
Forged TLS certificates are used in the wild

A new Facebook study revealed that 0.2% of TLS connections to Facebook were tampered with. While many of the forged certificates were created by corporate SSL man-in-the-middle proxies or by antivirus software, a few hundred connections were intercepted by attackers.

What’s worrisome is that Facebook is a high-profile site and, for many people, also an authenticator for other services on the web. Yet 3.4% of those tampered connections would have produced certificate errors even if the browser had trusted the fraudulent CA (because of other defects such as a name mismatch), and most of the other connections probably triggered certificate warnings too. That means a significant number of people click through certificate warnings even for very important sites.

This clearly shows the need for mechanisms that take the decision away from the user when a real man-in-the-middle attack is under way: HTTP Strict Transport Security (HSTS), which makes certificate errors on a known host fatal rather than click-through; Trust Assertions for Certificate Keys (TACK); DNSSEC-based certificate pinning (DANE); or browser extensions like Perspectives for Firefox.
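The HSTS part of that argument is easy to show concretely. The following is an added example, not code from the original post or from Facebook: a minimal HSTS policy cache in the style of RFC 6797, with a `note_header` routine that parses a `Strict-Transport-Security` header received over a valid TLS connection, a `is_known_host` lookup that honours `includeSubDomains` and expiry, and an `on_certificate_error` decision that returns `hard-fail` for known HSTS hosts (RFC 6797 section 8.4 forbids letting the user proceed) and `warn` for everything else. The host names and header values in the demo are constructed for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time at which the policy lapses
    include_subdomains: bool  # includeSubDomains directive was present


class HstsCache:
    """Per-user-agent HSTS policy store (RFC 6797 sections 6.1, 8.2, 8.3, 8.4)."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested offline
        self._hosts = {}     # host name -> HstsEntry

    def note_header(self, host, header_value):
        """Parse a Strict-Transport-Security header and record the policy.

        Must only be called for headers received over a TLS connection with
        no certificate errors; headers on broken connections are ignored by
        the UA. Returns False if the header is malformed (no max-age)."""
        max_age = None
        include_sub = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:
            # max-age=0 tells the UA to forget the host (section 6.1.1)
            self._hosts.pop(host, None)
            return True
        self._hosts[host] = HstsEntry(self._now() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if host, or a superdomain with includeSubDomains, has an
        unexpired policy (section 8.2 / 8.3 matching)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self._now():
                del self._hosts[candidate]  # lazily drop expired policies
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def on_certificate_error(self, host):
        """Decide what the UA does on a certificate error for host:
        'hard-fail' (no interstitial, no way to proceed) for HSTS hosts,
        'warn' (clickable warning page) for everyone else."""
        return "hard-fail" if self.is_known_host(host) else "warn"


if __name__ == "__main__":
    cache = HstsCache()
    # constructed example header, as a site like Facebook would send it
    cache.note_header("www.facebook.com", "max-age=31536000; includeSubDomains")
    for h in ("www.facebook.com", "api.www.facebook.com", "facebook.com"):
        print(h, "->", cache.on_certificate_error(h))
```

Note that the parent domain `facebook.com` stays click-through in the demo because only `www.facebook.com` asserted the policy; real deployments set the header on the apex too, and browsers additionally ship a preload list so the first visit is covered as well.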

Opportunistic encryption in SMTP is here (mostly)

Facebook published statistics on its outgoing SMTP traffic on 13 May 2014. The situation is much better than we previously thought.

A few high points:

  • 76% of the hosts Facebook contacted to deliver email support STARTTLS and correctly negotiated a secure connection
  • 56% of outgoing email gets encrypted with TLS
  • of the encrypted email, over 98% used cipher suites with Perfect Forward Secrecy

The bad:

  • only 25% of domains have matching, trusted and still-valid certificates
  • this falls to 6.6% when counted over unique MX hosts
  • those hosts do, however, handle 59.6% of all mail
  • nearly 50% of email was transferred using RC4, a cipher that may be passively crackable
  • the same RC4 issue affects close to 20% of domains

In summary, it looks like we are on a good road toward strict certificate checking in SMTP using DANE.
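The difference between the opportunistic encryption measured above and the DANE-enforced delivery this post hopes for comes down to one decision in the sending MTA. The following is an added example, not Facebook's code or any real MTA's: an offline simulation of that decision. `advertises_starttls` parses the EHLO response (RFC 3207), `classify_cipher` flags the negotiated cipher for forward secrecy and RC4 as the statistics do, `tlsa_matches` implements the RFC 6698 matching for a `3 0 x` TLSA record (DANE-EE, full certificate, exact/SHA-256/SHA-512), and `decide_delivery` applies opportunistic policy when no TLSA records exist and DANE policy (RFC 7672) when they do. The EHLO responses and the stand-in certificate bytes are constructed for the example; a real check would hash the DER certificate taken from the TLS handshake and would only trust TLSA records that validated under DNSSEC.

```python
import hashlib
import re

# Constructed EHLO responses standing in for real MX servers (not captured traffic).
EHLO_WITH_STARTTLS = [
    "250-mx.example.net Hello",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 8BITMIME",
]
EHLO_PLAINTEXT_ONLY = [
    "250-mx.legacy.example Hello",
    "250 8BITMIME",
]

# Stand-in for the server's DER-encoded end-entity certificate (constructed).
FAKE_CERT_DER = b"constructed-stand-in-for-der-certificate"
# TLSA tuples are (usage, selector, matching_type, data).
GOOD_TLSA = (3, 0, 1, hashlib.sha256(FAKE_CERT_DER).digest())   # "3 0 1 <sha256>"
BAD_TLSA = (3, 0, 1, bytes(32))                                   # hash of some other cert


def advertises_starttls(ehlo_lines):
    """RFC 3207: the server offers TLS by listing STARTTLS as an EHLO keyword."""
    return any(re.match(r"250[- ]STARTTLS\s*$", line, re.I) for line in ehlo_lines)


def classify_cipher(openssl_name):
    """Classify a negotiated cipher by OpenSSL name: ephemeral (EC)DH key
    exchange gives forward secrecy; RC4 is the suite this post worries about."""
    name = openssl_name.upper()
    return {"pfs": name.startswith(("ECDHE-", "DHE-")), "rc4": "RC4" in name}


def tlsa_matches(tlsa, cert_der):
    """Match one TLSA record (RFC 6698) against the server certificate.

    Supports usage 3 (DANE-EE) with selector 0 (full certificate) and matching
    types 0 (exact), 1 (SHA-256) and 2 (SHA-512). Other usages need chain
    building and selector 1 needs SPKI extraction, so they are rejected here."""
    usage, selector, mtype, data = tlsa
    if usage != 3 or selector != 0:
        return False
    if mtype == 0:
        return data == cert_der
    if mtype == 1:
        return data == hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return data == hashlib.sha512(cert_der).digest()
    return False


def decide_delivery(ehlo_lines, tlsa_records, cert_der):
    """Return the action a sending MTA takes for one MX host.

    No TLSA records: opportunistic mode (RFC 7435): use TLS if offered and
    accept any certificate, otherwise fall back to plaintext.
    TLSA records present: DANE mode (RFC 7672): STARTTLS is mandatory and the
    certificate must match a record; on failure the mail is deferred, never
    downgraded."""
    offers_tls = advertises_starttls(ehlo_lines)
    if not tlsa_records:
        return "send-tls-unauthenticated" if offers_tls else "send-plaintext"
    if not offers_tls:
        return "defer-starttls-missing"
    if any(tlsa_matches(rec, cert_der) for rec in tlsa_records):
        return "send-tls-dane-verified"
    return "defer-tlsa-mismatch"


if __name__ == "__main__":
    for ehlo, tlsa in ((EHLO_PLAINTEXT_ONLY, []), (EHLO_WITH_STARTTLS, []),
                       (EHLO_PLAINTEXT_ONLY, [GOOD_TLSA]),
                       (EHLO_WITH_STARTTLS, [GOOD_TLSA]),
                       (EHLO_WITH_STARTTLS, [BAD_TLSA])):
        print(decide_delivery(ehlo, tlsa, FAKE_CERT_DER))
    print(classify_cipher("ECDHE-RSA-AES128-GCM-SHA256"), classify_cipher("RC4-SHA"))
```

The point of the two "defer" outcomes is the one the statistics above hide: with only 6.6% of MX hosts presenting a certificate that validates, an MTA that insisted on validation today would bounce most mail, whereas DANE lets each receiving domain opt into strict checking by publishing TLSA records, so the sender enforces exactly where the receiver has promised it will pass.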