Google releases Nogotofail tool to test vulnerability to Man-in-the-Middle attacks
The past year has produced a string of attacks on the protocols that protect Internet traffic, from Heartbleed and Apple's goto fail bug to the recent POODLE attack. What they have in common is that each targets a weak point in SSL/TLS: Heartbleed and goto fail were implementation bugs (in OpenSSL and in Apple's Secure Transport respectively), while POODLE exploits a design flaw in the SSL 3.0 protocol itself.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are the cryptographic protocols that secure most Internet communication, HTTPS included. SSL is the older design and has been superseded: TLS 1.0 was published in 1999, and SSL 3.0, the version POODLE attacks, is obsolete, although many servers and clients still accept it for compatibility. The lesson of the recent attacks is that the encryption itself is rarely the weak point. A 128-bit symmetric cipher is not breakable by brute force in practice, so attackers go around it: they exploit bugs in the code that implements the protocol (Heartbleed's missing bounds check, goto fail's skipped signature verification), flaws in the protocol design (POODLE's padding oracle in SSL 3.0's CBC mode, reached by forcing a downgrade from TLS), or client misconfigurations such as disabled certificate validation. Moving to TLS removes the protocol-level flaws, but implementation and configuration mistakes follow along with whatever version is in use.
For those not in the know, a man-in-the-middle (MitM) attack is a textbook way of attacking Internet users. The idea is that while user A is communicating with user B, an attacker C sits on the network path between them. C can simply record the traffic as it passes (a passive attack), or C can break the connection into two, one between A and C and another between C and B, so that every message from A reaches B only after passing through C, who can read or alter it, and likewise in the other direction (an active attack). Either way, A and B see nothing unusual; they believe they are talking directly to each other. Properly used TLS is the defence against exactly this: the client checks that the server's certificate chains to a trusted authority and names the host it meant to reach, so an interposed C, who cannot present a valid certificate for B, is detected and the connection fails. The attack succeeds against TLS only when that check is broken or skipped, which is what a bug like goto fail, or an app that disables certificate validation, amounts to.
This is the foundation on which the attacks above are built, and the central problem is the one just described: the users have little or no clue that an attack is taking place. Hence the onus of plugging such vulnerabilities lies with developers, and Google aims to give them a tool for the fight against such attacks.
“The core of nogotofail is the on path network MiTM named nogotofail.mitm that intercepts TCP traffic. It is designed to primarily run on path and centers around a set of handlers for each connection which are responsible for actively modifying traffic to test for vulnerabilities or passively look for issues. nogotofail is completely port agnostic and instead detects vulnerable traffic using DPI instead of based on port numbers. Additionally, because it uses DPI, it is capable of testing TLS/SSL traffic in protocols that use STARTTLS,” the tool’s documentation says.
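The port-agnostic DPI step that the documentation describes, as an added example written for this page in Python (the language nogotofail itself is written in) and not the project's own code: it recognises a TLS ClientHello in the first client-to-server bytes of any TCP connection, pulls out the offered protocol versions, cipher suites and SNI, and flags offers a MITM tester would care about, such as SSLv3 or RC4. The record and extension layouts follow RFC 5246 and RFC 8446; the `LEGACY_HELLO` sample is constructed, and the `capture_client_hello` helper uses the local OpenSSL through Python's `ssl.MemoryBIO` so that a genuine ClientHello can be inspected without touching the network.

```python
"""Passive, port-agnostic detection of a TLS ClientHello in a TCP byte stream: the DPI step an
on-path MITM tester runs on each new connection before deciding whether it carries TLS.
Added example, not nogotofail's code. Field layouts follow RFC 5246 / RFC 8446."""
import ssl
import struct

CONTENT_TYPE_HANDSHAKE, HANDSHAKE_TYPE_CLIENT_HELLO = 22, 1
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
WEAK_SUITES = {  # a few suites whose presence in a client's offer is worth flagging
    0x0000: "TLS_NULL_WITH_NULL_NULL", 0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def looks_like_client_hello(data: bytes) -> bool:
    """Cheap first-bytes check on the first client->server segment, whatever the port."""
    return (len(data) >= 6 and data[0] == CONTENT_TYPE_HANDSHAKE
            and data[1] == 3  # record-layer major version 3: SSLv3 and every TLS version
            and data[5] == HANDSHAKE_TYPE_CLIENT_HELLO)

def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; ValueError if it is not one."""
    if not looks_like_client_hello(data):
        raise ValueError("not a TLS ClientHello record")
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                # skip version and 32-byte client random
    pos += 1 + hello[pos]                       # legacy session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                       # compression methods
    sni, offered = None, [legacy_version]
    if pos + 2 <= len(hello):                   # extensions block (optional before TLS 1.3)
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:  # host_name entry
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
                # TLS 1.3 clients list their real versions here; legacy_version stays 0x0303
                offered = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + edata[0], 2)]
    return {"legacy_version": legacy_version, "offered_versions": offered,
            "cipher_suites": suites, "sni": sni}

def audit_client_hello(info: dict) -> list:
    """Findings available from the offer alone; certificate-validation bugs need the active MITM."""
    findings = [f"offers {VERSION_NAMES.get(v, hex(v))}: downgrade target for POODLE"
                for v in info["offered_versions"] if v <= 0x0300]
    findings += [f"weak cipher suite offered: {WEAK_SUITES[s]}"
                 for s in info["cipher_suites"] if s in WEAK_SUITES]
    return findings

def build_client_hello(legacy_version, suites, sni=None, supported_versions=None) -> bytes:
    """Construct a ClientHello record (test fixture, not captured traffic)."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 1 + len(vs)) + bytes([len(vs)]) + vs
    hello = (struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"   # fixed random, empty sid
             + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00")                                                 # null compression only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([HANDSHAKE_TYPE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_TYPE_HANDSHAKE]) + struct.pack("!HH", legacy_version, len(hs)) + hs

def capture_client_hello(server_hostname: str) -> bytes:
    """Make the local OpenSSL emit a genuine ClientHello into a memory BIO: no network involved."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                    # expected: first flight written, waiting for server
    return outgoing.read()

# Constructed sample: an old client offering SSLv3 and RC4/3DES suites to a bank.
LEGACY_HELLO = build_client_hello(0x0300, [0x0005, 0x0004, 0x000A, 0x002F], sni="bank.example")
```

Running `audit_client_hello(parse_client_hello(LEGACY_HELLO))` yields four findings (SSLv3 plus the three RC4/3DES suites), while a ClientHello emitted by a current OpenSSL parses cleanly with its SNI intact. The caveat a tester must keep in mind is that the ClientHello only shows what the client offers; whether the client actually validates the server certificate, which is the goto fail and disabled-validation class of bug, is invisible to passive inspection and is exactly why the tool's handlers also have to "actively modify traffic" by presenting an invalid certificate and seeing whether the client proceeds.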
Google’s security team designed the nogotofail tool to work with essentially any client that connects to the Internet. “The Android Security Team has built a tool, called nogotofail, that provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations. Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet. There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy,” Chad Brubaker of the Android security team wrote in a blog post.
The Google nogotofail tool will help developers identify the weak spots in their applications’ implementations before an attacker can take advantage. “We’ve been using this tool ourselves for some time and have worked with many developers to improve the security of their apps. But we want the use of TLS/SSL to advance as quickly as possible,” Brubaker wrote.