
Forged TLS certificates are used in the wild

A new Facebook study revealed that 0.2% of TLS connections to the site were tampered with. While many of the forged certificates were created either by corporate SSL man-in-the-middle proxies or by antivirus software, a few hundred connections were tapped into by attackers.

What’s worrisome is that Facebook is a high-profile site, and for many people also an authenticator for other services on the web. And yet 3.4% of those tampered connections would have produced certificate errors even where the browser trusted the fraudulent CA. Most of the other connections probably triggered certificate warnings as well. That means a significant number of people ignore certificate warnings even for very important sites.

This clearly shows that there is a high need for extensions like HTTP Strict Transport Security (HSTS), Trust Assertions for Certificate Keys (TACK), DNSSEC-based certificate pinning, or browser extensions like Perspectives for Firefox, which make sure that users can’t ignore certificate warnings in the cases where they really are under a man-in-the-middle attack.
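To make the HSTS part of this concrete, here is an added example (not code from the original post, and not any browser's real implementation) modelling how a browser turns a certificate error into a hard failure once a site has been seen with a Strict-Transport-Security header. It follows the RFC 6797 rules: the header is only honoured over a clean TLS connection, max-age is mandatory, max-age=0 forgets the host, and includeSubDomains extends the policy to child domains. All hostnames and header values are constructed samples.

```python
"""Toy model of HSTS (RFC 6797) policy handling in a browser.

Added illustration, not code from the original post; hosts and
header values below are constructed samples."""
import re
from typing import Dict, Optional, Tuple

MAX_AGE_RE = re.compile(r'^"?(\d+)"?$')


def parse_hsts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age_seconds, include_subdomains), or None if invalid.

    Directives are ';'-separated and case-insensitive; max-age is
    required; a directive appearing twice invalidates the header."""
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(';'):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition('=')
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == 'max-age':
            m = MAX_AGE_RE.match(val.strip())
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == 'includesubdomains':
            include_subdomains = True
        # unknown directives such as 'preload' are ignored, per the RFC
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Known HSTS hosts: host -> (expiry timestamp, include_subdomains)."""

    def __init__(self) -> None:
        self.policies: Dict[str, Tuple[float, bool]] = {}

    def process_response(self, host: str, header: Optional[str],
                         over_tls: bool, now: float) -> None:
        """Apply a Strict-Transport-Security header from a response.

        Only an error-free TLS connection may set policy, otherwise an
        on-path attacker could inject or clear it. max-age=0 removes it."""
        if not over_tls or header is None:
            return
        parsed = parse_hsts_header(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = (now + max_age, include_subdomains)

    def is_known_hsts_host(self, host: str, now: float) -> bool:
        """True if host, or a parent with includeSubDomains, has an
        unexpired policy. Matching is label-wise, so 'evilexample.test'
        does not inherit 'example.test'."""
        labels = host.lower().split('.')
        for i in range(len(labels)):
            policy = self.policies.get('.'.join(labels[i:]))
            if policy is None:
                continue
            expires, include_subdomains = policy
            if expires <= now:
                continue  # stale entry behaves as if absent
            if i == 0 or include_subdomains:
                return True
        return False

    def on_certificate_error(self, host: str, now: float) -> str:
        """UI decision when certificate validation fails for host."""
        if self.is_known_hsts_host(host, now):
            return 'hard-fail'  # connection terminated, no click-through
        return 'warning'        # ordinary interstitial the user may override


def demo() -> Dict[str, str]:
    """Constructed scenario; returns the UI decision for each case."""
    store = HstsStore()
    t0 = 1_000_000.0
    # Clean TLS visit: site pins itself and its subdomains for 180 days.
    store.process_response('example.test',
                           'max-age=15552000; includeSubDomains; preload', True, t0)
    # Same header over plain HTTP must be ignored.
    store.process_response('plain.test', 'max-age=15552000', False, t0)
    # Malformed header (no max-age) is ignored.
    store.process_response('broken.test', 'includeSubDomains', True, t0)
    later = t0 + 3600
    return {
        'example.test': store.on_certificate_error('example.test', later),
        'login.example.test': store.on_certificate_error('login.example.test', later),
        'plain.test': store.on_certificate_error('plain.test', later),
        'broken.test': store.on_certificate_error('broken.test', later),
        'example.test after expiry':
            store.on_certificate_error('example.test', t0 + 15552001),
    }


if __name__ == '__main__':
    for case, decision in demo().items():
        print(f'{case:28s} -> {decision}')
```

The interesting edge cases are the last three: a header over plain HTTP never creates policy, a malformed header is dropped rather than partially applied, and an expired entry silently falls back to the ordinary overridable warning, which is why sites choose a long max-age.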