-3

Assuming that we have a "green bar connection" to a website, e.g.:

[image: a browser address bar showing a "green bar" (EV certificate) connection]

Is an attacker still able to sniff our traffic?

How secure is a user from man-in-the-middle attacks when he has established a "green bar connection"?

Pacerier
  • 3,253
  • 6
  • 34
  • 61
  • For those who blindly downvote, you may wish to read http://meta.stackexchange.com/q/230/159916 and http://meta.stackexchange.com/q/32311/159916 first. – Pacerier Dec 30 '14 at 16:43

2 Answers

4

It's possible but highly unlikely:

  • An attacker could have created a fake certificate based on compromising a CA certificate or reverse-engineering a valid one. These are both believed difficult, which is why the system is believed secure, but they have happened before. Typically, once the extent of the compromise is known, your OS or browser developers will push an update revoking trust in any fraudulent or compromised certificates.

  • An attacker could also have pushed their own "trusted root" certificate onto your machine via Trojan horse. If that is done, any certificates with a trust chain based on that root will be trusted by your computer. Malware removal tools can detect and delete known fraudulent trusted roots as well as look for Trojans that try to install them in the first place.

  • An installed Trojan can also key-log, sidestepping secure communications entirely; if an attacker can watch the characters you enter as you type them in on your own machine, he doesn't need to compromise the TLS channel; he can watch what you type in before it's encrypted, including usernames/passwords. Again, keylogging is a common exploit that AV software "sniffs" for among in-memory processes.

KeithS
  • 6,678
  • 1
  • 22
  • 38
  • The compromised CA scenario might not be that unlikely after all, considering the relatively high number of CAs out there. This scenario even causes some modern browsers to check if the certificate used is from the usual CA or is suddenly from a totally new CA. – humanityANDpeace Oct 10 '14 at 16:18
  • Also see https://www.imperialviolet.org/2011/03/18/revocation.html for more info. – Pacerier Dec 30 '14 at 16:11
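The two defensive checks mentioned above, a trust-store audit for roots that were pushed onto the machine and a continuity check that notices when a site's certificate is "suddenly from a totally new CA", as an added example that is not part of the original answers. It uses only the Python standard library; the data shapes are the dictionaries returned by `ssl.SSLContext.get_ca_certs()` and `SSLSocket.getpeercert()`, and the baseline root set and sample certificates are constructed for illustration.

```python
"""Trust-store audit and issuer-continuity check (added example, stdlib only)."""
import ssl
from typing import Iterable, Optional

# Constructed baseline: (subject DN, serial number) of every root the machine
# is expected to trust. In practice this comes from a known-good image.
BASELINE_ROOTS = {
    (((("organizationName", "Example Trust Services"),),
      (("commonName", "Example Root CA"),)), "01"),
}

# Constructed sample trust store: the expected root plus one that was not
# there before (the kind of root a trojan might install).
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),)),
     "serialNumber": "01"},
    {"subject": ((("organizationName", "Shady Software Ltd"),),
                 (("commonName", "Totally Legit Root"),)),
     "serialNumber": "7F"},
]

# Constructed peer certificates for one host, as getpeercert() would shape
# them: the same site, but issued by two different CAs.
CERT_FROM_USUAL_CA = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Issuing CA"),)),
}
CERT_FROM_NEW_CA = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Shady Software Ltd"),),
               (("commonName", "Totally Legit Issuing CA"),)),
}


def dn_to_str(dn: tuple) -> str:
    """Flatten an ssl-module distinguished name (tuple of RDN tuples) to text."""
    return ", ".join(f"{k}={v}" for rdn in dn for k, v in rdn)


def cert_key(cert: dict) -> tuple:
    """Identity of a root for baseline comparison: subject DN plus serial."""
    return (cert["subject"], cert.get("serialNumber"))


def find_unexpected_roots(trusted: Iterable[dict], baseline: set) -> list:
    """Return every trusted root whose (subject, serial) is not in the baseline.
    A root added behind the user's back shows up here even if its name looks
    plausible, because the serial number will not match a known root."""
    return [c for c in trusted if cert_key(c) not in baseline]


def audit_trust_store(trusted: Optional[list] = None,
                      baseline: set = BASELINE_ROOTS) -> list:
    """Audit a trust store (the live OS store when none is given) and return
    the subject names of roots that are not on the baseline."""
    if trusted is None:
        trusted = ssl.create_default_context().get_ca_certs()
    return [dn_to_str(c["subject"]) for c in find_unexpected_roots(trusted, baseline)]


def issuer_changed(host: str, peer_cert: dict, seen_issuers: dict) -> bool:
    """Trust-on-first-use continuity check: record the issuer DN seen for a
    host the first time, and flag any later connection whose issuer differs.
    This is the behaviour the comment above attributes to some browsers."""
    issuer = peer_cert["issuer"]
    previous = seen_issuers.get(host)
    if previous is None:
        seen_issuers[host] = issuer
        return False
    return issuer != previous


if __name__ == "__main__":
    # Run against the constructed store so the output is meaningful offline;
    # drop the argument to audit the real OS trust store instead.
    for name in audit_trust_store(SAMPLE_STORE):
        print("root not on baseline:", name)

    seen: dict = {}
    issuer_changed("www.example.com", CERT_FROM_USUAL_CA, seen)
    if issuer_changed("www.example.com", CERT_FROM_NEW_CA, seen):
        print("issuer for www.example.com changed to:",
              dn_to_str(CERT_FROM_NEW_CA["issuer"]))
```

The audit is only as good as the baseline, so the baseline should be taken from a clean install rather than from the machine being checked; the continuity check deliberately accepts the first issuer it sees, which is the same trade-off the comment describes.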
3

I believe that I'm now safe from all phishing and pharming attempts.

Since only a few CAs can issue such "green bar" extended validation (EV) certificates, you are mostly right if you trust EV certificates. It might still be possible that the CA got hacked, as happened with Comodo and DigiNotar in 2011. It is not possible for an attacker to just add a new CA to the system, because the list of CAs which can issue EV certificates is hard-coded in the browser (at least with Firefox and Chrome), so an attacker would need to patch or replace your browser to show its own fake certificates with green.

Faking non-EV certificates is much easier, because any of the hundreds of trusted CAs in the browser or any of their sub-CAs could issue such a certificate, which means an attacker can simply choose the weakest CA/sub-CA. And for non-EV certificates it is also enough to import a new CA into your browser, which a trojan could do.

Of course the attacker might also just try to open a new window where it emulates the whole browser using JavaScript, including the green URL bar and the window decoration (I've seen a similar attack long ago where it tried to emulate the Internet Explorer window).

Are there any other vulnerabilities?

Lots. There are regularly web application vulnerabilities like XSS and SQL injection even on sites with an EV certificate. The certificate says nothing about the security of the site itself, it is only used to identify the site.

Is it still possible for me to be hacked?

Of course. The site could be hacked and serve malware. Or the site could serve ads and the ads will serve the malware (this is called malvertising). Again, the certificate says nothing about the security of the site or of any included sites (ads, tracking, social networks...).

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424