web application security lab

Prior Knowledge Of User’s Cert Warning Behavior


One of the issues Josh and I talked about at Blackhat was how the SSL certificate warning message can be used to gain information about a user’s behavior, and how that information can then be used against the user. Let’s say a man in the middle causes a certificate error by proxying a well-known owner/subsidiary site. For example, take https://www.youtube.com/, which most technical people know belongs to Google and which, incidentally, causes SSL/TLS mismatch errors because it’s mis-configured. Experts who see such an error and investigate will conclude it’s just a dumb (innocent) error. Non-experts will click through immediately, because they always do when they see such things.

By measuring the wait time before the click-through, the attacker can tell which type of user the victim is - a technical one or a novice. If the user is a novice, the attacker knows they don’t have to worry anymore: they can deliver their snake oil cert later, because a user who goes through the warning “quickly” will most likely behave the same way again. Of course, figuring out the timing might be a bit tricky, because really new users will be awfully confused by cert warnings and will seem “slow”, I’d bet. Anyway, something to investigate further.

5 Responses to “Prior Knowledge Of User’s Cert Warning Behavior”

  1. Angel One Says:

    You’d also have to account for browser type - some browsers take more mouse clicks to accept a cert, so essentially you’d have to track timing for users by browser.

  2. RSnake Says:

    @Angel One - yup, I was thinking the same thing. I think Firefox would be the easiest given the vast number of annoying things you have to do just to accept an invalid cert. It really sucks when you’re testing… man!

  3. Dwayne Litzenberger Says:

    @RSnake Really? I’d think Firefox would be the hardest to attack, since there’s only one additional click between checking vs. ignoring the reason for the certificate warning. (All you do is expand the “Technical Details” section.)

    Cool idea, though. Good work!

  4. Ta Duy Duc Says:

    I was planning to say exactly what Angel One said.

    But since we sent the cert to browser, we can already identify which browser is which.

    There are a lot of variables to take into the guessing.

  5. RSnake Says:

    @Dwayne - it took me a while to think through it properly, but I bet you’re right (in the case where people use that method). There’s another method that requires clicking on view details to see it. I don’t know the percentage of how many hackers use it over the method you describe though. I use both, but in the case where I don’t know if it’s bad or not I click the view details because the information is more thorough than that drop-down. Thanks for bringing that up!

    @Ta Duy Duc - agreed, lots of variables, but I bet it could be done against at least some modern browsers.