
Bogus Web Certificates Threaten Mobile Users

Source: Tom's Guide US

Dozens of fake server certificates have been found on the Internet, posing a threat to users of mobile apps that don't check such Web "signatures" properly.

The fake certificates, which were discovered by Internet-security firm Netcraft of Bath, England, spoof Google, Facebook, Apple iTunes and banks, and could let criminals stage man-in-the-middle attacks to intercept Web traffic and capture login information, bank-account numbers and personal data.


Attackers would have to be on the same local networks as victims, but that's easy to achieve on public Wi-Fi networks, even those that require general-use passwords, in airports, cafes, hotels or parks worldwide.

Digital certificates, technically called SSL certificates, underlie all secure Web connections. When you connect to Gmail and the "http" in your address window changes to "https" or a padlock icon appears, it means Google's servers have presented a digital certificate verifying that they indeed belong to Google, and your browser has accepted it.

The bogus certificates found by Netcraft wouldn't fool Web browsers, which have tough signature-verification standards. But they would fool many mobile apps, which connect to Web servers directly and are frequently sloppier than browsers about verification.

"An increasing amount of online banking traffic now originates from apps and other non-browser software, which may fail to adequately check the validity of SSL certificates," Netcraft's Paul Mutton noted in a blog post Wednesday (Feb. 12).

Mutton cited a study last month by Seattle security firm IOActive that found that 90 percent of iOS banking apps mishandled certificates, and a 2012 German academic study that estimated 40 percent of all Android apps did so.

Man-in-the-middle attacks occur when a hidden party inserts himself into the communication between two other parties, neither of whom knows the hidden party is there. The hidden party can talk to Party A as if he were Party B, and vice versa, and can read, steal or alter the messages in transit.

"Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank," Mutton wrote. "This would leave both parties unaware that the attacker may have captured the customer's authentication credentials, or manipulated the amount or recipient of a money transfer."

There's not much the average user can do to improve mobile apps that mishandle SSL certificates. Fortunately, as Mutton and Ars Technica's Dan Goodin note, top-tier apps such as those created by Facebook, Google and Twitter "whitelist" certificates so that they'll accept only those on a preset list issued by their makers.
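The three behaviours the article contrasts, a sloppy app, a browser-style check and a "whitelist" (certificate-pinning) check, as an added Go example that is not code from the article, from Netcraft or from any app named above: it mints two self-signed certificates for the constructed name bank.example and runs real TLS handshakes on loopback under each client policy. SelfSigned, Sloppy, Strict, Pinned and Accepts are this example's own names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned mints a throwaway certificate for name. Constructed for this demo: like Netcraft's bogus certificates, it chains to no root a browser trusts.
func SelfSigned(name string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Sloppy is the bug the article describes (verification switched off); Strict is what a browser does (trusted chain plus hostname match).
func Sloppy() *tls.Config            { return &tls.Config{InsecureSkipVerify: true} }
func Strict(name string) *tls.Config { return &tls.Config{ServerName: name} }

// Pinned trusts only the certificate on the app's preset list, whoever signed the one presented (real apps usually store a hash of it or of its public key).
func Pinned(name string, trusted []byte) *tls.Config {
	verify := func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 || !bytes.Equal(raw[0], trusted) {
			return fmt.Errorf("server certificate is not on the app's preset list")
		}
		return nil
	}
	return &tls.Config{ServerName: name, InsecureSkipVerify: true, VerifyPeerCertificate: verify} // chain check replaced by the pin
}

// Accepts runs one TLS handshake on loopback and reports whether a client using cfg accepted the server's certificate.
func Accepts(cert tls.Certificate, cfg *tls.Config) bool {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), cfg) // the client; when it rejects the cert it sends an alert and the server's handshake below fails
	c, _ := ln.Accept()
	defer c.Close()
	return c.(*tls.Conn).Handshake() == nil
}

func main() {
	legit, bogus := SelfSigned("bank.example"), SelfSigned("bank.example")
	fmt.Println(Accepts(bogus, Sloppy()), Accepts(bogus, Strict("bank.example")), Accepts(bogus, Pinned("bank.example", legit.Certificate[0])), Accepts(legit, Pinned("bank.example", legit.Certificate[0]))) // true false false true
}
```

Only the sloppy client accepts the bogus certificate; the pinned client rejects it even though it carries the right name, and accepts the one certificate on its list.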

If you want to be more certain of your mobile connections, and don't mind spending a bit of money, install a VPN app such as Hotspot Shield or TunnelBear, which will charge you a couple of bucks per month to encrypt all your Internet traffic before it crosses the local network, the point at which the attack described above takes place.
