Nate Vickery 4 April 2018
Categories Innovation & Trends

A TLS/SSL Certificates Flaw Leads to Covert Data Transfer

Researchers continue to test cybersecurity measures and show us time and again that cyber threats can come from anywhere. Even a simple flaw in a security protocol, such as TLS/SSL, can be exploited to breach security and steal sensitive information.

Cybersecurity is the top concern for anyone who operates in the digital world. Nowadays, cyber threats are more sophisticated and more common than ever, so much so that even governments have difficulty protecting themselves from such attacks. A recent discovery in cybersecurity revealed a flaw in the X.509 certificates that are common in the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) cryptographic protocols, which are the foundation of HTTPS (Hypertext Transfer Protocol Secure).

X.509 is the standardized format that defines public key certificates in cryptography, used for securing Internet communications. This flaw enables covert data exchange and can also be used to breach security by bypassing the measures that check certificate values. Jason Reaves, threat research principal engineer at Fidelis Security, pointed out that there is indeed a flaw in how certificates are exchanged, which can lead to them being compromised and taken over for command and control (CnC) of the communication.

A proof of concept

In his research, Jason Reaves created a proof of concept that shows how the TLS/SSL protocols, together with X.509 certificates, offer a means to hide data from security measures in order to send or receive arbitrary data. It works because certificates are exchanged before the TLS handshake is complete. That means the data located in certificates is actually exchanged before the secured connection is established. With that in mind, data can be inserted into the certificate extensions and transferred from client to server, or vice versa, without being detected.

As Jason stated: "X.509 certificates have many fields where strings can be stored...The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse...takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established, there appears to never have been a data transfer, when in reality the data was transferred within the certificate exchange itself."

Put simply, it's a flaw in the certificate exchange that can be used for covert data transfer, but it can also be used by hackers to breach security and seize control of communications. There are no reported attacks using this method, but it could prove to be a potential threat to many companies and individuals in the online world.

A potential threat

Using X.509 certificates for covert data transfer isn't exactly a revelation. As a matter of fact, back in 2005 it was proposed that data added to ICMP (Internet Control Message Protocol) be used as a means of transfer, while the first mentions of covert channels were in government publications in 1993.

While data transfer by itself may not sound like a big concern, the fact that malicious software can also be transferred by these means makes it a potential threat. Fidelis Security researchers also created a proof of concept in which they simulated the transfer, via certificate extensions, of malicious ransomware called Mimikatz, similar to the WannaCry ransomware that was detected worldwide in May 2017. Mimikatz, also known as Bad Rabbit, is a Petya-type malware that hit Russia and Ukraine back in 2017. The ransomware hit various Russian media outlets, the airport in Odessa and the metro in Kiev, where attackers demanded 0.05 Bitcoin in ransom for the stolen data.

As mentioned before, there are still no reported attacks using this method, but it does mean that many online businesses can be compromised. The fact of the matter is that many websites implement HTTP with the TLS/SSL protocols. What's more, many online businesses that implement SEO (Search Engine Optimization) strategies use HTTPS in order to improve their rankings. Back in 2014, Google announced that TLS/SSL protocols would be included as ranking signals, in order to urge websites to implement additional security. You can read this comprehensive resource if you want more information about SSL and HTTPS, as well as their role in search ranking. It's safe to say that it's a good thing that the flaw was first found by researchers and that no website was compromised.

A remedy

Even though this flaw can turn into a major threat, there is a way for online businesses and individuals to protect themselves from these covert data transfers. By simulating an attack through certificate extensions, Fidelis Security researchers have also built a framework that will help users detect covert data transfers and implement security measures to protect themselves.

The framework shows the detailed process of detecting and blocking unwanted certificate extensions. For instance, if there are executables in the certificate data, that is a first sign that the certificate is quite likely compromised. Moreover, users should block self-signed certificates as well, in order to prevent these hidden data transfers.
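
One way to apply the two checks described above (executable content in extension data, self-signed certificates) to a DER-encoded certificate; this is an added example, not the Fidelis framework or code from the original article. The function names, the constructed sample certificate with its Subject Key Identifier extension, and the use of "issuer equals subject" as a stand-in for self-signed are assumptions made for illustration.

```python
EXEC_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_certificate(cert):
    """Return findings for one DER certificate (heuristics, not validation)."""
    findings = []
    tbs = children(children(read_tlv(cert)[1])[0][1])
    off = 1 if tbs[0][0] == 0xA0 else 0  # skip the optional [0] version field
    if tbs[off + 2][1] == tbs[off + 4][1]:  # issuer name equals subject name
        findings.append("self-issued (issuer equals subject)")
    for ext_list in (v for t, v in tbs if t == 0xA3):  # [3] extensions
        for _, ext in children(children(ext_list)[0][1]):
            data = children(ext)[-1][1]  # extnValue OCTET STRING contents
            if data[:1] == b"\x04":  # unwrap a nested OCTET STRING (e.g. SKI)
                data = read_tlv(data)[1]
            kinds = [k for m, k in EXEC_MAGIC.items() if data.startswith(m)]
            findings += [f"{k} header in extension" for k in kinds]
    return findings

def der(tag, content):  # minimal DER encoder, used only for the constructed sample
    n = len(content)
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (raw if n < 128 else bytes([0x80 | len(raw)]) + raw) + content

def sample_cert(ext_value, issuer_cn=b"lab.example"):
    """Constructed, unsigned test certificate; every value is made up."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(6, b"\x55\x04\x03") + der(12, cn))))
    ext = der(0x30, der(6, b"\x55\x1d\x0e") + der(4, der(4, ext_value)))  # SKI OID
    tbs = der(0x30, der(0xA0, der(2, b"\x02")) + der(2, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(b"lab.example")
              + der(0x30, b"") + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + der(0x30, b"") + der(3, b"\x00"))
```

A sensor would feed `inspect_certificate` the certificates it extracts from observed handshakes; matching names are only a cheap first filter, since confirming a self-signed certificate requires verifying the signature against the certificate's own key.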

Researchers continue to test cybersecurity measures and show us time and again that cyber threats can come from anywhere. Even a simple flaw in a security protocol, such as TLS/SSL, can be exploited to breach security and steal sensitive information. Not only that, but it can compromise an entire system. One thing is for sure: if we want to be safe online, we must continue to improve our cybersecurity and be aware of its weaknesses.
