Q&A - From The Labs

Malware Trivia: Episode 11

About IM clients and rogue SSL certificates

Instant messaging is one of the most popular ways of keeping in touch with others. They are free, have a low footprint over the network (unlike VoIP communication, for instance), they are unobtrusive and able to keep messages for us while we’re offline, or – better yet – to forward them to a cell number. No wonder that they have also made their way in companies, where they have become the most important means of communication between employees. However, there’s a much gloomier side to IM communication, as most of it takes place unencrypted, so anyone who has physical access to the network may pry on the conversation unhindered.

Is chat software we commonly use secure? If not what are our options to stop giving out our private information when connected to unprotected Wifi networks? – Question asked by Jeet.

Most of these chat applications use SSL encryption only when sending the username and password combination to the server, then send the rest of the conversations in clear. The following screenshot is a traffic capture showing a Y!IM conversation. However, a “sniffer” lurking on the network will also see information updated by other contacts, including their status updates.

Packet capture reveals conversations in plain text

TCP stream capture revealing plain-text conversations, details about other friends and their statuses

On the contrary, web-based messenger and other forms of communications seem to pay a great deal of attention to privacy and encrypt all traffic before sending it over the network. Please note that this is no assurance of privacy, but rather a personal conclusion drawn after inspecting and comparing captured packets.

The same thing applies when using unsecured WiFi networks: any other user connected to the access point or router may sniff out your traffic, learn important things about you or your contacts, and then use the information to spear-phish you or them. We understood the risks a user may take while chatting on instant messaging services since 2008, when we introduced Chat Encryption. Available both as a module in BitDefender Internet Security and Total Security line of products or as a stand-alone product, Chat Encryption secures and encrypts IM messages sent between two users running one of the products listed above. Chat Encryption seamlessly integrates with Yahoo®! Instant Messenger™ and MSN® Messenger™ and automatically encrypts conversations in real-time.

Can you please explain how exactly an SSL certificate works and how it can be breached? – Question asked by Jeet.

In order to answer your question, I need to clarify first some details about SSL and what it is used for. SSL is a security technology – also known as Secure Sockets Layer – that creates an encrypted channel of communication between your computer and the server you are trying to communicate with. Encryption is necessary in a wide range of tasks, such as sending usernames and passwords, performing e-banking transactions or simply sending an e-mail message whose content you wouldn’t like to become available to anyone eavesdropping on the network. SSL is widely used and is one of the cornerstones of trustworthiness and secure communication.

SSL Certificate information

The BitDefender MyAccount area uses SSL encryption to prevent an attacker from sniffing data

However, in order for a website to be able to create this kind of encrypted channel, it needs to have a SSL certificate installed. Upon activation of a SSL certificate, you will be provided with a private and a public key, which will be subsequently embedded in a CSR (a certificate signing request). This CSR will be sent to a Certification Authority which will issue your certificate after it has carefully evaluated the legitimacy of the details you have provided in the CSR.

Certificate signing request demo project as it appears in the server’s control panel. Sample data.

The good thing is that major, trustworthy Certificate Authorities (the entities that are trusted by default by any browser) do a great job in validating the legitimacy of a request so chances are that your certificate signing request will be denied if there are doubts about the domain name, its owner or the purpose the domain is being used for. More than that, you will be required some documents such as Business License, Articles of Association or DUNS information; shortly put, your identity will be thoroughly checked to ensure legitimacy.

It is this exhaustive verification process and the ability to revoke the certificate if found to be abusively used that allows a Certificate Authority dodge fakes and preserve trust in an open environment such as the Internet. However, recent developments show that, if compromised, Certificate Authorities can issue rogue certificates, but their ability to revoke the unauthorized ones quickly restores things to normal.

Another interesting aspect is the fact that, if you need a certificate, you can generate your own one, which would work just as any other one generated by a root CA. However, unlike a certificate provided by a reputable CA (which enjoys complete trust from the browser), your self-generated one will only encrypt traffic, but won’t vouch about your identity on the Internet. Back in December 2008, a team of researchers managed to attack the MD5 algorithm used by CAs in public-key cryptography in order to generate a collision and modify a self-signed SSL certificate to look like it had been issued by a root CA. The security implications of spoofing a trustworthy CA have been so large that most of these authorities moved from the vulnerable MD5 algorithm to SHA-1 / SHA-2 / SHA-3, which are stronger against this kind of attacks.

Well, that’s it for today. As usually, I’m waiting for your questions on data security which I will answer in the next issue of the Malware Trivia. Until then, keep your shields up and stay safe!

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.