Showing posts with label microsoft. Show all posts

Friday, March 14, 2014

The Gaping Holes in HTTPS and SSL Security!

Scott Ogrin, a blogger who is a software engineer as well as an electrical and computer engineer with a BSEE and MSEE, breaks it down in the following article:

In this day and age of well-known NSA spying, everyone keeps saying that the only way to be safe is to use SSL/TLS, commonly known as "browsing with https://".

The sad reality is that HTTPS does virtually nothing to protect you from the prying eyes of alphabet soup agencies - or anybody else with enough knowledge about how these supposedly "secure" connections actually work.

It's true that connecting to web sites with SSL will certainly prevent "script kiddies" and other less capable opponents from eavesdropping on your surfing or otherwise interfering in your affairs. But as for the Real Bad Guys, forget it...

We shall begin by taking a brief dive down the rabbit hole of SSL, hopefully in a way that will make sense to even the least technically inclined among us.

This issue is, after all, so extremely important that I think everyone needs to understand what is really going on, and how web security actually works, without needing a PhD in cryptography, computer science, or engineering!

Our story begins with a little e-mail I received the other day. The basic message can be found here:
Microsoft Security Advisory (2880823)

Of course, the idea that Microsoft of all companies is warning me about security is kind of laughable, so I didn't pay much attention. Nevertheless, there was this little voice in the back of my mind that kept pestering me, so I decided to dig in and see what all the hoopla was about... or indeed if any hoopla was even warranted.
Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.
Okay, so that's probably like trying to read a foreign language to most people. Even I didn't understand exactly how these hashing algorithms were used with SSL. So, I started digging. What I found nearly floored me:

MD5 considered harmful today: Creating a rogue CA certificate

Now, if you thought the M$ advisory was confusing, take a peek at the above link.

WOW! That's wild.

In summary, way back in 2008, some smart people figured out a way to make themselves a Fake SSL Certificate Authority, and they accomplished this feat by using a weakness in the MD5 hashing algorithm.  [...]
First, let's define some terms - hopefully in Plain English:

SSL Web Site Certificate

This is a digital certificate, with a digital signature, that verifies that a website is who they say they are. When you connect to a web site using SSL (HTTPS), your browser says, "Papers, please!" The remote site then sends the SSL Web Site Certificate to your browser. Your browser then verifies the authenticity of this "passport". Once verified, encrypted communications ensue. The point of the SSL Web Site Certificate is that under no circumstances should anyone else be able to create a valid, signed certificate for a web site that they do not own and operate. In order to obtain an SSL Web Site Cert, you must verify by varied means that you are the owner and operator of the web site involved. So, using HTTPS is not only for encryption of communications, but also a way to verify that the site you are communicating with is the Real Thing, and not an imposter. And of course you must pay for the certificate!

Certificate Authority (CA) Root Certificate

This is also a digital certificate, with a digital signature... But in this case, this certificate can be used to create and digitally sign normal SSL Web Site Certificates. This is the kind of certificate that a CA (Certificate Authority) has. These certificates also get passed to browser makers, and are then included in your web browser. This is so that when your browser receives an SSL Web Site cert, it can use the CA Root Certificate to verify that the Web Site Cert is in fact valid.

Certificate Authority (CA)

A CA is the kind of web site from which you would buy a valid, secure SSL Web Site Certificate to use for HTTPS on your site. For example: Verisign.com, RapidSSL.com, Geotrust.com, etc. are Certificate Authorities. They have CA Root Certificates for generating and signing valid SSL Web Site Certificates.

It's helpful to understand that with all these certificates, there is a "chain of command". SSL Web Site Certificates are validated using the certificate of the CA that signed them. That CA certificate is frequently an "intermediate" that is itself signed by a higher CA certificate, and so on up to a root certificate. There is no single root for the whole world, though: a root certificate is self-signed and is trusted simply because the browser or operating system maker shipped it in the built-in trust store, and a typical browser ships well over a hundred of them, any one of which can anchor a chain for any web site. Thus each lower-ranking certificate is verified up the chain of command until a trusted root is reached. This all happens behind the scenes, and you have no idea it's occurring.
Piece of cake, right?

Now, where do these hash algorithms like MD5, SHA-1, and SHA-2 come into play?

All certificates contain information, like:
  • Web site domain (www.mysite.com)
  • Site location (country, state, etc.)
  • Site owner info (company name)
  • Period of validity
This information is verified before a certificate is issued. Once verified, the CA computes a hash of the certificate's contents and signs that hash with its private key; the result is the certificate's digital signature, which your browser checks with the CA's public key. Notice that the signature covers the hash, not the contents directly, which is exactly why the choice of hash algorithm matters. The only thing you really need to understand about hash algorithms is that what is supposed to happen is this:
  1. Data of any length (30 characters, 3000 characters, 40MB, whatever) is passed into the hash algorithm
  2. The hash algorithm chops up the data and mathematically processes it, thereby spitting out a signature – or digital fingerprint – of the data
  3. It should be practically impossible to find two different chunks of data with the same hash – just as the fingerprints of no two people should ever be the same
  4. The hash output is always the same size, regardless of the size of the input data (just like a fingerprint – no matter the size of the person)
Right. There is such a thing as a “hash collision”. This is when you have 2 hashes that are identical, but they were generated from different data. That’s like if you and your neighbor suddenly had the same thumbprint. OOPS!

Now, think about that for a minute... If the police were using these hashes, or thumbprints, to verify your identity, they might mistake you for your neighbor, or your neighbor for you, if you "had the same thumbprint". If they did no other checking, and just relied on that thumbprint, they might very well "authenticate" your identities completely incorrectly. BIG OOPS!

This is exactly what happened with the MD5 SSL attack outlined at the above link.

These smarty-pants people carefully bought a perfectly valid SSL Web Site Certificate from RapidSSL in 2008. Before buying it, they built a second certificate, a rogue CA certificate of their own, whose to-be-signed contents were crafted (using an MD5 "chosen-prefix" collision) to hash to exactly the same MD5 value as the contents of the certificate they were about to buy. This was possible because RapidSSL's serial numbers and validity dates were predictable, so the attackers knew in advance what the CA would sign, and because both certificates had a field the attackers controlled (the public key in the real certificate, a comment extension in the rogue one) where the collision bits could be hidden.

RapidSSL signed the hash of the legitimate certificate with its private key. Since the rogue CA certificate has the very same hash, that signature is just as valid on it: the attackers simply copied the CA's signature onto their own certificate, and it chains up to RapidSSL's root exactly as if RapidSSL had issued it.

Now, recall that a CA certificate - as long as it carries a valid signature that chains up to a trusted root - can be used to generate a valid SSL Web Site Certificate for any web site in the world... And neither you, nor RapidSSL, nor your browser will ever know that anything is amiss.
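The two mechanisms just described (a CA signature that covers only the hash of the certificate, and a hash collision that lets one signature be reused on a second certificate) can be shown end to end. The following is an added example, not code from the original article or from the 2008 paper: it uses textbook RSA with fixed Mersenne primes in place of real keys, replaces MD5 with SHA-256 deliberately cut down to 20 bits so that a collision is cheap to find by brute force, and the certificate fields, names ("Example CA", "Rogue Intermediate CA", www.attacker-shop.test) and serial numbers are constructed for the demo. It illustrates both the hash-property list above and the RapidSSL attack: the CA signs one harmless web site certificate, the signature transfers to the rogue CA certificate, and a forged certificate for www.gmail.com then validates all the way up to the trusted root.

```python
import hashlib
import json

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Textbook RSA from two primes: (modulus, private exponent). No padding,
    no random prime generation: fixed Mersenne primes keep the demo reproducible."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, d


CA_N, CA_D = make_key(2**127 - 1, 2**521 - 1)       # the trusted CA (RapidSSL's role)
ROGUE_N, ROGUE_D = make_key(2**89 - 1, 2**607 - 1)  # a key the attacker generated


def tbs_bytes(cert):
    """Canonical encoding of the to-be-signed fields (stand-in for DER)."""
    return json.dumps(cert, sort_keys=True).encode()


def weak_hash(data):
    """Stand-in for MD5: SHA-256 truncated to 20 bits, so a collision turns up
    after roughly 2^10 tries instead of needing real cryptanalysis."""
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big") >> 4


def strong_hash(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(tbs, d, n, h):
    """The CA signs the HASH of the contents, never the contents themselves."""
    return pow(h(tbs), d, n)


def verify(tbs, sig, n, h):
    return pow(sig, E, n) == h(tbs)


def find_collision(max_tries=1 << 14):
    """Birthday search over a field the attacker controls in BOTH certificates
    (the RSA modulus in the purchased cert and a comment extension in the rogue
    cert in 2008; a plain 'nonce' here). Every other field is fixed or predicted."""
    legit_seen, rogue_seen = {}, {}
    for i in range(max_tries):
        legit = {"subject": "www.attacker-shop.test", "issuer": "Example CA",
                 "ca": False, "serial": 4711, "pub_n": ROGUE_N, "nonce": i}
        rogue = {"subject": "Rogue Intermediate CA", "issuer": "Example CA",
                 "ca": True, "serial": 4711, "pub_n": ROGUE_N, "nonce": i}
        hl, hr = weak_hash(tbs_bytes(legit)), weak_hash(tbs_bytes(rogue))
        if hl == hr:
            return legit, rogue
        if hl in rogue_seen:
            return legit, rogue_seen[hl]
        if hr in legit_seen:
            return legit_seen[hr], rogue
        legit_seen[hl], rogue_seen[hr] = legit, rogue
    raise RuntimeError("no collision within budget")


def validate_chain(leaf, leaf_sig, inter, inter_sig, h, root_n=CA_N):
    """What a browser does: the intermediate must be marked as a CA and be signed
    by a trusted root; the leaf must be signed by the intermediate's own key."""
    return (inter["ca"] is True
            and verify(tbs_bytes(inter), inter_sig, root_n, h)
            and verify(tbs_bytes(leaf), leaf_sig, inter["pub_n"], h))


def demo(h=weak_hash):
    legit, rogue = find_collision()
    # The CA checks ownership of attacker-shop.test and signs ONLY that cert.
    issued_sig = sign(tbs_bytes(legit), CA_D, CA_N, h)
    # The attacker now signs a leaf for any name at all with the rogue CA key.
    mail = {"subject": "www.gmail.com", "issuer": "Rogue Intermediate CA",
            "ca": False, "serial": 1, "pub_n": ROGUE_N, "nonce": 0}
    mail_sig = sign(tbs_bytes(mail), ROGUE_D, ROGUE_N, h)
    return {
        "legit_verifies": verify(tbs_bytes(legit), issued_sig, CA_N, h),
        "rogue_ca_verifies": verify(tbs_bytes(rogue), issued_sig, CA_N, h),
        "forged_gmail_chain": validate_chain(mail, mail_sig, rogue, issued_sig, h),
    }


if __name__ == "__main__":
    print("weak hash:  ", demo(weak_hash))    # every check passes
    print("strong hash:", demo(strong_hash))  # only the legitimate cert passes
```

Running it with the weak hash, all three checks come back true even though the CA never saw the rogue certificate or the gmail.com one; switching the hash to full SHA-256 leaves only the legitimately issued certificate valid, which is the whole point of the migration the advisory asks for. The search succeeds only because the attacker can predict every field the CA will sign except the one they control; randomised serial numbers, which CAs adopted after 2008, are what break that predictability.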

Why is this a problem? For starters, consider a man-in-the-middle attack.


 You want to go to https://www.gmail.com. But some "hackers" have used another type of hack to insert their server between you and Gmail. Normally, this would not be possible, because you're using HTTPS! You're SAFE!

WRONG!

As far as anyone knows, you are connected to gmail.com over HTTPS. But in reality, what's happening is this:
  1. You try to connect to https://www.gmail.com
  2. The attacker diverts your request (perhaps using DNS cache poisoning or some other such attack) to a fake server
  3. Since Attacker's Server contains a falsely generated, perfectly valid SSL Web Site Certificate using the tricks outlined above, your browser doesn't know any better. Everything appears to be legit.
  4. You begin doing e-mail, but all your data is actually going encrypted to Attacker's Server, being decrypted and recorded/modified, and then Attacker's Server then passes the data on to the real https://www.gmail.com (using Gmail's actual, valid SSL cert).
  5. You have absolutely no clue that your "secure" communications are not secure in the least!
In other words, SSL / HTTPS means that the connection between your browser and the destination server at the URL you're visiting is supposed to be encrypted, and the certificate is supposed to prove that you reached the right server. But because certain types of SSL certificates (which handle both the encryption setup and that identification) can be forged, an attacker could set up a fake server that pretends to be the real destination server, and thus insert themselves in the middle of the connection. Once that is done, the attacker has control over the connection and the data, and can decrypt your data, manipulate it, and/or pass it on to the real intended destination server.

Now, isn't that a daisy?

"But wait!" you say. "Isn't it therefore good for Microsoft to recommend changing the hash function to SHA-256 if SHA-1 has the same potential problem as MD5 did back in 2008?"

An excellent question! Unfortunately, yes and no. Even if you, as a web site owner, change your SSL Web Site Certificate from one that is signed using SHA-1 to a new cert that is signed using SHA-2, you are still unsafe.

Why?

Because all it takes is for ONE trusted Certificate Authority to keep signing with a "weak" hash algorithm, and someone who is up to no good can get a forged CA certificate signed by it, exactly as in the RapidSSL case. Once they have that, they can generate as many SSL Web Site Certs as they want - using any hashing algorithm they please, SHA-2 included - among them a fake-yet-valid cert that they can use to impersonate your "secure" site! Your own brand-new SHA-2 certificate is never even consulted: the browser is presented with the forged one and is perfectly happy with it.

In other words, the weakness in the hashing algorithm is just the tip of the iceberg. Due to the hierarchical "chain of authority" in the whole certificate system, if anyone manages to create a false CA Root Cert, they are more or less god in terms of creating false SSL Web Site Certs.

Thus, for Microsoft's words to have an effect, two things have to hold: no trusted Certificate Authority (Web Site Cert issuer) anywhere in the world may still sign with SHA-1, and browsers and operating systems must actually start rejecting SHA-1 signatures on the deadline, because a chain validates for as long as the client still accepts the algorithm on every certificate in it. That client-side rejection is what the advisory's cut-off date is really about. Until then, any trusted CA still signing with SHA-1 is a weak link for everyone, and for the "security" to actually be more secure, everyone must upgrade right now. But this isn't going to happen.
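A practitioner reading the advisory will want to know which hash a given certificate was actually signed with. That is recorded in the outer signatureAlgorithm field of the X.509 structure, the same field that openssl x509 -text prints as "Signature Algorithm", and it can be read with a few lines of DER parsing. The following added example (not code from the original article or from Microsoft) walks that structure and maps the algorithm OID to a name. The sample certificates it tests on are constructed in place (an opaque, real-sized tbsCertificate plus a placeholder signature) and are not real certificates, and check_server is an assumed convenience wrapper around the standard library's ssl.get_server_certificate and ssl.PEM_cert_to_DER_cert.

```python
import ssl

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) worth recognising here.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles the long-form lengths that any real certificate uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs = [body[0] // 40, body[0] % 40]    # first byte packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128 with continuation bit
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Returns the name (or raw OID) of the algorithm the ISSUER signed with."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert)              # skip tbsCertificate entirely
    _, alg, _ = read_tlv(cert, pos)         # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    return SIG_ALG_OIDS.get(dotted, dotted)


def is_weakly_signed(der):
    return signature_algorithm(der) in WEAK_SIG_ALGS


def check_server(host, port=443):
    """Assumed helper: classify the leaf certificate a live server presents.
    The leaf only; the intermediates above it matter just as much."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample data, not real certificates ---------------------------
def encode_tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(alg_oid_der):
    tbs = encode_tlv(0x30, b"\x00" * 300)               # opaque, real-sized TBS
    alg = encode_tlv(0x30, alg_oid_der + b"\x05\x00")   # OID + NULL parameters
    sig = encode_tlv(0x03, b"\x00" + b"\xAA" * 256)     # BIT STRING placeholder
    return encode_tlv(0x30, tbs + alg + sig)


# The OIDs exactly as they appear on the wire: tag 06, length 09, base-128 arcs.
MD5_RSA_OID = bytes.fromhex("06092a864886f70d010104")
SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")

if __name__ == "__main__":
    for label, oid in [("md5", MD5_RSA_OID), ("sha1", SHA1_RSA_OID), ("sha256", SHA256_RSA_OID)]:
        der = fake_cert(oid)
        print(label, signature_algorithm(der), "WEAK" if is_weakly_signed(der) else "ok")
```

One caveat when applying this to a real chain: the self-signed root at the top is trusted by being in the store, not by its signature, so the algorithm on the root's own signature is irrelevant. What has to be checked is the signature algorithm on every certificate below it, the intermediates included, because a SHA-1 signature on an intermediate is exactly the weak link the text above describes.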

Now, if that isn't bad enough, think about all the NSA spying. Think about how many people said, "Naw, man, I just surf using HTTPS, and I'm totally safe!"

You think so?

I don't. You know why? Well, you should, by now... But there's more!

Guess who invented the SHA-1 hash algorithm in 1995?

The NSA.

Guess who invented SHA-2 in 2001?

The NSA.

So, why should all the Certificate Authorities switch from the NSA's SHA-1 to the NSA's SHA-2? Why, because the NSA created it the way they did for a reason!

SHA-1 already has been theoretically breached, and there are a few indications that SHA-2 isn't quite as super-duper-safe as everyone thinks.

Imagine you are the NSA. You want to spy on everyone, everyone's grandmother, the grandmothers' cats, and the mice that are currently being digested inside the cats. SSL is kind of a problem... It can use pretty annoying encryption. Well, hell! No problem. Just compromise the "certificate authority chain" by forging one little CA Root Certificate, and blammo! You can eavesdrop and man-in-the-middle anybody you darn well please, SSL or not!

Web sites over SSL? No problem.

E-mail over SSL? No problem.

I have said it before, and I'll say it again: There never was security or privacy on the internet, there is no security or privacy on the internet now, and most likely there never will be. Not unless some very big changes are made...

And do you know why all this (and much, much more) is possible?

Because just like you, I had no knowledge of the gaping holes in SSL. Awareness of this and many other issues - technological, political, psychological, social, etc. - is absolutely essential.

Otherwise, frankly, we're screwed.
Links:

Fake SSL certificates deployed across the internet


The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software


Sunday, May 13, 2012

FBI Pushing Plan to Force Surveillance Backdoors on Social Networks, Web Email Providers and VOIP



The FBI wants Internet companies to support a proposal that would require firms like Microsoft, Facebook, Yahoo, and Google to build in backdoors for government surveillance. If passed, these companies would have to provide the bureau with decryption tools to make sense of the information that it captures.

The Communications Assistance for Law Enforcement Act (CALEA) already assists law enforcement by requiring telecommunications carriers to cooperate with police in conducting lawfully authorized electronic surveillance. The FCC extended CALEA in 2004 to apply to broadband providers, but web companies are not covered under this law.

Of course, once again, it's all in the name of national security and public safety.


Monday, November 15, 2010

Beware the Heart of Darkness that May Beat Behind the Benevolence of Billionaires

It shouldn't come as any surprise that power increases moral hypocrisy; nevertheless, that's what Dutch researchers found when they tested that hypothesis. They noted, "the powerful impose more normative restraints on other people, but believe that they themselves can act with less restraint." In other words, we, the less powerful, cannot afford to trust the rich and powerful; therefore, it's incumbent upon us to educate and inform ourselves beyond the elite propaganda.

The billionaires were each given 15 minutes to present their favourite cause. Over dinner they discussed how they might settle on an “umbrella cause” that could harness their interests.

The issues debated included reforming the supervision of overseas aid spending to setting up rural schools and water systems in developing countries. Taking their cue from Gates they agreed that overpopulation was a priority.
Take tech titan Bill "Microsoft" Gates, who gathered some of the world's wealthiest and most powerful billionaires, in secret, to discuss curbing global population, something he claims is the most important issue of our time. During his speech, "Innovating to Zero", he clearly states his agenda: "First we got population. The world today has 6.8 billion people. That's headed up to about 9 billion. Now if we do a really great job on new vaccines, health care, reproductive health services, we lower that by perhaps 10 or 15 percent."

Considering Mr. Gates's history, which falls on the sociopathic end of the spectrum, and his dedication and investment (the Gates Foundation is actually an investment firm that reaps vast financial gains every year from investments that contravene its good works) in vaccinating the entire planet, his words are a little disturbing, to say the least.
The Gates Foundation has poured $218 million into polio and measles immunization and research worldwide, including in the Niger Delta. At the same time that the foundation is funding inoculations to protect health, The Times found, it has invested $423 million in Eni, Royal Dutch Shell, Exxon Mobil Corp., Chevron Corp. and Total of France — the companies responsible for most of the flares blanketing the delta with pollution, beyond anything permitted in the United States or Europe.

So first, we should ask ourselves: Is overpopulation the overarching problem that Bill Gates asserts?

Next, we must explore beneath the surface of Mr. Gates's persuasive rhetoric, because, in general, the truth is seldom found on the surface. In Mr. Gates's case, however, you can be certain that no matter how sincere his posture, it is only a pretense disguising his real purpose: covert coercion to his will.

The Gates Foundation's investment portfolio included 500,000 shares of Monsanto stock. (The short list of Monsanto's toxic products includes Agent Orange, PCBs, aspartame, rBGH, and Roundup.) Monsanto recently purchased the services of Xe (Blackwater) Intelligence Services, and it was within that same time frame that Bill Gates purchased $23 million (US) of Monsanto stock, marking a substantial increase from the foundation's previous holdings, valued at just over $360,000.

Neo-Eugenics masquerading as altruism?

According to Edwin Black in his book, War Against the Weak, the eugenics movement got its start at the turn of the last century.  "American corporate philanthropy combined with prestigious academic fraud to create the pseudoscience eugenics". The Rockefeller Foundation funded eugenics research in Germany through the Kaiser-Wilhelm Institutes in Berlin and Munich, including well into the Third Reich and it was John D. Rockefeller III, a life-long advocate of eugenics, who used his “tax free” foundation money to initiate the population reduction neo-Malthusian movement through his private Population Council in New York beginning in the 1950’s.

In William Engdahl's book, Seeds of Destruction: The Hidden Agenda of Genetic Manipulation, he reports that using vaccines to covertly reduce births in the Third World is not new.  Bill Gates’ good friend, David Rockefeller and his Rockefeller Foundation were involved as early as 1972 in a major project together with WHO and others to perfect another “new vaccine.”

GMO crops and patented seeds were developed in the 1970s with significant financial support from the pro-eugenics Rockefeller Foundation, by what were essentially chemical companies: Monsanto Chemicals, DuPont and Dow Chemicals. All three were involved in the scandal of the highly toxic Agent Orange used in Vietnam, as well as dioxin in the 1970s, and lied to cover up the true damage to their own employees as well as to the civilian and military populations exposed.
The Bill and Melinda Gates Foundation, along with David Rockefeller’s Rockefeller Foundation, the creators of the GMO biotechnology, are also financing a project called The Alliance for a Green Revolution in Africa (AGRA) headed by former UN chief, Kofi Annan. Accepting the role as AGRA head in June 2007 Annan expressed his “gratitude to the Rockefeller Foundation, the Bill&Melinda Gates Foundation, and all others who support our African campaign.” The AGRA board is dominated by people from both the Gates’ and Rockefeller foundations.
The bottom line seems to be that the partnership between government, the major foundations and the agribusiness industry reaps far more reward than do the purported recipients of the billionaire's "benevolence".

Links:

US v. Microsoft Timeline

Microsoft v. US trial on Youtube


Docs Reveals Blackwater-Linked Companies Provided Intel & Security to Multinationals Like Monsanto, Chevron


Monday, May 26, 2008

Browser Wars Are Back.


Over one-hundred years ago, the railroad became the foundation of our economy, just as the web is becoming today.

The Internet swept us into its "web" so fast that it's hard to believe that less than 10 years ago most of us thought windows were the framed glass panes through which we could see what lurked outside, and a mouse was a timid, small rodent with the power to make creatures 50 times larger than itself scream bloody murder and jump up on the nearest piece of furniture in sheer terror.

Marc Andreessen, co-founder of Netscape, set in motion this ball of fire, which led to what is now known as the browser wars. Unfortunately, Netscape had to contend with the already established giant, Microsoft, which wanted to control the Internet revolution despite Andreessen getting there first. Microsoft had no interest in the Internet until Bill Gates woke up one day and saw it as the next big thing. Microsoft, using its immense power, won; Netscape was acquired by AOL in 1999 for $4.2 billion, and Andreessen became AOL's Chief Technology Officer.

Now it looks as if Mozilla, who rose from the ashes of Netscape, may start up the browser wars once again daring to ruffle Microsoft's feathers with Firefox 3.0.


Firefox now has 170 million users around the world and an 18 percent share of the browser market, according to Net Applications. That is especially impressive given that most of its users have made the active choice to download the software, while Internet Explorer is installed on most PCs at the factory.
Microsoft is coming out with Internet Explorer 8, nevertheless, Mozilla says Firefox 3.0 runs twice as fast as its previous version, is smarter, uses less memory and makes it much easier for users to personalize.

Adding to the competition are Apple's Safari web browser, which has a little over 5 percent of the market, and Flock, which is attempting to develop a browser that helps users share photos, videos and blog entries more easily.


Monday, March 31, 2008

Not All Brands Are Created Equal


Apple, Google, Microsoft, Coca-Cola, McDonald's and Starbucks seem to dominate the results from Interbrand's brandchannel 2008 Brandjunkie Survey (top 20 answers to each question, in rank order):

What brand would you most like to sit next to at a dinner party?
Top answers:

  1. Apple
  2. Virgin
  3. Google
  4. Coca-Cola
  5. Nike
  6. Chanel
  7. Victoria's Secret
  8. Microsoft
  9. Nokia
  10. Absolut
  11. ARMANI
  12. Diesel
  13. innocent
  14. BMW
  15. adidas
  16. Disney
  17. PRADA
  18. Starbucks
  19. None
  20. Louis Vuitton

What brand, if sent back 100 years would have the biggest impact on the course of history?
Top answers:
  1. Apple
  2. Microsoft
  3. Google
  4. Coca-Cola
  5. Ford
  6. IBM
  7. McDonald's
  8. Virgin
  9. Nokia
  10. Nike
  11. None
  12. Sony
  13. Greenpeace
  14. Toyota
  15. Durex
  16. Boeing
  17. Intel
  18. USA
  19. GE
  20. Starbucks

What brand that no longer exists would you resurrect?
Top answers:
  1. None
  2. Pan Am
  3. ATARI
  4. TWA
  5. Cingular
  6. Oldsmobile
  7. Marathon
  8. Compaq
  9. IBM
  10. MG
  11. Polaroid
  12. Braniff
  13. Eaton's
  14. Studebaker
  15. Netscape
  16. Ansett
  17. Fresca
  18. Amena
  19. Plymouth
  20. TAB

Which brand do you want to argue with?
Top answers:
  1. Microsoft
  2. Apple
  3. None
  4. Coca-Cola
  5. McDonald's
  6. Wal-Mart
  7. Starbucks
  8. Nike
  9. Sony
  10. Google
  11. General Motors
  12. Dell
  13. Pepsi
  14. AT&T
  15. BP
  16. USA
  17. Ford
  18. Yahoo!
  19. Levi's
  20. Shell

If you were to describe yourself as being a brand, what brand would you be?
Top answers:
  1. Apple
  2. Nike
  3. Coca-Cola
  4. Virgin
  5. BMW
  6. Audi
  7. Target
  8. Toyota
  9. None
  10. Google
  11. Sony
  12. adidas
  13. Mercedes
  14. Chanel
  15. Pepsi
  16. Volkswagen
  17. Puma
  18. MINI
  19. Starbucks
  20. Disney

Which brand inspires you the most?
Top answers:
  1. Apple
  2. Nike
  3. Coca-Cola
  4. Google
  5. Starbucks
  6. Virgin
  7. BMW
  8. None
  9. Target
  10. Nokia
  11. Innocent
  12. adidas
  13. Dove
  14. Barack Obama
  15. Mercedes
  16. Disney
  17. Chanel
  18. Toyota
  19. Sony
  20. IKEA

If you could rebrand any brand, what brand would it be?
Top answers:
  1. Microsoft
  2. USA
  3. Ford
  4. Coca-Cola
  5. Pepsi
  6. General Motors
  7. None
  8. Gap
  9. Starbucks
  10. Sony
  11. BMW
  12. Nike
  13. Apple
  14. Reebok
  15. McDonald's
  16. Wal-Mart
  17. Levi's
  18. Mercedes
  19. Avon
  20. Sears

What brand can you not live without?
Top answers:
  1. Apple
  2. None
  3. Coca-Cola
  4. Google
  5. Starbucks
  6. Nokia
  7. Microsoft
  8. Pepsi
  9. Nike
  10. Sony
  11. McDonald's
  12. Colgate
  13. Nestlé
  14. BlackBerry
  15. adidas
  16. Intel
  17. Procter & Gamble
  18. Dell
  19. BBC
  20. Target

What brand is most likely to revolutionize the branding industry in the next five years?
Top answers:
  1. Apple
  2. Google
  3. Doesn't exist yet
  4. Facebook
  5. Nike
  6. Nokia
  7. Virgin
  8. Microsoft
  9. YouTube
  10. Barack Obama
  11. Sony
  12. Toyota
  13. Coca-Cola
  14. Interbrand
  15. Starbucks
  16. Target
  17. Second Life
  18. China
  19. Samsung
  20. innocent

What brand do you think is truly (going) "green"?
Top answers:
  1. None
  2. Toyota
  3. BP
  4. The Body Shop
  5. Honda
  6. General Electric
  7. Virgin
  8. Patagonia
  9. Greenpeace
  10. Whole Foods Market
  11. Marks & Spencer
  12. Apple
  13. Wal-Mart
  14. Starbucks
  15. Innocent
  16. Shell
  17. BMW
  18. Seventh Generation
  19. Aveda
  20. Clorox
2007 Best Global Brands


Monday, October 29, 2007

Steve Jobs Makes Bill Gates Look Like a Saint.

I get the feeling Steve Jobs is not a very nice person. This is not the first story I've heard about the kind of man he is. I apologize if it turns out Jobs is giving away his fortune anonymously and is some kind of saint, but I doubt it.

Jobs, worth $3.3 billion, making him the 67th richest American, is certainly in a position to make the world a better place, but if this story is any indication of the way he runs his business, I'll never buy an iPod, iMac or anything with the Apple name. Viruses and all, I'll stick with Bill Gates... at least the guy puts his money where his mouth is.

I like Mr. William H. Gates, Sr., Bill Gates's father, as well. I posted about him a few years back.

William Gates Sr., Bill Gates's father, is an advocate for a fair economy and for Responsible Wealth, which is a national network of businesspeople, investors and affluent Americans who are concerned about deepening economic inequality and are working for widespread prosperity. Its three primary areas of work are tax fairness, corporate responsibility, and living wages.

He truly believes that the wealthiest of us have a debt to the "source of their opportunity" which is the United States that enabled them through a stable government that educates its citizens, provides law and order and keeps us safe from harm, and supports research that gives them the necessary information to build wealth.
