Lately, it seems that the only news we hear is what other multinational company has been hacked and how many records were accessed. We have always been security conscience, but it does appear that hackers and malware have been making us even more so lately. Unfortunately, this is neither something new, nor something that is likely to go away.
In their quest to make users, the Internet and digital devices in general more secure, a number of big Internet companies have recently announced a new collaboration that will focus on making open source projects easier for everyone. In fact, some companies have begun open sourcing their own projects.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. Unfortunately, we are witnessing many known TLS/SSL vulnerabilities, misconfigurations and library bugs. One company that is working to resolve these issues is Google (News - Alert).
Originally, SSL and TLS were designed to protect the confidentiality of information in transit. Due to the fact that the SSL protocol is old it has been the target of numerous attacks in recent years. Although TLS is SSL’s successor and considered to be more robust and resistant to attack, the fact remains that the newer versions of TLS are not as widely supported as much older versions of SSL.
To help developers and security researchers identify applications that are vulnerable to known SSL/TLS attacks and configuration problems, Google is releasing a tool that checks for these problems. This week Google introduced a new tool for testing network traffic security called nogotofail.
Google has released it as an open source project available on GitHub. This means that anyone can use it, contribute new features, provide support for more platforms and essentially do anything else as long as the end result is to help improve the security of the Internet.
According to nogotofail’s documentation, “The core of nogotofail is the on path network MiTM named nogotofail.mitm that intercepts TCP traffic. It is designed to primarily run on path and centers around a set of handlers for each connection which are responsible for actively modifying traffic to test for vulnerabilities or passively look for issues. nogotofail is completely port agnostic and instead detects vulnerable traffic using DPI instead of based on port numbers. Additionally, because it uses DPI, it is capable of testing TLS/SSL traffic in protocols that use STARTTLS.”
nogotofail was built by the Android (News - Alert) Security Team, and Google says it has been using nogotofail internally for some time and has worked with developers to improve the security of their apps. The attack engine itself can be deployed in a variety of different ways.
In a blog posting, Chad Brubaker of the Android security team said “The Android Security Team has built a tool, called nogotofai that provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations. nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet. There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy.”
One thing that makes attacks on SSL/TLS so challenging is that generally users don’t know that the attacks are taking place. We have seen this over the past 12 months from companies such as Target (News - Alert), Home Depot and JPMorgan Chase. While some attacks were caught within a week, others lasted for several months. The Google nogotofail tool is designed to help developers identify the weak spots in their applications’ implementations before an attacker can take advantage.