular, named IopFailZeroAccessCreate, is apparently responsible for a variety of bug reports that came in across several different platforms, including one made to the Chromium team which alleged that the protection protocol may not be functioning as efficiently or completely as it was originally designed to.

Not one to present a problem without a solution, the team has also created a handy tool for webmasters and server operators to use to test whether or not any TLS connections coming into their sites might not be on behalf of who they say they are. The flash-based applet is capable of tracking the traffic of any given domain and providing real-time results back to the owners which details the number of connections coming in, the nature of their link, and the content being viewed which might be vulnerable to this specialized type of exploit.

For now the problem only seems to affect desktops and laptops, with none of the mobile devices tested sending back any data that could suggest they suffer from the same issues.