Why are SSL Protected connections so important?
Written by Marco Vellinga on 12th March 2015
Tough times for privacy
The past few years have been quite rough when it comes to privacy. Edward Snowden and Wikileaks revealed a lot of information about how governments spy on their people. Even though this is a bad thing, there is something worse.
With the increasing number of ‘free’ WiFi connections, a problem arises. Devices with WiFi turned on are usually probing to find a known WiFi network. This is the reason why you always have WiFi when you come home. For instance, your phone is always looking for a network called ‘Your Home Network’. Once you have connected to an open free WiFi network, your device will remember this network and keep looking for it whenever you don’t have WiFi access.
The device displayed above is a WiFi Pineapple. This is a wireless access router designed with “Hacking in mind”. The WiFi Pineapple is a product from Hak5 and can be bought by anyone. One feature of this router is network spoofing and it roughly works like this:
Phone → Looking for network “Free WiFi”
Router → Oh, you’re looking for network “Free WiFi”? I can be named “Free WiFi”
Phone → Found it! Let’s connect
Router → Make use of my “Free WiFi”
The internet connection of your phone now runs through this Pineapple router because the phone thinks it’s connected to the known network name “Free WiFi”. The person who owns this Pineapple now has the power to ‘tap’ all your internet traffic. This can happen while your phone is in your pocket because it automatically connects to known networks! You are now vulnerable to a so-called “Man in the Middle Attack” (MitM).
SSL Protected vs plain-text connections
This is where SSL Protected connections come into play. In this case, we are dealing with two types of connections: SSL Protected connections and plain-text connections. Connections protected with SSL can be intercepted but are nearly impossible to read. The attacker can only see the encrypted message. Without the right decryption keys, the actual message cannot be read by the attacker. Your bank uses SSL Protection on their website (and if they don’t, you should have left them yesterday). Whenever you do something on the website, the information you send via the internet to the bank is encrypted. In this MitM position the attacker can’t read the information you’re sending. Plain-text connections which are intercepted are fully readable. The attacker can see every bit of information you send to the website. Imagine you’re a person who wants to share his knowledge with the world, so you have a blog. To post blogs, you need to log in with a password.
The MitM attack
One sunny day you find yourself blogging outside your local bar whilst enjoying a nice cold beer. While you’re connected to the ‘known’ WiFi network provided by the Pineapple, you enter your credentials and start typing a blog. The credentials are sent in plain-text to the blog website (why on earth would you want an SSL certificate on your private blog?). The attacker sees these credentials, because they are not sent via an SSL Protected connection, and he can start his attack. While you are blogging, the attacker has your password and now has access to your blog account. This account might not be that interesting, but he definitely can ruin your private blog. The next thing the attacker will do is try other services with the same password (Twitter, Facebook, a company website or any other leads you like to blog about). People tend to use the same (or a similar) password for all accounts because you have so many accounts these days. This is of course something you should never (and don’t have to) do, but that will be discussed in another article.
The blogger’s situation is exactly why you should have an SSL Protected connection on everything, even that ‘innocent’ private blog. Whenever private information is involved, you should connect with an SSL Protected connection. This way an attacker will never have a chance in the MitM position to read passwords, account names, cookies (important!) or that one kinky comment you made on the picture your wife sent you (or the picture itself for that matter).
Think twice about logging in to websites with no SSL while you’re not entirely sure the connection you’re on is trusted!
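As an added example (not part of the original article), here is a small Python check a site owner could run against their own login page to list what someone in the MitM position described above would be able to read: the password form submission and any cookie not restricted to encrypted connections. The function and class names, the `blog.example` URLs and the sample HTML and cookie values are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormScanner(HTMLParser):
    """Collects the action of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.action = None          # action of the currently open form, if any
        self.password_forms = []    # actions of forms holding a password input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self.action is not None and self.action not in self.password_forms:
                self.password_forms.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit_login_page(page_url, html, set_cookie_headers):
    """Return findings about data readable from a man-in-the-middle position."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page served without TLS: " + page_url)
    scanner = FormScanner()
    scanner.feed(html)
    for action in scanner.password_forms:
        target = urljoin(page_url, action)  # relative action inherits page scheme
        if urlparse(target).scheme != "https":
            findings.append("password form posts in plain text to " + target)
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = [p.strip().lower() for p in header.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie '%s' lacks Secure, may be sent over HTTP" % name)
    return findings

# Constructed sample input: a hypothetical blog login page and its Set-Cookie values.
SAMPLE_HTML = '<form action="/session"><input type="password" name="pass"></form>'
SAMPLE_COOKIES = ["sid=abc123; Path=/; HttpOnly", "theme=dark; Path=/; Secure"]

if __name__ == "__main__":
    for url in ("http://blog.example/login", "https://blog.example/login"):
        print(url)
        for finding in audit_login_page(url, SAMPLE_HTML, SAMPLE_COOKIES):
            print("  -", finding)
```

Served over plain HTTP, the sample page yields three findings; served over HTTPS, only the `sid` session cookie without the `Secure` attribute remains.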