Posts Tagged ‘Web’
It really bothers me when websites truncate their posts in RSS feeds and only show you little snippets of the story. It defeats the purpose of RSS – and renders my offline reader useless. I can understand why they do it; they want to get page views and ad impressions, and most of the time the post isn’t that interesting so I skip it. But really, does the Whitehouse.gov RSS feed have to do it too?
I have a problem with certificate authorities. I hate that most people have no idea what they are even though they deal with them every time they browse the web. Show of hands, does anyone understand what these dialogs are talking about?
I’m going to venture a guess that not many people raised their hands. So you’re all told to look for certain visual cues when browsing sensitive sites (banking, etc.) but I’m sure no one ever told you what they mean or why they’re necessary. I’m about to tell you why it is all utterly stupid.
This all pertains to sites which deal with sensitive information, like your bank’s website, or any login screen. The goal is to establish a unique encryption session between your computer and the server, so that eavesdroppers aren’t able to steal your valuable information as it gets sent along the line. This is accomplished by using the Secure Sockets Layer (SSL) protocol. SSL uses public-key cryptography to securely establish a session (symmetric) key that is used to protect the subsequent data. This is how it works:
- Client (you and your browser) connects to a server over https:// (port 443)
- Server sends you its public certificate – This certificate contains the server’s public key.
- Client generates a random number, encrypts it with the server’s public key (taken from the certificate) and sends it – This number is the premaster key
- Server decrypts the premaster key with its private key and, like the client, combines it with the other random numbers that were exchanged to generate the session key
Now that you and the server have agreed on the same key, all the data sent from this point forward will be encrypted.
So, some questions should come to mind:
Can’t someone eavesdrop on the key creation and thus obtain the session key?
No. The session key is made up of three random numbers hashed together, two of which will be available to an eavesdropper, and the third (the premaster key) will be encrypted with the server’s public key, so that only you and the server know what it is.
How can I trust the server’s certificate?
Well, each certificate is signed by a certificate authority.
What’s a certificate authority?
It’s a company that signs certificates. You see, a website will generate a public/private key pair and then send a Certificate Signing Request (CSR) out to a CA, who will take the public key, attach a digital signature to it and return it to the site. Now the website can distribute this signed certificate so it can’t be faked. When a browser receives a certificate, it verifies that the certificate has been signed by one of its trusted CAs.
So, where do I get a trusted CA certificate?
Chances are, you already have them. Your computer, web browser, and Java VM all ship with trusted root CA certificates in their respective certificate stores.
Wait, who are these CAs again?
Here is a list that I found googling: Catsdeep FreeSSL, Comodo, Digicert, Digi-Sign, Digital Signature Trust Co., Ebizid, Enterprise SSL, GeoTrust, GlobalSign, LiteSSL, Network Solutions, Pink Roccade PKI, ProntoSSL, QualitySSL, Rapid SSL, Real digital certificates, Secure SSL, SimpleAuthority, SSL Certificate Management Site, SSL.com, Thawte Digital Certificates, The USERTRUST Network, Verisign, XRamp Security
That’s a pretty big list full of companies I’ve never heard of. Why should I trust them?
Well, they’re big companies, with a lot of money invested in this. Plus, how can you not trust them, with names like those, they must be secure!
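As an added illustration of the handshake and the CA check described above (my own toy code, not part of the original post): a textbook-RSA premaster exchange plus a trust-store lookup, using tiny constructed keys that are insecure by design. The CA is identified by its modulus, and the session key is the three random numbers hashed together, exactly as the post describes.

```python
import hashlib
import secrets

# Toy textbook-RSA keys, constructed for this illustration only (p=61,q=53 and
# p=53,q=59). Real keys are 2048+ bits; these are small enough to follow by hand.
CA_KEY = {"n": 3233, "e": 17, "d": 2753}
SERVER_KEY = {"n": 3127, "e": 3, "d": 2011}

def _digest(data: bytes, n: int) -> int:
    """Hash a message and reduce it into the RSA modulus (toy step, not a real padding scheme)."""
    return int(hashlib.sha256(data).hexdigest(), 16) % n

def issue_cert(ca: dict, name: str, server_pub: tuple) -> dict:
    """CA step: sign (name, server public key); the CA is identified by its modulus."""
    body = f"{name}|{server_pub[0]}|{server_pub[1]}".encode()
    sig = pow(_digest(body, ca["n"]), ca["d"], ca["n"])
    return {"name": name, "pub": server_pub, "issuer": ca["n"], "sig": sig}

def verify_cert(cert: dict, trust_store: dict) -> bool:
    """Browser step: accept only if the issuer is a trusted root and its signature checks out."""
    root = trust_store.get(cert["issuer"])
    if root is None:
        return False
    body = f"{cert['name']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()
    return pow(cert["sig"], root["e"], root["n"]) == _digest(body, root["n"])

def derive_session_key(client_random: int, server_random: int, premaster: int) -> bytes:
    """Both sides hash the two public nonces together with the secret premaster."""
    material = b"".join(x.to_bytes(32, "big") for x in (client_random, server_random, premaster))
    return hashlib.sha256(material).digest()

def handshake(cert: dict, server_priv: dict, trust_store: dict) -> dict:
    """Run the exchange from the post; return what each party (and an eavesdropper) can derive."""
    if not verify_cert(cert, trust_store):
        raise ValueError("untrusted certificate: the browser would show a warning here")
    n, e = cert["pub"]
    client_random, server_random = secrets.randbits(128), secrets.randbits(128)  # sent in the clear
    premaster = secrets.randbelow(n - 2) + 2          # client secret, must be < n
    while pow(premaster, e, n) == premaster:          # textbook RSA has a few fixed points; skip them
        premaster = secrets.randbelow(n - 2) + 2
    encrypted = pow(premaster, e, n)                  # only the server's private key opens this
    client_key = derive_session_key(client_random, server_random, premaster)
    server_key = derive_session_key(client_random, server_random, pow(encrypted, server_priv["d"], n))
    # The eavesdropper sees both nonces and the ciphertext, but never the premaster itself.
    eavesdropper_key = derive_session_key(client_random, server_random, encrypted)
    return {"client": client_key, "server": server_key, "eavesdropper": eavesdropper_key}

TRUST_STORE = {CA_KEY["n"]: {"n": CA_KEY["n"], "e": CA_KEY["e"]}}
SERVER_CERT = issue_cert(CA_KEY, "bank.example", (SERVER_KEY["n"], SERVER_KEY["e"]))
```

A certificate signed by a CA that is not in the trust store fails the check and the handshake stops, which is the whole of the protection the trust store provides.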
In all seriousness, that last question is exactly the problem I have with certificate authorities. We have absolutely no reason to trust them. Worse than that fact though is that nobody understands just how much trust we are placing in these companies. We are taught as users to not be bothered with all of the magic that is going on between the browser, the CA, and the server, and to just assume that if there is a lock on the corner of your screen then you are safe and everything is good. This gives the CA a level of unaccountable authority because not only are we incapable of noticing any wrongdoing on their part, we are completely ignorant of their existence! It’s a wonder scenarios like this aren’t more prevalent:
For those that don’t like to click on links, this is a security bulletin about Erroneous VeriSign-Issued Digital Certificates that attackers are using to sign invalid certificates.
The certificate authority is the main point of failure in the X.509 and SSL system. I can’t for the life of me understand why any person in the field of security could conclude that giving a single company that much authority over an entire protocol is a good idea. They build these massively complicated, mathematically intense systems for protection, and then leave it open to a single entity for trust.
I wrote this post under the assumption that most users don’t know what a certificate authority is, or even vaguely what is happening during a secure connection. I feel like this illustrates a failure in the security community, much more so than in the individual user. We walk a fine line in the computer security field, constantly afraid that if we require the slightest bit of effort from a user then they are not going to use the technology. That’s all understandable, but if you go so far as to completely remove them from the process you leave them incapable of protecting themselves and fill them with a false sense of security. By not even being aware of the most essential component in SSL security, it is impossible for anyone to know what to do if there is a failure somewhere along the line. If the connection gets attacked, the protocol will rightly fail and the user will be presented with a choice: proceed anyway, or stop. How is the user supposed to make the correct decision here?
To illustrate this point, I want to see some comments. Answer this question: what do you do when you encounter a website with an invalid certificate? Do you just click ok and view the site anyway?
The economics of the Internet are very simple: websites publish content and place advertisements on the page to offset costs. In most cases these advertisements are supplied by a third party ad agency. Google AdCenter and Microsoft are huge players in this, as well as Amazon and many others. Generally, these advertisements are nothing more than annoying. Unfortunately this is no longer the case. Hackers have created malicious banner advertisements and are using Doubleclick to get them hosted on legitimate sites. So far, The Economist, MLB.com and Canada.com have all been infected. Here is an excerpt from Wired:
If you’ve seen any of the ads, you may have experienced something like this: You’re on a legitimate site. Your browser window closes down. A new browser window comes up, redirecting you to an antivirus site, while a dialog box comes up telling you that your computer is infected and that your hard drive is being scanned. The malware tries to download software to your computer and scans your hard drive again.
In other advertising news, Engadget, a popular gadget blog, recently got into some hot water over an over-the-top and intrusive advertisement that was actually crashing people’s browsers. Here are the related posts (the comments are a good read).
In light of all of this I have cranked up my Adblock and am now blocking any and all advertisements. Ad agencies and websites together need to address this issue and gain my confidence back. I’m surely not going to let my machine get infected by some advertisement I don’t want to see to begin with. For the uninitiated, I have added links to different ad blocking programs for different browsers.
Ha.ckers.org has posted an interesting interview with a phisher who makes a living hacking social networking websites. Of course, you have to take what the hacker says with a grain of salt, considering he is a criminal and goes by the anonymous name of “lithium”. That being said, it is still pretty interesting to hear from an 18-year-old high school dropout who has stolen over 20 million IDs. He claims that once he has a user’s social networking password he can break into their email address or other accounts because “5 times out of 10 the person uses the same password for their email account.” Here’s a good tip: never reuse the same password.
Ha.ckers.org is a web-application security blog run by “security gods” RSnake and id. They post relevant and accurate information about current security issues. Also not to be missed are the full-disclosure forums at sl.ackers.org.
Despite the growing threat, websites and applications are becoming more and more permeable leaving unsuspecting users at risk. The best way to defend yourself is to become aware of the techniques and capability of the attackers, and to practice strong security habits.
For those of you that haven’t been following the new Silverlight technology, I will provide some background. Silverlight, also called WPF/E, is Microsoft’s new cross-browser, cross-platform plug-in designed to deliver rich multimedia through the web. In principle it is very similar to Adobe’s Flash and Flex technology, but it is entirely different in design. The runtime environment includes a subset of the .NET framework, and the development tools allow for the integration of C#, AJAX, VB, and other web applications. This is an attempt by Microsoft to bring the rich graphical abilities and interoperability of the .NET framework onto the web. This simplifies the development process, and gives the web developer a lot more tools to use. One of the most interesting capabilities of Silverlight is its ability to stream HD video efficiently. Check out the Silverlight gallery page for some great samples.
Now on to the real point of this post. Las Vegas hosted MIX07 this week, which is a convention intended to demonstrate the capabilities of Silverlight, WPF, and .NET 3.0. Numerous companies were there presenting their prototypes and sharing their ideas about how to use this technology to spread their multimedia. Among those presenting were Netflix, who will integrate Silverlight into their “Watch Now” feature, and Fox Movies, who made a demo showing trailers for their new movies. Of course, the most important demonstration was done by Major League Baseball.
Here is a video from the MIX07 convention featuring Bob Bowman, President and CEO of MLB Advanced Media, and Justin Shaffer, VP New Media, introducing what MLB.tv plans to do with their player and how Silverlight will improve the experience.
There are a couple of interesting points in the video that I want to bring up. First, Bob Bowman claims that they create 8-10 DVDs worth of data every second, which is a testament to how obsessed baseball fans are with statistics, video clips, and media.
The other point I want to discuss is Bob’s claim that his site can’t be simple and plain because it “has to appeal to 16-17 year olds and have 65 moving parts.” I am interested in the reader’s (all two of you) opinion on this, and also how you all feel about the new look of the MLB.tv player. Here’s my opinion: I like the new MLB.tv player and I am excited about Silverlight. It provides web developers and media companies the freedom and flexibility on the web that they never had before and could lead to some beautifully designed and incredibly useful websites. On the other hand, it could pollute the web (even more so) with cluttered, annoying, and ultimately unnavigable sites. If designers truly believe that their websites need “65 moving parts” then I think the latter will happen more often than the former.