An SSL-encrypted connection is not necessarily safe: do not use online banking on a public network.

Premier Jiang Yi-hua (China) recently sent a letter asking public servants not to use LINE, WhatsApp and other messaging software, and to use the mobile messaging app developed by ITRI instead. That app was then found to have a flaw in its SSL certificate verification, so a malicious attacker could mount a man-in-the-middle attack and steal users' sensitive data.
(Figure: Man-in-the-Middle Attack)
Although ITRI patched the app on an emergency basis and it was back in the app stores on the 1st, the incident also exposes the risk in how mobile apps handle SSL certificates, which should concern everyone: a phone usually holds its owner's most confidential data, such as account credentials and online financial transaction details.
(Figure: HTTPS or SSL)

At the HITCON Taiwan hacker conference held on the 6th, speakers reminded mobile app developers to pay special attention to SSL handling, which is often overlooked during development, and to three major vulnerabilities in the Android WebView component (see note).

Android 4.0.x and 4.1.x are the hardest hit, being exposed to all three WebView vulnerabilities. Developers should not underestimate any one of them; combined, their impact is severe.

"Securing the connection with SSL encryption is not enough; the certificate must also be checked." A lack of transport-layer protection for data is widespread among network connections. The most common attack is the Man-in-the-Middle Attack: when a connection is subjected to one, the attacker intercepts the traffic in the middle, redirects the user's connection to the attacker's own server, and steals the user's data.

Do not use online banking on a public network

Information security experts say that ordinary users should avoid credit-card and online financial transactions over public Internet access, such as in cafés, so that a malicious attacker on the same network segment cannot attack them and obtain sensitive data; a 3G, 4G or home network is relatively safer. Online banking itself can also be subject to man-in-the-middle attacks, and many online banking apps carry SSL risk, because their development is usually outsourced and it depends on whether the outsourcing vendor paid attention to the SSL issue.

In addition, users should not tap links of unknown origin, and should pay attention to whether a tapped link downloads a program. If the Internet connection becomes very slow, or the battery suddenly drains quickly, these two signs can help users judge whether the phone may be under malicious attack.

If you do find that the phone has been attacked and has downloaded a malicious program, try to remove the program; if it cannot be removed, reset the phone to factory settings, which should eliminate the threat in most cases.

SSL certificate handling risks and precautions: avoid transmitting sensitive information over public networks

With the default settings, certificate verification can fail for the following three reasons:
1. The certificate is correct, but the server is configured incorrectly.
2. The root certificate is not pre-installed on the device: the certificate is pre-installed on newer phones, but older phone models lack it, so the phone reports that the certificate has a problem.
3. Other: developers often issue their own (self-signed) certificates, the domain name does not match, or the certificate has expired.

Advice to developers:
  • Always use an encrypted connection to transmit sensitive data
  • Strictly verify the server certificate (system default validation, certificate pinning)
  • Ignore certificate checks only during the development phase
  • Check whether the third-party libraries you use have this problem
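As an added illustration of the second and third points above (example code, not from the article or from the app it discusses), the following Android trust manager keeps the system's default chain validation and additionally pins the SHA-256 hash of the server's public key. The pin value is an all-zero placeholder to be replaced with the hash of your own server key.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import android.util.Base64;

// Strict server check: the system's default validation first, then a public-key pin.
public final class PinnedTrustManager implements X509TrustManager {
    // PLACEHOLDER pin (all zeros): replace with base64(SHA-256(SubjectPublicKeyInfo)) of your server key.
    private static final byte[] PIN = Base64.decode("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", Base64.DEFAULT);
    private final X509TrustManager system;

    public PinnedTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the device's built-in root store
        TrustManager[] tms = tmf.getTrustManagers();
        if (tms.length == 0 || !(tms[0] instanceof X509TrustManager)) throw new IllegalStateException("no system X509TrustManager");
        system = (X509TrustManager) tms[0];
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkServerTrusted(chain, authType); // expiry, signature chain to a trusted root, etc.
        byte[] actual;
        try {
            actual = MessageDigest.getInstance("SHA-256").digest(chain[0].getPublicKey().getEncoded());
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        if (!MessageDigest.isEqual(actual, PIN)) { // constant-time comparison
            throw new CertificateException("public key pin mismatch for " + chain[0].getSubjectX500Principal());
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }

    // Wire the pinned manager into a connection; the default HostnameVerifier stays in place
    // (never replace it with one that always returns true, not even "just for development").
    public static HttpsURLConnection open(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

If a development server needs a self-signed certificate, pin that certificate's key in a debug build rather than disabling the check, so the release build never ships with verification turned off.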
Advice to users:
  • Avoid using wireless networks provided in public spaces
  • Avoid wireless networks with weak encryption, such as WEP, WPA and the like.

Three WebView vulnerabilities, and how to prevent them: use Android 4.2.x or later, or the Chrome, Firefox or Opera browser

When developers want a program to work together with the web, they often use WebView, a component that can execute JavaScript and is used to connect to the network and display web content. However, Cen Zhihao also pointed out that the three major WebView vulnerabilities, CVE-2012-6636, CVE-2014-1939 and CVE-2014-6041, allow an attacker to steal data; Android 4.0.x and 4.1.x are affected by all three, which he called "disastrous."

Advice to developers:

CVE-2012-6636:
  • Prevent the WebView from loading malicious content: use HTTPS, or load only local HTML
  • On 4.2.x and later, mark the methods you expose with the @JavascriptInterface annotation
  • Avoid using the addJavascriptInterface function on 4.1.x or earlier system versions

CVE-2014-1939:
  • Prevent the WebView from loading malicious content: use HTTPS, or load only local HTML
  • On system versions 3.0.x to 4.1.x, use removeJavascriptInterface to remove the "searchBoxJavaBridge_" interface

CVE-2014-6041:
  • Prevent the WebView from loading malicious content: use HTTPS, or load only local HTML
  • Sensitive cookies MUST be set HttpOnly (server-side)
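The developer advice for all three CVEs, applied in one WebView setup. This is an added example, not code from the article or from any app it mentions; the allowed host is an assumed value, and the HttpOnly flag for CVE-2014-6041 is set by the server, so it does not appear here.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hardened WebView setup covering CVE-2012-6636, CVE-2014-1939 and CVE-2014-6041.
public final class HardenedWebView {
    // Assumed value: the only origin this WebView may load (your own HTTPS host).
    static final String ALLOWED_HOST = "app.example.com";
    // CVE-2012-6636: with targetSdkVersion >= 17 on 4.2+, only methods carrying
    // @JavascriptInterface are reachable from page JavaScript.
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }
    @android.annotation.SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void configure(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.getSettings().setAllowFileAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) { // 4.2+
            wv.addJavascriptInterface(new Bridge(), "AppBridge");
        } // on 4.1 and below, expose no Java object at all
        // CVE-2014-1939: drop the hidden searchBoxJavaBridge_ object (removeJavascriptInterface exists from API 11 / 3.0)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            wv.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        wv.setWebViewClient(new WebViewClient() {
            @Override // keep navigation inside our own HTTPS origin, so no attacker page is ever rendered
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url); // returning true tells the WebView not to load it
            }
            @Override // a certificate error is a hard stop; never call handler.proceed()
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel();
            }
        });
    }
    // Entry point for the initial page: same rule as for navigation.
    public static void load(WebView wv, String url) {
        if (!isAllowed(url)) throw new IllegalArgumentException("refusing to load " + url);
        wv.loadUrl(url);
    }
    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && ALLOWED_HOST.equalsIgnoreCase(u.getHost());
    }
}
```

To serve only bundled content instead, change isAllowed to accept file:///android_asset/ paths and nothing else, in which case the network never reaches the WebView at all.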

Advice to users:
  • Update the system to 4.2.x or later
  • Avoid opening websites of unknown origin
  • Use a browser whose engine is not the built-in WebView (WebKit), such as Chrome, Firefox or Opera
Note: CVE (Common Vulnerabilities and Exposures) is an internationally recognized vulnerability database, run by a non-profit organization with participation from industry, government and academia, through which software vulnerabilities can be looked up quickly.

Reviewed by Douat on Oct 13 2014