Nate Vickery 4 April 2018

A TLS/SSL Certificates Flaw Leads to Covert Data Transfer

Researchers continue to test cybersecurity measures and show us time and again that cyber threats can come from anywhere. Even a simple flaw in a security protocol, such as TLS/SSL, can be exploited to breach security and steal sensitive information.

Cybersecurity is the top concern for anyone who operates in the digital world. Nowadays, cyber threats are more sophisticated and more common than ever. So much so, in fact, that even governments have difficulties protecting themselves from such attacks. A recent discovery in cybersecurity revealed that there's a flaw in X.509 certificates, which are common in the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) cryptographic protocols that are the foundation of HTTPS (Hypertext Transfer Protocol Secure).

X.509 is the standardized format that defines public key certificates in cryptography, used for securing Internet communications. This flaw enables covert data exchange and can also be used to breach security by bypassing the security measures that check certificate values. Jason Reaves, threat research principal engineer at Fidelis Security, pointed out that there's indeed a flaw in how certificates are exchanged, which can lead to them being compromised and co-opted for command and control (CnC) of the communication.

A proof of concept

In his research, Jason Reaves created a proof of concept that explains how the TLS/SSL protocols, alongside X.509 certificates, can be used to hide data from security measures in order to send or receive arbitrary data. The way it works is that certificates are exchanged before the TLS handshake. That means that data located in certificates is actually exchanged before the secured connection is established. With that in mind, data can be inserted in the certificate extensions and transferred from client to server, or vice versa, without being detected.

As Jason stated: "X.509 certificates have many fields where strings can be stored...The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse...takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established, there appears to never have been a data transfer, when in reality the data was transferred within the certificate exchange itself."

Put simply, it's a flaw in the certificate exchange that can be used for covert data transfer, but it can also be used by hackers to breach security and to seize control of communications. There are no reported attacks using this method, but it could prove a potential threat to many companies and individuals in the online world.

A potential threat

Using X.509 certificates for covert data transfer isn't exactly a revelation. As a matter of fact, it was proposed that adding data to ICMP (Internet Control Message Protocol) should be used as a means of transfer back in 2005, while the first mentions of covert channels were in government publications in 1993.

While data transfer itself may not sound like a big concern, the fact that malicious software can also be transferred using these means makes it a potential threat. Fidelis Security researchers also created a proof of concept, where they simulated a transfer of malicious ransomware called Mimikatz, similar to WannaCry ransomware that was detected worldwide in May 2017, via certificate extensions. Mimikatz, also known as Bad Rabbit, is a Petya-type malware that hit Russia and Ukraine back in 2017. The ransomware hit various Russian media outlets, the airport in Odessa and the metro in Kiev, where attackers demanded 0.05 Bitcoin in ransom for the stolen data.

As mentioned before, there are still no reported attacks using this method, but it does mean that many online businesses can be compromised. The fact of the matter is that many websites implement HTTP with TLS/SSL protocols. What's more, many online businesses that implement SEO (Search Engine Optimization) strategies use HTTPS in order to improve their rankings. Back in 2014, Google announced that TLS/SSL protocols will be included as ranking signals, in order to urge websites to implement additional security. You can read this comprehensive resource if you want more information about SSL and HTTPS, as well as their role in search ranking. It's safe to say that it's a good thing that the flaw was first found by researchers and that no website was compromised.

A remedy

Even though this flaw can turn into a major threat, there is a way for online businesses and individuals to protect themselves from these covert data transfers. By simulating an attack through certificate extensions, Fidelis Security researchers have also built a framework that will help users detect covert data transfers and implement security measures to protect themselves.

The framework details how to detect and block unwanted certificate extensions. For instance, if there are executables in certificate data, that is a first sign that the certificate is quite likely compromised. Moreover, users should block self-signed certificates as well, in order to prevent these hidden data transfers.
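One way to apply the checks described above to a DER-encoded certificate seen on the wire, as an added example (this is not the Fidelis framework or code from the original article). The size threshold, the finding strings and the constructed, unsigned sample certificate are assumptions, and matching issuer and subject is only a heuristic for a self-signed certificate.

```python
MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
MAX_EXT_BYTES = 512  # assumed threshold; tune against your own certificate baseline

def read_tlv(buf, pos=0):  # parse one DER element -> (tag, content, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(content):  # split a constructed element's content into (tag, content) pairs
    pos, out = 0, []
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def inspect_certificate(der):
    """Return heuristic findings for one DER-encoded certificate."""
    findings = []
    tbs = children(children(read_tlv(der)[1])[0][1])  # Certificate -> tbsCertificate
    i = 1 if tbs[0][0] == 0xA0 else 0  # optional [0] version precedes serialNumber
    if tbs[i + 2][1] == tbs[i + 4][1]:  # issuer and subject Name bytes match
        findings.append("issuer equals subject (likely self-signed)")
    for val in (v for t, v in tbs if t == 0xA3):  # [3] EXPLICIT extensions
        for _, ext in children(children(val)[0][1]):
            oid, value = children(ext)[0][1], children(ext)[-1][1]  # extnID, extnValue
            inner = read_tlv(value)[1] if value[:1] == b"\x04" else value  # unwrap nested OCTET STRING
            for magic, kind in MAGIC.items():
                if value.startswith(magic) or inner.startswith(magic):
                    findings.append(f"extension {oid.hex()}: {kind} header")
            if len(value) > MAX_EXT_BYTES:
                findings.append(f"extension {oid.hex()}: {len(value)} bytes")
    return findings

def tlv(tag, content):  # minimal DER encoder, used only to build the sample
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + content

def sample_cert(ext_value):  # constructed, unsigned, certificate-shaped DER
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"example.test"))))
    ext = tlv(0x30, tlv(0x06, b"\x55\x1d\x0e") + tlv(0x04, ext_value))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name + tlv(0x30, b"") + name + tlv(0x30, b"") + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Calling `inspect_certificate(sample_cert(tlv(0x04, b"MZ" + bytes(600))))` reports the issuer/subject match, the executable header and the oversized extension; extension identifiers are printed as the hex of the encoded OID.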

Researchers continue to test cybersecurity measures and show us time and again that cyber threats can come from anywhere. Even a simple flaw in a security protocol, such as TLS/SSL, can be exploited to breach security and steal sensitive information. Not only that, but it can compromise an entire system. One thing is for sure: if we want to be safe online, we must continue to improve our cybersecurity and be aware of its weaknesses.
