The AdaptiveMobile Blog
Keeping The “Secure Channel” Secure
When we talk about “secure channel” we mean a HTTPS or SSL/TLS connection that is primarily used for high value sites such as banks and ecommerce sites. This type of connection is certificate-based, which means not only is it a credible website, but any sensitive data provided will get safely to the intended location. This ensures users’ identities are safe from prying eyes, including the ISP, mobile operators or Government.
With the rise of online hacking and an erosion of privacyfrom the Government, secure channels are more important than ever. Any site can provide such a secure channel – all the owner needs is a cryptographic certificate signed by a global trusted third party.
Researchers recently suggested that the secure sockets layer (SSL) and transport layer security (TLS) encryption protocol, used by millions of websites to secure web communications via HTTPS, is vulnerable to attack. This does not appeared to have worried browser developers, however this has probably accelerated the overhaul of the SSL ecosystem. It seems there is a more serious vulnerability with SSL however that is going to cause more than just security concerns – the Government. With the rise of online hacking and the use of social media for organised crime such as the recent riots, the Government and authorities are increasingly looking to know what is inside the channel, which will likely open up the browsers to even more exploits.
To circumvent country specific restrictions, conceal IP address or location people often use anonymous proxy web sites, but introducing measures to detect the use of these is a trivial exercise for mobile operators and ISPs. Introduce HTTPS into that and all that can be seen is that the user is accessing an IP address and the data is encrypted.
So what is the solution? Many experts will propose that the ISP or mobile operator should provide the cryptographic certificate on behalf of the web site the user is trying to access. This will allow the request to the anonymous proxy site to be viewed once again and the end user protected. However in this process, the once secure channel becomes viewable. This solution is commonly referred to as a man-in-the-middle attack, where the ISP or mobile operator is posing as the issuer of the certificate.
It should be noted that this doesn’t work, especially if you are attentive to browser warnings. The ISP or mobile operator does not have the authority to issue a certificate on behalf of the secure web site you are accessing and your browser will complain. This sort of solution will only lead to the weakening of the secure channel. If an ISP or mobile operator is required to issue fake certificates so that authorities can view or control web browsing, users will be constantly required to accept and eventually ignore the browser warnings. This will mean legitimate sites such as banks will become susceptible to being spoofed by hackers who manage to compromise DNS servers or home computer DNS caches. To the user, it will appear they are going to their secure bank, but they will in reality be accessing the hacker’s bank.
So what can we do about it? We need to ensure that certificates are valid and heed the browser warning. In fact an ISP or mobile operator has the capabilities to ensure that only valid certificates are passed to users, and this can be done without any risky invasion of privacy or compromise in security. Malicious or illegal web sites should be blocked, even if they are HTTPS, by denying the certificate issued by the malicious site from being downloaded and stopping the web site from being accessed.
Most importantly, we shouldn’t try to look into the secure channel at all. The Governments plans to filter social media to prevent any further outbreaks of violence and crime will cause more damage than good, only leading to a watering down of web security.