Dozens of rogue self-signed SSL certificates used to impersonate high-profile sites

February 13, 2014 – 5:40 PM

Dozens of self-signed SSL certificates created to impersonate banking, e-commerce and social networking websites have been found on the Web. The certificates don’t pose a big threat to browser users, but could be used to launch man-in-the-middle attacks against users of many mobile apps, according to researchers from Internet services firm Netcraft who found the certificates.

“The fake certificates bear common names (CNs) which match the hostnames of their targets (e.g.,” the Netcraft researchers said Wednesday in a blog post. “As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates.”

Among the self-signed certificates found by Netcraft were certificates for domain names belonging to Facebook, Google, Apple, Russian bank Svyaznoy and  large Russian payment services provider

If an application doesn’t properly validate the authenticity of certificates it encounters, attackers can use self-signed certificates that are not issued by legitimate certificate authorities (CAs) to launch man-in-the-middle attacks against that application’s users.

Such attacks involve intercepting the connections between targeted users and SSL-enabled services and re-encrypting the traffic with fake or forged certificates. Unless victims manually check the certificate details, which is not easy to do in mobile apps, they would have no idea that they’re not communicating directly with the intended site.

In order to pull-off man-in-the-middle attacks, hackers need to gain a position that would allow them to intercept traffic. This is relatively easy to do on wireless networks using techniques like ARP spoofing, but can also be done by compromising a router or by hijacking the victim’s DNS settings.


You must be logged in to post a comment.