4

Before HSTS, any attacker could simply use SSLStrip and other such methods to "Rogue AP" and read data over the network from people in say coffee shops and the like?

How vulnerable is an average Joe in 2016 vulnerable to a MitM attack?

Let's assume that we are only talking about websites which uses HSTS, and that he keeps his system relatively updated (3 months old software give or take). Vulnerabilities in phone apps or the kernel, etc. can be mentioned. Would Joe be in any significant danger by just logging in to his bank or his PayPal?

QuyNguyen2013
  • 151
  • 3
  • 2
    Depends on how often average Joe visits porn sites, classic attack surfaces towards average Joes. – user3244085 Sep 20 '16 at 20:43
  • the hardest thing about all of this is getting past the modern browsers invalid https cert warning... – TheHidden Sep 20 '16 at 21:33
  • @silverpenguin Amusingly, I have only ever encountered those warnings when a developer (myself on many occasions) forgot to configure a certificate or used the wrong one for a subdomain. – Οurous Oct 20 '16 at 23:03

2 Answers2

3

The most common MitM vectors are any kind of shared network. This can range from using your neighbor's WiFi (here they, or at least their router, are automatically in a MitM position), to leaving your WiFi open (enables an attacker to connect and do ARP spoofing), to using public networks at coffee shops, airports, hotels, schools, etc. (the owner has automatic MitM; others on the network can use ARP spoofing), to business/workplace networks (your admin has MitM, others may or may not be able to gain it).

Accidentally connecting to malicious networks is also a risk. It's very easy to set up a "fake" access point (using a PC) that has an arbitrary SSID and password; if your laptop/tablet/phone is set to automatically connect to a known network, and the attacker can spoof that network (like, maybe it's the one at your favorite coffee shop, even though you're not there right now), then the attacker can use that to get a MitM position when your device connects automatically. Most people let their devices connect automatically to any network they've seen before (and some even connect to popular networks that they haven't seen before), which puts them at risk from such attacks.

HOWEVER, all the threats mentioned so far are pretty minimal as long as HSTS is used (or the app avoids ever using insecure HTTP). There are still some risks. For example, Heartbleed could be used against clients even if the server was patched, assuming the attacker had a MitM position, and some TLS clients are still vulnerable to it because people are bad at pushing updates to old software. In general, though, it's hard to effectively attack somebody this way.

Finally, though, there's the risk of interference at the ISP or backbone level. Many countries restrict the Internet within their borders, and in some cases this is done via a MitM position. Such threats are among the most dangerous, as a nation-state (especially) can simply procure fraudulent certificates that almost any device will trust, enabling interception of TLS traffic (unless good cert pinning is used).

Even without that, though, it's not that rare for CAs to issue TLS certificates to untrusted entities. It's not common, but it happens. Additionally, attacks (such as arbitrary file reads) against web servers can be used to steal their TLS private keys, enabling attackers to successfully spoof those servers. Based on my experience, that's a pretty common class of vulnerability. Such stolen certificates will not only get past HSTS, they'll also pass certificate pinning. There is no perfect defense.

CBHacking
  • 48,401
  • 3
  • 90
  • 130
2

It's an interesting question and one I think CBHacking has done a brilliant job of answering. That being said, I still think there are certain attack vectors which need to be more closely examined.

It's been mentioned that open or public wifi's are a good source for mitm attacks but this in general is down to how the average Joe uses technology in public and their at best 'limited' knowledge of what happens. With a lot of fear mongering and other genuine threats, isn't always obvious to average Joe when something isn't right. Let me continue with an example.

A teammate and I are currently finalising our latest project which aims to address or look into these exact concerns. We have some legal questions to resolve before proceeding and I certainly don't want to divulge too much but...

Referring to how susceptible average Joe really is still, my team aims to demonstrate this by broadcasting an open wireless network with an inviting name in a public place where we expect some use. The principle is that when a client connects, they are redirected to a captive portal asking them to install a "trusted Certificate Authority" before being connected.

This of course allows us the ability to decrypt a clients connection and see all details in plain text while average Joe uses the connection being completely unaware as his browser now trusts our on-the-fly certificates. The intent is to demonstrate that with some clever phrasing, we can make the instillation of something horrfically insecure and dangerous sound like another layer of security on top; most people will have no idea what this means and what it would allow a man the middle to do.

While you or I (I'd like to think at least) would cotton on to something like this very quickly and not install a random CA onto our device, we are not the "average Joe's" of the world and those that are probably don't understand and almost certainly don't care enough if it stands in the way of free Wifi!

I'll be sure to post back a link to any of our findings at a later date but understand this is subject to some legal issues being addressed first.

Tom
  • 21
  • 1