Incident Response, TDR, Threat Management

Researchers detect SSL MitM attacks, method implemented by Facebook

While interning with the Facebook Product Security team, Lin-Shung Huang, a Carnegie Mellon University graduate student, began developing a method for detecting SSL man-in-the-middle (MitM) attacks, which the popular social media website has now implemented.

But the method could – and should – be implemented everywhere, including on mobile platforms, Collin Jackson, a fellow researcher and Huang's academic advisor, told in a Tuesday email correspondence.

Huang released the report last week, “Analyzing Forged SSL Certificates in the Wild.” It is coauthored by Jackson, as well as Alex Rice and Erling Ellingsen, two Facebook security experts.

Using the detection method, the group analyzed nearly 3.5 million SSL connections to Facebook and determined that almost 7,000 of the connections, or 0.2 percent, were made using tampered SSL certificates – something that Jackson said he found surprising.

“Yes, 0.2 percent is interesting since our research was the first to quantify the prevalence of forged certificates,” Jackson said. “Also, even though the percentage is tiny, a small fraction of billions of internet users would still be a lot of requests.”

Most of the forged SSL certificates discovered by the researchers were generated by anti-virus vendors, such as Bitdefender and ESET, or network security appliances, such as Fortinet and NetSpark, for the purpose of inspecting SSL traffic, Jackson said.

But that is not all.

“We found malware that performed [MitM] attacks on users' encrypted SSL communications to Facebook – we observed infected clients in 45 different countries,” Jackson said, explaining Mexico, Argentina and the United States had the highest number of occurrences.

The detection method utilizes the Flash Player plug-in to enable socket functionalities not native to browsers, and the researchers implemented a partial SSL handshake to capture forged certificates, according to the report.

“The method can be applied in the real world, and it could be implemented immediately,” Jackson said. “Similar mechanisms can be implemented on mobile platforms such as iOS and Android.”

A Facebook spokesperson told in a Wednesday email correspondence that the method for detecting SSL MitM attacks has already been implemented by the popular social media company, and added that continued studying and understanding of the research is important.

Huang and his co-authors will be in California on May 19 to present their research at the 35th IEEE Symposium on Security and Privacy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.