• The sorry tale of the (un)Secure Sockets Layer

    TOP STORY

    The sorry tale of the (un)Secure Sockets Layer

    By Woody Leonhard

    Two brazen Web-server break-ins this year call into question one of the Internet’s fundamental security mechanisms — website security certificates.

    Because the most recent breach affected only PC users in Iran, most of us assume we’re immune. But we’re not; here’s why — and what we can do to protect ourselves.


    The full text of this column is posted at WindowsSecrets.com/top-story/the-sorry-tale-of-the-(un)secure-sockets-layer/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1298321

      Hi,

      Thanks for your explanation. But I wonder what we can do more. After the DNS cache poisoning was discovered a new additional protocol was created: DNSSEC, which signs the DNS response with a certificate. As long as these certificates are of a different origin (CA) then there are two checks. The third measure is still under debate but, if I understand correctly, is DANE, a whitelist provided by the owner of the SSL certificates and websites that tells which certificates are currently valid.
      That would mean a third check.
      And I wonder if it is possible to make another addition to DNS, e.g. a second DNS resolve action with a different DNS server, to verify the results of the first one.
      And there is the hosts file, when going to or residing in a country like Iran. One could make your own entries in the hosts file for important websites, thereby making it even more difficult to change the IP address of a website for a man-in-the-middle attack.

      regards,

      Robert
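The DANE check the post above describes is a comparison between a TLSA record published in DNS and the certificate the server actually presents. The following is an added example (not code from the column or from anyone in this thread) showing how that comparison works for an end-entity record: it walks the certificate's DER to pull out the subjectPublicKeyInfo, computes the association data the record's selector and matching type call for, and compares it in constant time. The certificate is a constructed, unsigned, minimal DER structure and the TLSA record values are assumptions derived from it, so it runs offline; only usages 1 and 3 are handled, since usages 0 and 2 constrain a CA in the chain and need chain validation that this example omits.

```python
"""Check a server certificate against a DANE TLSA record (RFC 6698).

Added example, not from the column or the thread. The certificate is a
constructed, unsigned, minimal DER structure; the TLSA values are derived
from it and are assumptions, not a published record.
"""
import hashlib
import hmac
from typing import List, Tuple

# DER tags used below
SEQ, INT, BITSTR, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(data: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a DER byte string into (tag, content, raw_tlv) triples."""
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            hdr = 2 + nbytes
        end = i + hdr + length
        if end > len(data):
            raise ValueError("truncated DER element")
        out.append((tag, data[i + hdr:end], data[i:end]))
        i = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw subjectPublicKeyInfo TLV of an X.509 certificate."""
    top = der_children(cert_der)
    if len(top) != 1 or top[0][0] != SEQ:
        raise ValueError("not a Certificate SEQUENCE")
    tbs_tag, tbs_body, _ = der_children(top[0][1])[0]
    if tbs_tag != SEQ:
        raise ValueError("missing TBSCertificate")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == CTX0:      # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != SEQ:
        raise ValueError("malformed TBSCertificate")
    return fields[5][2]


def tlsa_association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Compute the 'certificate association data' a TLSA record is compared with."""
    if selector == 0:
        data = cert_der                       # Cert(0): the whole certificate
    elif selector == 1:
        data = extract_spki(cert_der)         # SPKI(1): just the public key info
    else:
        raise ValueError("unknown TLSA selector %d" % selector)
    if matching == 0:
        return data                           # Full(0): exact bytes
    if matching == 1:
        return hashlib.sha256(data).digest()  # SHA2-256(1)
    if matching == 2:
        return hashlib.sha512(data).digest()  # SHA2-512(2)
    raise ValueError("unknown TLSA matching type %d" % matching)


def tlsa_matches(record: Tuple[int, int, int, str], cert_der: bytes) -> bool:
    """True if the end-entity certificate satisfies a usage 1 or 3 TLSA record."""
    usage, selector, matching, assoc_hex = record
    if usage not in (1, 3):
        raise ValueError("usage %d constrains a CA; chain validation not implemented" % usage)
    expected = bytes.fromhex(assoc_hex)
    actual = tlsa_association_data(cert_der, selector, matching)
    return hmac.compare_digest(actual, expected)


def build_sample_cert(key_bytes: bytes = b"\x00" * 32) -> Tuple[bytes, bytes]:
    """Constructed minimal X.509 DER (unsigned, placeholder key); returns (cert, spki)."""
    rsa_sha256 = der_encode(SEQ, der_encode(OID, bytes.fromhex("2a864886f70d01010b")) + der_encode(NULL, b""))
    rsa_key_alg = der_encode(SEQ, der_encode(OID, bytes.fromhex("2a864886f70d010101")) + der_encode(NULL, b""))
    spki = der_encode(SEQ, rsa_key_alg + der_encode(BITSTR, b"\x00" + key_bytes))
    name = der_encode(SEQ, b"")               # empty Name is enough for structure
    validity = der_encode(SEQ, der_encode(UTCTIME, b"110901000000Z") + der_encode(UTCTIME, b"120901000000Z"))
    tbs = der_encode(SEQ, der_encode(CTX0, der_encode(INT, b"\x02")) + der_encode(INT, b"\x01\x23")
                     + rsa_sha256 + name + validity + name + spki)
    cert = der_encode(SEQ, tbs + rsa_sha256 + der_encode(BITSTR, b"\x00" * 17))
    return cert, spki


SAMPLE_CERT, SAMPLE_SPKI = build_sample_cert()
# Assumed record "_443._tcp.www.example.com. IN TLSA 3 1 1 <hex>": DANE-EE, SPKI, SHA-256
SAMPLE_TLSA = (3, 1, 1, hashlib.sha256(SAMPLE_SPKI).hexdigest())

if __name__ == "__main__":
    print("published cert matches TLSA:", tlsa_matches(SAMPLE_TLSA, SAMPLE_CERT))
    forged, _ = build_sample_cert(b"\x01" * 32)   # same name, different key
    print("forged cert matches TLSA:   ", tlsa_matches(SAMPLE_TLSA, forged))
```

A forged certificate for the same name, even one chained to a trusted CA, fails the match because its key is different. The check is only as strong as the record it reads: the TLSA record must itself be validated with DNSSEC, otherwise a spoofed TLSA answer is no better than a spoofed certificate.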

      • #1298331

        Thanks Woody for the very clear explanation, much appreciated.

        I would be very surprised if this problem was not already happening on a fairly wide scale! The prize is enormous and hacking is quite commonplace, therefore hacking companies and faking certificates will be a criminal’s or State’s priority, most unfortunately.

        It seems clear to me that the industry needs to go back to basics, but I also said that a few years ago about the financial industry when it was crashing around us, and look what happened there – nothing! No significant new rules were introduced by regulators and the banks have continued to repeat their appalling techniques because of vested interests and we’ll soon see another crash.

        Same situation will happen with certs, there will be lots of talk but vested interests will prevent anything substantial happening.

        It will then be down to individual users to work out their own security strategies, and probably individual banks starting to issue their own certs and own browser versions to enable a direct and locked connection.

        I already use Trusteer Rapport as advised by my bank but I don’t think that even this could guard against false certs in this way, or perhaps it can? They are meant to stop man-in-the-middle attacks. Similarly I trialled Prevx Safeonline.

        It would be nice to see in the next newsletter that you review and explain how these two programs work and how effectively they can deal with these sorts of hacks?

    • #1298401

      After reading this article I successfully write-protected the hosts file on a PC with XP as OS. But on my other PC, running under WIN 7 Ultimate 64bit, I can’t find any sub dir drivers\etc or a “hosts” file anywhere. The OS is configured to show all hidden files. Any suggestions? Thanks!

    • #1298406

      Put a “\” after drivers, and look in a subfolder called “etc”.

      • #1298408

        Great article Woody, thanks. After reading this, I was intrigued regarding the CAs currently listed in my Firefox browser. I found quite a list, including a number of entries for DigiNotar (I’m using Firefox 6.0.2) and it made me wonder…”are all of these entries necessary?” There are French entries, German entries, Comodo, etc…Does the general public really need these entries? What would be the harm in my ‘distrusting’ most of these entries? Also, can the Validation option in preferences be used to enhance a user’s security as well?

        Interesting…

      • #1298454

        Put a “\” after drivers, and look in a subfolder called “etc”.

        Oops, [shame] I relied on Total Commander’s search engine. It does not find the file with “hosts” or “hosts.*” as search string, I tested it again a few seconds ago. Strange….

        Thanks a lot!

        • #1298459

          my agency is implementing digital signatures based on the ARX CoSign system, which in my state requires digital certificates to be purchased from state-approved Certificate Authorities. ARX also requires that each of our users of the system be issued a unique code created by ARX and safeguarded in their appliance. This multi-layer approach to certificate security seems less likely to be exploited.

          • #1298463

            In your article you said to make the Host file read only. If my Host file has been compromised and I make it read only I have not accomplished anything. How can I know if I have the correct Host File?

            I also have about 40 files called “Host.nnnnnnnn-nnnnnn.backup” where the n’s are random numbers. Should these files be removed?

            OldGuy IK

            • #1298469

              Woody – thanks for a very clear article on the situation with the certificates, CA’s and RA’s. Having worked in the IETF, I certainly am familiar with the CA/RA division and process.

              Certainly, many aspects of Internet operation are under the control of various “authorities” – address assignment being a big one before (are we still ‘before’?) the widespread implementation of IPv6. One wishes one could ensure the proper operation of any authority responsible for handing out ‘numbers’ that are needed for the proper operation of some aspect of the Internet (addresses, certificates, assigned numbers, …). Perhaps unrealistic. But you touched on that in your article – it’s not a windows problem, not even a browser problem. It’s a human problem!

              As one of the contributors to this thread pointed out, it is unclear that making the host file read-only helps if it’s already been compromised. Not sure what else one can do – how to tell if it’s the case. (As an aside, I had to log on to my admin account to change the permissions of the host file; couldn’t even do it from my user account even though I gave my admin password; seems the things you can do from user even with an admin password vs admin are not uniform – not to me anyway.)

              But a question that occurred to me while reading the article: so I check read-only; what happens if a legit pgm (won’t even touch the issue of how do I know it’s legit) wants to write to it? Will that pgm give me a certificate?

              Another thing that might be useful as far as the article goes, although advanced, is to check the certificate entries. DigiNotar should be on the untrusted list. It is on my computer. Not sure how it happened since I didn’t do it explicitly. Must have been one of those MS updates that did it (and I try to read the explanation of any update I allow onto my computer; the explanation in the update window is fairly useless/generic and the KB article you’re pointed to is not much better).

              Even finding the certificate mgr was not easy – and it should be.

              As a friend of mine said, if you want computers to be easy to use, the manufacturer has to make it easy. This area (certificates, updates, etc) has a ways to go.

            • #1298616

              In your article you said to make the Host file read only. If my Host file has been compromised and I make it read only I have not accomplished anything. How can I know if I have the correct Host File?

              I also have about 40 files called “Host.nnnnnnnn-nnnnnn.backup” where the n’s are random numbers. Should these files be removed?

              OldGuy IK

              If you view the content of your current Hosts file (not the backups) you will see a list of entries where websites are equated with IP addresses, for instance:

              127.0.0.1 Localhost (which is correct)

              To determine if all the entries are legit you would have to check every URL using a DNS Lookup site to confirm that the IP addresses are correct. For those users who find this too technical note that for general internet browsing it’s not necessary to have a hosts file. In the early days of the internet the Hosts file made browsing faster by providing a local database for DNS lookup, but that’s not necessary today with broadband. You can disable it by renaming – for instance Hosts.sav – or just delete it. You can then create a new empty text file called “Hosts” (rename and remove the txt extension) and make it read only.

            • #1298636

              If my Host file has been compromised and I make it read only I have not accomplished anything. How can I know if I have the correct Host File?

              As noted in an earlier reply, hosts arrives from the factory with only a single entry for the fictitious domain name localhost which is pointed back to your computer. The odds that you need anything else in your hosts file is low.
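The two replies above amount to a rule: a stock hosts file maps nothing but localhost to a loopback address, so any other active line is either a deliberate addition or something to explain. The following is an added example (not code from the column or from either poster) that applies that rule mechanically: it parses hosts-file syntax, skips comments, keeps only loopback aliases for the default names, and grades everything else, with an address that pins a public name to some other IP rated highest because that is what a man-in-the-middle entry looks like. The sample content is constructed and the domain names in it are placeholders.

```python
"""Audit a hosts file for entries that override DNS.

Added example, not from the column or the thread. SAMPLE_HOSTS is constructed;
the names in it are placeholders, not real sites.
"""
import ipaddress
from collections import namedtuple
from typing import List, Tuple

Finding = namedtuple("Finding", "severity line host ip reason")

# Names a stock hosts file may legitimately map to a loopback address.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for each active mapping.

    Comment text after '#' and blank lines are skipped; one line may carry
    several names for the same address.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                # address with no name: ignored by the resolver
        for host in parts[1:]:
            entries.append((n, parts[0], host.lower()))
    return entries


def audit_hosts(text: str) -> List[Finding]:
    """Flag every entry that is not a plain loopback alias for a default name."""
    findings = []
    for n, ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding("medium", n, host, ip, "unparsable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            if host in DEFAULT_LOOPBACK_NAMES:
                continue            # "127.0.0.1 localhost" / "::1 localhost": expected
            # 0.0.0.0 or 127.0.0.1 for any other name is the ad-blocker pattern:
            # it denies access rather than redirecting it, so low severity.
            findings.append(Finding("low", n, host, ip, "name sinkholed to loopback"))
            continue
        # Any other address pins a public name to one IP and bypasses DNS,
        # which is exactly what a man-in-the-middle entry looks like.
        findings.append(Finding("high", n, host, ip,
                                "name pinned to %s; confirm with an independent DNS lookup" % ip))
    return findings


def only_default_entries(text: str) -> bool:
    """True when the file carries nothing beyond loopback aliases for localhost."""
    return not audit_hosts(text)


# Constructed sample; the first two comment lines mimic the stock Windows file.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
# (constructed sample, placeholder names)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example                         # ad-blocking style entry
203.0.113.7     www.mybank.example mybank.example   # pins the bank to one address
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("%-6s line %d: %s -> %s (%s)" % (f.severity, f.line, f.host, f.ip, f.reason))
    print("stock file:", only_default_entries(SAMPLE_HOSTS))
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the Win7 stock file has even the localhost line commented out, which this check accepts as clean. A high finding is not proof of tampering (the earlier poster's idea of pinning important sites deliberately produces exactly that), but every such line should have an owner and should agree with a lookup from an independent resolver.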

            • #1298735

              I am running Win 7 Ultimate 64-bit SP1 Build 7601
              I have two hosts files, neither of which is located at the designated location. In fact there is no etc folder there either. However, both hosts files DO display the same properties dialog box as described in Woody’s article. Their file paths are:
              C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\hosts
              and
              C:\$INPLACE.~TR\Machine\DATA\Windows\System32\drivers\etc\hosts
              I wonder if I should lock either one or both of these files.
              And I am curious why there are two instead of one and why not in the location described by Woody.
              :huh:

            • #1298981

              When attempting to access my ISP’s web site I got this:-

              I have reported it to TalkTalk. Other than avoiding the site, is there anything else I can do ?

            • #1298987

              In your article you said to make the Host file read only. If my Host file has been compromised and I make it read only I have not accomplished anything. How can I know if I have the correct Host File?

              I also have about 40 files called “Host.nnnnnnnn-nnnnnn.backup” where the n’s are random numbers. Should these files be removed?

              OldGuy IK

              A fresh copy can be downloaded from here http://winhelp2002.mvps.org/uninstall.htm

          • #1298476

            my agency is implementing digital signatures based on the ARX CoSign system, which in my state requires digital certificates to be purchased from state-approved Certificate Authorities. ARX also requires that each of our users of the system be issued a unique code created by ARX and safeguarded in their appliance. This multi-layer approach to certificate security seems less likely to be exploited.

            The ARX CoSign appliance generates PKI keys for registered users that can be used ONLY to digitally sign electronic documents (these keys cannot be used to encrypt documents). By virtue of buying the CoSign appliance, the company becomes a de facto CA, and is therefore solely responsible for any PKI signing keys they issue to their users, which in most companies is available to any person registered in the company DB (typically Microsoft’s Active Directory).

            The ARX appliance does not issue SSL keys.

    • #1300781

      OK, I’ve done the whole DigiNotar certificate cleaning job and I’m satisfied those certificates are gone from my trusty old XP system.

      BUT… the process has allowed me to browse the remaining “Trusted” certificates there. And I have a big question.
      Who ARE all these guys and can I trust their certificates?

      Take a look at the attachment (sorry for the unformatted text) and tell me – do you have certificates from these kind of foreign agencies on your system?
      And if you do, do you know anything about them? Do you trust them? How do you know?

      I guess I am just surprised how many foreign names are on my certificate list.
      Are you?
