Digital Security: Self-protection

Sometimes I get a bothersome paranoia about my privacy. Recently I deleted my Google account because of an MITM attack. It seems that the only affected users were my hometown friends. That’s why I’m going to describe how to check the validity of SSL certificates in this post. Let’s say you want to check the validity of the SSL certificate of the Google Plus service. The root certificate authority of *.google.com domains is Equifax. Google has announced that they’re planning to change their encryption system to use 2048-bit keys:

Protecting the security and privacy of our users is one of our most important tasks at Google, which is why we utilize encryption on almost all connections made to Google.

This encryption needs to be updated at times to make it even stronger, so this year our SSL services will undergo a series of certificate upgrades—specifically, all of our SSL certificates will be upgraded to 2048-bit keys by the end of 2013. We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year. We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.

First make sure you have installed OpenSSL. Ubuntu users can install from repositories:

$ sudo apt-get install openssl

Create a sandbox:

$ mkdir -p ~/.cert/plus.google.com/
$ cd ~/.cert/plus.google.com/

Then fetch the possibly affected certificate. Make sure you are on the untrusted connection. Remember, it is this connection you want to check, so don’t turn on a VPN or SSH tunnel.

$ openssl s_client -showcerts -connect plus.google.com:443

Output should be something like:

CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2790 bytes and written 347 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA
    Session-ID: 5E2774A7C4D1B6728979A80D52831BCA524AC57A5AB5C188A1A4CB48A0314A71
    Session-ID-ctx: 
    Master-Key: 10FACBF7E9E427981439570C200715F5755B05B7CD6380C465DF0E0DA94101B4A72D918F26B3344E632AEB62927A2605
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1375440311
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Copy the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into ./plus.google.com.pem

Now you need to get the certificate of the issuer. Make sure you’re using protection. Turn on an SSH tunnel or VPN and run:

$ wget http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem

Create symbolic links by hashes:

$ c_rehash ~/.cert/plus.google.com/

Output looks like:

Doing /home/soroush/.cert/plus.google.com/
Equifax_Secure_Certificate_Authority.pem => 578d5c04.0
Equifax_Secure_Certificate_Authority.pem => 594f1775.0
plus.google.com.pem => a18bd28a.0
plus.google.com.pem => ae1123c5.0

To confirm you have a valid certificate, check the original certificate authority against the possibly hijacked certificate that you see:

$ openssl s_client -CApath ~/.cert/plus.google.com/ -connect plus.google.com:443
CONNECTED(00000003)
depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2790 bytes and written 347 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA
    Session-ID: 948080BCEEEC76AE136086E69F1CAAC60CA67C078528E959BAE1679B3E7AF03E
    Session-ID-ctx: 
    Master-Key: 6A4F31D9A704C8FDFFA41DC13AB5010353897EDBE8918453D5A05E6DA039A5EAB2FE357475EB0C0E86A9EBAFA8A28BBC
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1375441275
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

There is a lot of information in the output, though the only important part is the last line, the verify return code (marked in red).

Is it all over? Not yet. Check the whole certificate hierarchy of the target domain. Certificates of mail.google.com and plus.google.com were NOT VALID since August 1st 2013 from my connection.
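
The check on the verify return code and on the certificate hierarchy can be scripted over a saved s_client transcript instead of reading it by eye. This is an added example, not part of the original post: the helper names are hypothetical and the two transcripts are constructed, cut down from the output shown above. It also reads the key size that the Google announcement is about.

```shell
# Added example; helper names are hypothetical, transcripts are constructed.

# Numeric "Verify return code" from a transcript on stdin; status 1 if missing.
verify_code() {
  awk '/^[ \t]*Verify return code:/ { print $4; ok = 1; exit }
       END { exit !ok }'
}

# Issuer of the last certificate under "Certificate chain" (the claimed root).
# The section ends at a line that is exactly "---"; with -showcerts the PEM
# marker lines also start with dashes and must not end it.
chain_root_issuer() {
  awk '/^Certificate chain/ { inside = 1; next }
       inside && $0 == "---" { inside = 0 }
       inside && /^[ \t]+i:/ { sub(/^[ \t]+i:/, ""); last = $0 }
       END { print last }'
}

# Key size N from "Server public key is N bit".
pubkey_bits() { awk '/^Server public key is/ { print $5; exit }'; }

# Status 0 only if verification succeeded AND the chain ends at the expected
# root. s_client finishes the handshake even when verification fails.
check_transcript() {  # $1 = transcript text, $2 = expected root issuer
  code=$(printf '%s\n' "$1" | verify_code) || return 1
  root=$(printf '%s\n' "$1" | chain_root_issuer)
  [ "$code" = 0 ] && [ "$root" = "$2" ]
}

EXPECTED_ROOT='/C=US/O=Equifax/OU=Equifax Secure Certificate Authority'
CHAIN='Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
(certificate body left out of this constructed sample)
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server public key is 1024 bit'
FAILED="$CHAIN
    Verify return code: 20 (unable to get local issuer certificate)"
VERIFIED="$CHAIN
    Verify return code: 0 (ok)"
for t in "$FAILED" "$VERIFIED"; do
  if check_transcript "$t" "$EXPECTED_ROOT"; then echo "chain verified"
  else echo "NOT verified (code $(printf '%s\n' "$t" | verify_code))"; fi
done
```

OpenSSL's s_client also accepts -verify_return_error, which makes the handshake itself stop on a verification failure instead of continuing.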

Take care.
