US govt left vulnerable by expired SSL certs

By on
US govt left vulnerable by expired SSL certs

Users trained to click through warnings.

Concerns are being raised that the large number of expired Secure Sockets Layer (SSL) certificates employed by United States government web sites may help attackers perform otherwise difficult to accomplish man-in-the-middle interception attacks.

SSL and its successor Transport Layer Security (TLS) let hosts on the Internet exchange X.509 digital certificates to verify their identities and to encrypt the data flows between them, so as to secure communications. A valid certificate is required for communications security to be complete.

Web analysts Netcraft said that partly as a consequence of the US government shutdown, over two hundred official sites now use expired SSL certificates. 

As access to information is necessary for US government employees and ordinary people, Netcraft believes users are effectively being trained to ignore and click through the warning messages. 

Once a user treats the SSL warning message as normal, attackers have a chance to utilise bogus, untrusted certificates to trick users into trusting a site that may be hostile.

Research from University of California [PDF] shows that people are very likely to click through SSL warning messages. Depending on the web browser used, between 57 per cent and 87 per cent of expired certificate or error messages were dismissed by users.

Google Chrome warning for the expired SSL certificate for a US government site
Google Chrome warning for the expired SSL certificate of a US government site

Making the situation worse, common web browsers do not properly warn users of serious problems with SSL certificates, Netcraft says.

"When an SSL error occurs, some browsers only display a single error message, sometimes not the most serious, or even a generic error message for all types of SSL error. An attacker can exploit this vulnerable browser behaviour on SSL sites with expired certificates to perform an almost seamless man-in-the-middle attack.

"By signing his or her own expired SSL certificate for a US government website, the SSL error message displayed for the attacker's SSL certificate is indistinguishable (in some browsers) from the error message produced by the real SSL certificate belonging to the US Government," warned Netcraft.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
certificates government shutdown infosec mitm security ssl united states

Most Read Articles

Telstra sets $65 a month as minimum spend to get 5G access

Telstra sets $65 a month as minimum spend to get 5G access
Woolworths pays record $1m fine for spamming customers

Woolworths pays record $1m fine for spamming customers
Siemens chases Telstra customers over alleged cracked software use

Siemens chases Telstra customers over alleged cracked software use
Australia Post to expand its network transformation

Australia Post to expand its network transformation
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Get IT, finance and business on the same page
Get IT, finance and business on the same page
Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
Organizations Increasing Their Adoption of NFV
Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD

Events

Log In

Username / Email:
Password:
  |  Forgot your password?