{"id":1321,"date":"2011-09-08T15:11:42","date_gmt":"2011-09-08T13:11:42","guid":{"rendered":"http:\/\/www.ofcourseimright.com\/?p=1321"},"modified":"2011-09-08T15:11:42","modified_gmt":"2011-09-08T13:11:42","slug":"web-insecurity-and-what-can-be-done","status":"publish","type":"post","link":"https:\/\/ofcourseimright.com\/?p=1321","title":{"rendered":"Web (in)Security and What Can Be Done"},"content":{"rendered":"<p><a href=\"http:\/\/www.ofcourseimright.com\/blog\/wp-content\/uploads\/2008\/06\/cybercrime.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-26\" title=\"Cybercrime\" src=\"http:\/\/www.ofcourseimright.com\/blog\/wp-content\/uploads\/2008\/06\/cybercrime.jpg\" alt=\"\" width=\"96\" height=\"132\" \/><\/a>We all like to think that web security is perfect, but we all know better.\u00a0 You know about spam, phishing, and all manner of malware.\u00a0 You probably run a virus scanner on your computer.\u00a0 But what you don&#8217;t expect and shouldn&#8217;t expect is that the core of our security system would have a flaw.\u00a0 It does, and has, from the beginning.\u00a0 What&#8217;s more, it&#8217;s a known flaw.<\/p>\n<p>How is it your browser decides to trust a site, or to show that lovely lock icon and perhaps a green URL bar when your communication is both encrypted and verified to be to a specific end point?\u00a0 The simple answer is that your browser provider, <a title=\"Microsoft\" href=\"http:\/\/www.microsoft.com\">Microsoft<\/a>, <a href=\"http:\/\/www.mozilla.org\">Mozilla<\/a>, <a href=\"http:\/\/www.apple.com\">Apple<\/a>, or <a href=\"http:\/\/www.google.com\">Google<\/a>, has made a decision on your behalf that \u2013 at least as initially configured \u2013 your browser will trust a certain set of authorities\u2013 <a href=\"http:\/\/en.wikipedia.org\/wiki\/Certificate_authority\">certificate authorities<\/a> (CAs)\u2013 who will validate others.<\/p>\n<p>One such certificate authority got hacked.\u00a0 
Badly.\u00a0 And because they were trusted by your browser, so might you have been.\u00a0 Here&#8217;s how it works.<\/p>\n<ul>\n<li>When you access a URL that begins with &#8220;https&#8221;, a certificate is sent by that site that is signed by one of the trusted CAs, saying &#8220;yes, I agree that this is google.com,&#8221; (for example).\u00a0 If someone gets in between you and Google, they won&#8217;t have the private key associated with that certificate, and they won&#8217;t be able to validate to your browser.<\/li>\n<li>If someone breaks into a CA and gets a certificate for &#8220;google.com&#8221; (again, for example), and then gets between you and the real Google, they <strong>will<\/strong> be able to masquerade.\u00a0 It doesn&#8217;t matter which CA it is, as long as your browser trusts it.\u00a0 Google needn&#8217;t have any relationship with that CA.<\/li>\n<\/ul>\n<p>This is <a href=\"http:\/\/www.computerworld.com\/s\/article\/9219838\/Researcher_raps_Apple_for_not_blocking_stolen_SSL_certificates\">what happened with DigiNotar<\/a>.\u00a0 Not only did they get hacked, but they didn&#8217;t notice.\u00a0 They didn&#8217;t have sufficient controls in place to even spot the attack.\u00a0 That they should have had.<\/p>\n<p>But now there&#8217;s something else we can do.\u00a0 In the Internet Engineering Task Force (<a href=\"http:\/\/www.ietf.org\">IETF<\/a>), a few folks led by a gentleman by the name of Paul Hoffman have developed an approach where sites like Google can effectively register which certificates are valid for them in a separate alternative authority that we largely trust, the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\">Domain Name System<\/a> (DNS).\u00a0 You use DNS to convert site names like ofcourseimright.com to IP addresses like 10.1.1.1.<\/p>\n<p>The group working on it is called &#8220;<a href=\"http:\/\/datatracker.ietf.org\/wg\/dane\/\">dane<\/a>&#8221;.\u00a0 Had the dane mechanism been in place in the 
browser, the attack on DigiNotar and Google would have failed, even if Google had been a customer of DigiNotar (which they weren&#8217;t).<\/p>\n<p>When we speak of security we always discuss defense in depth.\u00a0 That is\u2013 never rely on exactly one mechanism to protect you, because at some point it will surely break.\u00a0 In this case, the attacker needed to (a) compromise the CA and (b) get in between the service and the end user to succeed.\u00a0 Had dane been in place, atop (a) and (b), the attacker would also have to have compromised Google&#8217;s DNS for the attack to succeed.\u00a0 That&#8217;s likely even harder than compromising a CA.<\/p>\n<p>Dane has another potential benefit: in the long run, it may get browsers completely out of the business of telling you who to trust, or it will severely limit that trust.<\/p>\n<p>This attack also demonstrates that as threats evolve, our response to those threats evolves.\u00a0 Here we understood the threat, but just didn&#8217;t get the work done fast enough before a CA was compromised.\u00a0 I still call this a win, as I think we can expect to see dane even faster than we expected before the attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We all like to think that web security is perfect, but we all know better.\u00a0 You know about spam, phishing, and all manner of malware.\u00a0 You probably run a virus scanner on your computer.\u00a0 But what you don&#8217;t expect and shouldn&#8217;t expect is that the core of our security system would have a flaw.\u00a0 It &hellip; <a href=\"https:\/\/ofcourseimright.com\/?p=1321\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Web (in)Security and What Can Be 
Done&#8221;<\/span><\/a><\/p>\n","protected":false},"author":172,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,87,9],"tags":[416,413,415,274,414,97,171,412],"class_list":["post-1321","post","type-post","status-publish","format-standard","hentry","category-complexity","category-internet","category-security","tag-browser","tag-certificate-authority","tag-dane","tag-google","tag-hack","tag-ietf","tag-ssl","tag-tls"],"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/1321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/172"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1321"}],"version-history":[{"count":1,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/1321\/revisions"}],"predecessor-version":[{"id":1322,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/1321\/revisions\/1322"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}