Secure network communications are an important feature of modern computing environments. To provide secure network communications, a variety of secure network protocols have been developed that attempt to validate the identities of the parties to a communication, and then attempt to secure the content of the network communications through encryption. Some attackers deploy automated systems that attempt to intercept secure network connections. Limiting the impact of automated attacks on secure network communications is a challenging problem.
In one type of attack, the attacker attempts to impersonate a legitimate service on the network by deploying a decoy service, and attempts to intercept or redirect connection requests from a legitimate client to the decoy service. If the attacker successfully directs a connection request of a legitimate client to the decoy service, the legitimate client sends information to the attacker's decoy service, believing that the decoy service is the legitimate service. To respond to the legitimate client, the decoy service establishes a connection to the legitimate service, and relays information received from the legitimate client to the legitimate service. Responses received from the legitimate service are relayed to the legitimate client. If successful, the attacker is able to act as a man-in-the-middle, decoding and viewing communications between the legitimate client and legitimate service in plaintext form.
Man-in-the-middle attacks can be particularly devastating when the attacker is able to convincingly impersonate the legitimate service. This can occur if the public-key cryptosystems that secure transport channels such as Transport Layer Security (“TLS”) or Secure Sockets Layer (“SSL”) become compromised. For example, if legitimate clients of a service trust a public key and the corresponding private key becomes accessible to an attacker, or if the attacker can obtain certificates signed by a compromised certificate authority (“CA”), the attacker can create a convincing decoy service. If the operation of the attack can be automated using the decoy service, the attacker may be able to quickly scale up the attack and compromise many client-service connections using the single decoy service.
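The decoy service described in the two preceding paragraphs succeeds because the client's only check is that the presented certificate chains to a trusted CA; once a CA is compromised, that check passes for the decoy as well. The following added example, which is not part of the original text and not code from any product it describes, shows the complementary client-side control a defender would add: standard TLS validation (hostname check, CA verification, TLS 1.2 or newer) followed by certificate-fingerprint pinning, so that a certificate the client has never seen before is rejected even when it chains to a trusted CA. The function names, the `PinMismatch` exception and the placeholder certificate bytes are all constructed for illustration; in practice the pinned fingerprints would be taken from the real service's certificate and rotated with it.

```python
"""Certificate-fingerprint pinning on top of standard TLS validation.

Added example: the names below are illustrative, and the certificate
bytes at the bottom are constructed placeholders, not real DER data.
"""
from __future__ import annotations

import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the peer presents a certificate the client has not pinned."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def verify_pin(cert_der: bytes, expected_pins: set[str]) -> bool:
    """True only if the certificate's fingerprint is in the pin set.

    A decoy service holding a certificate issued by a compromised CA passes
    ordinary chain validation, but that certificate has a different
    fingerprint from the legitimate one, so this check still rejects it.
    """
    return fingerprint(cert_der) in {p.lower() for p in expected_pins}


def hardened_client_context() -> ssl.SSLContext:
    """Client context with hostname checking, CA validation and TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_pinned_connection(
    host: str, port: int, expected_pins: set[str], timeout: float = 5.0
) -> ssl.SSLSocket:
    """Connect, run normal validation, then enforce the pin before sending data.

    The pin is checked on the leaf certificate immediately after the handshake;
    on mismatch the socket is closed so no application data ever reaches the
    relay, which is the point at which the attack in the text harvests it.
    """
    ctx = hardened_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # chain + hostname checked here
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not verify_pin(der, expected_pins):
            raise PinMismatch(f"certificate presented by {host}:{port} is not pinned")
    except BaseException:
        tls.close()
        raise
    return tls


# Constructed sample inputs: stand-ins for the DER bytes of two certificates.
# The decoy's certificate may chain to a trusted (but compromised) CA; it is
# still not the certificate the client pinned.
LEGIT_CERT_DER = b"constructed-placeholder-for-legitimate-service-certificate"
DECOY_CERT_DER = b"constructed-placeholder-for-decoy-service-certificate"
PINNED_FINGERPRINTS = {fingerprint(LEGIT_CERT_DER)}


if __name__ == "__main__":
    print("legitimate cert accepted:", verify_pin(LEGIT_CERT_DER, PINNED_FINGERPRINTS))
    print("decoy cert accepted:     ", verify_pin(DECOY_CERT_DER, PINNED_FINGERPRINTS))
```

Pinning the whole certificate (rather than the public key) is the simplest form and must be updated whenever the service renews its certificate; a client that cannot tolerate that churn would pin the SubjectPublicKeyInfo instead, which requires a certificate parser beyond the standard library. Either way the pin set should allow a backup fingerprint so that rotation does not lock clients out.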