HTTPS certificates are not foolproof, says research firm

Websites that use HTTPS certificates may still be exposed to attack. A study released by SEC Consult, a company offering application security services and information security consultancy, has revealed that the practice of shipping the same HTTPS server certificates and Secure Shell (SSH) host keys in many different devices is putting a number of small businesses at risk.

In recent months, many websites offering business-related services have been told to move their pages from HTTP to HTTPS in order to offer better security to their clients, users and visitors.

Note: Hyper Text Transfer Protocol Secure (HTTPS) is ordinary HTTP carried inside an encrypted TLS connection, which protects page requests and responses against eavesdropping and tampering. Because communications sent over plain HTTP connections are in 'plain text', they can be read by anyone positioned between your browser and the website. If the website is secured with HTTPS, the communication is encrypted and an attacker on the path cannot read or alter it, at least on paper.

That guarantee rests on the server's private key staying private. If the same certificate and private key (or the same SSH host key) is baked into thousands of devices, anyone who extracts the key from a single firmware image holds the key for all of them, and can impersonate those devices or intercept and read the traffic sent to them.

SEC Consult analyzed the firmware of more than 4,000 embedded devices from 70 vendors, including routers, modems, IP cameras, security cameras, VoIP phones, network storage devices, Internet gateways and more, looking for cryptographic material. The firmware images contained public and private keys as well as certificates.

The company recovered more than 580 unique private keys from those devices. The researchers then correlated the keys with publicly available Internet-wide scan data, and found 150 of the certificates in use on 3.2 million HTTPS hosts, about nine percent of all HTTPS hosts on the Web. They further matched 80 of the SSH host keys to 0.9 million hosts, more than six percent of all SSH hosts on the Web.

That comes to at least 230 keys actively used by more than 4 million devices. With so many devices involved, it should not come as a surprise that some of the leading hardware manufacturers in the world are affected by this weakness.
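The correlation described above (carve the certificates and keys out of firmware images, fingerprint them, then match the fingerprints against what live hosts present) can be reproduced in miniature. The script below is an added example written for this article, not SEC Consult's tooling: the firmware images, the DER byte strings standing in for real certificates and keys, and the scan results are all constructed inline, and the vendor and file names are invented.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Matches a PEM block anywhere in a binary blob; the back-reference forces the
# END label to equal the BEGIN label, so "CERTIFICATE" and "RSA PRIVATE KEY"
# blocks are carved separately.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def carve_pem(blob):
    """Return (label, DER bytes) for every PEM block embedded in a firmware blob."""
    found = []
    for m in PEM_RE.finditer(blob):
        body = b"".join(m.group(2).split())        # drop line breaks inside the body
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                          # markers wrapped around non-base64 junk
            continue
        found.append((m.group(1).decode(), der))
    return found


def fingerprint(der):
    """SHA-256 fingerprint, colon-separated like `openssl x509 -fingerprint -sha256` prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def pem(label, der):
    """Wrap DER bytes as PEM; used only to build the constructed sample images below."""
    b64 = base64.b64encode(der)
    lines = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), lines, label.encode())


# --- Constructed sample data (hypothetical vendors, not real firmware or scans) ---
# Two "VendorA" images ship the same certificate and private key; "VendorB" has its own.
CERT_A = b"\x30\x82\x01\x00" + b"A" * 200       # stand-in for a DER certificate
KEY_A = b"\x30\x82\x02\x00" + b"a" * 300        # stand-in for its DER private key
CERT_B = b"\x30\x82\x01\x00" + b"B" * 200
KEY_B = b"\x30\x82\x02\x00" + b"b" * 300
DECOY = b"-----BEGIN CERTIFICATE-----\nnot base64!\n-----END CERTIFICATE-----\n"

FIRMWARE_IMAGES = {
    "vendorA-router-1.0.bin": b"\x7fELF\x00" * 8 + pem("CERTIFICATE", CERT_A) + b"\xff" * 16 + pem("RSA PRIVATE KEY", KEY_A),
    "vendorA-router-1.1.bin": b"\x7fELF\x00" * 8 + pem("CERTIFICATE", CERT_A) + b"\xff" * 16 + pem("RSA PRIVATE KEY", KEY_A),
    "vendorB-camera-2.3.bin": b"\x7fELF\x00" * 8 + pem("CERTIFICATE", CERT_B) + pem("RSA PRIVATE KEY", KEY_B) + DECOY,
}

# An Internet-wide HTTPS scan reduced to (host, leaf certificate fingerprint).
SCAN_RESULTS = [
    ("203.0.113.10", fingerprint(CERT_A)),
    ("203.0.113.11", fingerprint(CERT_A)),
    ("198.51.100.7", fingerprint(CERT_A)),
    ("198.51.100.8", fingerprint(CERT_B)),
    ("192.0.2.99", fingerprint(b"a certificate generated on the device itself")),
]


def index_firmware(images):
    """Map certificate fingerprint -> set of images embedding it, and image -> private-key fingerprints."""
    cert_to_images = defaultdict(set)
    keys_in_image = {}
    for name, blob in images.items():
        keys_in_image[name] = []
        for label, der in carve_pem(blob):
            if label == "CERTIFICATE":
                cert_to_images[fingerprint(der)].add(name)
            elif "PRIVATE KEY" in label:
                keys_in_image[name].append(fingerprint(der))
    return cert_to_images, keys_in_image


def correlate(cert_to_images, scan):
    """For every certificate found in firmware, list the live hosts presenting it."""
    hosts_by_cert = defaultdict(list)
    for host, fp in scan:
        if fp in cert_to_images:
            hosts_by_cert[fp].append(host)
    return hosts_by_cert


def host_exposed(host_fp, cert_to_images):
    """The check a device owner wants: does my device present a certificate whose
    private key ships inside a firmware image anyone can download?"""
    return host_fp in cert_to_images


if __name__ == "__main__":
    cert_to_images, keys_in_image = index_firmware(FIRMWARE_IMAGES)
    hosts_by_cert = correlate(cert_to_images, SCAN_RESULTS)
    for fp, hosts in hosts_by_cert.items():
        share = 100.0 * len(hosts) / len(SCAN_RESULTS)
        print(f"{fp[:23]}... in {sorted(cert_to_images[fp])} -> {len(hosts)} hosts ({share:.0f}% of scan)")
```

To run the owner's check against a real device, take the fingerprint the device actually presents, for example with `openssl s_client -connect 192.0.2.1:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256` for HTTPS, or `ssh-keyscan 192.0.2.1 > hostkeys && ssh-keygen -lf hostkeys` for SSH, and look it up in an index built from the firmware images you can obtain for that product; a match means the private key is public.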

The firm identified vulnerable devices from companies including Alcatel-Lucent, Cisco, GE, Huawei, Motorola, Netgear, Vodafone, Seagate and WD in its research.

Read carefully, the SEC Consult report describes a problem on the device side: the vendors bake one key pair into every unit of a product line at build time instead of generating a unique key on each device, so the fix has to come from the vendors. Cisco, ZTE, ZyXel, Technicolor, Trendnet and Unify have already officially confirmed that fixes are coming by early next year.

The bigger problem is with devices that do not allow the keys and certificates to be changed at all, which complicates matters further.

In that situation, the only option left is to abandon those products, or at the very least keep their HTTPS and SSH management interfaces off the public Internet.

SEC Consult has prepared and published the list of companies whose products do not allow the keys and certificates to be changed. It will release all identified certificates and private keys shortly.
