Abstract
Although recent compromises and admissions have lent new credibility to reported encounters with Man-in-the-middle (MitM) attacks on SSL/TLS, very little proof exists in the public realm. In this paper, we report on the development and deployment of Crossbear, a tool to detect MitM attacks on SSL/TLS and localise their position in the network with a fair degree of confidence. MitM attacks are detected using a notary approach. For the localisation, we use a large number of traceroutes, conducted by so-called hunters from many positions on the Internet. Crossbear collects this data, orchestrates the hunting from a central point and provides the data for analysis. We outline the design of Crossbear and analyse the effectiveness it achieves against attackers of different kinds and strengths. We also explain how the analysis can make use of out-of-band sources such as Autonomous System lookups and geo-IP mapping. Crossbear is already available, and 150 hunters have been deployed on the global PlanetLab testbed.
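To make the two ideas in the abstract concrete, the following is an added example (not Crossbear's own code, and not the paper's localisation algorithm): a notary-style comparison of the certificate each hunter receives against the certificate the notary itself observed, followed by a simplified traceroute-intersection heuristic that ranks hops by how many "poisoned" traces contain them while discarding hops that also lie on a trace that received the genuine certificate. The host name, hop addresses, certificate bytes, hunter reports and the scoring rule are all constructed for illustration.

```python
# Added example, not Crossbear's code: notary-style MitM detection plus a
# simplified traceroute-intersection heuristic for localising the attacker.
# All host names, hop addresses, certificate bytes and reports are constructed.

import hashlib
from collections import Counter

# Constructed: what the notary saw for the host from its own vantage point,
# stored as SHA-256 over the (here fake) DER-encoded certificate.
NOTARY_VIEW = {"example.test": hashlib.sha256(b"genuine-cert-der").hexdigest()}

# Constructed hunter reports: the certificate each hunter received during its
# TLS handshake and the traceroute hops it recorded towards the target.
HUNTER_REPORTS = [
    {"hunter": "h1", "host": "example.test", "cert": b"genuine-cert-der",
     "trace": ["10.0.1.1", "10.0.9.1", "203.0.113.1", "198.51.100.7"]},
    {"hunter": "h2", "host": "example.test", "cert": b"rogue-cert-der",
     "trace": ["10.0.2.1", "192.0.2.5", "192.0.2.9", "198.51.100.7"]},
    {"hunter": "h3", "host": "example.test", "cert": b"rogue-cert-der",
     "trace": ["10.0.3.1", "192.0.2.9", "198.51.100.7"]},
    {"hunter": "h4", "host": "example.test", "cert": b"genuine-cert-der",
     "trace": ["10.0.4.1", "203.0.113.1", "198.51.100.7"]},
]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as notaries commonly compare."""
    return hashlib.sha256(cert_der).hexdigest()


def classify(reports, notary_view):
    """Split reports into those agreeing with the notary (clean) and those
    presenting a different certificate (poisoned, i.e. a suspected MitM)."""
    clean, poisoned = [], []
    for r in reports:
        expected = notary_view.get(r["host"])
        (clean if fingerprint(r["cert"]) == expected else poisoned).append(r)
    return clean, poisoned


def localise(clean, poisoned):
    """Rank candidate MitM positions.

    Heuristic (an assumption of this example): the attacker sits on every path
    that received the rogue certificate and on no path that received the
    genuine one. Hops are scored by the number of poisoned traces containing
    them; any hop also seen on a clean trace is discarded.
    """
    clean_hops = {hop for r in clean for hop in r["trace"]}
    counts = Counter(hop for r in poisoned for hop in set(r["trace"]))
    suspects = {hop: n for hop, n in counts.items() if hop not in clean_hops}
    # Highest score first; ties broken by address string for stable output.
    return sorted(suspects.items(), key=lambda kv: (-kv[1], kv[0]))


def run_example():
    """Run detection and localisation over the constructed reports."""
    clean, poisoned = classify(HUNTER_REPORTS, NOTARY_VIEW)
    return localise(clean, poisoned)


if __name__ == "__main__":
    for hop, score in run_example():
        print(f"{hop}: seen on {score} poisoned trace(s)")
```

On the constructed data the shared hop 192.0.2.9 scores highest, while the target's own address 198.51.100.7 is dropped because clean hunters reach it as well. The heuristic assumes the attacker does not tamper with traceroute replies and that routing is stable over the measurement window; the paper's analysis of attackers of different strengths and its use of AS lookups and geo-IP mapping address exactly the cases where these assumptions do not hold.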
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Holz, R., Riedmaier, T., Kammenhuber, N., Carle, G. (2012). X.509 Forensics: Detecting and Localising the SSL/TLS Men-in-the-Middle. In: Foresti, S., Yung, M., Martinelli, F. (eds) Computer Security – ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science, vol 7459. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33167-1_13
DOI: https://doi.org/10.1007/978-3-642-33167-1_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33166-4
Online ISBN: 978-3-642-33167-1
eBook Packages: Computer Science (R0)