22 April 2014

https, hsts, mitm and the reasons why we are converting all our sites to secure-only sites

We have converted one of our primary customer sites to https-only, and have configured the server to comply with the HSTS standard.

To get a sense of our motivation, the first thing to read is the following recent post from the EFF: https://www.eff.org/deeplinks/2014/02/websites-hsts

This is a pretty good idea, although as seen below, by itself it is unlikely to win the war. 

More worryingly, it is a standard which depends on universal browser adoption for it to be effective. It should not be a surprise to hear that Microsoft are dragging their feet on the issue, trailing behind the makers of browsers such as Chrome, Safari and Firefox, which have already adopted the standard.

(Based on past experience, it is sensible to suspect that Microsoft will be planning to provide IE with its own idiosyncratic version which will introduce a whole new layer of security flaws, while failing to work well side by side with HSTS, and obliging web developers to employ a slew of clumsy hacks to get it to work properly on their sites.)

Will HSTS be enough? The jury is still out. There seems to be only a gradual rising of awareness of how vulnerable our "secure" systems are to a man-in-the-middle (MITM) attack. On this subject, the following is required listening: 


This presentation is 5 years old! It hardly bears thinking about how far attackers will have advanced since then. And the industry is only just responding to this old news.

The section beginning at 42:15 is particularly worrying. Our "client" may be securely connected to https://paypal.com/uk/webapps/mpp/merchant/.iijk.cn with a valid security certificate, and believe they are securely connected to paypal, and about to log in.

In fact, they will be connected to paypal, and paypal will believe that it is securely connected to its client.

But between them is a MITM. In fact the client is directly connected to a site on the domain iijk.cn -- a site with a valid security certificate. The characters that look like / and . in the early part of the URL are actually IDN (internationalized domain name) characters which only look like the ASCII versions, and everything appearing before the .iijk.cn is just a long complicated subdomain with international characters.

What the MITM who is operating this domain does is to decrypt all the login information coming from the client, and then pass all the same information on to paypal, pretending to be the original client, via a secure connection to paypal. That is the reason why paypal believes that it is connected securely to its client.

The MITM passes all the information from paypal back to the real client, via the genuine secure connection to the iijk.cn domain. The browser is indeed securely connected to this domain, so it shows all the indications of being securely connected. There is almost nothing the client can see that will tip them off that there is anything dodgy about their connection.

And the trick only has to last long enough for the MITM to steal the login information, a matter of a few seconds. As soon as this has been recorded, the MITM bows out of the interaction, allowing the client to continue its communication with paypal, but directly, and carry out all the operations as though nothing had happened.
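The URL structure described above can be checked mechanically. The following is an added example, not code from the presentation or from our sites: it extracts the host a URL parser actually sees, lists any non-ASCII characters in it, and reports the real parent domain. The sample URL is constructed, using U+2215 (DIVISION SLASH) as the slash lookalike, and taking the last two labels as the parent domain is a simplification (production code should consult the Public Suffix List).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: every "slash" before .iijk.cn is U+2215, not ASCII "/".
LOOKALIKE_URL = ("https://paypal.com\u2215uk\u2215webapps\u2215mpp"
                 "\u2215merchant\u2215.iijk.cn/")
GENUINE_URL = "https://paypal.com/uk/webapps/mpp/merchant/"


def inspect_host(url):
    """Report what the URL's host really is, independent of how it looks."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    non_ascii = [
        (ch, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
        for label in labels
        for ch in label
        if ord(ch) > 127
    ]
    return {
        "host": host,
        # Simplification: last two labels. Real code needs the Public Suffix List.
        "parent_domain": ".".join(labels[-2:]),
        "label_count": len(labels),
        "non_ascii": non_ascii,
    }


def impersonates(url, expected_domain):
    """True when the host displays expected_domain but belongs to another domain."""
    info = inspect_host(url)
    return (expected_domain in info["host"]
            and info["parent_domain"] != expected_domain)


if __name__ == "__main__":
    for url in (LOOKALIKE_URL, GENUINE_URL):
        info = inspect_host(url)
        print(info["parent_domain"], info["label_count"],
              [code for _, code, _ in info["non_ascii"]],
              impersonates(url, "paypal.com"))
```

For the constructed URL the real parent domain is iijk.cn, and the long prefix that reads like a paypal.com path is only two subdomain labels.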

In the opinion of the presenter (again, the presentation was made in 2009, and provided the direct stimulus for the development of HSTS) there is really very little we can do about this vulnerability, short of making the whole internet secure.

This happens also to be the recommendation of Edward Snowden. On http://www.ted.com/talks/edward_snowden_here_s_how_we_take_back_the_internet, he says at 9:02:

"The biggest thing that an Internet company in America can do today, right now, without consulting with lawyers, to protect the rights of users worldwide, is to enable SSL web encryption on every page you visit."

That is why we have converted our first site to pure https, including the HSTS standard, and plan to do the same with all the other sites we operate.

Instructions for implementing HSTS are available at: http://lowendtalk.com/discussion/10021/tutorial-http-strict-transport-security-setup-on-apache-nginx-and-lighttpd
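Once the header is configured, it is worth checking that what the server sends is something a browser will honour. The following is an added example, not our production code or code from the linked tutorial: it parses a Strict-Transport-Security value following the rules of RFC 6797 section 6.1 and reports common mistakes. The one-year threshold and the sample header values are assumptions made for the example.

```python
import re

# Assumed policy threshold for this example: one year, in seconds.
MIN_MAX_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when a
    conforming browser would ignore the header.
    """
    seen = {}
    # Simplification: a ';' inside a quoted-string value is not handled.
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives are permitted
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in seen:
            return None                   # each directive may appear only once
        seen[name] = arg.strip()
    raw = seen.get("max-age")
    if raw is None:
        return None                       # max-age is the one required directive
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]                   # the value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", raw):
        return None
    return {"max_age": int(raw),
            "include_subdomains": seen.get("includesubdomains") == ""}

def audit_hsts(scheme, value):
    """Return a list of findings for one response; an empty list means OK."""
    if scheme != "https":
        return ["ignored: browsers discard HSTS headers sent over plain HTTP"]
    if value is None:
        return ["missing: no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid: header does not parse, so browsers ignore it"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("disabled: max-age=0 makes the browser drop the policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("short: max-age below the assumed one-year threshold")
    if not policy["include_subdomains"]:
        findings.append("subdomains: includeSubDomains is not set")
    return findings

# Constructed sample responses: (scheme, header value).
SAMPLES = [("https", "max-age=31536000; includeSubDomains"),
           ("https", 'MAX-AGE="600"'),
           ("https", "includeSubDomains"),
           ("http", "max-age=31536000")]

if __name__ == "__main__":
    for scheme, value in SAMPLES:
        print(scheme, repr(value), audit_hsts(scheme, value) or "OK")
```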

10 April 2014

How to recover from Heartbleed

Summary: For companies, installing patched OpenSSL software is just the first step in fixing the Heartbleed security problem. End users face a long haul, too. A lot of work needs to be done before we're safe from Heartbleed.

By Steven J. Vaughan-Nichols April 9, 2014 -- 19:15 GMT (12:15 PDT)
Source: http://www.zdnet.com/how-to-recover-from-heartbleed-7000028253/?s_cid=e589&ttag=e589&ftag=TREc64629f

Here's the good news: The patches for the OpenSSL Heartbleed security hole are now available for all major operating systems. Here's the bad news: Simply installing the patch isn't enough to protect your servers and users from attackers. Here's the worst news: All your users—yes all of them—are going to need to reset every last one of their passwords.


You may want to ignore this problem. You don't dare do so. So long as you're running unpatched OpenSSL 1.01 or 1.02beta it will be trivial for hackers to crack your security systems and access both your own server and your users' information. Adding insult to injury, this hole has existed on any system using the latest version of OpenSSL since early 2012. Other SSL implementations, such as Microsoft's Azure SSL, are not affected by this bug.

This means that if you've been running a "secure" Apache or NGINX Web server--about two-thirds of all Web sites--your site, potentially, has been open to attack for years. Indeed, if you've been running any network services that use OpenSSL for security, such as the Tor secure network, the Goldbug secure instant messenger, or many e-mail systems, including Yahoo Mail, it's possible that your information has been being silently harvested by attackers.

I doubt there have been massive data raids by criminals, though, simply because I think we'd all notice if billions of dollars of fake credit-card transactions started appearing on our bills. Now, what the NSA has been doing with SSL vulnerabilities is, of course, another question entirely.

But, now that everyone knows that the hole is out there, and that it's as wide-open as an interstate highway at 2 in the morning, you dare not wait a minute to update your OpenSSL software. But, after you've patched your servers, you're still not done.

09 April 2014

LastPass Now Checks If Your Sites Are Affected by Heartbleed

From the LastPass blog at: http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed

To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.

The LastPass Security Check can be run from the LastPass Icon menu, under the Tools submenu. 

In the Security Check results, we alert you to sites affected by Heartbleed:

We will continue to update the Security Check recommendations based on which sites we have seen take action and where it is safe to update your passwords. We'll monitor the situation in general and keep our community posted. 

If you're not using LastPass yet, now is the time to get started with organizing and managing your passwords, and use our tools to generate new passwords for your online accounts.

User comments at: http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

Change all your online passwords!

This is it, folks. This is the hack, the security breach, the vulnerability that you've all been expecting...and dreading. The Big One. Armageddon is now.

Okay, so perhaps I'm exaggerating, but security experts are hollering loudly about CVE-2014-0160, also known as the Heartbleed Bug. I think we should listen. Here's a compendium of highlights I've gathered from a bit of googling early today.

Executive Summary

If you're not a techie and/or you can't be bothered with reading all the mumbo-jumbo, here's the bottom line: 

You should seriously consider changing all your online passwords. 

But you may want to wait to change some of them, in case the website/online service for the password you're changing has not upgraded their servers to patch this vulnerability. Or, better yet, change your passwords now and then change them again in the near future. It's never a bad idea to change a password.

If you are a techie or a server administrator, read on.

The "Heartbleed Bug"

An alarming lapse in Internet security has exposed millions of passwords, credit card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery. Security researchers who uncovered the threat, known as "Heartbleed," are particularly worried about the breach because it went undetected for more than two years. [2]
Dubbed the Heart Bleed Bug, the flaw was jointly discovered by a team of security engineers at Codenomicon and Neel Mehta of Google Security. [3]
Security vulnerabilities come and go, but this one is extremely serious. Not only does it require significant change at Web sites, it could require anybody who's used them to change passwords too, because they could have been intercepted. That's a big problem as more and more of people's lives move online, with passwords recycled from one site to the next and people not always going through the hassles of changing them. [1]
Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services that could be potentially hurt by Heartbleed. The Sunnyvale, Calif., company said most of its most popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it didn't identify in a statement Tuesday. [2]
"Heartbleed is massive. Check your OpenSSL!" tweeted Nginx in a warning Tuesday. [1]
But the larger problem is that many SSL certificates could be compromised now, as the secret key that protects a given certificate could be disclosed in an attack on this vulnerability. The process of revoking and reissuing those certificates could go on for a long time, depending upon how many organizations realize their sites are vulnerable and how quickly they respond. [5]
“It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one. We’ll see how many people do that,” said cryptographer Matthew Green, a professor at Johns Hopkins University. [5]

Excuse me? "The Main FBI site?" 

Some high-profile sites, including Yahoo Mail, Lastpass, the OpenSSL site and the main FBI site have been confirmed to leak certain information via the bug. There also is a proof-of-concept exploit for the flaw posted on Github. Lastpass officials said that they patched the vulnerability Tuesday morning, and that user data was never at risk. The company was running a vulnerable version of OpenSSL, but had other security measures in place that mitigated the risk. [5] (See more on LastPass below.)
It's puzzling that such a fuss is being made about Yahoo and LastPass, but the fact that the main FBI site has been breached by this vulnerability is mentioned almost as a footnote. One would have expected the headlines to read "FBI Website Breached by Hackers!" Sigh.
Chartier and other computer security experts are advising people to consider changing all their online passwords. "I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. "You don't know because an attack wouldn't have left a distinct footprint." [2]
But maybe changing passwords won't help. See Change Your Passwords below.

A tool by Filippo Valsorda to test for Heartbleed vulnerability (see How to Detect a Heartbleed below) showed that "Google, Microsoft, Twitter, Facebook, Dropbox, and several other major Web sites to be unaffected -- but not Yahoo. Other Web sites shown as vulnerable by Valsorda's tool include Imgur, OKCupid, and Eventbrite." [1]

The Good News

Older servers/systems are safer, ironically.
The severity of the problem is lower for Web sites and others that implemented a feature called perfect forward secrecy, which changes security keys so that past and future traffic can't be decrypted even when a particular security key is obtained. Although big Net companies are embracing perfect forward secrecy, it's far from common. [1]
Despite the worries raised by Heartbleed, Codenomicon said many large consumer sites aren't likely to be affected because of their "conservative choice" of equipment and software. "Ironically, smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm said in a blog post. [2]
Adam Langley, a Google security expert who helped close the OpenSSL hole, said his testing didn't reveal information as sensitive as secret keys. "When testing the OpenSSL heartbeat (sic) fix I never got key material from servers, only old connection buffers. (That includes cookies though.)," Langley said on Twitter. [1]


It's not clear what LastPass users should do. Should they change all their passwords or not?
One of the companies affected by the vulnerability was password manager LastPass, but the company upgraded its servers as of 5:47 a.m. PT Tuesday, spokesman Joe Siegrist said. "LastPass is quite unique in that nearly all your data is also encrypted with a key that LastPass servers never get -- so this bug could not have exposed customer's encrypted data," Siegrist added. [5]
“LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern,” the company said in a blog post. [5]
“Also, LastPass has employed a feature called “perfect forward secrecy”. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.” [5]
LastPass has used perfect forward secrecy for the last six months, but is assuming its certificates could have been compromised before that. "This bug has been out there a long time," Siegrist said. "We have to assume our private keys were compromised, and we will be reissuing a certificate today." [1]

How to Detect a Heartbleed

An online tool, which allows for testing of any server by its hostname for CVE-2014-0160 bug is already in place. [6] Developer and cryptography consultant Filippo Valsorda published a tool that lets people check Web sites for Heartbleed vulnerability. Valsorda's test uses Heartbleed to detect the words "yellow submarine" in a Web server's memory after an interaction using those words. [1]

What to Do If You Own Servers

How to stop the leak? As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use. [4]
There is no word (yet) on how widely the flaw might have been exploited so far. However, the vulnerable OpenSSL 1.0.1 was released in March 2012. Whoever might have learned about the security flaw in question could have been eavesdropping any TLS/SSL-encrypted communications ever since. This makes the problem a potentially global one: OpenSSL is used by very popular server software such as Apache and nginx. Their combined market share is over 66%, according to Netcraft’s April 2014 Web Server Survey, and they are commonly used by businesses of all sizes. [6]
As of today, a number of *nix-like operating systems are affected too, since they are packaged with vulnerable OpenSSL [6]:
* Debian Wheezy (Stable) (OpenSSL 1.0.1e-2+deb7u4)
* Ubuntu 12.04.4 LTS (OpenSSL 1.0.1-4ubuntu5.11)
* CentOS 6.5 (OpenSSL 1.0.1e-15)
* Fedora 18 (OpenSSL 1.0.1e-4)
* OpenBSD 5.3 (OpenSSL 1.0.1c) and 5.4 (OpenSSL 1.0.1c)
* FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
* NetBSD 5.0.2 (OpenSSL 1.0.1e)
* OpenSUSE 12.2 (OpenSSL 1.0.1c)
Packages with older OpenSSL versions – Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14, SUSE Linux Enterprise Server – are free of this flaw. [6]

Change Your Passwords

The information online is not clear as to whether changing passwords will help. That is to say, in terms of security it's never a bad idea to change one's passwords, and to do so frequently. However, some are saying that to do so now, before your service has upgraded its systems to plug this hole, will be a waste of time.
Changing the passwords won't do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords. [2]
"This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said. "This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug." [2]


This is serious. Very serious. How should you respond? If you manage servers, you need to jump right on it and make sure your systems are covered, either by verifying that they are too old to have been affected (a rare case of procrastination being a good thing) or not quite new enough, as in needing to have the new patches/upgrades installed.

Otherwise, if you're a "regular person" with online passwords -- and who isn't these days? -- then it's advisable to change all your passwords. But you may want to investigate the various sites/services you subscribe to, because if they have not updated their services to plug the vulnerability to Heartbleed, you may have to change your passwords again when they do.


1. http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/
2. http://abcnews.go.com/Technology/wireStory/passwords-vulnerable-security-flaw-found-23247031
3. http://beforeitsnews.com/business/2014/04/heart-bleed-bug-could-compromise-large-part-of-the-internet-2612796.html
4. http://heartbleed.com/
5. http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309
6. http://business.kaspersky.com/the-heart-is-bleeding-out-a-new-critical-bug-found-in-openssl/