[prev in list] [next in list] [prev in thread] [next in thread] List: openbsd-misc Subject: Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/ From: Nick Holland <nick () holland-consulting ! net> Date: 2015-12-09 4:22:58 Message-ID: 5667ACD6.1060006 () holland-consulting ! net [Download RAW message or body] On 12/08/15 20:26, Anthony J. Bentley wrote: > Giancarlo Razzolini writes: >> One of the main benefits of the TLS wouldn't only be to render >> impossible for anyone to know which pages you're accessing on the site, >> but also the fact that we would get a little more security getting the >> SSH fingerprints for the anoncvs servers. Having them in clear text as >> they are today, isn't very secure. > > Another attack currently possible against www.openbsd.org is changing > the https://openbsdstore.com links to http://openbsdstore.com, and > running sslstrip on that. Or the PayPal links... HAHAHHAHAHA... you think adding a certificate changes this? Pull up a chair, lemme tell you a story. I used to work for a company I'm sure you have heard of -- Two letters, starts with a G. And they don't make cars. When I hired in, one of my coworkers told me, "Congrats, you now work for four or five of the largest companies in the world". That company. This company was a target for cyber attack for a whole lot of reasons, and they did all kinds of (token) security education things -- including an annual "Security Week" ("token" as in chanting rules that are not understood and easily broken), and lots of time and effort was put into compliance, security technology, buzzwords and check-boxes so that effort could be demonstrated. And of course, there were lessons on https and encryption and how encryption solves everything and always look for the https:// and and and ... My team was a hot-shot security team...I worked with some absolutely amazing people in the world of incident response, including one who literally wrote the book on it. We tended to live in our own little world significantly detached from the rest of the company. We had our own infrastructure in fact, which was part of my job to run. So, most of us didn't actually USE a lot of the corporate infrastructure, such as the company web portal much. But after I was there about three years, they refreshed my laptop, and because things were kinda quiet in my job at that point, I got to spend a little time looking around the new machine, which I didn't do when I first started. And this time, I didn't immediately change the browser start screen from the company portal to something more useful. And ... I looked at the company portal for the first time...closely. It looked something like this: +---------------------------------------------------------+ | url: http://intranet.bla.com/stupid/long/url/portal/ | +---------------------------------------------------------+ | | | +------------------------------+ | | | _ Please log in! | | | | ,(_), | | | | | | SSO:__________ | | | | |___| PW:__________ | | | | | | | | | | | +------------------------------+ | | | | | +---------------------------------------------------------+ That little thing that looks like an "i" is supposed to be a lock graphic. My ASCII art skills are lame. But then, the "Single Sign-On" screen on the portal wasn't much more than my ASCIIart, either. A box. A couple boxes for user ID (SSO) and PW. And a graphic of a lock. And I stare at this some more...and realize that my eyes aren't fooling me. That's a graphic of a lock. And no https:// in the URL. No encryption in sight. I can't believe where I'm sitting and what I'm looking at. I walk over to one of my coworkers, a smart guy who knows the importance and tools of "compliance", but understand real security, too. I have him go to the portal, and he immediately, reflexively starts typing in his SSO and PW, in spite of my yelling "STOP! STOP! DON'T DO IT!". He looked at me puzzled. I tap the URL on his screen. I tap the lock graphic. His look goes from "What silly crap has Nick got for me this time?" to pure panic. "oh. my. God. We are going to have to do a password roll" (a change of pw for EVERY SINGLE PERSON in the company -- as he realized this was a major breach of security protocols). (On further investigation, it turned out the BOX was a frame that did happen to be encrypted, so there was no actual need for a PW roll, and there was no actual obvious security event...but again, there was absolutely nothing "proving" the communications was encrypted, and anyone could set up a rogue page and snag passwords). I put a ticket in to have this fixed. It was closed without action, with the explanation, "well, that will be a lot of work to change, we won't be scheduling any time on this page for a year or so". Note that something like 100,000 users all over the world, receiving all kinds of "security training" never noticed this default page every single browser in the company was initially set to use as their home page. The programmers did it wrong. Their supervisors signed off on it. CIOs never noticed this. My hot-shot security team didn't notice this (though...as they told me "I never use that page", and I'm using the same excuse). It took three years for ME to notice this. And when brought to the attention of the guilty, it was dismissed with a wave of the hand as unimportant. Ancient history? Not really. This happened almost exactly two years ago. https is a joke. IF and WHEN it works properly, it's too complex for the real world to understand (ahem...and even recognize). Encrypting everything as some are advocating is truly wasted effort that could be spent better on real security measures. End-to-end encryption is a good idea. I'd even say it's necessary as a good practice for any sites dealing with logins or financial information, but completely insufficient to be called "security" by itself. Attacks are almost always on the end points. I'd actually feel far better if my bank did no encryption and could convince me their infrastructure was actually designed well than the little green lock next to the URL makes me feel (of course, both is best, but I can guess what the application and infrastructure security is like...) Nick. [prev in list] [next in list] [prev in thread] [next in thread]