The job description is dictate a rogue certificate (Compromised Certificate) from a Man-In-the-Middle MITM, who hijacked a Client-Server web connection and has inserted a rogue certificate in attempt to make the browser blindly verify such certificate as legal.
The key insight on this project is to assume a Content Delivery Network (CDN). We know that popular Web Servers like [login to view URL], [login to view URL], [login to view URL] etc, run a Content Delivery Network. i.e, the Servers are located in different geographical areas in order to improve QoS, client-server efficiency and also reduce latency and Network congestion.
so, they tend to use only on Certificate Authority CA, to sign and issue their Certificate. example, google web servers in different world locations has only one CA issuer as their certificate signer.
So, in order to dictate a compromised certificate on a web server, we explore the CDN system. When an attacker has compromised a CA, and has obtained the Private Key of that CA, he can use it to issue fake certificate to any server he likes.
See what I want
So, for instance, if a user is trying to connect to a server in of yahoo in Ghana, if the certificate has been compromised, I want a countermeasure that will be able to collect the certificates of other yahoo servers located in different geographical areas and verify if the certificate details are the same. If the yahoo server certificate in Ghana is compromised, and its attributes are quite different from the other yahoo servers, a MITM attack could be suspected. If the certificates are the same, it means the connection is free.
The Key point on the Project is to Modify OpenSSL and use the C++ Multi-threading Programming to collect additional certificates from other web servers and also Verify it.