This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.

I have no problem with law enforcement agencies using their powers to deal with the bad guys, but this truly alarms me. If you read the paper, you’ll see why. Heck, just read this excerpt from the paper’s Introduction:

A pro-democracy dissident in China connects to a secure web forum hosted on servers outside the country. Relying on the training she received from foreign human rights groups, she makes certain to look for the SSL encryption lock icon in her web browser, and only after determining that the connection is secure does she enter her login credentials and then begin to upload materials to be shared with her colleagues. However, unknown to the activist, the Chinese government is able to covertly intercept SSL encrypted connections. Agents from the state security apparatus soon arrive at her residence, leading to her arrest, detention and violent interrogation. While this scenario is fictitious, the vulnerability is not.

Guess what? There’s an appliance being marketed to help facilitate this attack. The brochure is included in the report. But, there’s good news. These guys have developed a Firefox add-on (see the screen shot above):

In an effort to significantly reduce the impact of this attack upon end-users, we have created Certlock, a lightweight add-on for the Firefox browser. Our solution employs a Trust-On-First-Use(TOFU) policy, reinforced with enforcement that the country of origin for certificate issuing does not change in the future. Specifically, our solution relies upon caching CA information, that is then used to empower users to leverage country-level information in order to make common-sense trust evaluations.

Read the paper. Realize its implications. Then, change your habits accordingly. Believe me, until this add-on is released, I’m going to be very suspicious of any SSL connection.

Consider this (based on an actual incident): You’re employed by a financial firm; you have a Facebook page; you’re the coordinator for the annual company picnic; and, many of your co-workers also have Facebook pages and are in your group of friends. Sounds OK, right? Just a gathering of co-workers on a social network.

Well, think again. The cyber-criminals had a field day with it.

The crooks noticed this social circle, noting that they all worked for a firm that might be a good target. Attempts to hack the Facebook accounts were rewarded with a successful attempt against the person I mentioned above. The criminals now were able to impersonate the victim. The crooks sent messages out to the victim’s friends with a subject similar to “Look who I caught on camera at the company picnic.” The messages contained what looked like a link to some photos, but was really a link to a malicious site that contained malware in the form of a keylogger program.

You’re a friend of the victim, and you get a message from them. No problem, they’re your friend on Facebook and a co-worker whom you trust. Naturally, you think it’s safe, so you open the email and click on the link. You’re infected with a keylogger program. On your company laptop. That you use to access the corporate VPN at home and on the road.

Tonight, you have a report that’s due and you’ve just finished it, so you log into the VPN, access the secure data repository and upload your file. The bad guys have a complete recording of everything you just did…

The criminals managed to log in to the corporate VPN and spent the better part of two weeks mapping the network to see what they could steal. The good news is that the slime bags were discovered, but not before they had already compromised two of the central database servers and had taken full control of them.

Trust no one and never click links until you are sure where they lead.