On 12/08/15 20:26, Anthony J. Bentley wrote:
> Giancarlo Razzolini writes:
>> One of the main benefits of the TLS wouldn't only be to render
>> impossible for anyone to know which pages you're accessing on the site,
>> but also the fact that we would get a little more security getting the
>> SSH fingerprints for the anoncvs servers. Having them in clear text as
>> they are today, isn't very secure.
>
> Another attack currently possible against www.openbsd.org is changing
> the https://openbsdstore.com links to http://openbsdstore.com, and
> running sslstrip on that. Or the PayPal links...

HAHAHHAHAHA... you think adding a certificate changes this?

Pull up a chair, lemme tell you a story.

I used to work for a company I'm sure you have heard of -- Two letters,
starts with a G. And they don't make cars. When I hired in, one of my
coworkers told me, "Congrats, you now work for four or five of the
largest companies in the world". That company.

This company was a target for cyber attack for a whole lot of reasons,
and they did all kinds of (token) security education things -- including
an annual "Security Week" ("token" as in chanting rules that are not
understood and easily broken), and lots of time and effort was put into
compliance, security technology, buzzwords and check-boxes so that
effort could be demonstrated. And of course, there were lessons on
https and encryption and how encryption solves everything and always
look for the https:// and and and ...

My team was a hot-shot security team... I worked with some absolutely
amazing people in the world of incident response, including one who
literally wrote the book on it. We tended to live in our own little
world significantly detached from the rest of the company. We had our
own infrastructure in fact, which was part of my job to run. So, most
of us didn't actually USE a lot of the corporate infrastructure, such as
the company web portal much.

But after I was there about three years, they refreshed my laptop, and
because things were kinda quiet in my job at that point, I got to spend
a little time looking around the new machine, which I didn't do when I
first started. And this time, I didn't immediately change the browser
start screen from the company portal to something more useful. And ...
I looked at the company portal for the first time... closely.
It looked something like this:

+---------------------------------------------------------+
| url: http://intranet.bla.com/stupid/long/url/portal/    |
+---------------------------------------------------------+
|                                                         |
|        +------------------------------+                 |
|        |  _        Please log in!     |                 |
|        | ,(_),                        |                 |
|        | |   |     SSO:__________     |                 |
|        | |___|      PW:__________     |                 |
|        |                              |                 |
|        +------------------------------+                 |
|                                                         |
|                                                         |
+---------------------------------------------------------+

That little thing that looks like an "i" is supposed to be a lock
graphic. My ASCII art skills are lame. But then, the "Single Sign-On"
screen on the portal wasn't much more than my ASCII art, either. A box.
A couple boxes for user ID (SSO) and PW. And a graphic of a lock.

And I stare at this some more... and realize that my eyes aren't fooling
me. That's a graphic of a lock. And no https:// in the URL. No
encryption in sight. I can't believe where I'm sitting and what I'm
looking at.

I walk over to one of my coworkers, a smart guy who knows the importance
and tools of "compliance", but understands real security, too. I have
him go to the portal, and he immediately, reflexively starts typing in
his SSO and PW, in spite of my yelling "STOP! STOP! DON'T DO IT!". He
looked at me puzzled. I tap the URL on his screen. I tap the lock
graphic. His look goes from "What silly crap has Nick got for me this
time?" to pure panic. "oh. my. God. We are going to have to do a
password roll" (a change of pw for EVERY SINGLE PERSON in the company --
as he realized this was a major breach of security protocols).

(On further investigation, it turned out the BOX was a frame that did
happen to be encrypted, so there was no actual need for a PW roll, and
there was no actual obvious security event... but again, there was
absolutely nothing "proving" the communications was encrypted, and
anyone could set up a rogue page and snag passwords).

I put a ticket in to have this fixed.
It was closed without action, with the explanation, "well, that will be
a lot of work to change, we won't be scheduling any time on this page
for a year or so".

Note that something like 100,000 users all over the world, receiving all
kinds of "security training" never noticed this default page every
single browser in the company was initially set to use as their home
page. The programmers did it wrong. Their supervisors signed off on
it. CIOs never noticed this. My hot-shot security team didn't notice
this (though... as they told me "I never use that page", and I'm using
the same excuse). It took three years for ME to notice this. And when
brought to the attention of the guilty, it was dismissed with a wave of
the hand as unimportant.

Ancient history? Not really. This happened almost exactly two years
ago.

https is a joke. IF and WHEN it works properly, it's too complex for
the real world to understand (ahem... and even recognize). Encrypting
everything as some are advocating is truly wasted effort that could be
spent better on real security measures.

End-to-end encryption is a good idea. I'd even say it's necessary as a
good practice for any sites dealing with logins or financial
information, but completely insufficient to be called "security" by
itself. Attacks are almost always on the end points. I'd actually feel
far better if my bank did no encryption and could convince me their
infrastructure was actually designed well than the little green lock
next to the URL makes me feel (of course, both is best, but I can guess
what the application and infrastructure security is like...)

Nick.