Phishing Scams Incorporate SSL Certificates
dettifoss writes "Netcraft reports:
`Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.'
Perhaps more disturbingly: `Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted.'"
Phish is ghey. I got da FP. bye!
Ask me about The Shocker!
I stopped phishing when AOL 3.0 came out...
SUCK IT DOWN!
Has anyone seen the banner ad for "Slashdot tech jobs"? Let's say you're a business, and you hire someone that found your listing through Slashdot. Are you going to act all surprised when they sit around all day... reading Slashdot? What genius thought of this?
Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
Based on my experiences helping neophytes do web work, my guess is that 90% of the web-using public doesn't even notice the little key icon, and doesn't know what a security certificate is even when the dialog to accept one appears. All they usually look at is the web page itself... especially on a browser like Safari where the lock is a small icon in the title bar that escaped me the first time I went looking for it. It might be interesting to have some usability folks do an eye movement analysis to see if the average user's eye ever tracks to the lock icon during normal browsing.
Of course, this does make it more likely for people who hit that nasty stage of knowing just enough about online security to be dangerous to get caught...
Why is my hamster so nice? It can eat a lot and is so soft!
(Disclaimer: I am probably biased, since we issue SSL certificates on our website.)

This article is a good example of yet another reason why the old advice of "make sure the site you are dealing with has an SSL certificate, and you should be fine" is no longer entirely true.

To be more confident you are dealing with a reputable/accountable merchant/site, you should not only make sure that they have an SSL certificate, but you should also actually click on the lock (or however it is done in the browser you use) and look at the certificate.

The reason the advice used to be valid is that traditionally, to get an SSL certificate, you had to provide documents to prove you are who you say you are, i.e. DUNS #, articles of incorporation, business license, DBA, bank statement, passport, driver's license, whatever. That is still true for most of the certificate authorities, but it isn't always true. Some of the new certificate authorities don't actually ask to see documents before issuing the certificate; instead, they merely make sure that you have control of the domain by sending an email to the listed contacts. In some cases, they also place a phone call to a number you provide them (I fail to see how this does anything, but..). Certificate authorities that do this will issue the certificate to "Domain control validated, organization not validated" as the organization (or similar text to that effect) rather than to the actual name of the company the certificate is for. These certificates are perfectly fine for making sure things are encrypted; however, they make the certificate useless for getting an idea about the legitimacy of who you are dealing with. They also don't tend to carry the warranties that other ones do (and for good reason, who would underwrite that procedure?).
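The distinction the post above draws, domain control validated versus organization validated, is visible in the certificate's subject, which is exactly what you see when you click the lock. The following is an added example, not the poster's code, that makes that call from the dict shape Python's `ssl.SSLSocket.getpeercert()` returns after chain validation has already succeeded. The sample certificates are constructed, and the placeholder phrases it matches are the ones quoted in the post; real issuers use varying wording, so a deployment would extend that list.

```python
"""Classify what a server certificate vouches for, using the dict shape
returned by ssl.SSLSocket.getpeercert().  Added example, not the poster's
code; the sample certificates below are constructed."""
from typing import Dict, Optional, Tuple

# Boilerplate some CAs put in O/OU when only domain control was checked.
# Both phrases come from the wording quoted in the post; issuers vary.
DV_PLACEHOLDERS = ("domain control validated", "organization not validated")


def subject_fields(cert: dict) -> Dict[str, str]:
    """Flatten getpeercert()'s subject: a tuple of RDNs, each a tuple of (type, value)."""
    fields: Dict[str, str] = {}
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            fields.setdefault(attr_type, value)
    return fields


def certified_names(cert: dict) -> Tuple[str, ...]:
    """DNS names the certificate binds: subjectAltName entries, CN only as a fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = subject_fields(cert).get("commonName")
        if cn:
            names.append(cn)
    return tuple(names)


def validated_organization(cert: dict) -> Optional[str]:
    """The organization the issuer vouches for, or None when the certificate
    only proves control of the names in it (domain validation)."""
    fields = subject_fields(cert)
    org = fields.get("organizationName")
    if not org:
        return None                       # no O at all: DV or self-signed
    text = (org + " " + fields.get("organizationalUnitName", "")).lower()
    if any(phrase in text for phrase in DV_PLACEHOLDERS):
        return None                       # O/OU carry boilerplate, not a company
    return org


def describe(cert: dict) -> str:
    """One-line summary of what clicking the lock actually tells you."""
    names = ", ".join(certified_names(cert)) or "(no names)"
    org = validated_organization(cert)
    if org is None:
        return f"{names}: channel encrypted; operator identity NOT asserted"
    return f"{names}: issuer asserts operator is {org!r}"


# Constructed samples in getpeercert() shape (not real certificates).
OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank, N.A."),),
                (("commonName", "www.example-bank.test"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
}
DV_CERT = {
    "subject": ((("organizationName", "Domain Control Validated"),),
                (("organizationalUnitName", "Organization Not Validated"),),
                (("commonName", "www.example-bank-verify.test"),)),
    "subjectAltName": (("DNS", "www.example-bank-verify.test"),),
}
SELF_SIGNED = {
    "subject": ((("commonName", "login.example-bank-secure.test"),),),
}

if __name__ == "__main__":
    for cert in (OV_CERT, DV_CERT, SELF_SIGNED):
        print(describe(cert))
```

This only reports what the CA asserts; the chain and host-name checks have to pass first, which the `ssl` module does before `getpeercert()` returns anything useful. A more robust way to tell organization-validated certificates apart is the certificate-policy OID in the extensions, but `getpeercert()` does not expose that, so the subject-field heuristic above is what the post's advice to "look at the certificate" amounts to in code.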
SSL Certificate
just feasted on my junk liberally..
Here's the kicker (From Article):
Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.
Here's the competition (From Google):
About Comodo:
Comodo is the leading WebTrust-compliant enterprise solutions provider for E-commerce Security Solutions. Firmly established in the market, Comodo markets a range of innovative products and services developed by its dedicated research lab delivering software, hardware, secure messaging and certificate-based security.
Comodo offers its SEEOS(TM) Secure Enterprise Extensible Operating System for integrated network security, together with secure Linux applications delivered via its Trustix(TM) brand, SIDEN(TM) next generation ASIC, Instant SSL Certificates for securing web servers and patented web site verification and identity solutions. For product information please contact US +1 800 772 5185 or Europe +44 (0) 161 874 7070 or visit the Comodo Home Page at www.comodogroup.com
About Betrusted:
Betrusted is the premier global provider of security and trust services to the world's leading organizations and government agencies. Through its managed security services, Betrusted offers clients a comprehensive package of leading security products coupled with unrivalled expertise to help reduce costs, increase revenues and comply with government and industry regulations. For more information, please visit our website at www.betrusted.com . Betrusted is owned by One Equity Partners, Bank One's private equity group.
(http://www.instantssl.com/ssl-certificate-news/ssl-120104.html)
Average Joe doesn't have any idea what encryption is or why it's important. Average Joe just wants to point, click, and buy. Hell, I rarely pay attention to it.
Isn't it more likely that people were suckered in not because of the SSL trick but rather simply from "scam" or mimic pages instead?
---
Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
Considering the low level of understanding most users have, I think many more will fall for these schemes. We should all switch to the dark side.
And it rendered on, until the end of its days.
What, is this going to trick another 1% of so called "technically adept" people *COUGHmcseCOUGH* into giving their online bank login info over a freakin' website? Who ever ASKS YOU for your login information?! They reset it, and they have you reset it upon login.
Ooooh... Wait a minute. That could be a NEW strain of e-mails... Just takes a little more HTML craftsmanship to code a fake E-Mail with a "reset" password, you log into the evil website with it, and enter in your "new" (which would most likely be your old one again, for most people) info. Scary!
It is pitch black. You are likely to be eaten by a grue.
This fine FP was another production of the Cabal of Logged In Trolls. Props to Sexual Asspussy and all his/her aliases; anti-props to GNAA, except for GNAA Sympathizer. Peace!
Ask me about The Shocker!
Wasn't the entire point of SSL to be encrypted? Whose bright idea was it to put plain text in SSL in the first place, much less give browsers support for it?
If I understand correctly, phishing comes into play when users are sent an e-mail with a bogus link. Probably something like "we've detected fraudulent use of your account, please follow this link to verify your information" etc. etc.
There is no reason to follow links in e-mail to get to a site that you regularly use. If you doubt the authenticity of an e-mail from, say, American Express, just visit the site as you usually do, through a bookmark. After logging in you should be able to access the necessary info.
I don't agree... It does matter. There are those of us who still use email, despite the spam (and phishing that this story is about).
And when I get a legit-looking letter that looks like a real notice from a domain registrar, or a web site I have an account with (PayPal, eBay, eSnipe, Mwave, NewEgg, etc.) - then I want to respond.
Business is about relationship with customer and company... you SHOULD read your notices that your account is past due, that your account was hacked and you need to change your password
Fraud and crime sucks no matter what part of your life. Don't just accept it. Yes, things are not what they used to be on the Internet... it is the job of the geek to help educate the masses and to help track down the as*holes.
Unfortunately, the open-source SSL systems contribute to this problem...
Most of them let you do a functionally okay SSL certificate without having to pay a root certificate authority. However, that means you're going to get the "sorta okay" certificate message popping up, with the user being told that the certificate is valid but there's no certifying authority behind it. As a result, the user is trained to click "Yes" to that box, and is conditioned to ignore such errors...
Don't worry, I make sure to type all of my URLs now, including ones such as: http://slashdot.org/comments.pl?sid=99888&threshold=0&mode=thread&commentsort=0&op=Reply
Sometimes they take a while but it pays off!
solves all this by never entering any financial data anywhere on the internet. he's not a knowledgeable computer user, and he knows it. in his case, and in the case of many non technically-minded individuals, it seems much easier to simply avoid all online financial transactions.
i think his simple approach to avoiding online financial risks makes a lot of sense. many of my non-tech friends/family members might be taken in by a scam like this, and given how painful it is to explain computer things to them, from now on i'll just tell them never, under any circumstances, to enter financial data on the web.
Why, oh why isn't there legislation to make this sort of thing illegal? Phishing is basically fraud, and if there was a chance that some action could be taken, then these phishers would not be tempted to pull such a stunt, since they would know that there would possibly be a lawsuit/jail time behind this...
I think the problem is that the Internet is using all sorts of technologies that allow things to be misrepresented... the basic IP protocol was written in an era where every other host on the Internet could be presumed to be somewhat friendly, since everyone was either part of the US Government or an academic who was affiliated with a university. Any abusers of the Internet could be identified and thrown out.
Now, absolutely every weakness is being found and exploited. The Internet just wasn't designed for this...
The only time I got the clap was when I stuck it up a fucked up hippie chick in a van outside of a phish show a couple years ago. Never again.
Sad thing is, it's getting harder and harder to be able to give them basic advice.
At the rate things are going, you pretty well have to know all the same tricks the spammers/scammers do...
I mean, just the other day, I got a message from PayPal about my account. Oops, I don't have one... Okay, so that would've been my first clue, but it was faked well enough to pass Hotmail's spam filter, and it looked official, like I really had had an account suspended.
So I check the email source, because I know better. Sure enough, it's using the %00 bug to catch IE users. Assuming they would know to look for where the link actually pointed, instead of where it claimed to.
In the meantime, I went to the page. Sure enough, it wants every bit of information imaginable. All the other links off it link to actual PayPal pages... the status bar at the bottom is left blank via JavaScript. So the unobservant and gullible would be hosed...
Naturally, I feed it totally fake information (might as well give them more false data... shouldn't harm anyone, should only help get them caught, I hope), just to see what it does. Sure enough, redirects you to another actual part of the PayPal site. I sent off a LART to the hosting provider's abuse email. No response. I don't consider that a good sign.
Note that no SSL was required here. Just official-looking pages. Granted, I didn't fall for it, but I know more about these exploits than Joe Average. Joe Average probably wouldn't know what was wrong with %00 in a URL if he saw it.
This is sad, too. I've taught classes on this, and I try to teach the class as much as they are capable of understanding. Even so, it's getting to the point where I feel like they need to know at least as much as I do just to avoid these stupid scams. There's a new one made up every day, it seems, and I spend a lot of time just keeping up with what the lowlifes are doing...
So the point of all this? We practically need a "scam report" type of newspaper for the general public. Not to mention a primer detailing the older tricks in the book... not to mention some way to get the average public to read them both.
Ok, if the bad guys can get certs from slime certificate houses, then I can delete said certificates or mark them untrustworthy. Will I then get a warning about the certificate being invalid, and that should prompt me to take a closer look?
If so anybody have a list of SSL providers I should be giving a second look at when the site pops up?
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
finally an affordable way to use SSL certificates on our sites without "unsigned certificate" warnings or having to pay Verisign $895/year for each certificate!
http://slashdot.org is not OpenPGP compliant. Please remove the spaces slash inserts to verify signature.
"One of the SSL encoding methods is 'plain text'," I could have had my own certs with no browser barking for all this time ? Damm Years ago I tried the "Please install my certificate thing" It worked for a while but stupid customers kept asking questions (I am sorta joking) Now I find out I could have configured my server to avoid many of these authority issues ?
I understood most of the article, but parts of it were like Greek to me, and I'm pretty savvy. I understand encryption and know to look for the SSL lock when I'm entering sensitive information, but visual spoofing worries me. I'll be sure to look at SSL certificates from now on. I hope the browser and backbone programmers can make this more secure.
I for one object to blaming all this on Phish. I'm sure that Mr. Anastasio et al. have no connection to this illegal and extremely harmful activity.
This was the last safe territory for me. When I punch info into an https site, I get a sense that it's a lot safer.
How the hell can I use online banking and do any heavy shopping via https again?!
It defaults to popping up a warning that you are using low-grade encryption. Plain text qualifies!
RTFA or quit trolling. The problem is not the SSL certificates or who creates them, but the browsers accepting a "plain" encryption scheme when setting up the secure channel. I haven't actually seen this but it's entirely within reason that a "plain text" encryption was available in the SSL libraries for debugging communications in SSL apps.
I think it should be fairly simple to update the browsers so they require some encryption by default. Voila. Problem solved and we don't have to kill OpenSSL or "pay a root certificate authority" for the privilege of having encryption.
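The article's "plain text" SSL is a NULL cipher suite: the handshake completes and each record carries a MAC, but the bulk cipher is NULL, so the payload is readable on the wire. The related anonymous (aNULL) suites encrypt but tie the session to no certificate at all, which is the "no central certificate authority is consulted" part of the quoted article. The parent's proposed fix, make the client require real encryption by default, is what modern browsers do, and it is what a client should enforce in code. The block below is an added example, not code from the article or from either post: it classifies suite names in both IANA and OpenSSL spelling, builds a Python `ssl` client context whose cipher string excludes both kinds of suite, and checks that nothing the context would offer is flagged.

```python
"""Refuse "plain text" TLS on the client.  Added example, not code from the
article or the posts: it classifies cipher-suite names (IANA and OpenSSL
spellings) and builds a Python ssl context that cannot negotiate NULL or
anonymous suites."""
import ssl
from typing import List, Optional

# OpenSSL's abbreviations for anonymous (unauthenticated) key exchange.
_ANON_TOKENS = {"ANON", "ADH", "AECDH"}


def suite_weakness(suite_name: str) -> Optional[str]:
    """Why a suite is unacceptable, or None if it both encrypts and authenticates."""
    tokens = suite_name.replace("-", "_").upper().split("_")
    if "NULL" in tokens:
        # TLS_RSA_WITH_NULL_SHA / NULL-SHA: handshake and MAC, payload in the clear.
        return "no encryption"
    if _ANON_TOKENS & set(tokens):
        # TLS_DH_anon_WITH_AES_128_CBC_SHA / ADH-AES128-SHA: encrypted, but the
        # server never proves possession of a certificate, so no CA is involved.
        return "no authentication"
    return None


def negotiable_weak_suites(ctx: ssl.SSLContext) -> List[str]:
    """Suites `ctx` would still offer that suite_weakness() rejects."""
    return [c["name"] for c in ctx.get_ciphers() if suite_weakness(c["name"])]


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server, and exclude eNULL (no encryption) and aNULL (no auth)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True              # certificate must name the host
    ctx.verify_mode = ssl.CERT_REQUIRED    # and chain to a trusted root
    ctx.load_default_certs()
    # eNULL = suites without encryption, aNULL = suites without authentication.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!MD5:!RC4")
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """For contrast: a cipher string that re-admits NULL suites.  Whether any
    are actually offered depends on how the local OpenSSL was built."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:eNULL")
    return ctx


if __name__ == "__main__":
    print("hardened offers weak suites:", negotiable_weak_suites(hardened_client_context()))
    print("permissive offers weak suites:", negotiable_weak_suites(permissive_client_context()))
```

The cipher string is the whole fix on the client side: `!eNULL` removes the suites the article calls plain text, and `!aNULL` removes the ones that would let a server skip presenting a certificate. Servers should carry the same exclusions, but as the thread points out, the user's safety depends on the client refusing, not on the attacker's server being configured politely.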
I'd like to verify if my browser is vulnerable.
Do you care about the security of your wireless mouse?
I think the site you were looking for is here.
Props on the failed post.
This is fine by me. Everything up to that point doesn't need to be encrypted. However, the only way to verify that the form (i.e. credit card #) will be sent over HTTPS is to View Source and look for the POST line. And this makes verifying certificates and encryption methods even harder.
Would it make sense for a tooltip over the Submit button to show the destination of the POST? Or at least whether it's secure? How about some useful items on the right-click menu?
While I'm on the topic...When I right-click and hit View Source, why can't the browser open an editor and scroll to the line of code that I right-clicked on? I know Firefox & IE don't, maybe something else does already..
I doubt that completely removes the risks. I bet most processors now use the 'net to submit data to their central database when they get it either by phone or on paper. It's the obvious thing to do, not many want to develop their own modem-based secure networks when this cheap Internet is already here.
Or evil domain is typo of legitimate one... (Not meant to defame any website) such as www.ebaye.com, www.paypall.com, www.macaffee.com, etc...
Where is the condemnation of your friend Bob Thompson?
The browser should somehow make it more prominent then, without annoying the user. If you really wanted to be safe, have the window give itself a red border around the page, instead of a tiny little lock at the bottom. People would notice a red border, yet it wouldn't be intrusive.
"Sufferin' succotash."
Seriously... ok, not. Seriously though, at least I can pay for my RV for Bonnaroo now! :)
Someone at Microsoft decided that it's better to not scare users with too much technical information, and give them just bits of it (literally - it works/ it didn't work). IE is not exactly known for its informative error messages.
"Page cannot be displayed". Could it be because the site fell off the face of the planet, the file is missing on the server or your office network is down ? doesn't matter to IE so long as you can feel warm and fuzzy inside that it tried and it's definitely not your fault. Yeah, okay, let's put the actual error mesage at the bottom of the page so users need to scroll to see it, if they really want to, but why should they anyway. It is irritating, but this by itself probably made jobs for thousands of IT people who could "research" what happened.
Even with certs. IE refuses to work with wildcard certificates (*.domain.com) when the * part needs to match two names like a.b.domain.com. But the error message says "The cert does not match the name of the site", it pops on each SSL connection (i.e. each individual image on the page), and you can't say "OK, accept for this session" like you can when the cert expired.
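What the poster describes, `*.domain.com` being rejected for `a.b.domain.com`, is the matching rule in RFC 2818 and RFC 6125 rather than an IE quirk: a wildcard stands in for exactly one DNS label, so a certificate that has to cover `a.b.domain.com` needs that name or a `*.b.domain.com` entry as well. The block below is an added example, not the poster's code, implementing that rule; the host names in it are made up.

```python
"""Match a host name against certificate names the way RFC 6125 (and the
browsers that follow it) do: a wildcard covers exactly one DNS label.
Added example; the host names are made up."""
from typing import Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if `hostname` is covered by the certificate name `pattern`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h                      # plain name: exact, case-insensitive
    # A wildcard is honoured only as the whole leftmost label, only once,
    # and never as a bare "*.tld" pattern.
    if pattern.count("*") != 1 or p[0] != "*" or len(p) < 3:
        return False
    # '*' stands for one label, so the label counts must agree and every
    # remaining label must match literally: *.domain.com does not reach
    # a.b.domain.com, and it does not reach domain.com either.
    return len(h) == len(p) and h[0] != "" and p[1:] == h[1:]


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name in the certificate (SAN dNSNames, or CN) covers `hostname`."""
    return any(hostname_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    wildcard = ("*.domain.test",)
    for host in ("a.domain.test", "a.b.domain.test", "domain.test"):
        print(f"{host:>18} covered by {wildcard}: {certificate_covers(wildcard, host)}")
```

The practical consequence for the multi-level layout the poster has is a certificate whose subjectAltName lists `*.b.domain.com` alongside `*.domain.com`; no client-side setting makes a single-level wildcard span two labels.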
This is absolutely beautiful. Where do I send the check for the number of hours you're going to save me over the next 50 years?
THANKS!
Heh... no problem! I think I actually found that feature by accident. I'll call it even if you can tell me how to change the key binding for "open page in new tab" from Alt+Enter to Ctrl+Enter ;)
...Whether my Maker is prepared for the great ordeal of meeting me is another matter.
Churchill
SSL (in terms of how it is useful to someone browsing the web) has two roles. One is to "ensure" that data is securely transmitted between two endpoints. The other is to "ensure" that the endpoint(s) is trustworthy.
Encryption really only relates to the former. The latter relies on certificates being signed by someone trustworthy who has taken due care in verifying the identity of the certificate holder before signing.
According to the article there is a form of certificate which does not need to be signed by a trustworthy party to be accepted by user-agents without question.
So the problem here isn't really that user agents should require some encryption by default, but that they should require some indicator of trustworthiness.
(That's not to say they shouldn't require a particular level of encryption. And requiring encryption may have the knock on effect of requiring a signature. I think you understand that. I just wanted anyone else reading to be clear that "encryption" and "trust" are two different roles and that the core issue when talking about "phishing" is trust.)
Boffoonery - downloadable Comedy Benefit for Bletchley Park
fix email and you'll fix 99.5% of this bullshit. it's real simple. SMTP, or anything that relies upon SMTP, will never avert spam, spoofing, phishing, or viruses. SMTP must die, NOW. the only solution is for corporations to begin implementing Microsoft Exchange Server combined with PKI for end-to-end non-repudiation. it begins with just one organization taking a stand and refusing to accept email communication from its peers who refuse to upgrade from the tragically flawed SMTP standard. others will follow out of necessity, and thus the rotting foundation of SMTP will be replaced with something which can stand the test of time.
Please forward any emails like this to spoof@ebay.com.
Thanks.
To enable the Debug menu see this tip.
http://www.rootstrikers.org/
Interesting post, but I'm glad it wasn't designed to protect people against hostile hosts. If it was, we'd probably not have the internet as we know it today. Somebody would have raised a scare early on, and the government would have heavily regulated it.
Now, after the fact, engineers can design useful protocols to work on top of or in conjunction with the internet to help solve the problem of hostile hosts. IPsec, SSL, PGP, firewalls, ssh, and fancy switches/routers all help to protect people from abuse.
And now, we have a high degree of internet freedom. We can pretty much do what we want with our bandwidth. People will get mad and hunt you down if you crack systems, violate copyrights or send spam, but aside from that, it's pretty much free. And even with all this freedom, it just requires a little persistence to prevent your machine from getting hacked.
Social scientists are inspired by theories; scientists are humbled by facts.
I bet 99% people don't even know what the lock icon means. I bet 90%+ of Slashdotters don't really know what the lock icon means and how to interpret the meaning of the cert. What does that tell you about the quality of the user interface?
The UI is oversimplified to the point of danger. So some company that you don't know, but the guy who made your browser might know declares that the cert really belongs to who it claims to belong to. Where's the accountability? Do you know any of these signers? Do you know anything at all about their security procedures? And if you did know something about them, could you adjust how much you trust them, and have your browser use other authorities to double-check them?
That's why the cert system sucks, especially with only one signature per key. I can think of ways it might be useful, but Internet Commerce isn't one of them.
Fortunately, many many years ago, before the web even existed, someone came up with a much better way of dealing with these issues. That someone was the underrated hero Phil Zimmermann, and that something is called PGP.
Now with PGP, the user has to actually think about who they trust and deal with the concept of degrees of trust, and grandma doesn't want to have to think about crypto stuff. Boo hoo. That's too bad, because if you want accuracy, and even the capacity to be able to trust what your tools are telling you, then you have to. But some people don't care. Fine, then trust some central authority just like you do with SSL certs, and your situation is no better or no worse than it currently is now.
But at least if PGP were used, then the applications (e.g. web browsers) would be designed with the idea in mind that certs are of varying degrees of trustworthiness, and they would have been forced into coming up with ways of presenting this information to users. (Because just because grandma doesn't care, that doesn't mean all your users don't care. So you have to deal with the issue.) That means that problems like the one in this story wouldn't happen, because the UI would be designed not to tell the user if a connection were SSL, but instead to inform the user about the other side's identity and the degree of certainty of that identity. A plaintext SSL connection would say something like "0% certainty" instead of a stupid lock icon.
Now, time for a plug: the GNU TLS library. These dudes made an SSL library that can use PGP certs. It's a step in the right direction. Kick ass.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Actually, that segment in BFC is a throwback to a segment from The Awful Truth called Corporate Cops - in fact the segment of film is almost identical to the trailer used in the TV show.
Screw you all! I'm off to the pub
Absolute rubbish.
Another bullshite, unfounded, self-promoting bunch of codswallop.
SSL isn't flawed (yet), it's the implementation of the code in the web server. And to exploit it, a victim has to click on a link that phiz's. Hm, you all seem to think most people are stupid, well, it is generally the case, but in this situation, and with the amount of press that banks have given to their customers (have you not seen the junk-mail?), it is still likely that some moron will fall for this trick, but it's not a flaw in SSL, it's a flaw in the code of the http server/client (browser).
Typical unbalanced bollocks.
arggghhhhhhhhhhhhhhh
The whole text/SSL thing is very disturbing, I thought I knew quite a bit about SSL having generated my own keys and installed certs and done some other things, but I had never found this dark corner.
Anyway, I had an idea that might be easier for users to use - instead of indicating a page is secured or not, instead let the user indicate that certain kinds of data should never be sent out over an unsecured, unverified link - any attempt to post data would result in a warning message about the information transmitted not really being protected. That would eliminate mistaken posting of data over insecure lines if people are not really paying attention to the lock (I have left up on all my browsers the warning about entering/leaving a secure page so I pretty much always know [or thought I did], but that's too annoying for most people).
You wouldn't even have to give the exact number - you could have pre-defined things like "anything that's a credit card number" or "anything with 9 digits ending with these four" or "my address". Then the browser would watch form fields and if the user tried a page submit - up would go the warning.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The only way to avoid being a victim of this kind of fraud is to understand your computer and the internet. The average user doesn't have the personal connection to their computer that the average slashdot reader has, and they shouldn't have to. What a frightening world to live in--your money can be managed through a completely unfamiliar (and illogical, to the average computer user) medium.
Hopefully the technological divide will diminish before a major financial catastrophe occurs. IMHO, the most perilous psychological response is the urge to continue clicking "yes" or "ok" until a problem disappears. I've done it before, and I'm sure everyone else has done it too.
--- Robert Strickland
It's also common sense that nobody is expected to type 30+ characters into their address bar. It's easy to be a smart aleck and make it look funny but there's no need to be a troll when all you have to do is type "www.ebay.com" or "www.paypal.com" (or whatever site you are after), hit enter, and then login to your account.
I access my accounts at public terminals a lot and don't have the luxury of bookmarks so it amazes me that simple and usable advice (to type in the url instead of clicking a ^sneaky^ scam link) is blown all out of proportion into "OMFGBBQ!! I have to type in a paragraph of a url!" Fortunately for idiots like you, those big companies survive by separating currency from your meaty fists. They usually have short URLs that you can painlessly remember and can type rather easily since you have to mash the keyboard with your neanderthal club.
If you're a politician, lawyer or human-rights worker in a country where your opponents may take extra-legal control of a CA to issue faulty certificates, your own CA may be the best option.
Who knows better than you who is a legitimate member of your organization?
Remember, X.509 certificates are used for more than just e-commerce and online banking. They're also used for S/MIME email, Intranet Websites, and VPNs. If I were running an IPSec protected multisite VPN I sure wouldn't trust a commercial CA to decide who can connect.
Spammers and virus writers/blackhats have joined in an unholy alliance and scammers like the ones in this article are running their schemes apparently with impunity.
Existing legislation has failed mainly because it is national and not international like the net itself. Technological means have failed as clearly shown in this article. If encryption/authentication like SSL won't work, then what will.
The dream is gone. The freewheeling internet from the late 80s and early 90s is dead and will never come back. The net can no longer remain both useful and unregulated and I will certainly opt for the usefulness over unregulation.
And no, before someone starts bashing Microsoft, running Linux won't save you. This is not a technological problem. Even if every computer in the world were running free software, the users would be the same. Yes. Those who run as root and click on every goddamn mail attachment. This is a social problem just like ignorance of the general population, scamming and vandalism are in the real world.
So what to do? Well, if the problem is the same as in the real world, use the tools we already have for controlling travel, gun ownership or who gets to drive a car or practise a profession. Age limits for net access, controlled net hardware (punishments in the same class as dealing "class A controlled substances"), tightly controlled licenses for running a business on the net and most of all a compulsory international e-identity (smartcard/bio authentication; equivalent of a passport) without which you cannot even access the net.
The owls are not what they seem
(Patch the Fine Browser). It is responsible for telling users whether the site is secure and who owns the key. There are countless ways to do this, like putting a lock icon next to the standard window title bar controls such as minimize and close. MacOSX Safari does it already, why not others? Then, the page title can be prefixed with the site's identity.
You can blame user stupidity or phishers' deviousness, but really it's a simple security bug and it should be fixed.
You don't have a real PKI (public-key infrastructure) unless you've got some way to revoke compromised certificates.
Suppose your server gets rooted and a bad guy gets your private key. You have to tell everyone who might go to your web site that the old certificate is no longer valid.
The good news is that there are certificate revocation lists out there. The bad news is that Internet Explorer, as of the last version I looked at, doesn't check them by default.
Next, think about the level of understanding of PKI out there, think about the usability studies that have been done on public-key software (specifically PGP), and estimate how likely it is that most organizations could resist a social engineering attack on the secret part of their SSL cert.
The indispensable Bruce Schneier has pointed out a couple of other vulnerabilities. How does your browser know what signers make a certificate valid? It ships with a list of trusted signers. How secure is this list? It isn't. Schneier has pointed out in his newsletter that a virus could silently add an evil CA to the trusted list.
His other good point was, how much would it cost to compromise the Verisign root signing key? He talked to Verisign's CEO and they decided that for $15 million you could make a down payment on a leveraged buyout of the company. So that's an upper bound. Could you make $15 million illegally with bogus Verisign-signed certs? Could the Russian mafia raise $15 million?
I've been kind of surprised that SSL has worked as well as it has for as long as it has.
> Sometimes all you need is authentication.
Certainly - but does plaintext-ssl provide that? If the page is sent over in plain text, it could have been altered in transit, for example.
Or are the pages signed or something? But then we could check the signature, right?...
Users already have trouble with a single lock icon, do you really want them to think about insecure vs signed vs encrypted? If people pay for the silliness of hardware XML accelerators (rather than using a nice binary protocol), they can pay for hardware SSL accelerators. ISPs should have no problem getting an SSL certificate and signing all users' pages with their username, given a small modification to SSL to support one more level of indirection.
In this way, most pages on the web will be https://, with the exception of some hobby and ultra-high-performance URLs. Those will be prominently marked by the browser with a red title bar that says "Insecure page!"
No it doesn't. It underscores the need to make browsers that aren't quite so bloody stupid, and do things like always displaying the real URL (gasp!) and not allowing Javascript to open new windows without the normal user interface security features (or a big yellow border saying 'Javascript window'). In fact, it might be a good idea to always have a grey border of a few pixels between the contents of a page and the user interface widgets surrounding it.
They may have a point on the SSL certificates, but the whole PKI thing seems a complete crock anyway... Verisign, Thawte and the like are not exactly the world's most trusted institutions. Maybe in the case of banks and other high-security sites it should be possible to pick up a free CD from your local branch or from your country's financial regulator containing the public keys. Then there would need to be a simple and foolproof way to import this key into your browser.
-- Ed Avis ed@membled.com
Cuz if the guy is a slimeball who found your wallet lost on the street and decided to have some fun on you it's all too easy for him to do that. Whenever I use my credit card in person I'm never asked to prove my identity. One time a while back a boss I had asked me to fill his truck and use his card and to call if they gave me any trouble. They swiped the card without even looking at it.
Hell, even if it's you using your own card...people are really careless and only seem to have concerns about using their card on the 'net. Too many people out there verbally broadcast their credit card info to strangers over the phone who solicit them for donations to feed the starving Africans, or hand their cards to the attendant at the full-service station when they fill their vehicles, or willingly give it to the waitress when they have lunch at Denny's, or whatever else.
I dated a diner waitress once, and know the types of losers who ended up as permanent pump jockeys from summer jobs as a teenager. I have personally witnessed those environments. In both situations many (if not most in some cases) of those employees are poorly educated, poorly paid, perennially broke, dopey chronic potheads. Also, some call centres are pretty lax and will hire anyone who will stay long enough to learn how to use the predictive dialer system. AND WE TRUST THESE PEOPLE WITH OUR CREDIT CARDS!
Because of that I NEVER buy anything, book a room or hire a car over the phone...I go online so my credit card number is at least encrypted (and I hope that the computer jockeys are at least a bit more trustworthy than a call centre operator). I NEVER give my credit card to a waitress or a pump jockey--if I use my card at all I go to the cashier and have them swipe it electronically. Authorisation is instant and the receipt they retain doesn't show the whole number anymore (I also NEVER use the old "click-clack" impression machines either).
Sounds paranoid? Well, it's far easier to exploit those common real-world events than to set up an internet phishing expedition. C.C. fraud on the INTERNET? Even if your number was sent in the clear it's typically in transit for less than a second, and could only be sniffed out by people with access to special equipment. Sure you have to be careful about encryption and authentication but (for now) online transactions are still mostly safe. Much less bother for criminals to pursue other opportunities.
This is absolutely despicable behavior, and the folks doing this should be fined or imprisoned.
That this is even possible seems to suggest that either the "secure" system needs to be re-examined and perhaps re-implemented, or there needs to be strong controls put in place on the technology.
When it's your money, or information on the line, sometimes we need regulation to make sure we aren't getting scammed by the next "popup camera" business.
Just another reason that my favorite permissions setting is 0000.
...If that's possible.
Nah, who am I kidding? I can barely use the terminal in Mac OS X!
(Though if someone would point me toward a general list or guide to the commands available, I might use it and become an even geekier... geek.)
~UP
Eat the Path.
So why not bury a page or so of the most useful ones in a secure directory at your ISP? That way you have quick access to them from anywhere.
Yes, SSLv3/TLSv1 does have a NULL cipher suite, which is authentication only, and there is also support for Anonymous Diffie-Hellman key exchange (which doesn't require authentication). (See RFC 2246.) But browsers don't use it. No browser, even going back to Netscape 2.0, supported NULL or ADH by default. If you want these cipher suites, you have to explicitly turn them on.
Go ahead, try it. Take a test Apache/mod_ssl server and change the SSLCipherSuite config line to:
SSLCipherSuite ADH:NULL
and restart the server. Now try to connect to it.
In IE, you'll get the generic "The page cannot be displayed" error. In Mozilla/Firefox, you'll get "Firefox and cannot communicate securely because they have no common encryption algorithms."
I welcome a real-world example of this "attack" that will actually work on a default-configured web browser.
I tried to duplicate this, with no success using either of the abovementioned browsers.
I tried using
openssl s_server -nocert -ciphers eNULL:aNULL:NULL -www
as well as
openssl s_server -cert mycert.crt -ciphers eNULL:aNULL:NULL -www
In both cases, both browsers refused to connect, saying that there were no shared algorithms (Firefox), or simply giving a error page (IE).
In all cases, openssl gave me messages similar to
332:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c
Perhaps this does not qualify as "most browsers", but I'm sceptical of this report.
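The two posts above test the claim from the server side with mod_ssl and openssl s_server. Something a defender can run offline is the mirror image: look at the ServerHello the server actually sent and flag a negotiated NULL-encryption or anonymous (ADH) suite, since that is what a "plaintext SSL" session looks like on the wire. The following is an added example written for this page, not code from the original thread or from OpenSSL. It assumes the TLS 1.0 record and handshake layout from RFC 2246 and the cipher suite numbers from RFC 2246, RFC 3268 and RFC 5246; build_server_hello constructs a test record (with a zeroed random field) rather than replaying a real capture.

```python
import struct

# Cipher suite IDs and names from RFC 2246 / RFC 3268 / RFC 5246 (subset).
CIPHER_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
}


def classify_suite(suite_id):
    """Describe a suite: NULL encryption means application data is in the clear,
    anonymous means no certificate was needed, so no CA was ever consulted."""
    name = CIPHER_SUITES.get(suite_id, "UNKNOWN_0x%04X" % suite_id)
    return {
        "id": suite_id,
        "name": name,
        "null_encryption": "_WITH_NULL_" in name,
        "anonymous": "_anon_" in name,
    }


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello; return the negotiated suite."""
    # Record header: content type (1), version (2), length (2).
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record body")
    # Handshake header: message type (1), length (3).
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    if msg_type != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + msg_len]
    if len(hello) != msg_len:
        raise ValueError("truncated ServerHello")
    # ServerHello: version (2), random (32), session_id<0..32>, cipher_suite (2), compression (1).
    pos = 2 + 32
    if len(hello) < pos + 1:
        raise ValueError("truncated ServerHello")
    sid_len = hello[pos]
    pos += 1 + sid_len
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    (suite_id,) = struct.unpack("!H", hello[pos:pos + 2])
    return classify_suite(suite_id)


def build_server_hello(suite_id, version=0x0301):
    """Construct a minimal ServerHello record (constructed test input, not a capture)."""
    hello = (struct.pack("!H", version) + bytes(32)       # version, zeroed random
             + b"\x00"                                   # empty session id
             + struct.pack("!H", suite_id) + b"\x00")    # suite, null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake


def alerts_for(record):
    """Return the warnings a monitor should raise for this ServerHello."""
    info = parse_server_hello(record)
    alerts = []
    if info["null_encryption"]:
        alerts.append("NULL cipher negotiated: application data is in the clear")
    if info["anonymous"]:
        alerts.append("anonymous key exchange: no certificate, server identity unverified")
    return alerts


if __name__ == "__main__":
    for suite in (0x002F, 0x0002, 0x0034, 0x0018):
        rec = build_server_hello(suite)
        print(classify_suite(suite)["name"], alerts_for(rec))
```

The check deliberately keys off the negotiated suite rather than the presence of a certificate: an ADH suite can be negotiated by a server that also has a perfectly good certificate configured, which is exactly the case the posts above reproduce with ADH:NULL in SSLCipherSuite.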
'Re: Do people even see the lock?' Stay sharp!
There is one at the bottom of this fraudulent phish site posing as a part of eBay that got sent to me recently via email.
http://210.93.131.250/my/index.htm
Needless to say, this is *not* a secure connection as far as the browser is concerned.
So I did what I could:
I looked up the abuse department responsible for
210.93.131.250 (the spam email *came* from this IP address) and traced it to a group of DNS servers in Korea. Cross referencing them with rfc-ignorant.org revealed they were *ALL* blacklisted--nobody worth complaining to.
I reported the phish URL to eBay by sending them the url, saying in effect 'why waste the bandwidth sending you the spam email itself containing the (reported) url'.
I even 'filled' out the form at the phish site, using 'fraud' and 'I reported you to eBay' in the text fields.
The website is still up and running, ready to steal some person's credit card information.
Now with the program CF13(TM) I wrote and use, such phish scam emails are scanned, deemed spam, and sent to the program's 'spamdump'. Should such a message get past CF13(TM), that would mean such a message is (conceivably) reportable to the abuse department responsible for hosting such a site....
Now, I don't have to deal with *almost all* forms of email spam and don't have to hide behind an obfuscated email address to do it.
Since it appears impossible to shut down this fraudulent site, the next best thing is to prevent anybody from going there. Thus a perfectly usable IP address has been ruined by scammers....
A little basic intelligence prerequisite test before credit details. SSL+HTTPS on OpenBSD with Apache Jakarta with J2EE with the highest security options, followed by another test (just to be sure)
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
the ephemeral key is "weak" in that it's randomly generated and sent over the wire using the public key of the other side, instead of a DH key exchange (like ssh does), meaning that an attacker can record ssl traffic and decrypt it later after getting the server.
legally, you're only liable for $50 of fraud; most companies cover you 100% if you report it in time (in the US).
Better yet, carry around a list of links on a mini USB keychain drive. Not to mention notes, addresses, etc.
On a related note, you can put a lock icon on a web page without using ssl at all. Take a look at the Chase Bank Homepage. They put a lock in the login box, making users think that the login box is secure, however, it's not completely secure because it's on an unsecured page. While indeed, for most people, the login information will go straight to chase secure servers, it is possible to hack the user's session. How? Easy, just modify the chase.com homepage before the user gets it. Either through DNS, proxy or xss. Whatever you do, don't login to your bank account from the chase homepage.
-- these are only opinions and they might not be mine.
With the plaintext encoding causing no errors at all it's rather simple to construct man-in-the-middle attacks on just *any* existing and well-known server, since no warning is reported to the user.
But with all those keylogging trojans out there, who cares about the men in the middle?
Bruce Schneier has a very interesting article about the "Scam" that is the Public Key Infrastructure.
Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure
This is probably just the first of many security problems resulting from the fact that these PKI issuing authorities are more interested in Money and Marketing, than in actual security...
-- -pjk Perry Kundert perry@kundert.ca http://kundert.2y.net
This is also available from Citibank, I have one of their cards. It works exactly as you say, great for online transactions.
I've just set an Apache up with NULL encryption and tried to connect. I tried both Mozilla and IE
Mozilla refuses the connection (no shared cipher). You have to edit SSL preferences to accept NULL encryption by hand. Then you can connect, but the certificate is verified by the browser. The lock icon is not the same as for a typical SSL connection: it is broken and highlighted in red.
IE refuses the connection (no shared cipher). I quickly ran through the config options but found nothing about NULL encryption.
Which means NULL encryption seems to be refused by these two popular browsers using the default install.
In the early versions of Netscape, the number of wards on the ssl key icon went up with the strength of the key crypto.
But the UI bastards thought that was too confusing, so now in later versions there's the little padlock icon that is only open or closed.
...is to communicate, not to satisfy some rule book. "I got" is perfectly clear. Because it breaks "standard" rules, "I got" is not good formal English -- but that's a cultural problem, not a matter of intelligence.
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Pretty much all major banks allow for internet transactions, which I'm assuming are virtually 100% secure. I have no idea how they do it, but why can't we implement their type of protocol/security system throughout the entire internet and disallow all other types of transactions? Is it too expensive or slow?
The problem is that showing a special flag when the page is secure does not remind the user about the problems when a page is not secure.
So we would need to indicate that the page is not secure, but that's 99% of all pages... and so the user will quickly learn to ignore it.
I think the solution to having people input their credit card details and pincode on a webpage after receiving an E-mail should not be solved by the browser, after all, the E-mail could also have told them to phone in their information...
A radical solution would be to print the wrong info on the credit card, but provide the user with the correct info on request, that way, everybody would be made aware of the problem (about not giving away this info), except those who never request the correct info, but then they won't be doing any harm with it either...