HTTPS What is it good for….

Quite a lot really. I know that’s not how the song goes, but HTTPS, the common abbreviation for Hyper Text Transfer Protocol Secure, should be a requirement of every site you visit, and you really should question the authenticity of any site without it. Even if you are not logging in or handing over payment details, it is important for a number of reasons.

What really is it?
HTTP, or the Hyper Text Transfer Protocol, is the protocol of the web: it is how web pages are delivered to you. It is stateless, which means that each request is independent of the others (essentially you arrive on the site and request a page, the server responds, then you click on a link to get another page and, as far as the server is concerned, you are a completely new person). One thing you should always be aware of is that the information sent over HTTP to the server and back to you is plain for anyone in between to see, read or modify.

HTTPS is HTTP traffic encrypted end to end using TLS (Transport Layer Security) or SSL (Secure Sockets Layer). Both the TLS and SSL protocols use what is known as public key cryptography. Such an asymmetric system uses two ‘keys’ to protect communications, a ‘public’ key and a ‘private’ key. Anything encrypted with the public key can only be decrypted by the private key, and vice versa. As the name suggests, the ‘private’ key should be kept strictly private and should only be accessible to its owner. In the case of a website, the private key remains securely held on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key.

When you request an HTTPS connection, the website first sends its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then perform the SSL handshake, which involves generating shared secrets to establish a uniquely secure connection between you and the website. At this point the certificate is also checked against a certificate authority to confirm that it is valid and that you really are communicating with the website you think you are communicating with.

HTTPS protects more than just form data! It keeps the URLs, headers and contents of all transferred pages confidential. Any website that requires login credentials should be using HTTPS. Modern browsers such as Chrome mark sites that do not use HTTPS differently from those that do; in April 2018 Google Chrome started flagging all non-HTTPS websites as insecure, which they are, because over HTTP your information is not protected between the server and the end user.

You’ll hear a number of arguments against using HTTPS, most of which are based on old information or are just plain wrong.

I don’t have anything sensitive on my site. It is just a static HTML page.
The internet is not just your computer connected to their server: there are a lot of other pieces of hardware, organisations and governments in between, such as your coffee shop, their Internet Service Provider, or a government (not necessarily yours). Do you really want someone injecting scripts, images or ad content onto your page so that it looks like you put them there? Or changing the words on your page? Or using your site to attack other sites? HTTPS prevents all of it: it guarantees the integrity of the data and the ability to detect tampering.

Think this doesn’t happen? The massive DDoS attack that hit GitHub a few years ago was linked back to HTTP injection into the Baidu Chinese search engine’s analytics JavaScript; had those pages been served over HTTPS, the code would have been protected.

HTTPS certificates are expensive
No. Let’s Encrypt provides certificates free of charge. Certificates were expensive 10 years ago, but most certificate issuers now provide HTTPS certificates free of charge, and the ones that do charge are only charging for support or administration.

HTTPS is slow
This was true when the server had to do noticeably more work to encrypt the data, but the argument is no longer valid. In fact, with the arrival of HTTP/2 and the compression it offers, HTTPS is now faster than HTTP.


Source: https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/

We hash our passwords and encrypt our data at rest.
Great! But what about when the data travels between the server and the visitor to your site? Don’t get me wrong, encrypting your sensitive data is good security practice, but it only protects data at rest. If you are not using HTTPS, your data is transmitted as plain text for anyone to read.

Attackers can still impersonate my website, even if I use HTTPS.
They can certainly try, and this is the reason for certificates: to make sure the site you are communicating with is authentic, i.e. is who you think you are communicating with. If attackers present a mismatched or invalid TLS certificate, the browser will flag an error, and if the attacker does not use HTTPS at all, browsers should mark the imposter page as insecure.

Phishing sites use HTTPS
Yes, so what? Does that mean you shouldn’t use it yourself?!

HTTPS impacts SEO.
Yes, that’s correct: in most cases it improves it. Google ranks HTTPS sites higher than non-protected sites.

Conclusion

This one is obvious: use HTTPS everywhere, and question sites which don’t have it, because do they really care about security? Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser, so it has been around for over 20 years, and during that time it has been tested and improved. It is free and simple to implement and has well and truly passed the tipping point of adoption: according to the most recent Google statistics, 91% of all pages loaded through Chrome were using HTTPS. So ask yourself again, why would you not do this!

Why Building security backdoors into software is a bad idea

This should be obvious, but on the surface, to reasonable people, a backdoor seems reasonable. If bad people are doing bad things and the police can gather enough evidence to approach a court, they can get a wire-tapping order, which allows them to intercept communications in the mail or by telephone and so gather evidence against the criminals.

TLDR; the basic idea is flawed and it puts individuals at risk.

This seems like an invasive but reasonable approach to protecting public safety, so why should software be different? Why should there not be a master key that opens the encryption locks that criminals are using to conduct their nefarious activities? It is just those pesky software companies preventing the police from protecting us from criminals who want to do us harm. We should make them change and allow the police to view these hidden communications. This seems reasonable, at least until you think about it.

This basic premise assumes that the ones controlling the master key, or even the company that makes the software, are infallible: there could never be any bugs, there could never be anyone in those organisations who could be bribed or coerced into revealing the key, and an overworked, stressed or sleep-deprived individual could never mishandle it. This is building an intentional flaw into a defence, like the infamous drain at Helm’s Deep in The Lord of the Rings.

And that ended well for the men of Rohan.

This also assumes that the organisation that wants the access can instruct the organisation that makes the software to build in this weakness, and that criminals would not just use something else. True, the government could restrict sales to disallow software without the backdoor, but again this assumes that criminals are only going to use software that is legal within that region, because of course criminals are well known for following the law. The basic idea is flawed and it puts individuals at risk.

Q&A video answers from the F-Secure Lab experts about Online Banking Security

This is really just a re-post of the videos from the F-Secure Forum, but if you have not watched them yet, or have any questions on online banking security, then you really should watch these. All of these videos are on F-Secure’s YouTube channel; to be honest most of the content there seems to be advertising and how to use their software, but these videos are genuinely interesting.

  • Video 1. How do I remember strong passwords

  • Video 2. Are ATMs secure?

  • Video 3. Online banking and shopping. Mikko and Sean tell what precautions they take.

  • Video 4. What happens if you get robbed by an online criminal?

  • Video 5. Mikko and Sean’s opinion on various online banks

  • Video 6. Credit card data in receipts

  • Video 7. How Common is online criminality?

  • Video 8. Is it safe to use a smartphone for online banking?

  • Video 9. I get a warning whenever I log onto my online bank…

  • Video 10. A question about the ATM skimmers and iTunes fraud…

A Tragic Story of Mat Honan’s Digital Life being destroyed….

Seriously read this article, and I mean the whole article “How Apple and Amazon Security Flaws Led to My Epic Hacking” and shudder as to how easily it could happen to you.

For those that do not know Mat Honan (@mat), he is a senior writer for Wired.com magazine, and he recently had his digital life turned upside down when someone, quite interestingly by chaining together his linked Google, Amazon and iCloud accounts, destroyed it.

First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

One of the people involved in the hack, “Phobia”, contacted him later to discuss it, and what makes this story more horrifying is his explanation of how easy it was to do.

So how did he get this vital information? He began with the easy one. He got the billing address by doing a whois search on my personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.

Getting a credit card number is trickier, but it also relies on taking advantage of a company’s back-end systems. Phobia says that a partner performed this part of the hack, but described the technique to us, which we were able to verify via our own tech support phone calls. It’s remarkably easy — so easy that Wired was able to duplicate the exploit twice in minutes.

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.

And as he later correctly points out:

If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.

The most tragic part is that he is kicking himself for not having backed up his data, resulting in him permanently losing the pictures of his daughter. Maybe he, and everyone else, should have watched the master of comedy John Cleese’s video Institute for Backup Trauma.

A silver lining to this story was the realization of my own vulnerability, and that I, and I hope you too, needed to take steps to rectify the problem.

Handy wee bit of code to interrogate an Object in JavaScript

I was just working on an AJAX component to communicate with a Spring.Net web service component. The operation returns an object in the event of an error, and all I really required was one of the properties of that object, i.e. the error message.

Rather than spend ages searching for the names of all the properties of the returned object so I could work out which one I wanted, I went to my old faithful.

This function is very simple: you pass it a JavaScript object and it alerts all the properties and their values, so I can quickly work out which property I need. As it turned out, e.responseText was the error message, but it was also another JSON object within a JSON object, so to get the sub-property I needed, [Message], I resorted (uncomfortably) to a method I don’t usually use.

Yes, eval(). I have heard this can be quite a dangerous method to use, especially in this case, because it will execute any text passed to it, but I don’t know of any other method to process the returned JSON string. Suggestions welcome.
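One answer to the request for suggestions, as an added example that is not the post’s own helper: a property-listing function in the spirit of the one described (returning lines instead of calling alert()), and JSON.parse() in place of eval() for the nested responseText string. The sample error object is constructed here and only imitates the shape the post describes.

```javascript
// Added example, not the original post's code. Constructed sample of the kind
// of error object the post describes: the outer object carries a responseText
// string that itself holds JSON with a Message property.
const sampleError = {
  status: 500,
  statusText: "Internal Server Error",
  responseText: '{"Message":"Object reference not set to an instance of an object.","StackTrace":"   at Service.Run()"}'
};

// List an unfamiliar object's own properties as "name: value" lines so the
// caller can see which one holds the error text (the post's helper alerted
// each one; returning the lines keeps this usable in tests and logs).
function describeObject(obj) {
  return Object.keys(obj).map(function (key) {
    return key + ": " + String(obj[key]);
  });
}

// Safe replacement for eval(): JSON.parse only accepts JSON data, so a
// response body such as "alert(1)" is rejected instead of being executed.
function extractMessage(err) {
  let inner;
  try {
    inner = JSON.parse(err.responseText);
  } catch (e) {
    return null; // not JSON: refuse it rather than run it
  }
  return inner && typeof inner.Message === "string" ? inner.Message : null;
}
```

Older browsers without a native JSON object can load a JSON parsing library, but the principle is the same: parse data as data, never evaluate it as code.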

WordPress Stylesheets and scripts broken because WordPress adds https

Recently I noticed that if I viewed this site on a different machine there were no styles, and none of the scripts were being run, until I logged in, at which point I added an exception for the site’s SSL certificate. This site, like many others I would imagine, is on shared hosting, which means that my hosting provider set up the SSL certificate. This is very nice of them, but it does have the slight drawback that the certificate does not match my domain, which in nearly every browser will flag up an error message if you try to access the site using https. For me this is not really a problem, as I know why this happens and I am the only one really adding to this site, so I can just ignore it.

However, as I said above, I recently noticed that on machines that did not have an exception for the SSL certificate, visitors could not see any of the lovely styling. This was because, for some reason, WordPress was automatically adding https instead of http in front of all the stylesheets, and because there is an error with the SSL certificate on this site due to the domains not matching, nobody but me could see the site. A problem? Yes, I think so.

Luckily for me I came across this wonderful website that had the solution to my problem, well at least steered me in the right direction.

The solution was quite simple after a little exploring: just comment out the line which makes it https in /wp-includes/link-template.php.

Learning about GUID’s

I have been puzzling over a problem where I need to create one-time keys to access a system. My question is: is it secure to use a Globally Unique Identifier, or GUID, for this key? The consensus is generally yes.

While section 6, “Security Considerations”, of the RFC 4122 standard states:

Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access)

For the particular use case there appears to be a consensus in the community that this is “secure enough”; it is used every day whenever you get a link in an email to reset your password. Such services typically use a GUID to identify the request, and as the GUID becomes invalid once it has been used, even if someone did steal your id it would only be good for one request, assuming it has not timed out (many services have a timeout of 30 minutes for these GUIDs to be used) or already been used, either of which would cause the authentication to fail.

GUIDs are also, apparently, guessable because they are designed for uniqueness rather than secrecy (i.e. using the current date and the MAC address of the machine as the seed) to produce a 128-bit integer, which makes the identifier predictable and could be a problem. It is a problem easily overcome by a simple trick used in cryptography: add a random salt generated with a cryptographically strong random number generator. A person could potentially predict the GUID, but is far less likely to predict both the GUID and the random value. Then add transport-level security, sending the information over SSL, to prevent someone listening in (though if it is being sent it is being used, so it would be immediately invalid anyway).

Sources