Category Archives: Internet

A strong case for encrypting all web sites – even simple ones

Troy Hunt has put together a video that demonstrates various ways that traffic coming from an unencrypted web site can be dicked around with, for various nefarious purposes, using a technique called a Man In The Middle (MITM) attack.

You can usually tell if a web site is encrypted by looking at your web browser’s address bar. For example, URLs for this web site (boot13.com) should appear in the address bar with a lock, followed by https:// rather than the unencrypted http://. If you try to access any part of this site using http://, you’ll be redirected to the equivalent https:// address.

Although the video does get a bit technical, it’s worth watching all 24+ minutes. You should understand enough of it to see the danger.

Perhaps the most interesting of Troy’s observations is that encrypting a web site doesn’t really provide any direct benefit to the site’s owner. This is not about protecting your web site; it’s about protecting its visitors. In other words, encrypting your web site is an act of altruism.

After watching Troy’s video, I immediately started an evaluation of all my own web sites, as well as those of clients, to make sure that all traffic coming from them is encrypted. Most are already using HTTPS, but some don’t force the use of HTTPS.

Troy Hunt’s video

If you run a web site, you should realize by now that there’s no good reason to avoid turning on encryption. It’s also easier than ever, and — thanks to Let’s Encrypt — no longer has to cost anything. The HTTPS Is Easy video series is a good starting point if you’re not sure how to proceed.

Update 2018Aug08: Sadly, people in remote and underserved locations are having a lot of trouble accessing sites via HTTPS. While that certainly sucks for them, I’m confident that solutions to the specific technical issues involved will be found.

Recommended: My Online Security web site

My Online SecurityEver wondered what would happen if you did the unthinkable and clicked the link in that suspicious-looking email? Well, wonder no more, because there’s a guy in the UK who analyzes all the malware, viruses, scams, and phishing email he receives, and publishes his findings on his web site, My Online Security.

The site operator is in the UK, so he may not always be exposed to the same threats as those of us in North America, but I’ve found that there’s a lot of overlap. Usually, if I’m seeing a particular kind of scammy email, this guy has written about it. The site is updated frequently, often multiple times per day.

There are other useful resources on My Online Security, including a malware submission form, links to other malware analysis sites, a support forum, and recommendations for staying safe online.

Nasty Cloudflare bug leaked sensitive information for months

Cloudflare provides caching, proxy, and security services for thousands of web sites, including some very popular ones like digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, medium.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, 23andme.com, curse.com, and minecraftforum.net.

For about five months, starting in September 2016, a truly awful bug in Cloudflare’s services caused private information from sites hosted by Cloudflare to be leaked to unrelated systems. Since the leaked information was merrily crawled and stored by all the major search engines, all that data became available to the entire planet.

The leaked data includes just about everything you wouldn’t want leaked, such as encryption keys, cookies, passwords, private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.

My initial reaction to the news of this leak was relief, because I don’t use Cloudflare for any of my (or my clients’) web sites. But I use other web sites and services that use Cloudflare, so my private information may have been leaked. Almost anyone who uses the web actively could be affected by this bug, and its fallout.

The bug itself has been fixed by Cloudflare. The major search engines are working with Cloudflare to scrub related private information from their databases. But the damage has already been done.

What should you do?

If you run any web sites or services that use Cloudflare, you should take action immediately, by invalidating all user sessions (e.g. login cookies). How this is done depends on the platform you’re using (WordPress, Joomla, etc.) You should probably recommend to your members/subscribers that they change their passwords.

If you use any of the affected sites or services, you should probably change the associated passwords. This may turn out to be overkill, but it’s difficult to know for certain.

The full extent of the damage caused by this bug remains to be seen. In the worst case scenario, malicious hackers noticed the bug when it first appeared, and proceeded to gather leaked information for months.

References

Continue reading Nasty Cloudflare bug leaked sensitive information for months

Anonymity isn’t the problem

There are good reasons to be anonymous online. And yet most people assume that anonymity is just a license to be a jerk. The fact is that some people will be jerks online whether they’re anonymous or not.

Sadly, some less-well-informed people have decided that anonymity is somehow the root of all evil on the net, and think that forcing people to use their real names online will magically make everyone nice. This kind of thinking has even pervaded some very high profile companies, including Google and Facebook, both of which have pushed hard to make people use their real names.

Anonymity is a frequent topic of discussion over at Techdirt, where the comments section is open to the public and allows anonymity. Because the Techdirt staff actually engage with commenters (jerks and otherwise), the debate rarely gets out of hand, and some of the most interesting comments are posted by anonymous users.

Google gets tougher on scammy web sites

If you use Google search (and really, who doesn’t?), you’ve probably noticed the big warnings that appear when you try to click on some search results. That’s Google Safe Browsing (GSB), protecting you from a malicious web site.

GSB flags sites that fail to comply with Google’s Malware, Unwanted Software, Phishing, and Social Engineering Policies.

To get rid of the warning, the owner of a site flagged by GSB must remove objectionable content and resubmit the site for verification in Google Search Console. Until recently, this process could be repeated indefinitely.

To counter repeat offenders, Google has changed the way GSB works. If a web site repeatedly fails to comply with Google’s Safe Browsing policies, it will be flagged as such, and the warning users see will appear for at least 30 days.

In the announcement for this change, Google points out that the new repeat offender policy will not apply to sites that have been hacked (i.e. changed without the owner’s permission).

Stay away from Certificate Authority WoSign/StartCom

A litany of abuse and incompetence has prompted Mozilla to completely distrust security certificates from Certificate Authority (CA) WoSign in Firefox.

Starting with Firefox 51, the browser will no longer trust WoSign or StartCom certificates. According to Mozilla: “If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.

WoSign/StartCom can dig themselves out of this hole by applying for inclusion of new (replacement) root certificates, and there’s little doubt that they will pursue this course. But should anyone really trust their security and privacy to this company? I sure won’t, especially when there are excellent free alternatives like Let’s Encrypt.

Mozilla has been tracking WoSign’s failures since the beginning of 2015, recording their observations on their corporate wiki site.

The most recent example of WoSign’s failings stems from their acquisition of CA StartCom in November of 2015. WoSign failed to disclose the acquisition, then lied about it.

On a related note, Mozilla will also no longer accept audits performed by the consulting firm Ernst and Young (Hong Kong). That’s the company that failed to catch several of WoSign’s worst abuses. This is personally amusing to me, since I’ve had dealings with Ernst and Young that were somewhat less than positive.

Update 2016Nov01: Google is following Mozilla’s lead and removing trust for WoSign and StartCom certificates in Chrome, starting with Chrome 56.

Let’s Encrypt’s finances

I’m a big fan of Let’s Encrypt, an organization committed to encrypting all web traffic by proving free security certificates.

I’m also a big fan of transparency, so when LE published a summary of their financial information recently, my regard for their efforts clicked up another notch.

Highlights from LE’s financial information post:

  • Let’s Encrypt will require about $2.9M USD to operate in 2017.
  • The majority of LE’s funding comes from corporate sponsorships.
  • You can donate to Let’s Encrypt using PayPal.

For the record, this web site (boot13.com) and all my other secure sites now use Let’s Encrypt certificates.

Someone out there is testing the Internet’s breaking point

Security analyst Bruce Schneier reports on the recent increase in Distributed Denial of Service (DDoS) attacks against critical Internet infrastructure. He’s unable to go into details about exactly which companies and resources are involved, but the attacks are real. Someone is engaged in a series of DDoS probes that are clearly meant to test the Internet’s ability to cope with extreme stress.

Most DDoS attacks are perpetrated by angry hackers against web sites they don’t like, or simply to demonstrate their skills. Underground DDoS attack services are available for those not possessing the requisite skills. But the attacks Schneier is talking about stand out: they’re much more calculated and methodical than usual.

Assuming that Schneier is correct, and someone is gathering information about the Internet’s potential breaking point, one can only wonder what they have in mind. If the perpetrators are – as Schneier suggests – a state actor like China, the possibilities are the stuff of nightmares.

Cory Doctorow on the future of the privacy wars

Noted writer and technology analyst Cory Doctorow just posted a new article on the Locus Online web site: “The Privacy Wars Are About to Get A Whole Lot Worse.”

After providing some background on the current privacy situation, and how we got here, Doctorow speculates on what will happen when even the absurd notice-and-consent terms of use agreements that we see (and blindly agree to) every day are gone, leaving us surrounded with devices that invade our privacy without any pretense at consent, all in the name of commerce.

In case you hadn’t guessed, we are talking about the Internet of Things. Despite plenty of warnings from privacy advocates, and numerous real-world examples of the consequences to privacy of poorly-designed devices, the current move toward ‘smart’, connected devices continues apace. And these devices won’t ask for your consent, they’ll just compromise your privacy by default.

Meanwhile, Doctorow wonders whether and when this will come to a head with some kind of legal challenge. There have been attempts to challenge the validity of terms of use agreements that nobody ever reads, but so far the results are not promising.

I’d like to see Microsoft singled out for its current Windows strategy, which includes gathering and transmitting user information, ostensibly for the purpose of providing better support, but which can also be used to better target advertising, another feature of newer versions of Windows. To be sure, these features are currently protected behind terms of use agreements, but even those could disappear in a world dominated by smart devices.

Doctorow is worried about this, and so am I.

Connecting everything to the Internet is dangerous

By now, you’ve probably encountered the term “Internet of Things”, usually abbreviated as IoT. It refers to the rapidly increasing number of devices that are capable of connecting to the Internet. Cars, fridges, thermostats, lights… basically, anything that can be built to include a few microchips can be made to talk to the Internet. Usually wirelessly. Often silently, by default.

Which of course is a perfect scenario for a whole new category of security breaches, privacy concerns, and other, related issues.

Recommendations:

  • Where possible (and unless you have a good reason not to) avoid purchasing any non-computer device that’s Internet-capable.
  • If you must use such a device (and unless you have a good reason not to) disable any Internet-related features.
  • If you’re unable or unwilling to disable a device’s Internet features, at least configure it to maximize security.

Bruce Schneier’s recent analysis of the dangers of IoT is excellent, and definitely worth reading.