LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SecurityFirefox 3 SSL certificate warningsUsers of Firefox 3 have likely seen the new warnings for various "invalid" SSL certificates. Unlike earlier versions of Firefox, these new warnings are much scarier, as well as more difficult to ignore—clicking through to the web site is decidedly more time consuming. This is exactly as the Mozilla folks intend, but it has raised some eyebrows, and ire, amongst site owners and Firefox users. ![[SSL warning part 1]](/images/ff3ssl/ff3httpswarn1_sm.png)
SSL certificates are used to enable encrypted communication (i.e. https) between browsers and web sites. Web site owners generate a public and private key for use in the encryption. The public key gets wrapped up in an X.509 certificate and must be signed by someone. For larger sites, it is typically a certificate authority (CA) that signs the certificate, but that generally costs money. Many smaller sites will sign their own certificate creating what is known as a self-signed certificate As part of the negotiation of an encrypted connection, a web site will present its certificate to the browser. In order to prevent man-in-the-middle attacks against the encrypted connection, the browser needs to verify that the certificate belongs to the web site it believes it is talking to. It does that by verifying the signature of the CA. ![[SSL warning part 2]](/images/ff3ssl/ff3httpswarn2_sm.png)
A signature can only be verified if the browser has the public key of the CA that has signed the certificate. Because there are a multitude of CAs, a "web of trust" is established whereby a number of root CAs sign the certificate of lesser CAs, who might in turn sign for other CAs. A browser developer, like Mozilla, chooses a set of root certificates that they trust. When verifying the certificate from some random website, the browser follows the signature chain; if it reaches one of their root certificates, the web site certificate is valid. A self-signed certificate will, of course, fail this test. When a user comes across a site that has such a certificate, Firefox 3 puts up a nasty warning. The images that accompany this article are screenshots of the warning, along with two of the three steps one must take to accept the certificate. They were generated by visiting https://bugzilla.gnome.org. The days of a single pop-up message that could easily be clicked through are long gone. ![[SSL warning part 3]](/images/ff3ssl/ff3httpswarn3_sm.png)
There are a few different issues here. To start with, there are a large number of legitimate sites that have self-signed certificates. In order to access those sites, users are being trained to click through a series of dialogs and scary ("Legitimate banks, stores, and other public sites will not ask you to do this") warnings, just as they were trained to do with single pop-up message in earlier Firefox versions. Mozilla's position is that self-signed certificates are untrustworthy, not invalid necessarily, but not something that the browser can trust without asking the user. Because most users are not very sophisticated, the warnings need to be detailed and somewhat frightening. The problem is that users of all kinds may get annoyed by the dialogs—then train themselves to essentially ignore them. Because there are CAs, like StartSSL, that provide free certificate signing (as well as others that cost less than $20/year), Mozilla is clearly trying to push web sites into moving away from self signing. There is a risk of man-in-the-middle attacks from self-signed certificates because anyone can create certificate that purports to be for any other given web site. To some extent, though, the level of danger depends on what the encryption is trying to protect. For sites that do e-commerce or transmit and receive sensitive information, there is no question that a CA signed certificate is required. There are other reasons to encrypt traffic, though, including evading deep packet inspection (DPI), where the risks of accepting a bogus certificate are relatively low. One might get ads injected into their web browser inappropriately—annoying, but hardly fatal. There is no simple solution. Mozilla is erring on the side of caution by trying to protect its users while still allowing them to override its protections. Other techniques, possibly like the Perspectives Firefox extension, may help alleviate the problem in the long term. Until then, we may have to just grit our teeth and click our way past the multiple warnings.
Brief items CERT warns about SSH key-based attacksCERT has sent out an advisory on key-based attacks being used against Linux systems. "The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as 'phalanx2' is installed." There's no talk of where the original stolen keys come from. CERT's advice includes disabling key-based authentication, which, of course, runs counter to the advice given to those trying to defend against brute-force password-guessing attacks.
Perspectives: an extension to block man-in-the-middle attacksA group at Carnegie Mellon University has announced the availability of a Firefox extension called "Perspectives"; its purpose is to provide an independent verification of SSL HTTP connections. "Perspectives employs a set of friendly sites, or 'notaries,' that can aid in authenticating Web sites for financial services, online retailers and other transactions requiring secure communications. By independently querying the desired target site, the notaries can check whether each is receiving the same authentication information, called a digital certificate, in response." The system also gets rid of the obnoxious Firefox popups associated with self-signed certificates; more information on the Perspectives page.
Revealed: The Internet's Biggest Security Hole (Wired)Wired covers a talk given at DefCon about vulnerabilities in the Border Gateway Protocol (BGP) which is the protocol used to advertise routes for internet traffic. The attack can hijack packets bound for a particular IP address, then silently send them on to the proper destination—possibly after modifying them. "The issue exists because BGP's architecture is based on trust. To make it easy, say, for e-mail from Sprint customers in California to reach Telefonica customers in Spain, networks for these companies and others communicate through BGP routers to indicate when they're the quickest, most efficient route for the data to reach its destination. But BGP assumes that when a router says it's the best path, it's telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic."
New vulnerabilities ipsec-tools: two denial of service vulnerabilities
java: vulnerable versions can be requested by applet
kernel: several vulnerabilities
libxml2: denial of service
openoffice.org: numeric truncation error
tiff: arbitrary code execution
tomcat: multiple vulnerabilities
yelp: format string vulnerability
Page editor: Jake Edge |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||