It uses deep packet inspection to detect vulnerable traffic

Nov 4, 2014 17:01 GMT  ·  By

Today, Google released a network security tool, called Nogotofail, as an open source project for developers and security researchers to be able to test devices and apps for weak TLS connections and SSL certificate verification problems.

Nogotofail was created by the Android Security Team and it works with any device that can connect to the Internet, regardless of the operating system it runs on, exposing network issues that could render the data insecure when in transit.

Man-in-the-middle (MitM) used to capture traffic

Available on GitHub, the tool is aimed at more complex apps that override the default network configuration, which is the most secure choice for the average user. Complex applications, however, often pull in additional libraries and need changes to that initial setup, and such changes can put data in transit at greater risk.

The developers included tests for common SSL certificate verification problems, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, and clear text problems.

At the core of Nogotofail is the man-in-the-middle (MitM) technique, which allows the tool to intercept the TCP traffic flowing through the tested device.

Optional clients are available to identify the app or device that made a vulnerable connection; a client supplies additional information about the connection so that the tests run against it are more relevant.

The attack engine can act as a router, proxy or VPN server

“We’ve been using this tool ourselves for some time and have worked with many developers to improve the security of their apps. But we want the use of TLS/SSL to advance as quickly as possible,” says Chad Brubaker, Android security engineer, in a blog post.

The attack engine included in Nogotofail can be run as a router, VPN server or proxy. This should help developers create a test environment as close as possible to a real one.

The MitM component runs on path, and its per-connection handlers are what actually attempt to exploit a given vulnerability, modifying the traffic as needed.

According to the project's description, vulnerable traffic is detected not by port number but by deep packet inspection (DPI), which also lets the tool test TLS/SSL traffic in protocols that rely on STARTTLS.
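The following is an added example, written for this article and not taken from Nogotofail's own code, of what port-independent detection of this kind looks like in practice. It covers the two points above: the DPI idea of classifying a stream as TLS, STARTTLS-capable or cleartext from its bytes alone, and the STARTTLS-stripping check listed among the tool's tests. The ClientHello bytes and SMTP lines are constructed samples, and the function names are this example's own.

```python
"""Port-independent detection of TLS and STARTTLS traffic (added example).

Illustrative code, not Nogotofail's implementation. A stream is classified as
TLS, STARTTLS-capable or cleartext from its first bytes, never from the TCP
port. The ClientHello and SMTP lines used below are constructed samples.
"""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
SNI_EXTENSION = 0x0000    # extension type: server_name
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
STARTTLS_MARKERS = (b"STARTTLS", b"STLS")   # SMTP/IMAP and POP3 capability tokens


def parse_client_hello(data):
    """Return a dict describing a TLS ClientHello, or None if data is not one.

    Extracts only what a detection engine needs: record/handshake versions,
    offered cipher suites and the SNI host name. Truncated or non-TLS input
    yields None rather than an exception.
    """
    if len(data) < 6 or data[0] != TLS_HANDSHAKE or data[5] != CLIENT_HELLO:
        return None
    record_version, record_len = struct.unpack(">HH", data[1:5])
    if record_version not in TLS_VERSIONS or record_len > len(data) - 5:
        return None
    body = data[5:5 + record_len]
    if int.from_bytes(body[1:4], "big") != len(body) - 4:  # 3-byte handshake length
        return None
    try:
        pos = 4
        client_version = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + 32                          # client_version + 32-byte random
        pos += 1 + body[pos]                   # session id (length-prefixed)
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                   # compression methods (length-prefixed)
        sni = None
        if pos + 2 <= len(body):               # extensions block is optional
            end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
                pos += 4
                if ext_type == SNI_EXTENSION:
                    # server_name_list: 2-byte list length, 1-byte name type,
                    # 2-byte name length, then the host name
                    name_len = struct.unpack(">H", body[pos + 3:pos + 5])[0]
                    sni = body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
                pos += ext_len
    except (struct.error, IndexError):
        return None
    return {"record_version": TLS_VERSIONS[record_version],
            "client_version": TLS_VERSIONS.get(client_version, hex(client_version)),
            "cipher_suites": suites, "sni": sni}


def build_client_hello(sni, suites, version=0x0303):
    """Construct a minimal ClientHello with an SNI extension (sample data only)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    ext_data = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", SNI_EXTENSION, len(ext_data)) + ext_data
    body = (struct.pack(">H", version) + b"\x11" * 32 + b"\x00"  # version, random, empty sid
            + struct.pack(">H", 2 * len(suites))
            + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack(">H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack(">HH", version, len(handshake)) + handshake


def classify_stream(client_first, server_first=b""):
    """Classify a stream by content: 'tls', 'starttls' or 'cleartext'.

    The TCP port is deliberately not an input: a ClientHello on 8443 or a
    STARTTLS-capable mail server on 2525 is recognised by its bytes alone.
    """
    if parse_client_hello(client_first) is not None:
        return "tls"
    if any(marker in server_first.upper() for marker in STARTTLS_MARKERS):
        return "starttls"
    return "cleartext"


def starttls_was_skipped(server_offer, client_followup):
    """True if the server offered STARTTLS but the client carried on in cleartext.

    This is the logic behind a STARTTLS-stripping test: after the offer, a
    well-behaved client issues STARTTLS (or STLS) and a ClientHello follows;
    anything else means application data is about to leave unencrypted.
    """
    offered = classify_stream(b"", server_offer) == "starttls"
    upgraded = (any(m in client_followup.upper() for m in STARTTLS_MARKERS)
                or parse_client_hello(client_followup) is not None)
    return offered and not upgraded


# Constructed sample traffic (not captured from any real device)
SAMPLE_HELLO = build_client_hello("example.com", [0xC02F, 0x002F, 0x0035])
SAMPLE_SMTP_EHLO_REPLY = b"250-mail.example.com\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SAMPLE_PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO))
    print(classify_stream(SAMPLE_HELLO), classify_stream(SAMPLE_PLAIN_HTTP))
    print(classify_stream(b"EHLO client\r\n", SAMPLE_SMTP_EHLO_REPLY))
    print(starttls_was_skipped(SAMPLE_SMTP_EHLO_REPLY, b"MAIL FROM:<a@example.com>\r\n"))
```

The parser is intentionally narrow: it reads only the fields needed to recognise a handshake and name the destination, and it refuses anything whose declared lengths do not match the bytes present, which is how a DPI classifier avoids being fooled by a cleartext stream that merely begins with a 0x16 byte.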

Anyone wishing to contribute to further development of the tool can do it by proposing new features or providing support for more platforms.