The Anti-virus Times

Moreover, the security of SSL is a myth, and this myth is dangerous. Encrypting a channel offers no protection whatsoever in the event the certificate has been substituted on the provider level at the moment traffic is being transferred or in the event it is intercepted at the computer level (also achieved via certificate substitution).

A valid SSL certificate issued for an attacked domain lets hackers carry out an attack covertly using the MITM (Man-In-The-Middle) method. For this method to work, an attacker-controlled host that is actively intercepting traffic must be located between the targeted user and the server. This host presents itself as a legitimate server by submitting the same valid certificate.

The interception of HTTPS connections can be automated—special proxy hosts (SSL proxy) exist that can intercept traffic on-the-fly, including while generating the needed certificates. A certificate and a secret key must be downloaded to this type of proxy to enable the signing of other certificates (e.g., the so-called partner intermediate certificate issued for this purpose suffices).

MITM won’t work for HTTPS if some additional measures exist: for example, the establishment of a TLS (Transport Layer Security) connection requires mutual authentication, and the user’s secret key (or partner keys that vouch for the user’s key) is made unavailable to the intercepting host; or the user’s browser maintains a register of servers whose public key thumbprints are trusted; or the user applies additional sources of information about the authorized keys and certificates that are not available for substitution on the intercepting host (such sources include DNS or other databases).

Most services use so-called SSL termination: i.e., encrypted user HTTPS traffic only travels to an edge proxy server where it is safely translated into HTTP; from there it travels through a service’s internal (in a logical rather than a technical sense) networks in plain text. This is standard practice since total HTTPS, with a growing number of customers, quickly morphs into a very heavy, poorly scalable technology. If a traffic inspection system is located inside service networks, beyond an edge SSL proxy, no HTTPS interferes with it. The internal traffic of distributed services can easily travel in plain text between hosts and data centers along communication channels leased from major providers. While such traffic can be listened to, the user sees what appears to be an HTTPS connection.

https://dxdt.ru/2013/08/02/6066/

We’re already long accustomed to Microsoft products having errors; however, it turns out that such mistakes can be encountered beyond their borders. Take, for example, Microsoft’s website—it’s very official-looking, extremely popular, and in high demand. Let’s open it in a browser. Type any query in the search field to request a resource via the HTTPS protocol. But, wait a second...what’s this?

The certificate used by the website was generated for third-level domains. That’s why the browser is a bit surprised at first, but then it gets scared, and finally it advises, “Leave this website immediately!” Yikes, let’s get out of here!

http://blogs.drweb.com/byvaet-i-takoe/