My advisor and I finally formalized a topic for my senior project next semester. He is a graduate student studying SSL vulnerabilities (a copious amount), and I contacted him because I have an interest in security. My background in security is not as concrete as others', and mostly consists of war games, CTFs, and online research. I wanted to finally dive into security in a formal setting, mentored by peers much more knowledgeable than I am, so instead of a dull project (creating a website), I wanted to challenge myself and step outside of my comfort zone.
There are many issues with SSL that have been harped on by more well-informed members of the community, but the biggest one is that SSL is a trust-based security protocol. Man-in-the-middle attacks are relatively easy and can produce catastrophic results. For instance, if Alice is trying to connect to PayPal, well, I can intercept her packets before they hit PayPal. This is because before an HTTPS connection is established, she sends an HTTP request to PayPal for a certificate - which can be easily sniffed since it is not secure. That way, I can send a request to PayPal, get a certificate, and send it to Alice so she thinks she’s talking to PayPal, but in reality, I’m the one talking to PayPal and she’s talking to me. In turn, I’m stealing her credit card information to buy textbooks (they’re so goddamn expensive!). There are many other flaws including certificate chaining, key pinning, etc.
Moxie Marlinspike decided to create a CA alternative, Convergence, which is an amazing tool that allows a third party to request a certificate for you so you can verify whether both certificates, yours and Convergence’s, are the same. He also went on to create TACK. [His talk at BlackHat was fantastic]
Does That Mean That There Are No More SSL Vulnerabilities?
Some people might think that these CA alternatives are the deus ex machina for a more secure protocol - but obviously there are more vulnerabilities being frequently found (Heartbleed and POODLE distinctly come to mind) that CA alternatives cannot help. That’s why I wanted to take on analyzing the integrity of these CA alternatives.
Initial Design & Thought Process
There are some initial questions that came to mind, such as what determines robustness, what is the ground truth, and many others that I have yet to hash out. But my general design plan consists of integrating CA alternatives with CertShim (a lightweight retrofit to SSL implementations that protects against SSL vulnerabilities), passively scanning across multiple domains, and storing the results in a database. Then I can statistically analyze the results to provide a detailed conclusion.
That’s basically what I have so far. I need to peruse more literature in order to help bolster my project, as well as fine-tune my design.
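The notary comparison and the scan-then-store plan described above, sketched as an added example (not code from Convergence, CertShim, or this project). The function names, the quorum rule, the SQLite schema, and the sample byte strings are assumptions made for illustration; the byte strings stand in for DER certificates that a real scanner would collect from live handshakes.

```python
import hashlib
import sqlite3

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def notary_verdict(local_der, notary_ders, quorum):
    """Compare the certificate the client saw with what each notary saw.

    'agree'        -> at least `quorum` notaries saw the same certificate
    'mismatch'     -> enough notaries answered, but too few saw the same one
    'inconclusive' -> fewer than `quorum` notaries answered (None = no answer)
    """
    answered = [d for d in notary_ders if d is not None]
    if len(answered) < quorum:
        return "inconclusive"
    local_fp = fingerprint(local_der)
    matches = sum(fingerprint(d) == local_fp for d in answered)
    return "agree" if matches >= quorum else "mismatch"

def scan(observations, quorum=2):
    """Store one verdict per domain in an in-memory database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE results (domain TEXT PRIMARY KEY, local_fp TEXT, verdict TEXT)")
    for domain, local_der, notary_ders in observations:
        verdict = notary_verdict(local_der, notary_ders, quorum)
        db.execute("INSERT INTO results VALUES (?, ?, ?)",
                   (domain, fingerprint(local_der), verdict))
    db.commit()
    return db

def verdict_counts(db):
    """Aggregate verdicts, the starting point for any statistical analysis."""
    return dict(db.execute("SELECT verdict, COUNT(*) FROM results GROUP BY verdict"))

# Constructed sample data: placeholder bytes, not real certificates.
CERT_A = b"constructed-certificate-A"
CERT_B = b"constructed-certificate-B"  # what a client behind an interceptor would see
OBSERVATIONS = [
    ("shop.example", CERT_A, [CERT_A, CERT_A, CERT_A]),  # every view agrees
    ("bank.example", CERT_B, [CERT_A, CERT_A, None]),    # local view differs
    ("mail.example", CERT_A, [CERT_A, None, None]),      # too few notaries answered
]

if __name__ == "__main__":
    print(verdict_counts(scan(OBSERVATIONS)))
```

Keeping "inconclusive" separate from "mismatch" matters for the analysis step: an unreachable notary is not evidence of interception, and folding the two together would inflate the mismatch rate.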
What I Expect To Gain
I really hope that this will be beneficial for the security community and that I will become more educated on SSL as a whole.