HTTPS Security and Spoofing – Who is that Man in the Middle?

HTTP stands for Hyper Text Transfer Protocol and is widely used on the Internet. In the early years of the Internet, it was acceptable for this protocol to ask for login credentials and the like, as there was not much danger of people sniffing your data packets to steal your login credentials for different websites. When people sensed the danger, HTTPS (HTTP Secure) was invented, which encrypts the data exchanged between you (the client) and the website you are interacting with.


Until a few years ago, HTTPS was considered foolproof, until a person named Moxie proved it wrong by spoofing HTTPS. This was done by intercepting data packets in the middle of the communication: someone spoofed the HTTPS security key to make you believe the connection was still encrypted. This article studies HTTPS spoofing, a technique that even well-known companies have employed to watch you and snoop on your activities. Before understanding the Man in the Middle attack, you’ll need to know about the HTTPS certificate key, which is spoofed to make you believe nothing is wrong.


What Is HTTPS Website Certificate Key

There are certain Certificate Authorities that offer “fitness” certificates to websites. Many factors determine the “fitness” factor: encrypted connection, virus-free downloads and a few other things. HTTPS means your data is secure when transacting. HTTPS is mainly used by e-commerce stores and by sites that hold data or information that is private to you, such as email sites. Social networking sites like Facebook and Twitter use HTTPS too.

With each certificate, there is a key that is unique to that website. You can view the certificate key of a website by right-clicking on its webpage and selecting PAGE INFO. Depending on the browser, you will get different types of dialog boxes. Look for CERTIFICATE and then THUMBPRINT or FINGERPRINT. That will be the website certificate’s unique key.

HTTPS Security and Spoofing

Coming back to how safe you are with HTTPS: the certificate key can be spoofed by third parties sitting between the client and the website. This technique of prying into your conversations is called Man in the Middle.

Here is how your browser is sent to HTTPS: either you click on a LOGIN button/link or you type in the URL. In the first case, you are sent directly to the HTTPS page. In the second case, where you type in the URL, unless you type in HTTPS, the DNS will resolve to a page that directs you to the HTTPS page using an automatic redirect (302).

The Man in the Middle has certain methods to catch your first request to access the website, even if you typed HTTPS. The Man in the Middle could be your browser itself. Opera Mini and BlackBerry browsers do it to catch the communication from the beginning and decrypt it so that it can be compressed for faster browsing. This technique is wrong – in my opinion – as it facilitates eavesdropping, but then, the companies say nothing is logged.

When you type in a URL, or click a link or bookmark, you ask the browser to make a connection (preferably) with the secure version of the website. The Man in the Middle creates a fake certificate that is hard to identify as faulty, because website certificates have the same format irrespective of the Certificate Issuing Authority. The Man in the Middle successfully spoofs a certificate and creates a THUMBPRINT that is checked against the “Certificate Authorities that your browser already trusts”. That is, it appears that the certificate was issued by a company that is on your browser’s list of trusted certificate authorities. This makes the browser believe the certificate key is valid, and it provides encryption data to the Man in the Middle. Thus, the Man in the Middle now has the key to decrypt the information you are sending over that connection. Note that the Man in the Middle is also working on the other side, sending your information on to the website – sincerely, but in a way that lets it read it.

This explains website HTTPS spoofing and how it works. It also indicates that HTTPS is not fully secure. There are few tools that would let us know that there is a Man in the Middle, unless one is a highly trained computer expert. For the common man, the GRC website offers a method to retrieve the THUMBPRINT. You can check the certificate THUMBPRINT at GRC and then match it with the one you retrieved using PAGE INFO. If they match, it is okay. If they do not, there is a Man in the Middle.
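The thumbprint comparison described above can also be scripted. The following is an added example, not code from the original article or from GRC: it hashes the certificate your own connection was served and compares it with a reference thumbprint obtained over a different network path. The function names and the two sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

# The hex length of a thumbprint tells us which hash produced it.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

def normalize(fp_text):
    """Strip the colons/spaces that certificate dialogs display; lower-case the hex."""
    cleaned = "".join(ch for ch in fp_text if ch not in ": \t\n").lower()
    if len(cleaned) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-1 or SHA-256 thumbprint: %r" % fp_text)
    return cleaned

def fingerprint(der_bytes, algo="sha256"):
    """A certificate thumbprint is the hash of the certificate's DER encoding."""
    return hashlib.new(algo, der_bytes).hexdigest()

def display_form(hex_fp):
    """Format hex in the AA:BB:CC style shown in certificate dialogs."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()

def matches_reference(der_bytes, reference_fp):
    """Compare the certificate we were served with an out-of-band thumbprint."""
    ref = normalize(reference_fp)
    local = fingerprint(der_bytes, ALGO_BY_HEX_LEN[len(ref)])
    return hmac.compare_digest(local, ref)

def fetch_der(host, port=443):
    """Fetch the leaf certificate exactly as this network path presents it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

# Constructed stand-ins for DER certificates (not real certificates), so the
# comparison can be run offline. On a live check, use fetch_der("<hostname>").
SERVED_BY_SITE = b"constructed-der-bytes-of-the-genuine-certificate"
SERVED_BY_PROXY = b"constructed-der-bytes-of-a-substituted-certificate"

if __name__ == "__main__":
    # Reference thumbprint as it would be read from an independent vantage point.
    reference = display_form(fingerprint(SERVED_BY_SITE, "sha1"))
    print("reference thumbprint:", reference)
    print("direct path matches:     ", matches_reference(SERVED_BY_SITE, reference))
    print("intercepted path matches:", matches_reference(SERVED_BY_PROXY, reference))
```

The check is only meaningful when the reference thumbprint reaches you over a path the interceptor does not control. Large sites may also serve several valid certificates, so a mismatch is a signal to investigate rather than proof on its own.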

Arun Kumar is a Microsoft MVP alumnus, obsessed with technology, especially the Internet. He deals with the multimedia content needs of training and corporate houses. Follow him on Twitter @PowercutIN