Enforcing SSL security enhancements

asked 2015-01-09 17:52:33 +0200


Hey guys, I have a proposal to improve the security of our Jolla phones. Recently, many research works have shown vulnerabilities in SSL implementations (e.g. APIs, libraries) that make SSL connections vulnerable to active man-in-the-middle attacks.

Several solutions have been proposed in order to enhance the security of SSL, and I want to suggest implementing them within Jolla's products, in order to protect users from possible attacks on the most sensitive protocol on the Internet.

Very recently, CertShim has been proposed: http://davejingtian.org/2014/11/06/ccs14-securing-ssl-certificate-verification-through-dynamic-linking/ . "Under the certShim environment, when the SSL library entry function is called, instead of falling into the original SSL library implementation, the code flow will be redirected to the certShim SSL implementation, which is also built upon the original SSL libraries but provides the ability to enforce the correct SSL certification verification procedure even if the application code fails to do so. For sure, there is more stuff in certShim. Please check the paper." More information and code are available here: http://davejingtian.org/2014/11/06/ccs14-securing-ssl-certificate-verification-through-dynamic-linking/ . I cannot estimate the effort to implement this solution within Sailfish OS; however, I strongly believe it is worthwhile.

Another proposed solution is called MalloDroid. This application detects SSL vulnerabilities in Android apps. Therefore, I think it would be nice to implement such a solution within Sailfish OS, in such a way that, before a user installs an application, it gets analyzed and verified through this system. A pop-up window can display information about security vulnerabilities before the user installs the app, so he is at least aware of it. The code of AndroGuard is here: https://github.com/androguard/androguard . The code of MalloDroid can be found here: https://github.com/sfahl/mallodroid . For more detailed information there is the paper or this OWASP (https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf) session.

I hope these features can be implemented within Sailfish OS in order to enhance the security and the privacy of the users. I think implementing these solutions as apps would not make them as powerful as an enforcement. I hope this thread can raise some interest.

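The interposition idea in the CertShim description quoted above, as an added example that is not part of the original post and is not CertShim's code: a Python-level analogue that replaces the `ssl.SSLContext.wrap_socket` entry point so client contexts get certificate and hostname verification even when the application turned them off. CertShim itself works on native libraries through dynamic linking; the names `enforcing_wrap_socket`, `install_shim`, `uninstall_shim`, `careless_app_connects` and the host name `device.example` are assumptions made for this illustration.

```python
import socket
import ssl

ORIGINAL_WRAP_SOCKET = ssl.SSLContext.wrap_socket  # the library's real entry point


def enforcing_wrap_socket(self, sock, server_side=False, *args, **kwargs):
    """Shim entry point: re-assert verification, then call the real library."""
    if not server_side:
        # Order matters: check_hostname=True requires verify_mode != CERT_NONE.
        self.verify_mode = ssl.CERT_REQUIRED
        self.check_hostname = True
        # An app that disabled verification usually loaded no trust anchors;
        # fall back to the system store, but leave an app-pinned CA set alone.
        if self.cert_store_stats()["x509_ca"] == 0:
            self.load_default_certs()
    # With check_hostname on, a call without server_hostname raises ValueError,
    # so a caller that cannot be verified fails closed.
    return ORIGINAL_WRAP_SOCKET(self, sock, server_side, *args, **kwargs)


def install_shim():
    ssl.SSLContext.wrap_socket = enforcing_wrap_socket


def uninstall_shim():
    ssl.SSLContext.wrap_socket = ORIGINAL_WRAP_SOCKET


def careless_app_connects(hostname="device.example"):
    """Constructed 'broken app': turns every check off before wrapping a socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # The socket is never connected, so no handshake or network traffic happens.
    with ctx.wrap_socket(socket.socket(), server_hostname=hostname):
        return ctx.verify_mode, ctx.check_hostname


if __name__ == "__main__":
    print("without shim:", careless_app_connects())
    install_shim()
    try:
        print("with shim:   ", careless_app_connects())
    finally:
        uninstall_shim()
```

Code that reaches TLS through `SSLContext.wrap_bio` (as `asyncio` does) does not pass through this wrapper, so a complete shim would have to cover every entry point the library exposes.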