IE and Konqueror Bug Makes SSL Insecure
Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't both to check the issuer of this intermediate cert making SSL in both browsers something of a joke". Update by Hetz: if you're using KDE from CVS, the fix is inside or you can wait to next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo bastian for the blazing fast fix (95 minutes since it was reported).
what about the core of konqueror (Mozilla)?
Can I get an english translation of the poster's last sentence?
I've got a mind like a steel trap - it's got an animal's foot stuck in it.
I assume that if you don't mention it,Mozilla doesn't have this problem?
Je t'aime Stéphanie
Has Slashdot become the comment board for The Reg articles ?
Little did I know, the answer was right in front of me, in the form of the one Verisign certificate I shelled out the cash for :-)
I do not deploy Linux. Ever.
making SSL in both browsers something of a joke.
And here I was assuming that a fine MS product like Internet Explorer would embody the rock-solid security I've come to expect from the fellows in Redmond.
For shame, for shame.
--saint
"Fundamentalism" isn't about divine morality. It's about human authority.
Funny, I'd say the implementations are flawed and they're insecure. If they adhered to the RFC as it was written (rather than glossing over one little step), millions of users wouldn't be in a bind here.
That said, calling SSL insecure is about as sane as calling email insecure because flawed implementations are plagued with problems or http insecure because some web servers choke on archaic flags and such.
The moral of the story? Read your RFCs and then re-read them with a friend or two to make sure you read them right the first time.
with names displayed in a font in which capital-I and lower-case-l look the same, do you accept this certificate from lnteI?
After all, Konqueror is clearly a clone of IE (think about it: explorer vs. conqueror, both are file-managers cum web browsers, etc.). This is just a demonstration of how well the KDE people can emulate MS.
Really - wouldn't this sort of vulnerability be possible to extract by listening intently to the https behavior?
And is this OpenSSL-wide? Is that what Konqueror uses? And - how could this vulnerability exist in an open source library?
Stop the brainwash
When companies set themselves up to charge hundreds of dollars for strings of unique data called Certificates. It's frigging disgusting. I'd trust a private key long before I bought a certificate by companies who slam, and from companies who sold my identity to spammers.
Hang on, which one was which?
http://pcblues.com - Digits and Wood
... you mean Linux isn't 100% secure? How humbling!
IMHO:
Finally get rid of that "Certificate check" stuff!
Reality check: people do not use certificates to check recipient validity. They use SSL to cover traffic in transit. Man in the middle attack is much more remote possibility than having unencrypted traffic flow.
People that didn't check certificates are getting what they ought to.
After associating Benham's test-page IP with www.amazon.com in my hosts file I found that in Konqueror, following a link to https://www.amazon.com brought me immediately to the 'you've been hacked' page
It seems normal to me that after associating the IP with the amazon domain name in your hosts file, the malicious IP gets precedence over the authoritative association from the DNS.
So he doesn't get to the real amazon.com, obviously. If this attack requires a domain spoof it's quite unlikely to happen IMHO.
delete free(system.gc);
Oh and please I do know that this is probably just a simple oversight that they will patch in a few hours. Unlike MS which probably includes a EULA requiring you to sign over your first born. This is just a way for me to stab back against all those KDE users that make fun of my enlightenment/opera setup.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Before the M$ vs Everyone war starts...how about we have a fair and simple timing contest.....where does this get fixed first? ;)
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
The certificate issuer is not exactly a secure concept anyway. The whole idea of "trusted providers" being a list of folks engineered by the browser's authors is just asking for trouble. Any of those companies can "go rogue" and start issuing free certs to anybody who asks, which one of them did a while back (then they succumbed to the pressures and revoked all the rights, which was pretty crummy).
Besides, the contracts of all cert providers totally absolves them from any crime or misuse of data undertaken by their issued members. Which is a strange definition of "trust"...that it can only be placed in an unknown third party who has no control nor responsibility over the site you're connecting to, and neither has any liability should your data wind up in the hands of ne'erdowells.
Which is why I self sign everything. Since it all boils down to whether or not you trust me, why should I spend $150 trying to trick you into thinking I've passed some rigorous test for "trust". All that matters is that the data users send me is encrypted, which it is. That $150 cuts into my already wafer thin margins, and it cuts even more when you think I'll have to get a different cert for each of my subdomains.
Which is where this bug is actually beneficial. It allows you to get signed once for all your domain names. No more paying exorbitant sums for the paltry 10,000 cycles of processor time it takes to generate a certificate, you can get www.yourdomain as well as yourdomain, yourmisspelleddomain, secure.yourdoman and mail.yourdomain certified for the price of one. Just sign the main site...and use the money to buy an escrow insurance policy.
Hey freaks: now you're ju
An identical flaw in a piece of Microsoft and a piece of Open Source software...
I wonder which will be fixed first?
The article doesn't mention Opera. Anyone know if it is vulnerable? I certainly hope it isn't. Mozilla is marginally functional at best, and slow as molasses. Having Opera fail would mean there is NO Win32 browser that is safe to use. My bank's gonna be pissed if this gets out too far after their "Safe, Secure, Internet Banking" campaign. Oh worry me.....
Love,
Jay and Silent Bob
I guess you meant bother as in "I didn't bother to proofread my submission to Slashdot"
//m
Considering how little attention most people pay to who signs their certificates even if they are warned about them, even people with browsers which perform proper checks on these things may be able to affect themselves. Lesson there: read the certificate warnings, I guess.
So, why on earth would a bank, or all companies, only allow what is probably the most insecure browser around to access the site? A bank for cryin out loud! A company that people trust to handle their hard earned cash, allows only IE to handle "secure" transactions on their site!
And don't get me started on payment processing companies partnering with MS to develop secure payment solutions... You'd think they'd partner with IBM or any other company with a decent track record of reasonable security.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Okay, I am getting tired of seeing obvious typos and grammatical errors here. So many Slashdotters feel they are more intelligent than the average user and the unwashed masses, yet the editors and the submitters can't properly proofread stories. The editors can't even be bothered to edit a story after a major typo or when posters plainly point out an article is flat out wrong.
While I'm complaining about Slashdot, when did qualitative kharma replace quantitative kharma?
(If this post contains errors, feel free to point them out. I don't care about grammar in comments. My main concern is decent English in the article write ups.)
Now, in L33T SP34K:
Clearly, this is for you. As for your Scandinavian relatives with professional interests in cooking, you might suggest they visit this instead.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
Somebody please turn this guy onto Mozilla 1.0!
One simple rule for its versus it's
"IE and Konqueror don't both to check the issuer ...." C'mon, Taco, get another pair of eyes on your copy before you post it.
Let's see how fast the KDE team fixes their software and how fast the Microsoft team fixes theirs. If it's not already done that is.
Take a look here. I specially like the last paragraph about "reimplementing" the bug.
http://online.securityfocus.com/archive/1/286893/2002-08-05/2002-08-11/1
It seems that it isn't TOTALLY browser related. Verisign and Microsoft both know about this error, according to the people in the thread. It's a good read with a lot of detailed info about the flaw and where the flaw exactly is.
Never underestimate the relief of true separation of Religion and State.
You say konqueror's affected?
No, _I_ say konqueror's a dreadful piece of shit. Or at least it was circa KDE 2.2.x -- haven't used it since.
Unless you meant "you" as in "all the Slashbots", in which case I would remind you that not everyone posting here is a filthy GNU hippie.
--saint
It's been 20 minutes now and KDE doesn't have the fix up yet.
;)
This is just ridiculous. Why are they taking so long? I don't have all day.
Seriously though, with a long list of IE bugs still outstanding and Microsoft blaming Verisign, rather than fixing their software, I'll bet that KDE has a fix a month or more before MS.
ummmm no, most sites use it to stop man-in-the-middle attacks, and so you know your web traffic is going to who you think it is, and not some dude who poisoned your dns.
A few weeks ago I ran into a site (forgot which one) that has a certificate belonging to another site. Mozilla detected that and displayed a warning dialog.
I also avoid kde.
Hmmmm, Identical bugs in IE and Konqueror. No chance of there being shared code involved so it must be down to implementation. What determines the implementation of a protocol? The API, as defined by Verisign who developed it in the first place. My guess is that this is Verisign's stuff up in incorrectly specifying the protocol for handling certificates. IE and Konqueror were both written in accordance with Verisign's protocol and so both end up with the same bug.
The only joke here is that so many people somehow trust these publicly held corporations more than they do the average person.
Let's remember that Verisign is the same company that plays dishonest tricks involving .com registrations.
if you install kde-bindings for konqueror when you install KDE then it uses the mozilla engine to render HTML/CSS/JavaScript etc. when you surf. however, i don't believe installing kde-bindings exempts konqueror from this problem - Security is handled in a separate module within the Control Center. anyone know otherwise?
when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
.. to a buried page on the guy's own site. This shows a little more detail on how to get a test setup running.
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
Speaking as an architect with DoD, this defect is extremely distressing. DoD uses MS almost exclusively, and we rely on IE as a quasi-standard. Couple this little fact that all internal sites must use SSL. So, here I am sitting with an FOUO (Official use only -- stuff like personnel records ...) relying on the integrity of SSL certificates. Now, our sites are potentially open to little script kiddies. Granted, they have to penetrate some relatively thick firewalls, but, obviously, we wouldn't be using SSL if those firewalls were perfect ...
The real insecurity is that they trust Verisign by default.
-Adam
If you hit the discoverer's web site using Mozilla 1.1b you get an -8183 error and it will not display the page. Note this is not a complete spoofed-site demo unless you trick your DNS resolver into reporting his IP for www.amazon.com and pull up his page using SSL with that URL.
I would infer that Mozilla is correctly detecting the mistake in the certificate chain.
Notes on another practical demonstration of this bug are here.
With this article from the Atlantic Monthly about Bruce Schneier and bad security.
Best Slashdot Co
"The three steps to get this running are:
Download and run sslsniff-0.1.tar.gz
Setup iptables
Run arp-spoof or arp-sk
That's like saying:
"The three steps to allow me to break into your house are:
1) Go to the locksmith and make me copy of the key
2) Leave the front door unlocked just in case
3) Disconnect your alarm system
"
The odds of some of these items occurring are ridiculous.
Ok, who stole code from who?
(B) + (D) + (B) + (D) = (K) + (&)
This sort of teething problem is bound to appear in Konqueror and is not really that serious. No doubt it'll be fixed and patched within a few days (or hours if history is any guide!) it's situations like this when you see just how superior Open Source is as a paradigm.
Signed certificates simply state that Verisign trusts the company is who it says it is. That's about it. Signed certificates do not define whether your communications are encrypted or cleartext.
Signed certificates cannot prove that:
Many companies don't bother with having their certificates signed. It's pricey, an administrative burden, and doesn't really increase security. I'm annoyed that browsers have been swept into warning you if the site you're visiting doesn't support Verisign's cash flow.
About 99.999%+ of the primary uses of SSL/TLS out there are for transport encryption, not for site authentity verification, and this does nothing to reduce the security of the transport encryption.
Indeed, the site authentity thing is the way Verisign and friends get away with charging ridiculous amounts to spin off a key pair. I'm not saying that it's a useless service (it is nice to know that I'm talking with my bank versus the incredibly remote scenario that someone hijacked their domain), however that feature is pretty low on most people's importance list.
No one makes fun of Enlightenment, dude.
Now if you used Gnome, they'd have a field day with you.
Mmm. Sexy sexy blackbox. Mmmm.
If I understand the problem correctly:
Tools -> Internet Options -> Advanced
Check :
Check for publisher's cert revocation
Check server cert revocation
Check signatures on downloaded programs
*** Warn about invalid site certs
Ta-da, you now get a dialog box asking if you want to continue if you hit one of these sites (someone earlier posted a link to thoughtcrime.com)
"I'm annoyed that browsers have been swept into warning you if the site you're visiting doesn't support Verisign's cash flow."
I know the feeling... the only other problem is, though, how does the vast consumer-base out there deal securely online? It doesn't add anything to have to phone up to read out an SSL certificate fingerprint - you might as well just place the order over the phone!
Maybe what we need is a kind of web-of-trust like the idea of a PGP key-server, only for SSL certificates?
~Tim
--
Rushing on down to the circle of the turn
Did anyone notice how he mentions Mozilla 0.9.4 and totally neglects Mozilla 1.0?
Is anyone else getting a serious sense of deja vu here? I'm almost certain Konqueror was mishandling SSL certificates in a similar way about a year or so ago.
Can't find a ref, though. Maybe I'm just going nuts.
I can't agree more, SSL is really only practical for preventing intermediate parties from sniffing the wire and accumulating data in cleartext.
With that said, how is this attack any different than any other man-in-the-middle attack?
Eric Sarjeant
eric[@]sarjeant.com
Please beware that the overall impact of this problem is relatively minimal. The sky isn't falling. What this allows is a man-in-the-middle attack without the usual telltale browser confirmation box that one sees when using an unsigned certificate. The attacker still has to get on the network between you and the website and essentially transparent-proxy your connection through a rogue ssl proxy to make this all work. For the most part people with this level of network access for wide numbers of people are not so devious as to actually do this for profit.
On another note - if they did a traditional man-in-the-middle SSL attack, it might be very hard to track down who did it, but it would be very easy to tell it was being done (because you'd get a browser warning about the certificate not being valid for this site and/or signed properly). With this new approach, you get no browser warning, but it's presumably easy to track down the culprit, since the certificate signing chain will include a legitimate cert issued to the attacker that can be queried at Verisign or whoever they used - unless they steal a cert from someone else.
11*43+456^2
Normally when a man in the middle substitutes his own certificate for the original destination's, the browser will pop up a huge warning dialog saying that the certificate isn't signed properly or that it is named incorrectly. With this vulnerability, that doesn't happen. You can exploit this vulnerability to "sniff the wire and accumulate data in cleartext." See sslsniff: http://www.thoughtcrime.org/ie.html
...any more than gcc is "fundamentally" flawed because it allows the use of sprintf() and sprintf()s have been the cause of countless buffer overflows.
Good developers use the tools, bad developers end up getting abused by them. The concepts of how to properly use them have been kicked around for years; if a programmer decides to use an inherently insecure protocol as a security mechanism, whose fault is it? I suppose it depends on whether we're developing for Microsoft or *nix, eh?
-1 "overrated" on a score:1 completely relevant post? Someone needs to shove their head into a trash compactor.
Citing security problems with mozilla and netscape 6/7, my bank doesn't allow me to use those browsers on its web site to view my account. I end up using the archaic netscape 4.7, but it also will let me use IE (if I had it). I never tried Konqueror. My credit card bank is the same way. They always say that they have plans to support my browser in the future, but it's been that way for a year so I know it must not be a big priority. [Sigh]. Maybe this latest security thing will wake them up, and perhaps they'll continue development on added browser support. -Andy
alas, it worked flawlessly
When did working flawlessly become a bad thing?
I buy a cert from Verisign.. and I'm trusted. And I issue certificates to my friends based on mine.. because I trust my friends. But Verisign isn't supposed to trust my friends necessarily, because I do.
My copy of Konqueror (HEAD branch) shows me a dialog box, that lets me view the certificates. So long as you click "Details" it's quite obvious that there's a problem, and that you shouldn't continue.
Because basically it's equivalent to a plain HTTP connection. Even if you already have a valid key for a site stored, after I spoof it I can just send you a new one and you'll probably accept it as well. Even for the first use, the risk of attack may be small for you but not for the website owner that may see a lot of users sign up and be owned during a few hours when it's spoofed. Sorry, but I am not ordering from you with my credit card if you saved $150 rather than give me at least minimum assurance you are who you claim to be. At least Verisign has your credit card or bank account information. It could be that we need better CAs, ability to block ones we don't trust and at least one of them that issues free keys for non-profit sites that need security. But in the meantime, I would be happier if any well known organization can vouch that you are who you claim to be - even if you use CAs such as Microsoft, RIAA and Church of Scientology.
A Web-of-Trust is the only way to really have much confidence that you're not being Man in the Middled.
Or to put it another way: SSL sucks, PGP rules.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Besides, the poster has a point. In case you haven't been keeping up lately:
- Microsoft gets worried about their bad record in terms of security - reflected in anti-hacking insurance premiums amongst other things. Which are calculated by actuaries, of course - not random Slashdot posters.
- Microsoft made a big song-and-dance to the press about their month-long code stoppage and security awareness initiative within the company.
- Since then, has their security record improved? Does the fact that they have no plans to fix this bug, ever strike you as a little odd?
Contrast that to the fact that the Konq people already have a fix available for testing, and I think you'll find that even were we to hold a multibillion dollar corporation to exactly the same standard as a handful of volunteers - which would be absurd, in the general case - it looks like Konqueror is going to come out ahead. People who bogusly defend multibillion dollar corporations against altruistic volunteers annoy me.
Female Prison Rape in NY
Don't forget that the certificates cannot control the data once it's been uploaded to the server. How many attacks have there been where the DNS was redirected to a false server compared to how many have there been where the true server was compromised? SSL certificates are a solution to the wrong problem.
Oh, the error messages says "The IP address of the host www.thoughtcrime.org does not match the one the certificate was issue to."
I suppose they could have been a bit more forceful and/or clear, but that does the trick for me.
Going to the trouble of validating the certs but then not checking the CA attribute bits, like MSIE does, is just stupid.
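The check that comment refers to, as an added example that is not part of the original thread and is not taken from any browser or SSL library: a small model of chain validation in which every issuer in the path must be marked as a CA (the basicConstraints flag). All names, keys and certificates are constructed, and an HMAC stands in for a real public-key signature.

```python
"""Model of certificate path validation with and without the CA-flag check."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool            # models the basicConstraints CA flag
    key: bytes             # toy key: one secret stands in for the key pair
    signature: bytes = b""


def _tbs(subject, issuer, is_ca, key):
    """Bytes covered by the signature (the 'to be signed' part)."""
    return "|".join([subject, issuer, str(is_ca)]).encode() + b"|" + key


def issue(subject, is_ca, key, issuer_name, issuer_key):
    """Create a certificate signed with the issuer's (toy) key."""
    sig = hmac.new(issuer_key, _tbs(subject, issuer_name, is_ca, key),
                   hashlib.sha256).digest()
    return Cert(subject, issuer_name, is_ca, key, sig)


def _signed_by(cert, issuer):
    expected = hmac.new(issuer.key,
                        _tbs(cert.subject, cert.issuer, cert.is_ca, cert.key),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_chain(chain, roots, hostname, enforce_basic_constraints=True):
    """chain is leaf first; the last certificate must be issued by a trusted root.

    With enforce_basic_constraints=False this reproduces the flawed behaviour
    described in the story: signatures are checked, the issuer's CA flag is not.
    """
    if not chain:
        return False, "empty chain"
    if chain[0].subject != hostname:
        return False, "hostname mismatch"
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else roots.get(cert.issuer)
        if issuer is None:
            return False, f"untrusted issuer {cert.issuer}"
        if cert.issuer != issuer.subject or not _signed_by(cert, issuer):
            return False, f"bad signature on {cert.subject}"
        # The step the vulnerable browsers skipped: an end-entity
        # certificate must never be accepted as an issuer.
        if enforce_basic_constraints and not issuer.is_ca:
            return False, f"issuer {issuer.subject} is not a CA"
    return True, "ok"


# Constructed sample data (hypothetical names, not real certificates).
ROOT = issue("Example Root CA", True, b"root-key", "Example Root CA", b"root-key")
ROOTS = {ROOT.subject: ROOT}

# A normal site certificate issued directly by the root.
LEGIT_CHAIN = [issue("www.shop.example", False, b"shop-key", ROOT.subject, ROOT.key)]

# An ordinary site certificate (CA flag false) used as if it were an intermediate.
SITE_CERT = issue("www.attacker.example", False, b"site-key", ROOT.subject, ROOT.key)
FORGED_LEAF = issue("www.shop.example", False, b"other-key",
                    SITE_CERT.subject, SITE_CERT.key)
FORGED_CHAIN = [FORGED_LEAF, SITE_CERT]


if __name__ == "__main__":
    for label, chain in (("legit", LEGIT_CHAIN), ("forged", FORGED_CHAIN)):
        for enforce in (False, True):
            print(label, "enforce=%s" % enforce,
                  validate_chain(chain, ROOTS, "www.shop.example", enforce))
```

Every signature in the forged chain verifies, so only the CA-flag check on the issuer tells the two chains apart.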
Assuming the sources cited are accurate, we now have two independent misimplementations of SSL certificate handling, indicating that two purveyors of software that is entrusted with providing a secure (ie, private and authenticated) communications channel have screwed up in a way that suggests they did not understand properly what they were doing.
Rather puts buffer overflows into the shade, doesn't it?
As the late Professor Doctor Edsger W. Dijkstra commented: "If you don't know what your program is supposed to do, you'd better not start writing it." RIP, a great man.
Which bank disallows IE?
The shareholder is always right.
Uh, that website you mention...thoughtcrime.org...I hit it with IE6, and it gives me a warning saying "Everything checks out EXCEPT the address on the certificate does not match the address of the site trying to send it." Then it gives me an option of accepting it, rejecting it, or viewing the certificate.
How exactly is this a bug? IE saw a problem, reported the problem to me, and gave me options on how to handle the problem. If a user decides to hit "Yes" that's their problem, not IE's.
The world moves for love. It kneels before it in awe.
IE vs. Konqueror? MS vs. Linux? Can't we see what the real issue is here? Security lock vs. Bug icon. I vote bug.
A [PGP/GNUPG style] Web-of-Trust is the only way to really have much confidence that you're not being Man in the Middled.
I understand the advantages of PGP's model over SSL's, but under PGP's model, how do I get my key signed by somebody who does not live within a few kilometers of my residence? How do I, an individual who wants to send and receive secrets to another party who lives on another continent, establish a chain of key signatures from myself to the other party?
Will I retire or break 10K?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
http://www.cgisecurity.net/archive/browsers/
That URL alone isn't a full demonstration. Your browser notified you of a problem because it thought the web site was www.amazon.com, and you typed in www.thoughtcrime.org. You have to edit your hosts file:
66.93.78.63 www.amazon.com
For the full effect.
By consulting with a mutually trusted third party, of course. A similar concept as that of a notary public. (I said similar, not identical).
Trust centers such as Verisign make it a little simpler to verify identity: I don't have to personally check you out myself -- I accept Verisign's "voucher" that you are who you say you are, and therefore I offload my research responsibilities onto Verisign.
This is not a perfect system for many reasons. But you can't HAVE a perfect secure system. I think this system is about the best we have for now.
Now, do the spoof as he suggests. Edit your hosts file so that www.amazon.com has www.thoughtcrime.org's IP address, ie put in the line: 66.93.78.63 www.amazon.com into your hosts file. Where that file is depends on your system; in Unix it's in /etc, in Windows 9x it's in C:\WINDOWS (or whatever %WINDIR% is), in Windows NT it's something like C:\WINNT\System32\Drivers\etc. It's a plain text file. To confirm you've set it up right, type "ping www.amazon.com" afterwards, if it's pinging 66.93.78.63 then you're all set.
Now open your browser, and go to https://www.amazon.com/. If you don't get an error, your browser is vulnerable.
KMSMA (WWBD?)
Signed certificates simply state that Verisign trusts the company is who it says it is.
Other than take money do they do that much to establish that the company is who they say they are.
Anyway the certificate can say that the company is A and the webpage can say it's company B. If the certificate is okeyed by Verisign the user won't even see the certificate by default.
"I buy a cert from Verisign.. and I'm trusted."
That's it. That's all you need. I bought a bunch of certificates. I'm very trustworthy. Most of the certificates I issue are registered to the likes of Daffy Duck and Mickey Mouse, but people still download my ActiveX controls and anything I sign with my extra-special digital certificates.
I'd say more, but I don't want a horde of drooling trolls from Verisign to ravage my feet and ankles.
Taking trustworthiness to new heights... buy your own digital certificate TODAY!!
Vortran out
Knowledge is like ignorance.. too much can be just as bad as not enough.
Oh, and while we're being sceptical, the click-through EULA for downloading and/or installing the patch will probably mutate yet again, either subtly or not-so-subtly to move M$ ever further from responsibility for software that's "so badly written it's a National Security issue", while at the same time tightening the monopoly screws even tighter.
I tried the thoughtcrime.org test with the browsers I keep around under OS X. Here are my results:
Mozilla 1.0: passed (the others are right, the error message could be more user friendly, but it worked)
Chimera 0.4.0: failed (no SSL options in Preferences, also an early version without many features)
Omniweb 4.1 (v422): failed (SSL options in Preferences)
iCab Preview 2.8.1: failed (no SSL options in Preferences)
By "failed", I mean displayed the web page with no error messages (which I presume is the test). Some of those that failed don't appear to provide SSL support in the first place.
OmniWeb doesn't have much excuse though, it appears to have SSL support, and it is not a beta.
It's beginning to look like Mozilla is the only one on the ball here.
"What I'm thinking is different from what you are."
Belabera, "Mothra 3" 1998
This is what Thawte certs are supposedly for. The company officials from Thawte physically visit your location to determine if you are a legitimate business with an honest operation. (note: I don't know if Enron ever got a Thawte cert)
I know a NUMBER of banks (and even Amazon.com who should know better) who don't implement SSL properly. They have their login and password on a NON-SSL site, which posts to a secure page.
Yes, all the traffic is encrypted (login and password), but it is EASILY spoofed. As a man in the middle, all I need to do is change the HTML on the non-secure page to post to MyCollectionOfPasswords.com, display a message that the website is down, and the user is none-the-wiser.
Reminds me of the guys who put a false front onto ATMs. The false front reads the magnetic card and accepts the pin. Reject the card, and sign in later and drain the account. Want to be a thief, people? It's that simple. (Yes, people are stupid enough to put their cards into false-front ATM's!)
Microsoft needs to be called to the carpet. But Amazon should be as well! Sell Amazon short, and release this info to the presses! Another way to get rich.
Disclaimer: I am not encouraging illegal activities, or recommending securities. I am pointing out security flaws so that they can be fixed.
I sign the keys of people I know by phone, or interact with entirely online on an ongoing basis.
I understand how it would work by telephone (read the hex digits of the fingerprint) because the public telephone system is a reasonably secure system, but I don't see how it could work for signing a public key you see on somebody's web site. How do you know the connection over which your online buddy sends her key isn't tampered somewhere between her computer and yours?
Will I retire or break 10K?
WSJ, MSNBC and Dow Jones Wire have some writeup on this.
it's about time that slashdot pointed out that it wasn't just a microsoft product that has the problem. I mean I love linux, but /. tends to be pretty damned biased :P
Well, thank God that you don't have a nuclear weapon's design specifications sitting in front of you!
But don't worry, Chairman Bill's Trustworthy Computing Initiative will have the problem solved by about the 31st of Never.
P.S.
In a related story, I read that Microsoft is farming out some of their help desk duties to HP.
"Hell no, we don't fix software, we only write it!!!".
Correct, but signed certs certify that the public key contained within is actually the public key of that trustworthy organization (and not malicious Bob) and can therefore be 'safely' used to encrypt traffic upstream.
Also, Verisign is but one of several certificate authorities.
Obviously if you certificate to be 'stolen' you'd have to give up your private key, which is by definition private.
I may have misunderstood some of your points somehow, though.
why run from Vincenzo?
And the alternative would be... Oh, there isn't one. I see.
What you people don't get is that there isn't a better way to do it. Self-signed certificates are even _worse_ - any asshole can say he's www.wellsfargo.com with a self-signed certificate. At least if SSL is properly implemented it would prevent that.
I would never spend money at a site with a self-signed certificate.
And you no doubt click on details every single time you're logging into your bank's website?
No they don't. I've bought Thawte certificates for both a fortune-500 company I work for and also for my own one-man company and in both cases all I had to do was fax an authorization letter along with the corporate filing or articles of organization and supply a D&B number. Funny thing about that is I didn't even know my one-man company had a D&B number until I did this. They're apparently so easy to get it pretty much happens automatically after you're in business for a while.
Using SSL to positively identify that the site you think you are connecting to IS the site you are connecting to, has always seemed a bit ridiculous. So many ways around it.
My biggest concern is to make sure my data is encrypted from point A to point B so that no one in between with a sniffer can get my data.
Sure, it'd be nice to be sure that you are really connecting to where you are intending to go, but the SSL approach is a complete failure, so anyone who depends on it is just asking to be slapped.
Give me encryption, and give me a way to make sure that I'm not being spoofed, but don't tie them together, they don't belong together and it's all kind of pointless.
Opera 6.03 doesn't appear to be vulnerable, just displaying a blank page, but I duplicated the problem using the above method with IE.
I have seen this many times.
When I worked for a large ASP (app serv provider) we actually had problems with some servers doing this because of the way IIS was set up (misconfigured).
anyways, I always figured it was a security issue but I never trust anyone so it was never a big deal.
I have seen this particular exploit used a lot by things like comet cursor and other spyware/adware. They always say they are "trusted" from Microsoft. Funny thing is, since Mozilla I haven't seen any of this.
-hmmmmmmmmm
then I would:
The chances of being discovered during the time that your conducting the attack can be minimized by parsing the http headers for the browser type, and only attempting the attack for clients using vulnerable browsers. This way you could leave it in operation for longer, and steal more information.
So what have I missed here? Is there some other aspect to this that makes it more complicated than I've made out? Stealing the certificates was meant to be the difficult part, getting access to the network is not difficult if you are big enough, and creating a transparent-proxy is going to be relatively easy.
Somewhere there I wasn't thinking straight:
.....
Obviously you can't parse the http header for the browser type until after you've already set up the ssl connection, which you won't have been able to do if the browser was not susceptible
However, the attack would still work, you just rely on grabbing enough passwords and stealing enough money before being discovered and shut down to make it worthwhile.
also re:
> that your conducting
should read
"that you're conducting"
...that's why I use Gnome w/ Opera :)
First I heard of a hole in amazon.com. Can someone verify?
According to the recent email to the kde-devel mail list, the fix for the SSL vulnerability is in KDE CVS and the stable KDE 3.0.x branch and will be part of the 3.0.3 release next week.
Interesting ... I read an account from one company where the Thawte people actually physically came to the premises (a computer equipment + mod/cooling + hotrodding shop) and verified that they were a real legitimate business. If you browse the linked site's news archives, you'll see mention of it.
Verisign doesn't even generate the key pair. You generate it and send them the public key, which they "sign" and turn into a "certificate".
This is somewhat more secure as they don't get a copy of your private key.
I just tried it using Konqueror 3.0.1, and here's a screenshot of what I get when I go to the web site. After clicking continue, it prompts me again. This is similar to what I see when I come across expired certificates. After accepting the certificate despite the warnings, I see the "You've been hacked" page.
Lynx (tested with version 2.8.4rel1.1) and wget (tested with version 1.8.2) are both vulnerable as well.
The problem lies in their PKI implementation...
If you want confidentiality, then you must worry about Man In The Middle.
SSL may do a good job of confidentiality between two end points, but when you don't know where the other end point is, then why bother at all? You can't have a confidential dialog without first authenticating who you are having the dialog with.
>Wrong error.
No.
I tried with moz1.1beta and I get the -8183 error.
Not vulnerable (I did change my host file and ensured IE 5.5 is vulnerable).
This sort of attack does have one interesting use. A company that wants to transparent-proxy (and hence monitor) all of its employees' web-browsing can now interfere with SSL connections.
Message on kde-devel:
Date: Mon, 12 Aug 2002 10:22:55 -0700
From: Waldo Bastian
Subject: SECURITY: Konqueror SSL Vulnerability
To: kde-devel@kde.org, kfm-devel@kde.org
Konqueror (kssl to be precise) fails to detect certificates as invalid that
have been signed by an issuer who is not allowed to do so. A patch for this
problem has been committed to both the CVS HEAD branch and the KDE_3_0_BRANCH.
KDE packages for the upcoming KDE 3.0.3 release will be updated to include
this fix. We hope to have binary packages for KDE 3.0.3 available by the
start of next week.
Thanks go to Mike Benham and Gregory Steuck for alerting us to the problem.
See also:
http://online.securityfocus.com/archive/1/286895/2002-08-08/2002-08-14/1
http://slashdot.org/article.pl?sid=02/08/12/1341239
http://www.theregister.co.uk/content/4/26620.html
Cheers,
Waldo
I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
In my programming classes, this was one of the methods the prof used to figure out who was copying off of who...
Shouldn't this be investigated?
The reason you got the dialog box warning you that "The name on the security certificate is not valid or does not match the name of the site" is because you hadn't actually set up a MITM scenario. You went to www.thoughtcrime.org, its certificate claimed to be www.amazon.com, and IE properly warned you of this fact.
The warning dialog would not have appeared if your computer or name server thought that www.amazon.com _was_ www.thoughtcrime.org.
They only see the dollar signs. It's not like they are 'braver' than the Open Source projects to call IE release quality. The OS guys are just more honest, instead of saying 'yes this software will solve all your problems, it never crashes, and runs really fast. We are sure that this software will work.' The OS guys say, 'this is what we've encountered, here's the performance metrics (if there are any) and here's the code, have fun, but we don't ensure this software to work in all cases.' MS charges an arm and a leg for the software that you can't even get a bug fixed on.
BTW, SourceForge is not where people go to release software into the wild, it's where people who have an itch to scratch in the software world go to try and get more people to help them. If you are good enough to write quality software by yourself you are not going to SourceForge.
Today, the only reason that I don't like MS is that they are really starting to force you to upgrade your software more and more often. I would like to be able to put together a system and not have to slowly upgrade it, but rather:
build it,
use it,
when it becomes not useful, toss it (or give it to someone else)
not the MS way which is
build it,
use it,
upgrade it, (repeat until machine is too slow to use)
toss it.
I hate upgrading for no good reason. Being forced to upgrade software or hardware without getting new features is the pits.
This is what bothers me about the Open Source model. Sure you got a fix fast, but the bigger more important issue isn't being covered, testing. I mean real QA testing, having a 100K people using something isn't QA.
I work in the software publishing world and nothing can go out the door without a QA cycle performed on it. A simple fix can have nasty side effects somewhere else in a program and you won't know it without a full QA cycle. This is why commercial software doesn't roll out fixes quickly, and for their customers' sake they shouldn't. When a bug is found it should be documented, and a documented bug is as good as a fix in many cases.
Real QA testing is a long process to create tests, run and document results, and to go back and retest as necessary. Being OSS software is mainly a volunteer model, people volunteer for what is interesting or challenging to do. QA gets slighted. So quick fixes scare me.
Oh, and IE 5.0 did complain about the certificate being invalid
Funny that this comes out just over a week after Win2kSP3 is released....
I am no MS fan by far however... When will the Konqueror updated binaries be out... how much QA and testing went into the fix... think that maybe MS might have an internal fix they are testing now? Hmmm nope you didn't think. Just bash MS without thinking.... Again I would like to state I hate nor do I use any MS products... but sometimes the MS bashing is just plain silly.
Jeez, and people are complaining about spelling and grammatical errors. How about 'only ever heard it, don't really know what it means...' errors?
That would be, 'intents and purposes', in case you are one of the clueless.
So what's the problem? I don't trust Verisign anyway.
This isn't true at all.
When you phone up to get the SSL fingerprint, all you're doing is asking the company for data that is already public, but doing so in such a way that you can reasonably be sure that you're getting it from the official source. This transaction doesn't involve any private, sensitive data at all.
If you then use the certificate to conduct a business transaction, the sensitive data (credit card data, for instance) will be encrypted end-to-end using the now trusted certificate so that eavesdroppers cannot intercept that sensitive data (and the fact that you're using a verified certificate prevents man-in-the-middle attacks).
So the end result is quite a bit more secure than simply placing the order over the telephone, since it is possible to tap a telephone line without either end knowing about it.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
And you no doubt click on details every single time you're logging into your bank's website?
every time, especially when it's a banking site. if you don't, it's your fucking fault for getting your CC info stolen or what else.
Another security leak for which Red Hat will not ship KDE updates. Sad.
And then wonder how long it will take Microsoft?
I hope Microsoft puts it through some sort of testing and Q/A process. 95 minutes to fix a serious security hole is stupid. You point out a problem with open source, lack of Q/A & testing, and hold it up like it is an advantage.
But then again, it took Mozilla how many years to put out the buggiest browser ever?
i surely hope they come up with a patch for KDE-2.1.1 that is in Redhat7.1 and Slackware8 as i prefer KDE-2.1.1 over the current release of KDE...
Some sites might rely on this "broken" SSL certificate handling. Any time you fix a bug or security hole, you risk breaking websites or software that depend on the bug or hole. One reason Wine has so many problems, and why Windows is a complete piece of crap is that they must have bug-for-bug compatibility.
An employer could easily interfere with SSL connections. The employer can just install their own CA certificate in all of the browsers. This only works for monitoring employees using company provided computers, of course.
Yeah!!
All those people ought to be using Microsoft Word to edit their posts so it puts that little green squiggly underline thingy...
Oh... Never mind.
Translation: KDE's open-source dev team blows MS's out of the water in bug fixing.
May we never see th
Speechless here.
I got the same error using Mozilla 1.1b.
I also tried IE 5.5, Konqueror 2.2.2 and Lynx 2.8.5. They were all fooled by the spoof. One thing you can do is view the certificate and it will show the spoofing web site in the certificate chain. This could be a workaround for the really paranoid.
Also, keep in mind that the spoofer has to have a valid certificate in order for this to work. The spoofer would have to either get a certificate (and risk getting caught) or steal one.
In a world that is Free and Open, who needs Windows and Gates?
Back in the day maybe. They can't afford plane tickets any more.
I tried this with IE 6 and Mozilla 1.0rc3 (both on an XPpro box) and both give the same results. They both show the thoughtcrime.org website without any error message or anything. Admittedly my Mozilla version is out of date, but it still seems vulnerable.
Opera v6 also works: "The server's certificate chain is incomplete, and the signer(s) are not registered". Mozilla on my system gives error -8183 for the same page.
What does your sig mean? Does it mean anything at all?
Please, it's driving me crazy.
"but doing so in such a way that you can reasonably be sure that you're getting it from the official source."
....
So let's see... I google around for "soundbug UK" as something I recently wished to purchase, find a sponsored link pointing me at a site I've never heard of before, get as far as the obligatory https:// part, take a phone number from the site, phone them up say "what's your fingerprint?"
Spot the flaw?
Phoning someone up out of the blue adds nothing to the trust factor at all. You need for the out-of-band communication to be trusted for external reasons (e.g. recognizing their voice on the phone) before you can trust them. That's why I might as well save time and place my order while I'm at it.
That's where I think a web-of-trust would win; at the very least you've added in the potential for scoring, or "if it's good enough for my mate Dave, it's good enough for me", with the strength of the crypto-key signature pulling your trust up towards 100% instead of it dropping off with more levels-of-removal from the original trust-er.
~Tim
--
Rushing on down to the circle of the turn
Who says you have to get their phone number off their web site? If they have a phone number, then they should have a phone book entry, right? So you call the number in the phonebook. Now the attacker has to hijack the company's SSL sessions and their telephone lines -- a much more difficult problem.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
And I have to have a phone directory for the area in question... That's not going to happen. At the very least, the effort required ("Hi bloke, can you look this up for me?", or trips to library, or even surfing around online through online phone directories - and note the trust required there) is such that it becomes worthwhile to start having key-servers to do the job.
~Tim
--
Rushing on down to the circle of the turn
no, no, the vulnerability is that they can pretend that they are amazon.com even though they aren't really amazon.com.
my apologies, wrote my last post without fully understanding the situation.
basically, when your browser is connecting to https://thoughtcrime.org/ the site is sending out a certificate saying that they are www.amazon.com. internet explorer *does* catch this problem if you don't change the name entry (for instance in your hosts file) since the site is quite directly showing you a certificate that doesn't belong to it.
the real problem is revealed when you change your computer's association of the name www.amazon.com to point to thoughtcrime.org's machine. at this point, when you visit the fake https://www.amazon.com/ your browser receives a certificate that says it's from www.amazon.com and indeed your computer thinks that www.amazon.com is that machine.
so the real problem is that at this point, internet explorer (and yes, konqueror) doesn't check the chain of who issued the certificate, it just sees that the certificate seems to match the dude who's showing it to you and proceeds without an error. in fact, the certificate that internet explorer just accepted was manufactured by the folks at thoughtcrime, who are not the certificate authority dudes that should be the only ones allowed to issue certificates!
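The missing check described in the comment above, as an added sketch that is not part of the thread and is not Konqueror's or IE's code: a validator that only checks the host name and the chain links, next to one that also requires every issuing certificate to be marked as a CA (the X.509 basicConstraints cA flag). Certificates are modelled as plain records, signature verification is modelled as a key-identifier match, and every name and key id is constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str         # name the certificate was issued to
    issuer: str          # name of the certificate that signed it
    key_id: str          # stands in for the subject's public key
    signed_with: str     # key that made the signature (models signature verification)
    is_ca: bool = False  # basicConstraints cA flag: may this cert sign others?

def check_links(chain, roots, hostname):
    """Checks both validators share. chain is leaf first; roots maps name -> Cert."""
    if not chain:
        return "empty chain"
    if chain[0].subject != hostname:
        return "name mismatch"
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or cert.signed_with != issuer.key_id:
            return f"{cert.subject}: not signed by {issuer.subject}"
    top = chain[-1]
    root = roots.get(top.issuer)
    if root is None or top.signed_with != root.key_id:
        return "chain does not end at a trusted root"
    return None

def validate_lax(chain, roots, hostname):
    """The behaviour reported for the affected browsers: links and name only."""
    return check_links(chain, roots, hostname)

def validate_strict(chain, roots, hostname):
    """Additionally require that every certificate used as an issuer is a CA."""
    err = check_links(chain, roots, hostname)
    if err:
        return err
    for issuer in chain[1:]:
        if not issuer.is_ca:
            return f"{issuer.subject}: not permitted to issue certificates"
    return None

# Constructed sample data.
ROOT = Cert("Example Root CA", "Example Root CA", "k-root", "k-root", is_ca=True)
ROOTS = {ROOT.subject: ROOT}
ISSUING = Cert("Example Issuing CA", "Example Root CA", "k-int", "k-root", is_ca=True)
LEGIT = [Cert("shop.example", "Example Issuing CA", "k-shop", "k-int"), ISSUING]
# An ordinary site certificate (not a CA) used to sign a cert for another name.
SITE = Cert("attacker.example", "Example Root CA", "k-site", "k-root", is_ca=False)
FORGED = [Cert("shop.example", "attacker.example", "k-forged", "k-site"), SITE]

if __name__ == "__main__":
    for name, chain in (("legit", LEGIT), ("forged", FORGED)):
        print(name, "lax:", validate_lax(chain, ROOTS, "shop.example"),
              "| strict:", validate_strict(chain, ROOTS, "shop.example"))
```

Both validators report a name mismatch when the forged chain is served under its real host name, which matches the warning dialog mentioned earlier in the thread; only the strict one rejects it once the name resolves to the wrong machine.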
> Unfortunately most clients/browsers seem to go out of their
> way to discourage self-signed certificates with error messages
> that sound like "This certificate was self-signed.
Yes, and at that point the user's eyes glaze over and if
he doesn't have a guru to call, he clicks any button at
random. VERY few users would deign to read the entire
message. The dialog probably has "Okay" and "Cancel",
plus the close box on the window frame. Since "Okay" is
the default button, it's highlighted, and hitting "Enter"
will select it too, so there's probably at _least_ a one
in three chance the user will hit "Okay". That's on the
first try. What is more, if the desired result is not
achieved the first time, most users will try again and
hit a different button.
Translation: SSL certs only matter to people who care
about security and privacy.
This is not helped any by the fact that older browsers
used to display a dialog that looked basically identical
to the users whenever any information was sent over an
unencrypted socket -- for example, every time the user
did a web search at an http site like Yahoo! Users who
have been around for a few years have learned to just
bop Okay whenever they see that dialog -- and they teach
this behavior to the newer users.
So users who don't know anything about security or privacy
(i.e., almost everyone) are fairly unlikely to be dissuaded
from visiting a site just because the certificate is invalid.
They're WAY more likely to skip a site because it uses a
plugin that didn't come preinstalled, or takes too long to
load during peak hours.
Cut that out, or I will ship you to Norilsk in a box.
Can you name all of the parties in your browser config that can issue certificates without question? Why not? Why should you trust parties you cannot name to vouch for websites that are unknown?