12 January 2015

SSL and online security

Two different articles caught my attention this past week, both of them concerning secure sites. In light of the recent initiative from to encourage all site owners to migrate to secure connections, a reminder that these can be exploited to breach user privacy and security just as normal, unencrypted connections can. I stand by my original reaction that implementing HTTPS on small sites and blogs carries a lot of complications with little benefit.

Gogo has been caught issuing a fake digital certificate for YouTube, a practice that in theory could allow the inflight broadband provider to view passwords and other sensitive information exchanged between end users and the Google-owned video service.

Normally, YouTube passwords, authentication cookies, and similar site credentials are securely encrypted using the widely used HTTPS protocols. A public key accompanying YouTube’s official HTTPS certificate ensures that only Google can decrypt the traffic. The fake certificate Gogo presents to users trying to access the video site bypasses these protections, making it possible for Gogo to decipher data. It has long been Gogo’s policy to block access to streaming sites and other bandwidth-intensive services. A company official said the fake YouTube certificate is used solely to enforce the policy and not to collect data intended for YouTube. Security and privacy advocates criticized the technique anyway, characterizing it as heavy-handed.

Dan Goodin

HSTS Super Cookies are a good example of how the introduction of new features—even those that provide much-needed security improvements—can turn into holes hackers can exploit. The whole point of HSTS is to ensure a browser always uses HTTPS when making subsequent visits to a website that supports the mechanism. Browser developers almost certainly wanted those flags to carry over from normal mode to privacy mode to ensure privacy-minded users received the benefit of this protection. Now that there's a viable way of using HSTS to uniquely identify these users, developers will surely rethink their decision, but their options may remain limited.

Dan Goodin
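The quoted paragraph says HSTS can be used to identify a user but not how. The following is an added simulation, written for this page and not taken from the article or from any published tracking script, of the mechanism: a tracker treats the HSTS flag of each of N subdomains as one bit of a visitor identifier. The tracker domain, the subdomain naming, the 32-bit identifier size and the in-memory "browser" are all assumptions made for the illustration; the only real behaviour modelled is that a browser rewrites an http:// request to https:// for any host in its HSTS store, and that the store is shared with the private-browsing window.

```python
# Added example: simulation of HSTS state used as a tracking identifier.
# TRACKER, the bN.<domain> naming scheme, ID_BITS and the Browser class are
# constructed for illustration; they are not from the article.

TRACKER = "tracker.example"   # hypothetical tracking domain
ID_BITS = 32                  # bits per visitor; enough to be unique in practice


def bit_host(i):
    """Subdomain that carries bit i of the identifier."""
    return f"b{i}.{TRACKER}"


class Browser:
    """Minimal model of a browser's HSTS store.

    hsts maps host -> True, meaning "always upgrade to HTTPS", which is what a
    Strict-Transport-Security header on an HTTPS response sets.
    """

    def __init__(self, hsts=None):
        self.hsts = dict(hsts or {})

    def fetch(self, url):
        """Return the URL the browser would actually request.

        The one behaviour the simulation relies on: an http:// request to a
        host with an HSTS entry is rewritten to https:// before it is sent.
        """
        scheme, host = url.split("://", 1)
        if scheme == "http" and self.hsts.get(host):
            scheme = "https"
        return f"{scheme}://{host}"

    def apply_response_headers(self, host, headers):
        """Record HSTS state from a response received over HTTPS."""
        if "Strict-Transport-Security" in headers:
            self.hsts[host] = True


def tracker_write(browser, visitor_id):
    """First visit: the page embeds https://bN.tracker.example resources.

    Only the subdomains corresponding to 1-bits answer with an HSTS header,
    so the visitor's HSTS store ends up encoding the identifier.
    """
    for i in range(ID_BITS):
        host = bit_host(i)
        browser.fetch(f"https://{host}")
        if (visitor_id >> i) & 1:
            browser.apply_response_headers(
                host, {"Strict-Transport-Security": "max-age=31536000"})


def tracker_read(browser):
    """Later visit: embed plain http:// URLs for every bit subdomain.

    The ones the browser upgrades to https:// are the 1-bits; the tracker
    reassembles the identifier without any cookie being involved.
    """
    visitor_id = 0
    for i in range(ID_BITS):
        if browser.fetch(f"http://{bit_host(i)}").startswith("https://"):
            visitor_id |= 1 << i
    return visitor_id


def private_window_leaks(visitor_id):
    """Show the cross-mode leak the article describes: a private window that
    inherits the normal window's HSTS store yields the same identifier."""
    normal = Browser()
    tracker_write(normal, visitor_id)
    private = Browser(hsts=normal.hsts)          # shared store, as in the quoted browsers
    return tracker_read(private) == visitor_id


if __name__ == "__main__":
    print("identifier survives into private mode:", private_window_leaks(0xDEADBEEF))
```

Reading the identifier costs the tracker one request per bit, so a real script loads the bit subdomains in parallel and distinguishes the upgraded requests by having the http:// and https:// endpoints return different content. The defence side follows from the model: an HSTS store that is per-profile, cleared with site data, or not inherited by private windows breaks `tracker_read`, at the cost of losing the HTTPS-upgrade protection for those hosts.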

Update: another example, this time from a major PC manufacturer:

The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.

Dan Goodin
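Both the Gogo case above and the Superfish case come down to the same thing: the client sees a certificate for the site it asked for, but it was signed by an authority other than the one the site actually uses. Below is an added example, written for this page and not code from Ars Technica, Gogo, Lenovo or Superfish, of the two checks a practitioner would run against that situation using only the Python standard library: scanning the loaded trust store for unexpected root names, and comparing the issuer of a live leaf certificate against the issuer you expect. The search terms, the host names, the issuer names and the sample certificate records are constructed for illustration; `live_check` needs network access and is not exercised offline.

```python
# Added example: detecting an interposed certificate authority with the
# Python standard library. SUSPICIOUS_ROOT_NAMES, the expected issuer name
# and the sample records below are assumptions made for illustration.

import hashlib
import socket
import ssl

# Assumed search terms; a real deployment would keep its own list.
SUSPICIOUS_ROOT_NAMES = ("superfish", "gogo")


def name_to_dict(rdn_sequence):
    """Flatten the ((('commonName', 'x'),), ...) shape that ssl.getpeercert()
    uses for 'subject' and 'issuer' into a plain {'commonName': 'x', ...}."""
    return {k: v for rdn in rdn_sequence for (k, v) in rdn}


def find_suspicious_roots(ca_certs, patterns=SUSPICIOUS_ROOT_NAMES):
    """Scan certificate dicts (as returned by SSLContext.get_ca_certs()) for
    trust anchors whose subject matches any pattern.

    An adware root like the one the article describes lives in the trust
    store permanently, so it shows up here even though the per-site leaf
    certificates it mints are created on the fly.
    """
    hits = []
    for cert in ca_certs:
        subject = name_to_dict(cert.get("subject", ()))
        haystack = " ".join(subject.values()).lower()
        if any(p in haystack for p in patterns):
            hits.append(subject.get("commonName") or haystack)
    return hits


def check_issuer_pin(peer_cert, expected_issuer_cn):
    """True if the leaf certificate was issued by the CA we expect.

    A proxy that terminates TLS (Gogo's fake YouTube certificate, or a
    Superfish-minted leaf) presents a certificate that may chain correctly
    on the victim's machine but carries the proxy's own issuer name.
    """
    issuer = name_to_dict(peer_cert.get("issuer", ()))
    return issuer.get("commonName") == expected_issuer_cn


def cert_sha256(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate: the value to record
    on a known-good network and compare on later connections."""
    return hashlib.sha256(der_cert).hexdigest()


def live_check(host, expected_issuer_cn, port=443):
    """Connect to host and run both comparisons on what it presents.

    Note that ssl verifies the chain against the local trust store, so a
    Superfish-style root makes the handshake succeed; only the issuer pin
    and the fingerprint reveal the interposition.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            peer = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return {
        "issuer_ok": check_issuer_pin(peer, expected_issuer_cn),
        "fingerprint": cert_sha256(der),
        "suspicious_roots": find_suspicious_roots(ctx.get_ca_certs()),
    }


# Constructed sample records in the ssl.getpeercert() shape; the names are
# illustrative and not the real certificates involved.
GENUINE_LEAF = {
    "subject": ((("commonName", "*.youtube.com"),),),
    "issuer": ((("organizationName", "Example Inc"),),
               (("commonName", "Example Internet Authority"),)),
}
INTERPOSED_LEAF = {
    "subject": ((("commonName", "*.youtube.com"),),),
    "issuer": ((("commonName", "Gogo Inflight Proxy CA"),),),   # hypothetical
}
SAMPLE_TRUST_STORE = [
    {"subject": ((("commonName", "Example Root CA"),),)},
    {"subject": ((("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),))},        # illustrative
]
```

The issuer pin is the weaker of the two checks: it catches a proxy that uses its own CA name, but not one that also forges the issuer string. Recording the SHA-256 fingerprint of the leaf (or of its public key) on a network you trust and comparing it later is what actually distinguishes the genuine certificate from any substitute, which is the same idea browsers and mobile apps apply with certificate pinning.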
