The TOR team have discovered a fake certificate in the wild. The certificate, issued by a US company called Cyberoam, was used in an attempt to trick a user in Jordan into believing that her/his connection to the TOR website, was private and secure, though in fact it was being spied upon by a Cyberoam device. Cyberoam makes "deep packet inspection" software, used in mass surveillance of Internet traffic, and as TOR's Runa Sandvik and OpenSSL's Ben Laurie investigated the matter, they discovered that all Cyberoam devices share a common vulnerability related to their handling of certificates. The company was notified of this on June 30, and told that the vulnerability would be made public today.
Last week, a user in Jordan reported seeing a fake certificate for torproject.org. The user did not report any errors when browsing to sites such as Gmail, Facebook, and Twitter, which suggests that this was a targeted attack. The certificate was issued by a US company called Cyberoam. We first believed that this incident was similar to that of Comodo and DigiNotar, and that Cyberoam had been tricked to issue a fake certificate for our website.
After a bit of research, we learned that Cyberoam make a range of devices used for Deep Packet Inspection (DPI). The user was not just seeing a fake certificate for torproject.org, his connection was actually being intercepted by one of their devices. While investigating this further, Ben Laurie and I found a security vulnerability affecting all Cyberoam DPI devices.
Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key. It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or to extract the key from the device and import it into other DPI devices, and use those for interception.
Security vulnerability found in Cyberoam DPI devices (CVE-2012-3372)
In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt “Certificate Authorities,” the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger — bad certificates could allow anything from eavesdropping on financial transactions to […]
Troy Hunt, proprietor of the essential Have I Been Pwned (previously) sets out the hard lessons learned through years of cataloging the human costs of breaches from companies that overcollected their customers’ data; undersecured it; and then failed to warn their customers that they were at risk.
A security researcher has published a vulnerability and proof-of-concept exploits in Google’s Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor; these vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months […]
The Raspberry Pi Foundation has done outstanding work packing a fully capable desktop computer into a package the size of a deck cards—especially one that only costs $35. But if you already have a working laptop, why should you care? Oh, how much you have to learn. Besides operating well as a compact digital media hub, […]
Custom coffee vessels are the perfect piece of office flair, but it’s just a matter of time before your VOTE FOR PEDRO mug will start to lose its relevant wit. Why not have a new one every day, with whatever silly nonsense you want sticking off the sides? You can save big on your novelty […]
The Lightning port has thus far resisted the cruel fate that befell the headphone jack, and despite rumors that it may be disappearing come iPhone 8, for the present and foreseeable future, Lightning cables are a hot commodity for iPhone users. As such, we must make do in this strange time in which long, glorified […]