A TLS/SSL Certificate Flaw Leads to Covert Data Transfer


Researchers continue to test cybersecurity measures and show us time and again that cyber threats can come from anywhere. Even a protocol as fundamental as TLS/SSL has a weak spot that can be exploited to move data past security controls and out of a network unnoticed.

Cybersecurity is a top concern for anyone who operates in the digital world. Cyber threats are more sophisticated and more common than ever, so much so that even governments have difficulty protecting themselves. Recent research revealed a weakness in the way X.509 certificates are used by TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer), the cryptographic protocols that underpin HTTPS (HTTP over TLS).

X.509 is the standardized format for public key certificates, used to secure Internet communications. The weakness is not a bug in how certificates are parsed or signed: it is that certificate fields can hold arbitrary bytes, so an attacker can exchange data inside a certificate that security tools, which only check the expected certificate values, never inspect. Jason Reaves, threat research principal engineer at Fidelis Security, showed that the certificate exchange itself can be used to carry attacker data, and that malware could use it as a command and control (CnC) channel.

A proof of concept

In his research, Jason Reaves created a proof of concept showing how TLS/SSL, together with X.509 certificates, can be used to hide arbitrary data from security tools. The key point is that certificates are exchanged during the TLS handshake, before the session keys are agreed and the encrypted channel exists. In TLS 1.2 and earlier the certificate is sent in cleartext, so from the outside the data looks like part of the connection setup rather than a data transfer. (In TLS 1.3 the Certificate message is itself encrypted under the handshake keys, which hides it from passive observers; the channel still works between the two endpoints.) With that in mind, data can be placed in certificate extensions and transferred from server to client in the server certificate, or from client to server in a client certificate, without being detected.

As Jason stated: “X.509 certificates have many fields where strings can be stored…The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse…takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established, there appears to never have been a data transfer, when in reality the data was transferred within the certificate exchange itself.”

Put simply, the certificate exchange can be used for covert data transfer, and malware can use it as a command and control channel that looks like ordinary TLS traffic. No attacks using this method have been reported so far, but it is a potential threat to many companies and individuals online.

A potential threat

Covert channels as such are not a revelation. Hiding data inside ICMP (Internet Control Message Protocol) packets was described as a transfer method back in 2005, and covert channels were already being analysed in government publications in 1993. What is new is the choice of X.509 certificates as the carrier.

Covert data transfer on its own may not sound like a big concern, but the same channel can carry malicious software. Fidelis Security researchers also created a proof of concept in which Mimikatz, a widely used credential-theft tool, was transferred via certificate extensions. Any payload could be moved the same way, including ransomware such as WannaCry, detected worldwide in May 2017, or Bad Rabbit, a Petya-style ransomware that hit Russia and Ukraine in October 2017. Bad Rabbit affected Russian media outlets, the airport in Odessa and the metro in Kiev, with attackers demanding 0.05 Bitcoin to decrypt the victims' files.

As mentioned before, there are still no reported attacks using this method, but the channel would be easy to hide. The vast majority of websites serve HTTP over TLS/SSL, and many online businesses that pursue SEO (Search Engine Optimization) adopted HTTPS specifically to improve their rankings: back in 2014 Google announced that HTTPS would be used as a ranking signal, to urge websites to implement additional security. Certificate exchanges are therefore everywhere, and one more certificate on the wire draws no attention. Note that the weakness does not mean HTTPS websites themselves can be broken into; the risk is that malware already running on an endpoint can talk to its operator through certificate fields. It's safe to say that it's a good thing the technique was first described by researchers rather than found in an attack.

A remedy

Even though this technique can turn into a real threat, there is a way for online businesses and individuals to protect themselves from such covert data transfers. Having simulated an attack through certificate extensions, the Fidelis Security researchers also built a framework that helps users detect covert data transfers and put security measures in place.

The framework shows in detail how to detect and block unwanted certificate extensions. For instance, an executable file header (such as the "MZ" that starts a Windows PE file) inside certificate data is a strong sign that the certificate is being abused, as is an extension with an unknown identifier or an unusually large value. Users should also block self-signed certificates: a CA-issued certificate cannot carry attacker-chosen extension data, because the CA would have to sign it, so this kind of channel needs a certificate the attacker mints for himself. Where self-signed certificates are legitimately used internally, allow-list those specific certificates rather than self-signed certificates in general.
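The following is an added example, not code from the Fidelis research or the page itself, that ties together the proof-of-concept section above (placing payload bytes in a certificate extension and recovering them on the other side) and the detection guidance in this section (flagging extensions that carry an executable header, an unexpected identifier, or an oversized value). It uses only the Python standard library: a small DER encoder builds a certificate-shaped structure, and a DER walker inspects it. The private OID `1.3.6.1.4.1.99999.1`, the commonName, the `PAYLOAD` bytes and the zeroed key and signature fields are all constructed placeholders; `EXPECTED_OIDS` is a short list of the standard extensions a web-facing certificate normally carries, which is an assumption you would tune to your environment.

```python
from typing import Optional

SEQ, SET, BOOL, INT, BITSTR, OCTET, NULL, OID, UTF8, UTCTIME = (
    0x30, 0x31, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0C, 0x17)
COVERT_OID = "1.3.6.1.4.1.99999.1"   # constructed private-arc OID for the example
# Extension OIDs a web-facing certificate is normally expected to carry (assumption).
EXPECTED_OIDS = {"2.5.29.14", "2.5.29.15", "2.5.29.17", "2.5.29.19",
                 "2.5.29.31", "2.5.29.35", "2.5.29.37", "1.3.6.1.5.5.7.1.1"}
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!")   # PE, ELF and script file headers

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return der(OID, bytes(out))

def decode_oid(body: bytes) -> str:
    """Inverse of der_oid for the OID body (tag and length already stripped)."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def der_tlvs(buf: bytes):
    """Yield (tag, value) for each TLV in buf without recursing."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long form: n & 0x7F length bytes follow
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def name(cn: str) -> bytes:
    """Name with a single commonName attribute."""
    return der(SEQ, der(SET, der(SEQ, der_oid("2.5.4.3") + der(UTF8, cn.encode()))))

def extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }"""
    crit = der(BOOL, b"\xff") if critical else b""
    return der(SEQ, der_oid(oid) + crit + der(OCTET, value))

def build_cert(payload: Optional[bytes], cn: str = "covert.example") -> bytes:
    """Sender side: certificate-shaped DER whose private extension carries payload.
    Key and signature are zero placeholders; a real self-signed cert would sign
    tbs with a key the sender controls, so the payload survives signing anyway."""
    rsa_sha256 = der(SEQ, der_oid("1.2.840.113549.1.1.11") + der(NULL, b""))
    exts = extension("2.5.29.19", der(SEQ, b""))          # basicConstraints: end entity
    if payload is not None:
        exts += extension(COVERT_OID, payload)              # the covert channel
    tbs = der(SEQ,
              der(0xA0, der(INT, b"\x02"))                  # [0] version: v3
              + der(INT, b"\x01")                          # serialNumber
              + rsa_sha256 + name(cn)                      # signature alg, issuer
              + der(SEQ, der(UTCTIME, b"200101000000Z") + der(UTCTIME, b"300101000000Z"))
              + name(cn)                                   # subject
              + der(SEQ, der(SEQ, der_oid("1.2.840.113549.1.1.1") + der(NULL, b""))
                    + der(BITSTR, b"\x00" * 17))           # subjectPublicKeyInfo (placeholder)
              + der(0xA3, der(SEQ, exts)))                  # [3] extensions
    return der(SEQ, tbs + rsa_sha256 + der(BITSTR, b"\x00" * 33))  # placeholder signature

def iter_extensions(cert_der: bytes):
    """Yield (oid, critical, value) for every Extension-shaped SEQUENCE in the DER."""
    stack = [cert_der]
    while stack:
        for tag, value in der_tlvs(stack.pop()):
            if not tag & 0x20:                 # primitive type: nothing to descend into
                continue
            kids = list(der_tlvs(value))
            if tag == SEQ and len(kids) in (2, 3) and kids[0][0] == OID and kids[-1][0] == OCTET:
                yield decode_oid(kids[0][1]), len(kids) == 3 and kids[1][1] == b"\xff", kids[-1][1]
            else:
                stack.append(value)

def extract_payload(cert_der: bytes, oid: str = COVERT_OID) -> Optional[bytes]:
    """Receiver side: pull the smuggled bytes back out of the certificate."""
    return next((v for o, _, v in iter_extensions(cert_der) if o == oid), None)

def suspicious_extensions(cert_der: bytes, max_len: int = 512):
    """Detector side: flag extensions by unexpected OID, executable magic or size."""
    findings = []
    for oid, _critical, value in iter_extensions(cert_der):
        reasons = [why for why, hit in (("unexpected OID", oid not in EXPECTED_OIDS),
                                        ("executable header", value.startswith(EXEC_MAGIC)),
                                        ("oversized", len(value) > max_len)) if hit]
        if reasons:
            findings.append((oid, reasons))
    return findings

# Constructed stand-in for the first chunk of a Windows PE file (not real malware).
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 700

if __name__ == "__main__":
    cert = build_cert(PAYLOAD)
    assert extract_payload(cert) == PAYLOAD
    print(suspicious_extensions(cert))  # [('1.3.6.1.4.1.99999.1', ['unexpected OID', 'executable header', 'oversized'])]
    print(suspicious_extensions(build_cert(None)))  # []
```

The detector walks the whole DER tree rather than trusting the certificate's declared layout, so a payload stashed in an extension still shows up even if the rest of the structure is malformed. In practice you would feed it the Certificate message captured from a TLS 1.2 handshake (or, for TLS 1.3, the certificate as seen by the endpoint), and treat the "executable header" reason as a high-confidence alert while tuning `EXPECTED_OIDS` and `max_len` to what your own certificates legitimately carry.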

The lesson is that threats can come from unexpected places: even a legitimate feature of a protocol as fundamental as TLS/SSL can be turned into a channel for moving data and malware, and from there into a foothold on an entire system. One thing is for sure: if we want to be safe online, we must keep improving our defences and stay aware of their weaknesses.

