
Friday, March 14, 2014

The Gaping Holes in HTTPS and SSL Security!

Scott Ogrin, a blogger, who is a software engineer as well as an electrical and computer engineer with a BSEE and MSEE, breaks it down for you in the following article:

In this day and age of well-known NSA spying, everyone keeps saying that the only way to be safe is to use SSL/TLS, commonly known as "browsing with https://".

The sad reality is that HTTPS does virtually nothing to protect you from the prying eyes of alphabet soup agencies - or anybody else with enough knowledge about how these supposedly "secure" connections actually work.

It's true that connecting to web sites with SSL will certainly prevent "script kiddies" and other more winky opponents from eavesdropping on your surfing or otherwise interfering in your affairs. But as for the Real Bad Guys, forget it...

We shall begin by taking a brief dive down the rabbit hole of SSL, hopefully in a way that will make sense to even the least technically inclined among us.

This issue is, after all, so extremely important that I think everyone needs to understand what is really going on, and how web security actually works, without needing a PhD in cryptography, computer science, or engineering!

Our story begins with a little e-mail I received the other day. The basic message can be found here:
Microsoft Security Advisory (2880823)

Of course, the idea that Microsoft of all companies is warning me about security is kind of laughable, so I didn't pay much attention. Nevertheless, there was this little voice in the back of my mind that kept pestering me, so I decided to dig in and see what all the hoopla was about... or indeed if any hoopla was even warranted.

"Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information."

Okay, so that's probably like trying to read a foreign language to most people. Even I didn't understand exactly how these hashing algorithms were used with SSL. So, I started digging. What I found nearly floored me:

MD5 considered harmful today: Creating a rogue CA certificate

Now, if you thought the M$ advisory was confusing, take a peek at the above link.

WOW! That's wild.

In summary, way back in 2008, some smart people figured out a way to make themselves a Fake SSL Certificate Authority, and they accomplished this feat by using a weakness in the MD5 hashing algorithm. [...]

First, let's define some terms - hopefully in Plain English:

SSL Web Site Certificate

This is a digital certificate, with a digital signature, that verifies that a website is who they say they are. When you connect to a web site using SSL (HTTPS), your browser says, "Papers, please!" The remote site then sends the SSL Web Site Certificate to your browser. Your browser then verifies the authenticity of this "passport". Once verified, encrypted communications ensue. The point of the SSL Web Site Certificate is that under no circumstances should anyone else be able to create a valid, signed certificate for a web site that they do not own and operate. In order to obtain an SSL Web Site Cert, you must verify by varied means that you are the owner and operator of the web site involved. So, using HTTPS is not only for encryption of communications, but also a way to verify that the site you are communicating with is the Real Thing, and not an imposter. And of course you must pay for the certificate!

Certificate Authority (CA) Root Certificate

This is also a digital certificate, with a digital signature... But in this case, this certificate can be used to create and digitally sign normal SSL Web Site Certificates. This is the kind of certificate that a CA (Certificate Authority) has. These certificates also get passed to browser makers, and are then included in your web browser. This is so that when your browser receives an SSL Web Site cert, it can use the CA Root Certificate to verify that the Web Site Cert is in fact valid.

Certificate Authority (CA)

A CA is the kind of web site from which you would buy a valid, secure SSL Web Site Certificate to use for HTTPS on your site. For example: Verisign.com, RapidSSL.com, Geotrust.com, etc. are Certificate Authorities. They have CA Root Certificates for generating and signing valid SSL Web Site Certificates.

It's helpful to understand that with all these certificates, there is a "chain of command". SSL Web Site Certificates are validated and authenticated using CA Root Certificates. CA Root Certificates are validated with yet higher-authority certificates, all the way up the pyramid to The One Great Root Certificate, which is like the God of Certificates. Thus, each lower-ranking certificate is verified up the chain of command. This all happens behind the scenes, and you have no idea it's occurring.
Piece of cake, right?

Now, where do these hash algorithms like MD5, SHA-1, and SHA-2 come into play?

All certificates contain information, like:
  • Web site domain (www.mysite.com)
  • Site location (country, state, etc.)
  • Site owner info (company name)
  • Period of validity
This information is verified before a certificate is issued. Once verified, a hash of the data is generated. This hash acts as the digital signature for the certificate. The only thing you really need to understand about hash algorithms is that what is supposed to happen is this:
  1. Data of any length (30 characters, 3000 characters, 40MB, whatever) is passed into the hash algorithm
  2. The hash algorithm chops up the data and mathematically processes it, thereby spitting out a signature – or digital fingerprint – of the data
  3. The hash of no two chunks of data should ever be the same – just as the fingerprints of no two people should ever be the same
  4. The hash output is always the same size, regardless of the size of the input data (just like a fingerprint – no matter the size of the person)
Right. There is such a thing as a “hash collision”. This is when you have 2 hashes that are identical, but they were generated from different data. That’s like if you and your neighbor suddenly had the same thumbprint. OOPS!

Now, think about that for a minute... If the police were using these hashes, or thumbprints, to verify your identity, they might mistake you for your neighbor, or your neighbor for you, if you "had the same thumbprint". If they did no other checking, and just relied on that thumbprint, they might very well "authenticate" your identities completely incorrectly. BIG OOPS!

This is exactly what happened with the MD5 SSL attack outlined at the above link.

These smarty-pants people were able to carefully buy a valid SSL Web Site Certificate from RapidSSL in 2008. Before they did that, they created their own CA Root Certificate in such a way that the hash (fingerprint) of their valid, just-purchased Web Site Cert was identical to the hash of the FAKE CA Root Certificate that they created out of thin air.

Since RapidSSL had just said, "Dudes, this Web Site Certificate fingerprint is valid!", and since this was the same fingerprint on the fake CA Root Cert, the forged CA Root Certificate becomes valid.

Now, recall that a CA Root Certificate - as long as it has a valid hash/fingerprint that will validate up the "chain of authority" - can be used to generate a valid SSL Web Site Certificate for any web site in the world... And neither you, nor RapidSSL, nor your browser will ever know that anything is amiss.
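Why a hash collision carries a CA's signature from one certificate to another, as an added example that is not part of the original article. It assumes a deliberately weakened hash (SHA-256 cut to 24 bits) so a collision can be found in moments, and HMAC standing in for the CA's signature; the certificate bodies and key are constructed, and the 2008 research used a far more involved MD5 technique.

```python
import hashlib
import hmac

CA_KEY = b"constructed-demo-ca-key"  # constructed stand-in for the CA's private key


def strong_hash(data):
    """Full 256-bit SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def toy_hash(data, bits=24):
    """Deliberately weak hash (assumption): only the top `bits` bits of SHA-256."""
    return strong_hash(data) >> (256 - bits)


def ca_sign(cert_body, hash_fn):
    """The CA signs hash(cert_body), never the body itself.
    HMAC stands in for the public-key signature a real CA would produce."""
    digest = hash_fn(cert_body).to_bytes(32, "big")
    return hmac.new(CA_KEY, digest, hashlib.sha256).digest()


def verify(cert_body, signature, hash_fn):
    """Recompute the signature over hash(cert_body) and compare."""
    return hmac.compare_digest(ca_sign(cert_body, hash_fn), signature)


def find_collision(hash_fn, limit=200_000):
    """Search constructed bodies for a website cert and a CA cert with equal hash."""
    sites, cas = {}, {}
    for i in range(limit):
        site = b"CN=www.example.test;CA=FALSE;serial=%d" % i
        ca = b"CN=Constructed Demo CA;CA=TRUE;serial=%d" % i
        hs, hc = hash_fn(site), hash_fn(ca)
        sites[hs], cas[hc] = site, ca
        if hs in cas:
            return site, cas[hs]
        if hc in sites:
            return sites[hc], ca
    return None


def signature_transfers(hash_fn, limit=200_000):
    """True if a signature issued for a website body also verifies on a CA body."""
    pair = find_collision(hash_fn, limit)
    if pair is None:
        return False
    site, ca = pair
    return verify(ca, ca_sign(site, hash_fn), hash_fn)


if __name__ == "__main__":
    print("weak hash, signature transfers:", signature_transfers(toy_hash))
    print("SHA-256, signature transfers:", signature_transfers(strong_hash, 5000))
```

With the full SHA-256 digest the same search finds nothing, which is why verifiers are configured to reject signatures made over MD5 or SHA-1.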

Why is this a problem? For starters, consider a man-in-the-middle attack.


 You want to go to https://www.gmail.com. But some "hackers" have used another type of hack to insert their server between you and Gmail. Normally, this would not be possible, because you're using HTTPS! You're SAFE!

WRONG!

As far as anyone knows, you are connected to gmail.com over HTTPS. But in reality, what's happening is this:
  1. You try to connect to https://www.gmail.com
  2. The attacker diverts your request (perhaps using DNS cache poisoning or some other such attack) to a fake server
  3. Since Attacker's Server contains a falsely generated, perfectly valid SSL Web Site Certificate using the tricks outlined above, your browser doesn't know any better. Everything appears to be legit.
  4. You begin doing e-mail, but all your data is actually going encrypted to Attacker's Server, being decrypted and recorded/modified, and Attacker's Server then passes the data on to the real https://www.gmail.com (using Gmail's actual, valid SSL cert).
  5. You have absolutely no clue that your "secure" communications are not secure in the least!

In other words, SSL / HTTPS means that the connection between your browser and the destination server at the URL you're visiting is supposed to be encrypted. But due to the fact that certain types of SSL certificates (which help handle the encryption) can be forged, an attacker could set up their fake server that pretends to be the real destination server, and thus insert themselves in the middle of the connection. When that is done, the attacker has control over the connection and the data, and can thus decrypt your data, manipulate it, and/or pass it on to the real intended destination server.

Now, isn't that a daisy?

"But wait!" you say. "Isn't it therefore good for Microsoft to recommend changing the hash function to SHA-256 if SHA-1 has the same potential problem as MD5 did back in 2008?"

An excellent question! Unfortunately, yes and no. Even if you, as a web site owner, change your SSL Web Site Certificate from one that is signed using SHA-1 to a new cert that is signed using SHA-2, you are still unsafe.

Why?

Because all it takes is for ONE Certificate Authority to use a "weak" hash algorithm, and someone who is up to no good can generate a forged CA Root Certificate. Once they have that, they can generate as many SSL Web Site Certs as they want - using any hashing algorithm they please - including a fake-yet-valid cert that they can use to impersonate your "secure" site!

In other words, the weakness in the hashing algorithm is just the tip of the iceberg. Due to the hierarchical "chain of authority" in the whole certificate system, if anyone manages to create a false CA Root Cert, they are more or less god in terms of creating false SSL Web Site Certs.

Thus, in order for Microsoft's words to have an effect, there must not be ANY Certificate Authority (Web Site Cert issuer) in the whole world that still uses SHA-1. In order for the "security" to actually be more secure, everyone must upgrade right now. But this isn't going to happen.

Now, if that isn't bad enough, think about all the NSA spying. Think about how many people said, "Naw, man, I just surf using HTTPS, and I'm totally safe!"

You think so?

I don't. You know why? Well, you should, by now... But there's more!

Guess who invented the SHA-1 hash algorithm in 1995?

The NSA.

Guess who invented SHA-2 in 2001?

The NSA.

So, why should all the Certificate Authorities switch from the NSA's SHA-1 to the NSA's SHA-2? Why, because the NSA created it the way they did for a reason!

SHA-1 already has been theoretically breached, and there are a few indications that SHA-2 isn't quite as super-duper-safe as everyone thinks.

Imagine you are the NSA. You want to spy on everyone, everyone's grandmother, the grandmothers' cats, and the mice that are currently being digested inside the cats. SSL is kind of a problem... It can use pretty annoying encryption. Well, hell! No problem. Just compromise the "certificate authority chain" by forging one little CA Root Certificate, and blammo! You can eavesdrop and man-in-the-middle anybody you darn well please, SSL or not!

Web sites over SSL? No problem.

E-mail over SSL? No problem.

I have said it before, and I'll say it again: There never was security or privacy on the internet, there is no security or privacy on the internet now, and most likely there never will be. Not unless some very big changes are made...

And do you know why all this (and much, much more) is possible?

Because just like you, I had no knowledge of the gaping holes in SSL. Awareness of this and many other issues - technological, political, psychological, social, etc. - is absolutely essential.

Otherwise, frankly, we're screwed.

Links:

Fake SSL certificates deployed across the internet


The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software


Sunday, January 18, 2009

Founding Fathers Sanction Open Source Society

No, the Founding Fathers have not come back to life - although if they did, they wouldn't last long after witnessing what's left of the Constitution - however, their writings and example send a clear message on the topic of "open access".

Some proprietary companies claim and will continue to claim that open source or open access is communist or anti-American. The Founding Fathers would have claimed the opposite, as they had definite opinions on the free flow of information and remained very skeptical about copyright laws. They would cringe at the idea of extending copyright as we do today, as it creates monopolies and offers no public benefit. Consider the greatest inventor of all time, Benjamin Franklin, who never patented a thing he invented.

Almost 240 years ago, a good friend of Ben Franklin, Joseph Priestley, illustrated this point further. Primarily famous for figuring out that plants create "good air", thereby replacing the air animals consume, Priestley proved to be revolutionary in more fields than one - in particular, science, religion, and politics - and far more influential than he was given credit for.

According to Steven Johnson, author of "The Invention of Air: A Story of Science, Faith, Revolution, and the Birth of America", Priestley is "the missing philosophical link between our founding fathers." Priestley greatly influenced the Founding Fathers, including Thomas Jefferson, John Adams and Benjamin Franklin, to whom Priestley wrote after his discovery of "good air" and with whom he had a collaborative and intellectual relationship.

"That the vegetable creation should restore the air which is spoiled by the animal part of it, looks like a rational system." -- Ben Franklin responding to Priestley

Years later, after Priestley accepted a job as a minister, he moved into a temporary residence adjacent to a brewery, to await the house he was supposed to move into. While there, he noticed a haze coming off the brewing beer and, upon further investigation, discovered carbonation, hence his discovery of soda water. He immediately published the recipe for his new invention without thought to profit; as Steve Johnson writes, "The idea of proprietary secrets, of withholding information for personal gain, was unimaginable in that group." Of course, years later, in 1783, Johann Schweppe patented the process, which continues to provide "personal gain" through today.

Ben Franklin said the following regarding the subject of open access after he invented the Franklin stove:
I wrote and published a pamphlet, entitled "An Account of the new-invented Pennsylvania Fireplaces; wherein their Construction and Manner of Operation is particularly explained; their Advantages above every other Method of warming Rooms demonstrated; and all Objections that have been raised against the Use of them answered and obviated," etc. This pamphlet had a good effect. Gov'r. Thomas was so pleas'd with the construction of this stove, as described in it, that he offered to give me a patent for the sole vending of them for a term of years; but I declin'd it from a principle which has ever weighed with me on such occasions, viz., That, as we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours; and this we should do freely and generously. -- Ben Franklin
The idea behind the Founding Fathers' thinking was that the free flow of ideas and information fosters the growth of original thought and, as Ben Franklin said, attracts the attention of genius who can improve upon and solve problems half understood.

Fast forward to the last Presidential campaign. Obama used open source software and McCain used proprietary software. With proprietary, society gets the soda water, and with open source or open access, society gets soda water and the recipe for the soda water. President-elect Obama's tech agenda seems to support the latter. His choice of Julius Genachowski to chair the FCC is at the very least, an improvement. So, even though the first stab at a Broadband Bill is disappointing, it appears that net neutrality, open source and a more level playing field just might have a chance.
"We can’t allow a system of gatekeepers to get built into the network. The Internet shouldn’t be harnessed for the profit of a few, rather than the good of the many; value should come from the quality of information, not the control of access to it." -- Damian Kulash Jr. lead singer of OK Go
Some Open Source links:

Open sustainability camp

Open source car

Open source comes to medical instruments.

Software industry vs. software society

Open Democracy - aims to build the open source model for news analysis and opinion


Sunday, December 14, 2008

Browser Racism?

Blackbird is a web browser for the African American community, developed by a group of African American entrepreneurs, under the direction of Ed Young, CEO of Blackbird. At face value, it is a regular browser; however, intrinsic to its creation, just two or three clicks away, the user can access expanded content that is targeted toward the black community and not easily found elsewhere.

Rather than segregating black content, this browser pulls out black focused information, into the web, bringing it to the forefront. This information could be found in a GOOGLE search, however, it may show up as result number 17,100,000. In other words, this browser sorts the information differently than Internet Explorer, Firefox, or Safari.

White Bird was created in response to the Blackbird project. Of course, by default, all popular downloaded browsers are "whitebirds", making the creation of White Bird nothing more than a spoof.

"White Bird was developed on the simple proposition that we, as the White American community, can make the Internet experience better for ourselves and, in doing so, make it better for everyone. Primarily we believe that the White Bird application can make it easier to find White American related content on the Internet and to interact with other members of the White American community online by sharing stories, news, comments and videos via White Bird."

So, is the Blackbird browser racist? Is the White Bird browser racist?

First, we should define racism. If we define racism as hatred or intolerance of another race or the prejudice that members of one race are intrinsically superior to members of other races...Blackbird does not qualify. Nor does it segregate, as it only rearranges information...it does not take away information. The user is also given the choice (radio button) to use it as a "regular" browser.

Second, Blackbird affords a certain part of our population the opportunity to obtain information the same way the majority does - leveling the playing field, in a sense - therefore, if anything, Blackbird counters an intrinsic "racism", that is almost impossible to eliminate because it is generated by demographics, and is not the result of malicious intent.

The White Bird browser, on the other hand, might be a tad "racist". That is, if it does not allow the user to include results other than "whitebird", especially considering "whitebird" browsers are a dime a dozen. Other than providing a little amusement, White Bird serves no purpose, as - like I said before - all browsers are "whitebird".

In conclusion, the Blackbird browser is not racist at all and despite what I said before, I believe White Bird is not racist either...just useless or funny, depending on your perspective.

Jay Smooth, host of NY's WBAI's Underground Railroad, and founder of one of the first hip-hop websites, hiphopmusic.com does a very good job clarifying racism, including how best to respond to it.

"I don't care what you are; I care what you did." - Jay Smooth


Tuesday, April 01, 2008

Internet is Slowly Changing Current Ownership Culture

"Ownership" implies control, and our Founding Fathers conceived of an "ownership society" in which "We the People" could easily participate, enabling us to maintain a certain amount of control over our own lives. Back then, society was primarily agrarian, and owning land not only provided shelter but also offered, if one was willing to work hard, a source of income.

Today, owning land does not carry the same weight as it once did, making it much harder to maintain control over one's life, therefore making it impossible to preserve the Founding Fathers' idea of what an "ownership society" looks like. In order to maintain their vision, we must revise the outdated model based on agrarian culture and update it to an "ownership society" based on the technological society we currently have.

The birth of the Internet offers the potential to forge a new type of "ownership society", once again giving everyone a chance to participate. Ecommerce, or using the Internet as part of your business model, allows us to participate as we have not been able to do for a long time, considering that a very small number of large bureaucratic corporations make it impossible to compete on our own, forcing most of us to submit to them where everything is on their terms. Web based services such as Ashop Commerce make it simple by providing shopping cart software anyone can customize in an attempt to start a business of their own.

Of course, "We the People" have a long way to go before we can honestly say we own our own lives again, because it is clear we do not; however, the Internet is one option available to all of us that can free us from the corporatization of society.


Sunday, March 23, 2008

What's New in Web Based Applications?

Under the Radar showcases emerging startups and identifies trends. Listed below are some of the cool web based applications available:

blist is a web based database with a Flash interface that eliminates the need to wedge data into what's become the pseudo database, Excel. It democratizes the function of organizing data by allowing the user to store photos, lists, star ratings and documents, and to create new blists in each cell, in a completely user-friendly environment.

GetSatisfaction, people powered customer service for absolutely everything, is a place where people can get the most from the products they use, and where companies are encouraged to get real with their customers.

Kwiry, turns text messages into reminders you retrieve online.

Magento is an open-source eCommerce platform with "design flexibility, modular architecture and rich functionality."

NuConomy goes beyond the old page view model of site analytics and starts to measure engagement. It is a two way API, allowing your site to make changes automatically depending on input from the service. Correlation, which shows how things on the site affect other things, page hits, ratings, comments and other metrics can be weighted differently to come up with an overall algorithm to compare authors. It removes the human element which can slow things down.

SlideRocket, very similar to PowerPoint is a rich Internet application. It offers the ability to "design professional quality presentations, manage and share libraries of slides and assets, and to deliver presentations in person or remotely over the web."

SlideShare is the best way to share your presentations with the world. Let your ideas reach a broad audience.

Splashtop allows you to read e-mail, chat with friends, or surf the Web seconds after pushing the power button.

SupportSpace gives you instant access to a robust network of certified tech support experts.

Vello generates conference calls instantly or scheduled in advance, from anywhere, at any time.

