Why HTTPS won't cut it anymore

Talk about internet security, computer security, personal security, your social security number...
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Why HTTPS won't cut it anymore

Post by computerfreaker »

I ran across this today while doing some research for my programming class - truly a little terrifying to learn that even HTTPS isn't as secure as it seems...
http://www.grc.com/sn/sn-217.htm
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Why HTTPS won't cut it anymore

Post by Tom T. »

It's been a while since I read that episode, but IIRC, Gibson said not to panic just yet. The main example was at an open Wi-Fi hotspot, where a third party (MITM) could insert themselves into the network, and manipulate the page sent to you for login. (Or if your home wireless network is unsecured. Or any other way that a man-in-the-middle can get between you and the site.) The other issue is that some sites serve their *login* pages by http, even though your credentials are returned to them by https.

So: 1) Don't do your online banking at Starbucks or the library. Do it at home from your own *secure* network, and

2) Use NoScript Force HTTPS feature for lazy sites that send you the login page via HTTP. And complain to that webmaster!

I haven't re-read the whole article, so if I've missed anything, let me know.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
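The weakness Tom T. describes above (login page delivered over plain HTTP, credentials posted to HTTPS) can be checked mechanically. The following is an added example, not code from the thread or from NoScript: it parses a captured login page with the Python standard library and reports whether the page itself and the password form's submit target are HTTPS. The hosts and HTML are constructed for the demonstration.

```python
"""Audit a captured login page for the 'HTTP page, HTTPS submit' weakness.

Added example, not part of the thread: it uses only the Python standard
library and the constructed HTML below, so it runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> and note whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings (empty means the login flow is HTTPS end to end).

    page_url is the URL the page was actually delivered from; that, not the
    form's action, decides whether an on-path attacker could have altered
    the form before the browser rendered it.
    """
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = _FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if not form["has_password"]:
            continue  # search boxes and the like are not login forms
        action = urljoin(page_url, form["action"])  # "" resolves to the page itself
        if page_scheme != "https":
            findings.append(
                "login form delivered over %s, so its submit target (%s) "
                "cannot be trusted; the page itself must be HTTPS" % (page_scheme, action)
            )
        if urlsplit(action).scheme.lower() != "https":
            findings.append("password is submitted to %s" % action)
    return findings


# Constructed sample pages (hypothetical host bank.example).
MIXED_PAGE = """<html><body>
<img src="padlock.gif" alt="secure">
<form action="https://bank.example/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

# Same form, but posting to a relative path, so the action inherits the page scheme.
PLAIN_PAGE = MIXED_PAGE.replace("https://bank.example/auth", "/auth")

if __name__ == "__main__":
    for url, html in [("https://bank.example/login", MIXED_PAGE),
                      ("http://bank.example/login", MIXED_PAGE),
                      ("http://bank.example/login", PLAIN_PAGE)]:
        print(url, "->", audit_login_page(url, html) or ["ok"])
```

The page-scheme check is deliberately reported even when the action is already HTTPS: that is exactly the case from the show, where the padlock on the submit path is meaningless because the form that points at it arrived unprotected.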
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Why HTTPS won't cut it anymore

Post by computerfreaker »

Tom T. wrote:It's been a while since I read that episode, but IIRC, Gibson said not to panic just yet. The main example was at an open Wi-Fi hotspot, where a third party (MITM) could insert themselves into the network, and manipulate the page sent to you for login. (Or if your home wireless network is unsecured. Or any other way that a man-in-the-middle can get between you and the site.) The other issue is that some sites serve their *login* pages by http, even though your credentials are returned to them by https.

So: 1) Don't do your online banking at Starbucks or the library. Do it at home from your own *secure* network, and

2) Use NoScript Force HTTPS feature for lazy sites that send you the login page via HTTP. And complain to that webmaster!

I haven't re-read the whole article, so if I've missed anything, let me know.
Mostly accurate, but you missed one critical thing - some (a lot of) sites reject NoScript's Force HTTPS. There have been several sites I tried using it on, and either A. I got a different page than the HTTP one (different as in unusably different) or B. the HTTPS request was rejected and the "secure" page was redirected to an HTTP page.
Most sites play nice with NS's Force HTTPS, but a lot still don't...

The key part of that article:
If you've got - and if you're getting a secure page, then the buttons on that secure page cannot have been modified because nobody is able to intercept that. So if you're using an eCommerce system like mine, where the form you're filling out is SSL secured, then everything that follows on from that is also going to be wrapped in the SSL security because all of the Submit buttons will still be secure because no one could have changed them. The vulnerability is using a site that doesn't put you into SSL first because then the buttons that you're using to submit could have had that edited out. And that's the problem.
<snip>
It's possible to be safe, like I said, like if you - my eCommerce site insists on giving you a secure form. But if the user sees that the form they're filling out is secure, you're safe. Otherwise you don't know what, you don't know where that page came from because it's only SSL that protects you against spoofing. So somebody who inserts themselves in the middle anywhere, may not even just in your own WiFi café, but in a hotel scenario, or maybe somebody spliced into the line downstream of the ISP. I mean, the potential for exploitation is huge.
But for sites that don't provide a secure page, and in fact reject client-side attempts to negotiate a secure connection, we're definitely vulnerable.

(Side note, after re-reading the article I noticed he's looking for NoScript:
Well, and to deal with the problem of vigilance, I mean, that's really, I mean, it comes down to the user being responsible, at this point. And I'd really like to offload that to the browser. So that if there was a way, like for example imagine a Firefox add-in which, if it was possible for sites that we use a lot, like PayPal, Amazon, Facebook, Twitter and so forth, if it's possible for them to accept https for everything, then we want to tell the browser, good. Make every URL I submit to this site, please add the "s" for me. Make it secure so I don't have to worry about it constantly any longer. Because it's so easy. I mean, you're distracted. You're in a hurry. And all it takes is one situation where you slip up, and your information has escaped.
Um, Mr. Gibson, over here! :D)
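The "add the s for me" rule Gibson asks for in the quote above, together with the rejection case computerfreaker reports (the HTTPS request answered by a redirect back to HTTP), can be modelled in a few dozen lines. This is an added example, not NoScript's Force HTTPS implementation: the host list and the table standing in for the network are constructed for the demonstration.

```python
"""Model of a browser-side 'force HTTPS' rule, including the case where the
site refuses the secure version and bounces the browser back to HTTP.

Added example, not NoScript's code: the host list and the fake server table
are constructed for the demonstration.
"""
from urllib.parse import urlsplit, urlunsplit

REDIRECTS = {301, 302, 303, 307, 308}

# User-chosen hosts (hypothetical) for which every http:// URL becomes https://.
FORCE_HTTPS_HOSTS = {"paypal.example", "lazybank.example"}


def upgrade_url(url, hosts=FORCE_HTTPS_HOSTS):
    """Add the 's' for the user, but only for hosts on the list."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in hosts:
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


# Constructed stand-in for the network: URL -> (status, Location header or None).
# lazybank.example accepts the HTTPS request but redirects straight back to HTTP,
# which is the "rejected" behaviour described in the thread.
FAKE_SERVER = {
    "https://paypal.example/login": (200, None),
    "https://lazybank.example/login": (302, "http://lazybank.example/login"),
    "http://lazybank.example/login": (200, None),
}


def fetch_with_policy(url, hosts=FORCE_HTTPS_HOSTS, server=FAKE_SERVER, max_hops=5):
    """Apply the upgrade rule to the request and to every redirect it triggers.

    Returns ("ok", final_url) on success, ("downgrade", url) when a listed host
    answers the HTTPS request by redirecting to plain HTTP (re-upgrading would
    loop forever, so the browser should stop and tell the user instead), or
    ("error"/"loop", url) otherwise.
    """
    url = upgrade_url(url, hosts)
    for _ in range(max_hops):
        status, location = server.get(url, (404, None))
        if status in REDIRECTS and location:
            target = urlsplit(location)
            if target.scheme == "http" and target.hostname in hosts:
                return ("downgrade", location)
            url = upgrade_url(location, hosts)
            continue
        return ("ok", url) if status == 200 else ("error", url)
    return ("loop", url)


if __name__ == "__main__":
    for start in ("http://paypal.example/login", "http://lazybank.example/login"):
        print(start, "->", fetch_with_policy(start))
```

The important design point is the explicit "downgrade" result: a naive implementation that blindly re-upgrades every redirect would either loop or silently fall through to HTTP, and the user would be in exactly the position the thread warns about while believing the add-on had protected them. Browsers later standardised a site-driven version of this rule as HSTS (the Strict-Transport-Security header), which has the same limitation: it can only help for sites that actually serve HTTPS.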
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Why HTTPS won't cut it anymore

Post by Tom T. »

computerfreaker wrote:(Side note, after re-reading the article I noticed he's looking for NoScript:
Um, Mr. Gibson, over here! :D)
I sent him a message to that effect shortly after that episode came out, and it was ignored. They have a TWIT Wiki, where I've made several other comments on matters pertinent to the show, but the comments there don't seem to reach Steve, either.

He favors NS, but has some kind of mental block about it. He shut it off at first, because of the "annoying pop-ups all the time". Uh, read the FAQ, Sir, and disable them in Notifications. Someone finally told him that, and then he was enthusiastic again. Now I tried to tell him about Force HTTPS, and no luck.

The MITM and other attacks were much of the impetus for the Force HTTPS feature in the first place. Bank of America was one of the largest examples -- serving the login page insecurely, but with a big, phony *black* padlock *next to the u/p boxes* -- none in the lower-right of the browser, of course. Most banks have fixed that issue -- possibly because of the publicity generated by NS <blush>, but some less-sensitive sites still haven't.

If I were at one of those sites, and they refused to fix it, I'd weigh the sensitivity of the information, and if it were something of high value, go somewhere else.

BTW, my login to administer my own personal site, hosted by my ISP, won't secure the login page. I complained -- I'm paying them a fair chunk of money each month for a high-speed cable connection -- and they said, "It works with IE. So just log in with IE." .. Uh, thanks, but no thanks. :evil: You're an ISP; you should be browser-neutral, make your site work with the world's second-most popular browser. They said they "were working on it". That was a couple of months ago... (sigh).

But it's a low-value, rather obscure, target. Just annoying that even your own ISP won't do things right.
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Why HTTPS won't cut it anymore

Post by computerfreaker »

Tom T. wrote:
computerfreaker wrote:(Side note, after re-reading the article I noticed he's looking for NoScript:
Um, Mr. Gibson, over here! :D)
I sent him a message to that effect shortly after that episode came out, and it was ignored. They have a TWIT Wiki, where I've made several other comments on matters pertinent to the show, but the comments there don't seem to reach Steve, either.
Maybe he's too busy to look at his e-mails... although he sure puts out a lot of SpinRite e-mails on his shows, eh? :P
Tom T. wrote:He favors NS, but has some kind of mental block about it. He shut it off at first, because of the "annoying pop-ups all the time". Uh, read the FAQ, Sir, and disable them in Notifications. Someone finally told him that, and then he was enthusiastic again. Now I tried to tell him about Force HTTPS, and no luck.
Well, he seems to have had a sort of mental block about Firefox itself until finally the need for security drove him to the wall. He's happy with Fx now, but not NoScript... maybe this "Force HTTPS" thing will drive him to the wall again, this time in NS's favor.
(Come to think of it, why wouldn't he just look at the dratted "Options" screen? That's what it's there for... and the NoScript FAQ, as well)
Tom T. wrote:The MITM and other attacks were much of the impetus for the Force HTTPS feature in the first place. Bank of America was one of the largest examples -- serving the login page insecurely, but with a big, phony *black* padlock *next to the u/p boxes* -- none in the lower-right of the browser, of course. Most banks have fixed that issue -- possibly because of the publicity generated by NS <blush>, but some less-sensitive sites still haven't.
Oh, n i c e. Especially nice about BOA... I'd think a bank would behave in a more intelligent way, and I doubt any padlock pictures will stop the black-hats... or is this some magic new protection scheme, BOA? :P :roll:
Tom T. wrote:If I were at one of those sites, and they refused to fix it, I'd weigh the sensitivity of the information, and if it were something of high value, go somewhere else.
There's two medium-value sites I go to and several low-value sites... nothing high enough to go somewhere else.
Tom T. wrote:BTW, my login to administer my own personal site, hosted by my ISP, won't secure the login page. I complained -- I'm paying them a fair chunk of money each month for a high-speed cable connection -- and they said, "It works with IE. So just log in with IE." .. Uh, thanks, but no thanks. :evil: You're an ISP; you should be browser-neutral, make your site work with the world's second-most popular browser. They said they "were working on it". That was a couple of months ago... (sigh).
I know it's none of my business, but maybe it's time for a change of ISP?
Tom T. wrote:But it's a low-value, rather obscure, target. Just annoying that even your own ISP won't do things right.
Quite annoying, and risky as well...
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Why HTTPS won't cut it anymore

Post by Tom T. »

computerfreaker wrote:Oh, n i c e. Especially nice about BOA... I'd think a bank would behave in a more intelligent way, and I doubt any padlock pictures will stop the black-hats... or is this some magic new protection scheme, BOA? :P :roll:
No, it *encouraged* the bad guys, as it was easy to duplicate the BA page and its phony padlock. It was to give users a false sense of security -- which is worse than no security at all. As mentioned, it's been fixed by most. But banks seem to be the *least* security-conscious around. Fun game: Go to all the banks and other financial sites, 2-click the padlock icon, and observe how many are still using the 20-year-old RC4-128 encryption, while even my teensy little long-distance provider uses state-of-the-art AES-256 encryption -- which the US Govt. uses for encrypting Top Secret classified material. Go figure.... :roll:

(ISP-hosted web site insecure login)
computerfreaker wrote:I know it's none of my business, but maybe it's time for a change of ISP?
My options for high-speed cable are very limited...
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Why HTTPS won't cut it anymore

Post by computerfreaker »

computerfreaker wrote:Oh, n i c e. Especially nice about BOA... I'd think a bank would behave in a more intelligent way, and I doubt any padlock pictures will stop the black-hats... or is this some magic new protection scheme, BOA? :P :roll:
Tom T. wrote:No, it *encouraged* the bad guys, as it was easy to duplicate the BA page and its phony padlock.
That's what I meant - I was being heavily sarcastic. Sometimes I don't do it right and people think I'm serious... :oops:
Tom T. wrote:It was to give users a false sense of security -- which is worse than no security at all. As mentioned, it's been fixed by most. But banks seem to be the *least* security-conscious around. Fun game: Go to all the banks and other financial sites, 2-click the padlock icon, and observe how many are still using the 20-year-old RC4-128 encryption, while even my teensy little long-distance provider uses state-of-the-art AES-256 encryption -- which the US Govt. uses for encrypting Top Secret classified material. Go figure.... :roll:
Go figure.
No online banking for me, thanks. I'll keep it physical...
(OT, I think banks might be so careless because they figure they have cash to spare in case they get sued for leaked information, stolen ID, etc.)
Tom T. wrote:(ISP-hosted web site insecure login)
computerfreaker wrote:I know it's none of my business, but maybe it's time for a change of ISP?
My options for high-speed cable are very limited...
Too bad... :cry: