SSL security issue caused by the Iranian government: Answers to your Questions
Okay, here is the second volume of my assessment over the security issue caused by the Iranian government. This is following the previous post of this blog entitled: SSL Security Issue caused by the Iranian government: In depth Look! , in case you are lost!
In this writing, I am going to mainly focus on the questions that I have been asked since yesterday, some of which I have personally answered so far.
Okay, one of the frequently asked questions was:
Does the invalid SSL certificate in fact redirect the victim to another computer apart from the sender and the intended receiver?
The answer to this question is, No. SSL certificate does not have the ability to redirect you. It is your Internet Service Provider that redirects your connection to super computer. What SSL does (or is supposed to do) is to encrypt your data, so no computer other than the intended receiver is going to be able to open it.
What does exactly happen in that “Super Computer” that enables them, supposedly the government, to be able to steal the data?
As I mentioned in the previous entry, by accepting an invalid certificate, you are accepting the risk of acknowledging another computer as your destination (intended receiver). By doing so, you are allowing that fake receiver to open the header containing the key to the encryption of your data made by your SSL encryptor. Once opened, it gets recorded or spying purposes, and then gets forwarded to the intended receiver. Whereas the intended receiver recognises the request as if it is sent mainly from that computer (the fake receiver), it then automatically recognises it as the true sender of the request. In which case, the respond to the request shall therefore be sent to it, instead of you. Once this fake receiver receives the information, it then records it, and forwards it to your computer, which allows you to see the information you had requested leaving you unaware that you data as been monitored.
It can make a better sense if you have look at figure 1 .
It is in fact unnecessary to direct data through a computer. The switches and routers are well capable of redirecting the data to the intended receivers without requiring any further involvements of computers (as we call them). In which case, the data transfer should normally take place via the RED connected in figure 1, whereas it is now taking place via the BLUE connection.
Can antivirus software, or firewalls be of any assistance?
No, to my knowledge, there is no antivirus that or firewall software that can control what is happening beyond the Application layer in OSI model. And firewall devices (which of course are not used in home networks) do not recognise this unless they are programmed accordingly.
Would updating our Operating Systems, browsers, or other medium software help?
It would help you having an up-to-date database of the accepted and valid certificates. But it will NOT prevent nor stop the event. You will still face invalid certificates and it is YOU who must remain cautious not to mistakenly accept an invalid certificate.
I have already accepted an invalid certificate, what shall I do now? Am I all gone?
I cannot say if your data has been retrieved from the server or not. Nor can I suggest if you have been monitored or not. But what you can do now is to open the certificate library of your operating system, Windows, Linux, Mac OS X, Unix, BSD, Solaris, whatever it is. Open it, find all the invalid / expired certificates, and manually delete them. Once accomplished, attempt to change all your security credentials, passwords, security questions and so forth. AVOID accepted any invalid certificates. Following this, you may be sure that you are no more being monitored.
Are VPNs Safe?
No, they are mostly not. VPN, or Virtual Planned Network, is a secure way of connecting to an internetwork. VPNs usually use SSL certificates, and for financial reasons, and the fact that they are private networks; validated certificates are NOT used within them. In which case, the VPN users are left with no option but accepting an invalid certificate. Some operating systems even have the option of “Accept the SSL Certificate” set on them and marked as default. So no matter what, they get accepted. Upon the acceptance, you would face the same issue, however, in an even wider aspect. You are risking your own computer data getting monitored.
Is there any way at all to avoid accepting the certificate?
Yes, there are three methods, out of which 2 can be done through normal users. However, the third requires power user who has in-depth knowledge in the operating system level networking.
1- You may use proxy servers. However, you should be careful to use only the proxy servers that work completely indirectly. So you requested website, in fact, gets loaded in the host server of the proxy service provider, and then a link from their server is appeared at your URL bar. So for instance, if you attempt to open “https://www.gmail.com/” you do not see any sign of “gmail” or “google” or anything identical to them in your URL bar. (as seen in figure 2.)
FIGURE 2 (Click on the photo to enlarge).
2- Use IP / Port redirection system. Although there is no guarantee in it, it is very likely that the data going out of your computer (or coming in) form any ports other than 80 / 8080 don’t get monitored. Because monitoring over 64000 ports from each computer connected to the internet in a country wouldn’t be so pleasant to the ISP, even for a super computer. Please note that all you need to redirect is you HTTPS traffic. You don’t need to redirect everything since it reduces your speed of browsing, as shown in figure 3. (sorry I don’t have Windows on any of my computers, but it’s not difficult to find where these settings are placed).
3- This is the difficult solution. What you need to do, is to find a valid certificate of the website you are willing to use, and set it as the default SSL certificate for that website. But this needs to be done manually, and is not particularly the easiest thing to do. Specially in Windows, where it must be done through registry system. So, no matter what, the computer will stick to that certificate for that website. An example on the OS X would be as follows in Figure 4.
This will conclude this question/answer session. Please do not hesitate to leave comments, make questions and enquiries, or otherwise email me.
Thank you for spending time on my blog.