Avast WEBforum

Other => General Topics => Topic started by: polonus on December 18, 2008, 08:59:29 PM

Title: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on December 18, 2008, 08:59:29 PM
Hi malware fighters,

Many websites operate using outdated or misconfigured SSL certificates and are therefore vulnerable to attacks; these are the conclusions of a survey to appear later this month. Rodney Thayer will present his survey results at the Chaos Communication Congress (CCC) in Berlin
(Dec. 27-30). It concerns dozens of problems found in SSL certificates. "I show some web shops providing access to both wxw.shop.com and shop.com. They think this is helping users, but it can hamper SSL certificates big time."

Thayer also found numerous sites with outdated certificates or using outdated, vulnerable technologies like SSL 2 or 40-bit RC4. "There is absolutely no reason to use SSL 2 any longer, when everybody knows it is "broken". In most cases using RC4 can be a reason for a retailer to fail a PCI audit. One should not see these types of technologies anymore."

Check and double-check
Next to implementation problems, better standards should also be brought in for certificate authority suppliers. "During my survey I have found 247 legitimate certificate authorities, varying from the well-known Verisign organization to a small organization in Turkey that hands out free certificates almost "on the fly".
No industry standards exist at the moment for certificate authorities."

While certificate authorities do not always verify the validity of a certificate, firms should do this themselves on a regular basis, according to the researcher. Users are advised to no longer ignore browser pop-ups and warnings. "Check your SSL connection before you send sensitive data." In Firefox you can use the Perspectives add-on to check verification, and the SSL Blacklist plug-in.
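To make the survey's advice concrete, here is a policy check over what a TLS client actually sees: the negotiated protocol, the cipher suite and the server certificate. It is an added example, not code from the post or from Thayer's survey; the input shapes follow Python's ssl module (version(), cipher(), getpeercert()), the sample certificates are constructed, and the weak-cipher token list and the 128-bit floor are my choices. The hostname matcher shows the www.shop.com vs shop.com point from the survey: a certificate only covers the names it actually lists.

```python
"""Policy check over what a TLS client actually sees: protocol version, cipher
suite and the server certificate. Added example, not code from the forum post or
from any add-on. The inputs have the same shapes Python's ssl module returns
(ssl_sock.version(), ssl_sock.cipher(), ssl_sock.getpeercert())."""
import socket
import ssl
import time

# The survey's two complaints: SSL 2 still enabled, and 40-bit RC4 ciphers.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_TOKENS = ("RC4", "EXP", "DES-CBC-", "NULL")   # my list, not from the post
MIN_CIPHER_BITS = 128


def hostname_matches(hostname, cert):
    """RFC 6125-style name check: subjectAltName DNS entries first, CN only as a
    legacy fallback, wildcard allowed in the leftmost label only. A certificate
    for www.shop.example does NOT cover shop.example unless both are listed."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            h_labels, n_labels = host.split("."), name.split(".")
            if len(h_labels) == len(n_labels) and h_labels[1:] == n_labels[1:]:
                return True
        elif name == host:
            return True
    return False


def cert_expired(cert, now_ts):
    """notAfter is the 'Mon DD HH:MM:SS YYYY GMT' string getpeercert() returns."""
    return now_ts > ssl.cert_time_to_seconds(cert["notAfter"])


def evaluate(hostname, protocol, cipher, cert, now_ts=None):
    """Return a list of (severity, reason); an empty list means the connection
    passes policy. cipher is the (name, protocol, secret_bits) tuple from cipher()."""
    now_ts = time.time() if now_ts is None else now_ts
    findings = []
    name, _, bits = cipher
    if protocol in WEAK_PROTOCOLS:
        findings.append(("fail", f"{protocol} negotiated; SSL 2/3 are broken"))
    if any(tok in name for tok in WEAK_CIPHER_TOKENS) or bits < MIN_CIPHER_BITS:
        findings.append(("fail", f"weak cipher {name} ({bits}-bit secret)"))
    if not hostname_matches(hostname, cert):
        findings.append(("fail", f"certificate does not cover {hostname}"))
    if cert_expired(cert, now_ts):
        findings.append(("fail", f"certificate expired {cert['notAfter']}"))
    return findings


def probe(hostname, port=443):
    """Live use (needs network access, so not exercised here). The default context
    already rejects name mismatches and expiry during the handshake and refuses
    SSL 2/3 outright; evaluate() adds the cipher-strength check on top."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return evaluate(hostname, tls.version(), tls.cipher(), tls.getpeercert())


# Constructed sample certificates in getpeercert() form (not real certificates).
SHOP_CERT = {
    "subject": ((("commonName", "www.shop.example"),),),
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "shop.example")),
    "notAfter": "Dec 31 23:59:59 2009 GMT",
}
WWW_ONLY_CERT = {   # the "wxw.shop.com vs shop.com" situation from the survey
    "subject": ((("commonName", "www.shop.example"),),),
    "subjectAltName": (("DNS", "www.shop.example"),),
    "notAfter": "Dec 31 23:59:59 2009 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.shop.example"),),),
    "subjectAltName": (("DNS", "*.shop.example"),),
    "notAfter": "Jun 30 23:59:59 2008 GMT",   # already expired at the time of the thread
}
NOW_2008 = ssl.cert_time_to_seconds("Dec 18 12:00:00 2008 GMT")   # date of the post

if __name__ == "__main__":
    print(evaluate("shop.example", "TLSv1", ("AES128-SHA", "TLSv1", 128), SHOP_CERT, NOW_2008))
    print(evaluate("shop.example", "SSLv2", ("EXP-RC4-MD5", "SSLv2", 40), WWW_ONLY_CERT, NOW_2008))
    print(evaluate("api.shop.example", "TLSv1", ("AES256-SHA", "TLSv1", 256), WILDCARD_CERT, NOW_2008))
```

The first call passes clean, the second collects three failures (SSL 2, export RC4, name not covered), and the third fails only on expiry. For a live check, probe() wraps the same evaluate() around a real handshake.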

Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Marc57 on December 19, 2008, 08:44:00 AM
Good advice, Thanks polonus.
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: CharleyO on December 19, 2008, 08:59:48 AM
***

Thanks for the info, Polonus.   :)


***
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: alanrf on December 19, 2008, 09:24:21 AM
And there was me thinking all this time that paying attention to these warnings was important. 

You mean it only really became important today when you reminded us?
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: TedNelly on December 19, 2008, 10:46:25 AM
Quote
And there was me thinking all this time that paying attention to these warnings was important.

You mean it only really became important today when you reminded us?

Totally unnecessary sarcastic comment!
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Lisandro on December 19, 2008, 12:51:10 PM
C'mon guys... it's Christmas time ;)
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on December 19, 2008, 01:25:02 PM
Hi alanrf,

No, of course it has always been an important issue. If I remember right, not so long ago Vlk also pointed out the importance of good certificate authentication against malware. Especially as I visit coder pages for my interest in secure browser code, I see webpages where I am alerted that something is not completely OK with that page's certificate. It is not explicitly saying watch out, there could be malicious content here, but in these cases I start to prick my ears security-wise,

polonus
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: alanrf on December 19, 2008, 02:32:49 PM
With no apology to tednelly whatsoever ...

This is just like saying "it is time to pay attention when avast tells you it found a virus".

polonus does a wonderful job of alerting us to information gleaned from his keen anti-malware research - but that does not mean that every report he passes on to this forum should pass without question or comment other than the usual admiration.

Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Marc57 on December 19, 2008, 06:58:37 PM
Quote
With no apology to tednelly whatsoever ...

This is just like saying "it is time to pay attention when avast tells you it found a virus".

polonus does a wonderful job of alerting us to information gleaned from his keen anti-malware research - but that does not mean that every report he passes on to this forum should pass without question or comment other than the usual admiration.



Hey alanrf, I feel that info like this isn't really directed at the regulars, but at the new members who, unlike us, really don't know much about security and who come here to learn.
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: DavidR on December 19, 2008, 07:22:25 PM
I have the Perspectives add-on but I confess to not using it much at all, so it isn't just newbies, familiarity can breed contempt.

But we can also go overboard as far as security goes and it becomes all consuming and you spend all your time keeping your security apps, add-ons, etc. up to date.
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Lisandro on December 19, 2008, 07:45:23 PM
Quote
you spend all your time keeping your security apps, add-ons, etc. up to date.
This is why I love auto-update programs... especially when you can count on bandwidth ;)
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: doomer on December 19, 2008, 10:26:55 PM
Yes, thank you, Polonus. As a matter of fact, there were two Windows XP systems I went to that were using IE7, but had the optional root certificates update missing. So I remembered it was a good idea to install that update as it provides an additional and much appreciated layer of security.

Indeed, Polonus' advice should be heeded, unless you want to let all the bad bugs enter your system, and then blame every one else for your failing systems, but not yourselves.
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Lisandro on December 19, 2008, 11:23:51 PM
Quote
optional root certificates update
Why doesn't Microsoft release this as "critical"?
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: doomer on December 19, 2008, 11:33:51 PM
Beats me. ;)
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on December 19, 2008, 11:55:18 PM
Hi Doomer,

Very good observation of yours. So do not take things for granted, and do not trust things at first glance.
Also there are many selling sites that sell things without https. There are other ways for cybercriminals to get at the data, like SQL injection etc., but let us also not forget the obvious. Practical examples like the one you gave here are very instructive for the users of this forum section; thank you for posting,

polonus
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: TedNelly on December 20, 2008, 05:51:45 AM
Quote
With no apology to tednelly whatsoever ...

Would expect absolutely nothing from such a pompous forum member, that holds oneself in such high esteem as to not recognize one's own unnecessary sarcastic jibe.

I don't recall asking you for anything, as for an apology I very much doubt it a word you would utter freely?
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: alanrf on December 20, 2008, 06:04:47 AM
tednelly,

Allowing for your emotional venting ... I have apologized before in these forums ... but not today and not to you.

BTW what we are seeing in this thread is rather inverted logic.

Quote
So do not take things for granted, and do not trust things at first glance.
Like the report posted by polonus.

I was stating (albeit with some irony - perhaps the difference is not clear to some posters) that I did already take these warnings seriously.  Where is the evidence that others do not?  I see none given.   And then we have the subtle change to:

Quote
Also there are many selling sites that sell things without https

Very true ... let the buyer beware ... but what has that got to do with certificate warnings in any way, shape or form?

And the continuing obfuscation as a fig leaf to avoid the point I made.  I think most users are already concerned when they see a certificate problem.  This was, from the start, a posting of a report that is an answer looking for a problem.
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: TedNelly on December 20, 2008, 06:23:40 AM
My goodness how emotional of me!
Your comments re Polonus's post were not sarcastic, totally necessary,  Polonus's sole intention as you pointed out, was to have us all heap admiration upon him.
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: alanrf on December 20, 2008, 07:01:41 AM
tednelly,

now you are getting the hang of it! 

BTW see the PM I just sent you.

Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: alanrf on December 20, 2008, 09:04:00 AM
The purpose of this post is an apology to polonus

Following a private discussion tednelly (for which my thanks) has made clear to me that my earlier comments in this thread are, or very close to being, a personal criticism of polonus whose intent in starting this thread was, I know, based solely on helping others in the forum.

My intent was to question the information being posted by polonus - which is legitimate - and not to impugn polonus or the right of polonus to post the information.  For my failure in my wording to be clear in this I must apologize to polonus.

Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Darth.Mikey on December 20, 2008, 09:47:49 AM
Thanks for the tip on Perspectives Damian ! Nice add-on ! :)
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Lisandro on December 20, 2008, 02:09:19 PM
Quote
Thanks for the tip on Perspectives Damian ! Nice add-on ! :)
Really... I've tested it and see no purpose at all... can you share with us some usefulness of it?
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Lisandro on December 20, 2008, 02:11:41 PM
Quote
The purpose of this post is an apology to polonus

Following a private discussion tednelly (for which my thanks) has made clear to me that my earlier comments in this thread are, or very close to being, a personal criticism of polonus whose intent in starting this thread was, I know, based solely on helping others in the forum.

My intent was to question the information being posted by polonus - which is legitimate - and not to impugn polonus or the right of polonus to post the information.  For my failure in my wording to be clear in this I must apologize to polonus.
Congratulations forum users. This kind of behavior keeps the good atmosphere of the forums, don't you think?
Let me make clear I'm on the same side of Peter, Polonus, Alan ;)
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Darth.Mikey on December 20, 2008, 02:13:16 PM
http://www.cs.cmu.edu/~perspectives/firefox.html
Quote
The extension provides two primary benefits:

   1. If you connect to a website with an untrusted (e.g., self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
   2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.
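The "network notary" idea behind the second benefit can be seen in a small simulation. This is an added example written for this thread, not the Perspectives add-on's own code: the Observation record, the quorum fraction, the "stable for N days" threshold and the verdict names are my assumptions modelled on the description quoted above. Notaries compare the key they have been seeing for a host with the one the client just received, so a certificate that some CA did issue but that no notary has ever observed for that host still fails the check.

```python
"""Notary-style consistency check in the spirit of Perspectives. Added example,
not the add-on's own code: data model, thresholds and verdict strings are my
assumptions. Each notary reports the key fingerprints it has observed for a host
with first/last-seen timestamps; the client accepts the key it received only if
a quorum of notaries currently see the same key and that key has been stable
for a minimum number of days."""
from dataclasses import dataclass

DAY = 86400


@dataclass(frozen=True)
class Observation:
    fingerprint: str   # hash of the server's public key as a notary saw it
    first_seen: int    # epoch seconds
    last_seen: int


def current_key(observations):
    """The key a notary saw most recently, or None if it has no history."""
    return max(observations, key=lambda o: o.last_seen) if observations else None


def assess(seen_fp, reports, now, quorum=0.75, quorum_days=3):
    """reports: {notary_name: [Observation, ...]}. Returns (verdict, detail).
    verdicts: accept / warn (recent key change) / reject (notaries disagree)."""
    if not reports:
        return ("unknown", "no notary data available")
    agreeing = []
    for observations in reports.values():
        cur = current_key(observations)
        if cur is not None and cur.fingerprint == seen_fp:
            agreeing.append(cur)
    if len(agreeing) / len(reports) < quorum:
        return ("reject", f"only {len(agreeing)}/{len(reports)} notaries see this key from "
                          "their vantage points; a CA-valid but unexpected certificate lands here too")
    # Quorum duration: the key must have been visible to every agreeing notary long enough.
    stable_days = (now - max(o.first_seen for o in agreeing)) / DAY
    if stable_days < quorum_days:
        return ("warn", f"key stable for only {stable_days:.1f} days; could be a rollover or a fresh MITM")
    return ("accept", f"{len(agreeing)}/{len(reports)} notaries agree; key stable {stable_days:.0f} days")


def day(n):
    """Constructed timeline: day n after an arbitrary epoch."""
    return n * DAY


# Constructed notary histories (not real data).
NOW = day(30)
LEGIT = "sha1:aa11"   # the key the real server has used for a month
ROGUE = "sha1:ff99"   # a key no notary has seen for this host
NEW = "sha1:bb22"     # a freshly rolled key, seen by everyone since yesterday
NOTARIES = ("notary-a", "notary-b", "notary-c", "notary-d")

STEADY = {n: [Observation(LEGIT, day(0), day(30))] for n in NOTARIES}
ROLLOVER = {n: [Observation(LEGIT, day(0), day(29)), Observation(NEW, day(29), day(30))] for n in NOTARIES}
ONE_POISONED = dict(STEADY, **{"notary-d": [Observation(ROGUE, day(28), day(30))]})

if __name__ == "__main__":
    print(assess(LEGIT, STEADY, NOW))         # accept
    print(assess(ROGUE, STEADY, NOW))         # reject: no notary ever saw this key
    print(assess(NEW, ROLLOVER, NOW))         # warn: everyone sees it, but only for a day
    print(assess(LEGIT, ONE_POISONED, NOW))   # accept: 3 of 4 still agree
    print(assess(ROGUE, ONE_POISONED, NOW))   # reject: 1 of 4
```

The split between "reject" and "warn" is the useful part: a key that every notary has just started seeing is most likely a legitimate rollover, while a key that most notaries do not see at all means the client is looking at something different from the rest of the Internet, regardless of how valid the certificate chain is.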
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Lisandro on December 20, 2008, 02:22:57 PM
I'll install it again. Thanks.
Seems that I'm not visiting pages with wrong/expired certificates... ;D
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Darth.Mikey on December 20, 2008, 02:33:43 PM
Yeah neither do i but every once in a while i do come across a site like that. :)
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: bob3160 on December 20, 2008, 07:37:12 PM
Is this only for FF ???
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Lisandro on December 20, 2008, 07:46:29 PM
Quote
Is this only for FF ???

Perspectives? I think so...
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Abraxas on December 23, 2008, 08:49:01 AM
Nice debate guys, keep it up  ;)
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Darth.Mikey on December 25, 2008, 01:51:13 AM
Hello Abraxas, there is an even bigger problem here, nowadays anyone can get a fully legitimate SSL Certificate, thanks to stupid Comodo ...

Read more here: https://blog.startcom.org/?p=145

Quote
In a previous article I reported about Man-In-The-Middle (MITM) attacks and if they really happen. Unfortunately it does happen as some testimonials confirm. Now it’s even easier because in the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and fully trusted certificate? No problem, just head over to one of Comodo’s resellers. ...

Quote
... This prompted me to create another certificate through them, but this time by using a domain name which should never be issued to me. For the purpose of testing, I selected the domain mozilla.com (I’m certain they will forgive me). Five minutes later I was in the possession of a legitimate certificate issued to mozilla.com - no questions asked - no verification checks done - no control validation - no subscriber agreement presented, nothing. ...
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on December 25, 2008, 02:09:03 AM
Hi darth_mikey,

Yes it is a nice add-on, Perspectives is, sits there in the background, until something smells fishy, and then immediately gets into action. Also have to admit that WOT alerting is also rather reasonable in this respect.
But just imagine as I was reading here a while ago that you're downloading online from a site with the wrong certification, and the downloads matter? What havoc that can bring?

polonus
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Darth.Mikey on December 25, 2008, 02:16:51 AM
Quote
Hi darth_mikey,

Yes it is a nice add-on, Perspectives is, sits there in the background, until something smells fishy, and then immediately gets into action.

But will it smell something fishy when the certificate has been recognized as legitimate since it was issued by Comodo ?
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on December 25, 2008, 02:27:22 AM
Hi Miha,

Go to Authorities in the Perspectives console, there is Comodo, I did not give it a +, so no authoritative certificates for me in this case, and no bypassing there, it stays on -

Damian
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: SpeedyPC on December 25, 2008, 12:29:21 PM
Quote
C'mon guys... it's Christmas time ;)

Christmas?  what is Christmas...????..............are you talking about the polonus security if Christmas ;D
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Lisandro on December 25, 2008, 01:14:58 PM
Quote
Christmas?  what is Christmas...????..............are you talking about the polonus security if Christmas ;D
No, I was just trying to make people relax, take it easy, enjoy the forums, specially in this season.
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on December 30, 2008, 04:34:24 PM
Hi malware fighters,

Who told me that the news in this thread is not current? It is, and just this very moment SSL certificates with MD5 hash encryption have been broken by researchers: http://events.ccc.de/congress/2008/wiki/Streaming
Researchers have found a hole in the Internet Public Key Infrastructure (PKI) that can be used for issuing SSL certificates for websites, e.g. used by RSA Data Security, Thawte, Verisign and RapidSSL.
The attack could be performed with 200 Sony PlayStation 3 consoles. The certification was provided by a CA Authority trusted by all websites; later one uses an "intermediary CA certificate" to sign other certificates that the researchers want to issue. While the MD5 hashes of legit and malicious certificates are identical, one can copy the malicious signature onto the legit one, so that it stays a valid one. Researchers predict that SHA1 will be next to be hacked, just a question of time. This will give phishing an enormous boost. Be afraid, be very afraid. Perspectives stays inside my browser, as does a special list in my firekeeper extension,

polonus

P.S. What measures should be taken now by browser makers? Among the measures this group of researchers is advocating is disabling the use of MD5 signatures, blacklisting rogue certificates, and the required use of more robust cryptographic hashes such as SHA-2 and, when ready, SHA-3, and here are Giorgio Maone's musing on the issue: http://hackademix.net/2008/12/30/putting-ssl-in-perspectives/


Damian
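As an added example for the P.S. above (not the researchers' code, and not the SSL Blacklist add-on that comes up later in the thread; the certificates are constructed toys and the audit logic is mine), this Python script shows the two defensive measures listed there: refusing MD5-signed certificates anywhere in the chain and blacklisting known rogue certificates by fingerprint. The DER walk to the signatureAlgorithm OID follows the real X.509 outer layout, so signature_algorithm() also works on a DER certificate exported from a browser; only the TBS body of the toy certificates is simplified.

```python
"""Certificate-chain audit: flag MD5 (and SHA-1) signature algorithms and
blacklisted fingerprints. Added example, not the researchers' code and not the
SSL Blacklist add-on. The outer DER layout parsed here (tbsCertificate,
signatureAlgorithm, signatureValue) and the OIDs are the real X.509 ones; the
certificates themselves are constructed toys with a simplified TBS body."""
import hashlib

OID_MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
OID_SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
OID_SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
OID_NAMES = {OID_MD5_RSA: "md5WithRSA", OID_SHA1_RSA: "sha1WithRSA", OID_SHA256_RSA: "sha256WithRSA"}
DEPRECATED = {
    OID_MD5_RSA: "MD5 collisions let a signature be transplanted onto a rogue CA certificate",
    OID_SHA1_RSA: "SHA-1 is expected to fall next; migrate to SHA-2",
}
HASH_FOR = {OID_MD5_RSA: hashlib.md5, OID_SHA1_RSA: hashlib.sha1, OID_SHA256_RSA: hashlib.sha256}


# --- minimal DER encode/decode (enough for SEQUENCE, OID, INTEGER, strings, BIT STRING) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128 with continuation bits, most significant first
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out


# --- toy certificate builder and the checks ---
def make_cert(subject, issuer, sig_oid):
    """Constructed certificate: serial, issuer, subject in the TBS; the 'signature'
    is just the TBS digest under the named hash (no RSA), enough for the audit."""
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x13, issuer.encode()) + tlv(0x13, subject.encode()))
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")          # AlgorithmIdentifier { oid, NULL }
    sig = tlv(0x03, b"\x00" + HASH_FOR[sig_oid](tbs).digest())   # BIT STRING, 0 unused bits
    return tlv(0x30, tbs + alg + sig)

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm; this walk also works on real DER certs."""
    _, outer, _ = parse_tlv(cert_der)
    _tbs, (_, alg_body), _sig = children(outer)[:3]
    oid_tag, oid_body = children(alg_body)[0]
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def audit_chain(chain, blacklist):
    """chain: leaf first. Returns (index, what, why) findings; empty means clean."""
    findings = []
    for i, der in enumerate(chain):
        oid = signature_algorithm(der)
        if oid in DEPRECATED:
            findings.append((i, OID_NAMES.get(oid, oid), DEPRECATED[oid]))
        if fingerprint(der) in blacklist:
            findings.append((i, "fingerprint", "certificate is on the rogue list"))
    return findings


# Constructed chain: modern leaf, MD5-signed intermediate, SHA-1 root, plus a rogue sub-CA.
LEAF = make_cert("www.shop.example", "Toy Intermediate CA", OID_SHA256_RSA)
INTERMEDIATE = make_cert("Toy Intermediate CA", "Toy Root CA", OID_MD5_RSA)
ROOT = make_cert("Toy Root CA", "Toy Root CA", OID_SHA1_RSA)
ROGUE = make_cert("Rogue CA", "Toy Intermediate CA", OID_MD5_RSA)
CHAIN = [LEAF, INTERMEDIATE, ROOT]
BLACKLIST = {fingerprint(ROGUE)}

if __name__ == "__main__":
    for finding in audit_chain(CHAIN, BLACKLIST) + audit_chain([ROGUE], BLACKLIST):
        print(finding)
```

The point of checking every element of the chain, not just the leaf, is that the 2008 attack lived in an intermediate: a leaf signed with SHA-256 is no reassurance if the CA certificate above it was signed with MD5.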
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Darth.Mikey on December 30, 2008, 05:35:34 PM
LOL ! What an interesting use of those PS3 consoles. ;D

So what you're saying here is we are basically s****d ?? No way of telling which certificate really is the legit one. I wonder what the response from CA,RSA,Verisign and co. will be. This is getting interesting.
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: Darth.Mikey on December 30, 2008, 06:03:20 PM
Some more links ... ;)

http://events.ccc.de/congress/2008/Fahrplan/track/Hacking/3023.en.html
http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt

http://www.phreedom.org/research/rogue-ca/
Quote
We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: bob3160 on December 30, 2008, 06:55:05 PM
This certainly isn't good news.
Until a patch or something else is available, purchasing anything online
could really put you at risk.
2009 could be a very very dangerous year indeed.  >:(
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on December 30, 2008, 09:18:28 PM
Hi bob3160,

That does not have to be so. But banks and webshops make use of the mentioned certificates. These websites are recognizable by having https in the address bar.
The congress members made clear however that the hole is not inside the SSL protocol itself, but in the surrounding infrastructure that is being used to issue certificates for a secure website. The researchers did not go over every detail of the exploit to prevent criminal abuse, but warn that people in the know could crack the system within a month's time.

Despite the fact that the security of SSL certification is known as being "weak", the coding system is still very much in use. The first signals that something was wrong with these techniques came as early as 2005. In 2007 there was advice given to change over to more secure systems. Nothing happened then. The researchers wanted to demonstrate that it is really time now for Certification Authorities to issue other kinds of signatures for their certificates. Also browser developers will have to clean up their act to make the situation more secure,

In light of the SSL certificate issue, there is another option: in Firefox you can install an add-on named "Show IP". When the certificate is OK, but the IP address is not, there may be something really wrong!
https://addons.mozilla.org/en-US/firefox/addon/590


polonus

Networking4all already has a super tool on their website which also tells you what algorithm has been used for all certificates in the chain!

https://www.networking4all.com/nl/helpdesk/tools/site+check/
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on December 31, 2008, 06:20:45 PM
Hi malware fighters,

Here you can find the instructions for the right installation of the Perspectives add-on in Firefox that will protect you against manipulated SSL-C, follow the instructions given here by Giorgio Maone, the developer of the unique extension NoScript: http://hackademix.net/2008/12/30/putting-ssl-in-perspectives/

In the light of the new CA issues and the use of Perspectives, I would like to make the following comments:
First and foremost, I use Perspectives in the recommended settings as given by Giorgio Maone.
I also relaunched the Netcraft toolbar again, download here: https://addons.mozilla.org/en-US/firefox/addon/1326
I am not a fan of any toolbar as such (not all are friendly, to say the least). The web developers toolbar I tossed aside. This Netcraft toolbar has not let me down once, & together with the ShowIP add-on I have a better understanding of where I am going with the browser. To further enhance my in-browser security I have some pre-link checking installed there, finjan in combination with searching via Scandoo.com (I allowed that partially in NoScript), and for the individual pre-link checking: DrWeb's av link checker plug-in: https://addons.mozilla.org/en-US/firefox/addon/938
An additional site check can be found here: https://www.networking4all.com/nl/helpd ... ite+check/ Just put in any url like http://www.networking4all.com to check the installed SSL Certificate

polonus
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on January 02, 2009, 03:10:02 PM
Hi malware fighters,

What is your opinion about this just released SSL blacklist add-on:
http://www.codefromthe70s.org/sslblacklist.aspx
Is this adding to our security or just overkill if we have NoScript and Perspectives with the right settings?
According to me it is just adding to a feeling of false alarm when it meets MD5 SSL certificates,

polonus
Title: Re: Do not any longer ignore certification browser pop-ups and warnings!
Post by: polonus on January 05, 2009, 05:36:13 PM
Hi malware fighters,

According to this man it is time to bury SSL altogether.
re: http://blogs.securiteam.com/index.php/archives/1228

The problem with SSL is that checking someone's identity is a futile business now.
In the past it could take quite some time before a firm was passed a certificate,
but times have changed in this respect.

"Today it is not easy to prove who "you" are.
Firms have various websites for various purposes,
and it is not easy to withhold a certificate on the same grounds.
But the situation is even worse: SSL-certificates are abused to such an extent,
that users seemingly do not care any longer."
Aviram notes that for the larger part users ignore CA error messages.

"SSL certificates are broken, and have been so for a long time,
not because of an ingenious attack.
The fact that there is an effective crypto-attack
can only help to finally bury this relic,
and help towards finding another solution."

polonus