HTTPSuper Solution?

A lot of security professionals know there is no solution to insecurity.  There are remedies and precautions one can take, but as long as networks and servers and databases and all that other fun stuff that help to serve up YouTube videos to make the work week go by faster are around, there will always be infiltration.

Now, I don’t care to distinguish between the ‘hats’ hackers wear, because in the end, exploitation and infiltration are just that.  Kind of an, ‘it is what it is,’ situation.

One of the biggest concerns I have is the amount of blind faith people put into security safeguards, particularly SSL and HTTPS. For those of you that don’t know, a quick Google will tell you that SSL stands for Secure Sockets Layer. HTTPS is HTTP over SSL, and the basic concept is that SSL encrypts data between the client and server, thus making it impossible for anyone to ninja your communications in transit. At least that’s the theory. Imagine 2 people standing at opposite ends of a room shouting a conversation across the place, and no one other than those 2 people knows what the conversation is about. Pretty awesome eh? As with most technological solutions, this is easier said than done.

Now, when people tell you “Never submit your credit card information unless you see HTTPS in the URL,” it’s like saying “don’t take candy from strangers.” I’m not saying this isn’t good advice to follow, but you should never put it past your friends, or people that act like friends, to poison you; at least I don’t. Hackers have yet to find a way to physically poison someone over the internet (give them time), but HTTPS does not mean that the connection is to be trusted.

So, if encryption is the ‘magic bullet’ of security and it will stop any attacker in his or her tracks, why am I even writing this post? (Don’t you love my clever use of rhetoric to guide the reader into following the post the way it was written?) Well, if you haven’t caught on yet, SSL is not all it is cracked up to be. Beyond merely encrypting information, SSL certificates give you the ability to validate, or rather verify the identity of, the site you are visiting. We may or may not talk about that more, we’ll see how this goes. =P

There are certain attacks known as man in the middle attacks, which are pretty obvious from the name alone. A MITM attack is when a third party is able to insert itself into an active or stateful connection and either hijack that connection or read the data being transmitted. Now, MITM attacks range from incredibly simple (ARP poisoning) to pretty complicated (SSH session hijacking and other forms of credential theft).

These attacks aren’t really why SSL/HTTPS has some flaws nor are they what this post is about. The biggest problem with SSL and HTTPS is that even though they encrypt your data in transit and allow you to validate the site you are visiting, they guarantee nothing as far as what the individual on the receiving end will do with your data. This is usually pretty obvious to most hackers but it isn’t necessarily something that occurs to the average PC user.  It may seem that if you can trust the connection, why can’t you trust the destination?  Let’s look at this a bit more in depth.

Now, when you connect to a website that uses HTTPS, you most likely are prompted to accept a security certificate like the one seen below.

[screenshot of a browser certificate warning dialog for a .mil site]

Now, first of all let’s look at the most glaring detail of this certificate, the .MIL top-level domain. That’s military and probably best left alone, so don’t be an idiot and screw with it later. You will also notice that it says, “the signer(s) are not registered.” This may seem like common sense, as this blog caters to people with an existing base of security knowledge, but all too often things like this go unnoticed by the normal user. In reality people cannot bear to have to actually see security measures, so rather than making sure their information is going to be transmitted to a trusted individual and/or site, they click whatever they need to click so that they can order some really cute pencils as fast as humanly possible.

Granted, a government-issued security certificate like that one can be trusted (relatively speaking). The real problem arises with the fact that pretty much anyone can add SSL capability to their website and issue their OWN certificates pretty inexpensively. The initial idea behind SSL certificates was that they would be issued by a trusted third party. To clarify, someone other than the server and client would issue the certificate as kind of an…impartial but trusted party. The problem with third party certification is that it costs money, and since we know most people click away whatever gets in the way of them and their eBay auctions, it doesn’t need to be legit!

Let’s do a quick and somewhat inaccurate example of how this technology can exploit the ignorance of the general public.

**Disclaimer** DO NOT actually set something like this up.  If you do, I am in no way responsible.

I can create a web page that advertises microwaves for $5.00. Who wouldn’t want a $5.00 microwave? Anyways, I can also enable SSL on my server and create my own certificates. This is also a rude assumption to make, as it preys on their…stupidity for lack of a better word (that is the nature of the beast), but I am going to assume that anyone who thinks a $5.00 microwave is a good investment won’t be reading the security certificate (I can’t help myself). To this user it appears as though I am providing a legitimate service and doing so in a way that will encrypt their data, so that they get their microwave, I will get my $5.00 and life will be excellent. The reality of the matter is that I don’t care if 90% of my site’s visitors don’t buy because of my willy-nilly certificate. Eventually someone will be dumb enough to buy a microwave, and since the best tactics are to hit and run, once I have just one credit card number I can take off and set up a new site, selling something totally different, financed and built with the credit card of the person who was silly enough to give me their information.

In closing, think like a criminal, don’t be one.  Share the information and for the love of all things sacred, check your SSL certificates.

~ by ohsoninja on April 6, 2008.

2 Responses to “HTTPSuper Solution?”

  1. Very good point, tronyx.
    Not that I buy anything off the net anyhow, but I’ll be sure to warn my parents and neighbors.

    I heard the computer tech at my friend’s house once comment to my friend’s grandmother, that “SSL is secure… It keeps you from getting hacked”. I kept my mouth shut, but he left her with the impression that “If you use SSL, you are secure.” mentality.

    Of course, I was thinking of MiTM attacks, but this here is another good example.. And come to think about it, Webmin creates its own SSL Certificates automatically, so if I connect to https://localhost:10000 it asks me to verify the certificate.

    This was a helpful and enlightening post. :)
    Thanks Tronyx.

  2. Good post….and very relevant point. It’s far too easy to assume that SSL encrypted traffic is secure. The point is that it might be secure transmission, but secure transmission with whom?

    Interestingly, Firefox 3 will be implementing measures to remove the possibility of just “clicking through” a warning. You will actually need to go into the advanced prefs in the browser to get to a site with an untrusted cert :)
