Seth Schoen began his Getting HTTPS Everywhere talk at
Linuxfest Northwest (LFNW) with an optimistic take. All that's required to
have HTTPS Everywhere is
that a few million more sites deploy HTTPS, the ones that have deployed
HTTPS fix their implementations, find a way to fix the problems with the Certificate Authorities (CAs), and it's done. Piece of cake.
Perhaps it's not that simple after all. Schoen, senior technologist for the Electronic Frontier Foundation (EFF), explained early in the talk that the EFF isn't pursuing HTTPS adoption everywhere for grins — Schoen talked about Wireshark and Firesheep, and the ease with which people could snoop on others' Web traffic. He used examples of sniffing conversations over VoIP and other traffic, and said that it's "just out of convenience and courtesy" that most of the traffic that goes over a network isn't sniffed and viewed by someone else. However, convenience and courtesy only go so far — there are always those who are willing to go the extra mile to violate others' privacy for fun, profit, or other nefarious purposes.
Thus the need for encryption over all connections, and not just for
e-commerce sites, online banking, etc. The EFF and Tor Project released a Firefox extension called HTTPS
Everywhere last year to help make it easier for users to enforce the
use of HTTPS where it's supported. Schoen says that HTTPS adoption is much
better than a year ago, particularly with popular sites like Google and
Facebook. Even the US Federal Trade Commission (FTC) has called on Web services to start using HTTPS. Many sites now offer HTTPS as an option, though few offer HTTPS as the default.
So far, Schoen says that they estimate 500,000 users of the extension
— though that is merely a drop in the bucket when you consider the
number of people using Firefox (which passed 100 million downloads a few
weeks ago). The extension now supports more than 700 sites, which may sound
paltry until one realizes what's involved. It is not as simple as
adding "s" to the "http" in a request, but actually requires users to
verify that the same content is available at the URL if it is requested as
"https" instead.
In some cases, like Wikipedia, it is not. For instance, requesting "http://www.wikipedia.org" will call up (as one might expect) the front page of Wikipedia. Requesting "https://www.wikipedia.org" gives an error. Users who want secure access to Wikipedia want "secure.wikipedia.org" instead. Requesting the Mozilla homepage without the "www" gives an error for an untrusted certificate, though requesting the HTTPS version of "www.mozilla.org" works fine. In short — too many sites on the Internet do not allow the user to simply assume that HTTPS will work with all links.
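The per-site rule idea described above, as an added sketch that is not code from the extension or from the talk: the two rules are constructed from the article's Wikipedia and Mozilla examples, and the rule layout and function names are assumptions. The host is checked on the parsed URL before any pattern is applied, so look-alike hosts are left alone.

```python
import re
from urllib.parse import urlsplit

# Constructed rules modelled on the article's two examples; these are
# illustrative and are not the extension's actual rulesets.
RULES = [
    {"name": "Wikipedia (constructed)",
     "hosts": {"www.wikipedia.org"},
     "from": r"^http://www\.wikipedia\.org/",
     "to": "https://secure.wikipedia.org/"},
    {"name": "Mozilla (constructed)",
     "hosts": {"mozilla.org", "www.mozilla.org"},
     "from": r"^http://(?:www\.)?mozilla\.org/",
     "to": "https://www.mozilla.org/"},
]


def naive_upgrade(url):
    """The approach the article says is not enough: only swap the scheme."""
    return re.sub(r"^http://", "https://", url, count=1)


def rewrite(url, rules=RULES):
    """Return (url_to_request, rule_name).

    A URL is rewritten only when its parsed host is listed in a rule;
    anything else comes back unchanged with rule_name set to None.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url, None
    # Match on the parsed host, not on the raw string, so that
    # "www.wikipedia.org.example.net" or "www.wikipedia.org@example.net"
    # cannot be mistaken for the real site.
    host = (parts.hostname or "").lower()
    # Give "http://host" an explicit "/" path so the anchored patterns apply.
    normalized = parts._replace(path=parts.path or "/").geturl()
    for rule in rules:
        if host not in rule["hosts"]:
            continue
        new_url, count = re.subn(rule["from"], rule["to"], normalized,
                                 count=1, flags=re.IGNORECASE)
        if count:
            return new_url, rule["name"]
    return url, None


if __name__ == "__main__":
    for sample in ("http://www.wikipedia.org",
                   "http://mozilla.org/firefox",
                   "http://www.wikipedia.org.example.net/"):
        print(sample, "->", rewrite(sample), "| naive:", naive_upgrade(sample))
```
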
So the EFF is looking for more users to help. Schoen called on users to
install HTTPS Everywhere, send bug reports when it doesn't work properly or
sites have changed, and to help write rules for it. Naturally, it would
also help if everyone responsible for a Web site would actually turn on HTTPS.
Users of Chrome and Chromium will be able to take advantage of the HTTPS
Everywhere extension soon. Schoen said that Chrome/Chromium was not
originally targeted because Chrome lacked the APIs necessary for HTTPS
Everywhere. There's also an effort afoot to provide an HTTPS Everywhere Web
proxy. He also gave a shout-out to the DuckDuckGo search engine, which has an
option for rewriting searches so that users will be sent to the secure
version of the resulting sites if available.
HTTPS Now
It doesn't help much to have the HTTPS Everywhere extension if sites don't have a secure version to redirect to. To that end, the EFF is working with Access on a program called HTTPS Now.
This effort includes resources for correctly
deploying HTTPS and the ability to search for sites and see how (or if)
they've deployed HTTPS. It also has a reporting system for users to explain how sites use HTTPS. For instance, users can report the name of the site, whether it only uses HTTPS on some pages or all pages, whether it uses secure cookies, has a valid SSL certificate, the key size of the certificate, and more. The reporting page has a lot of help to guide users who might not understand what a technology is, or how to determine if it's used. For instance, the help page for HTTPS Strict Transport Security (HSTS) explains HSTS and guides users to Qualys SSL Labs, which has an SSL Server Test page that will examine a site and provide much of the information they want. (LWN, by the way, gets an overall rating of B from the service.) [ Editor's note: it would seem that accepting weak ciphers is the main thing dragging down our grade, which is something we plan to look into and fix in the near future. ]
SSL Observatory
Part of turning HTTPS on everywhere requires having a certificate — preferably not self-signed if one expects much traffic from users who have no way of verifying the veracity of a self-signed certificate. Not that certificates from CAs are always reliable. Schoen also talked about the SSL Observatory, another effort from the EFF to investigate certificates.
This is no small feat. According to Schoen the effort is trying to
examine all publicly visible SSL certificates on the Internet. This
has required making TLS connections to every IPv4 address. The EFF has
found that certificates are signed by about 650 organizations that are
trusted directly or indirectly by Mozilla and/or Microsoft as CAs.
Schoen says that the CA system has been subject to "a lot of little
scandals," that are worrisome. For example, some CAs have signed
certificates for unqualified domain names like "exchange" instead of
"exchange.host.tld", which is what the CAs are supposed to do. Then there's
the recent Comodo incident where a reseller
of Comodo certificates was compromised and an intruder obtained
certificates for a number of targets. Though the certificates were almost
immediately revoked, it demonstrated a potential problem with the CA and reseller structure.
Schoen noted that the system as it stands is rather fragile — not
surprising given that it was invented by Netscape as a Band-Aid to calm fears about online credit card transactions.
For now, the EFF has been gathering data and examining it on its own. Schoen says that eventually the HTTPS Everywhere plugin would allow users to submit data to the Observatory. He also noted a few other efforts along the same lines, like the Perspectives Firefox extension and Google's certificate catalog.
The combined HTTPS efforts from the EFF and its partner organizations are enormous undertakings. Having all sites on the Internet (or even most) providing secure connections, and helping to reform the current CA mess, could take quite a few years. Pushing the awareness of the need for secure connections outside the tech community that understands the issues at hand will take quite a bit of effort, not just at the user level, but also at the site level. For instance, while Google and Microsoft have HTTPS for their Webmail offerings, Yahoo only offers HTTPS at login — when one logs into Yahoo Mail using HTTPS, they're immediately shunted to HTTP after login.
This will not be an easy fix, but the EFF's efforts are already
bearing fruit. While a half-million users is a drop in the bucket,
it's an impressive uptake for one year's effort. The EFF (and tools
like Firesheep) have helped drive awareness over the last year and
encouraged some major sites to push their users to secure connections,
which is a good start — but not enough. Users would do well to
check out the resources offered by the EFF, to participate in the
Observatory and other efforts as time allows, and push their own
organizations to offer HTTPS everywhere as well.
Brief items
The problem as I see it is the slippery slope. Because next, the RIAA is
going to want to remotely disable computers they feel are engaged in
illegal file sharing. And the FBI is going to want to remotely disable
computers they feel are encouraging terrorism. And so on. It's important to
have serious legal controls on this counterattack sort of defense.
-- Bruce Schneier
Time over target can get expensive when aircraft are involved although
it can be kept down to as low as $50/hr or maybe even less so it
wouldn't take much to discover every AP in a whole metro area. A
smallish haul of card numbers resulting from the flights would easily
cover it: I always consider how much an attacker would stand to gain
when considering how likely they are to do something as outlandish as
aerial wireless recon.
-- Tracy Reed on the Dailydave mailing list (thanks to Mattias Mattsson)
The Tor project has announced that it is moving away from its Firefox
extension and toward the maintenance of its own fork of the browser.
"The Tor Browser bug
[fixes] on the other hand are more directly usable by Firefox in its own
Private Browsing Mode, which makes them more likely to merge quicker, and
be maintained long-term. Also, because we are releasing our own
Firefox-based browser, we will also have more control over experimenting
with them and deploying these fixes to our users rapidly, as opposed to
waiting for the next major Firefox release."
New vulnerabilities
firefox: arbitrary code execution
| Package(s): | firefox |
| CVE #(s): | CVE-2011-0079 |
| Created: | May 2, 2011 |
| Updated: | May 5, 2011 |
| Description: |
From the Ubuntu advisory:
Boris Zbarsky, Gary Kwong, Jesse Ruderman, Michael Wu, and Ted Mielczarek
discovered multiple memory vulnerabilities. An attacker could exploit these
to possibly run arbitrary code as the user running Firefox.
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2011-0065, CVE-2011-0066, CVE-2011-0067, CVE-2011-0069, CVE-2011-1202 |
| Created: | April 29, 2011 |
| Updated: | October 4, 2012 |
| Description: |
From the Red Hat advisory:
Two use-after-free flaws were found in the Firefox mObserverList and
mChannel objects. Malicious content could use these flaws to execute
arbitrary code with the privileges of the user running Firefox.
(CVE-2011-0066, CVE-2011-0065)
A flaw was found in the way Firefox displayed the autocomplete pop-up.
Malicious content could use this flaw to steal form history information.
(CVE-2011-0067)
A flaw was found in the way Firefox handled certain JavaScript cross-domain
requests. If malicious content generated a large number of cross-domain
JavaScript requests, it could cause Firefox to execute arbitrary code with
the privileges of the user running Firefox. (CVE-2011-0069)
A flaw was found in the Firefox XSLT generate-id() function. This function
returned the memory address of an object in memory, which could possibly be
used by attackers to bypass address randomization protections.
(CVE-2011-1202)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2011-0191, CVE-2011-1013, CVE-2011-1016, CVE-2011-1093, CVE-2011-1180, CVE-2011-1573 |
| Created: | April 28, 2011 |
| Updated: | August 19, 2011 |
| Description: |
From the SUSE advisory:
CVE-2011-0191: An information leak in the XFS geometry calls could be
used by local attackers to gain access to kernel information.
CVE-2011-1013: A signedness issue in drm_modeset_ctl() could be used
by local attackers with access to the drm devices to potentially
crash the kernel or escalate privileges.
CVE-2011-1016: The Radeon GPU drivers in the Linux kernel did not
properly validate data related to the AA resolve registers, which
allowed local users to write to arbitrary memory locations associated
with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table
(GTT) via crafted values.
CVE-2011-1093: A bug in the order of dccp_rcv_state_process() was fixed
that still permitted reception even after closing the socket. A Reset
after close thus causes a NULL pointer dereference by not preventing
operations on an already torn-down socket.
CVE-2011-1180: In the IrDA module, length fields provided by a peer
for names and attributes may be longer than the destination array
sizes and were not checked, this allowed local attackers (close to
the irda port) to potentially corrupt memory.
CVE-2011-1573: Bounds checking was missing in AARESOLVE_OFFSET, which
allowed local attackers to overwrite kernel memory and so escalate
privileges or crash the kernel.
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2011-1160, CVE-2011-1577, CVE-2011-1581 |
| Created: | April 29, 2011 |
| Updated: | November 28, 2011 |
| Description: |
From the openSUSE advisory:
CVE-2011-1160: Kernel information via the TPM devices could be used by local attackers to read kernel memory.
CVE-2011-1577: The Linux kernel automatically evaluated partition tables of storage devices. The code for evaluating EFI GUID partitions (in fs/partitions/efi.c) contained a bug that causes a kernel oops on certain
corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code.
CVE-2011-1581: Doing bridging with devices with more than 16 receive queues could crash the kernel.
mediawiki: multiple vulnerabilities
| Package(s): | mediawiki |
| CVE #(s): | CVE-2011-0047, CVE-2011-0003, CVE-2010-2787, CVE-2010-2788, CVE-2011-1578, CVE-2011-1579, CVE-2011-1580 |
| Created: | May 2, 2011 |
| Updated: | December 19, 2011 |
| Description: |
From the CVE entries:
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) comments, aka "CSS injection vulnerability." (CVE-2011-0047)
MediaWiki before 1.16.1, when user or site JavaScript or CSS is enabled, allows remote attackers to conduct clickjacking attacks via unspecified vectors. (CVE-2011-0003)
api.php in MediaWiki before 1.15.5 does not prevent use of public caching headers for private data, which allows remote attackers to bypass intended access restrictions and obtain sensitive information by retrieving documents from an HTTP proxy cache that has been used by a victim. (CVE-2010-2787)
Cross-site scripting (XSS) vulnerability in profileinfo.php in MediaWiki before 1.15.5, when wgEnableProfileInfo is enabled, allows remote attackers to inject arbitrary web script or HTML via the filter parameter. (CVE-2010-2788)
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the . (dot) character. (CVE-2011-1578)
The checkCss function in includes/Sanitizer.php in the wikitext parser in MediaWiki before 1.16.3 does not properly validate Cascading Style Sheets (CSS) token sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information by using the \2f\2a and \2a\2f hex strings to surround CSS comments. (CVE-2011-1579)
The transwiki import functionality in MediaWiki before 1.16.3 does not properly check privileges, which allows remote authenticated users to perform imports from any wgImportSources wiki via a crafted POST request. (CVE-2011-1580)
php5: multiple vulnerabilities
| Package(s): | php5 |
| CVE #(s): | CVE-2011-1072, CVE-2011-1144, CVE-2006-7243, CVE-2011-0420 |
| Created: | May 2, 2011 |
| Updated: | April 13, 2012 |
| Description: |
From the CVE entries:
The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519. (CVE-2011-1072)
The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1072. (CVE-2011-1144)
PHP before 5.3.4 accepts the \0 character in a pathname, which might allow context-dependent attackers to bypass intended access restrictions by placing a safe file extension after this character, as demonstrated by .php\0.jpg at the end of the argument to the file_exists function. (CVE-2006-7243)
The grapheme_extract function in the Internationalization extension (Intl) for ICU for PHP 5.3.5 allows context-dependent attackers to cause a denial of service (crash) via an invalid size argument, which triggers a NULL pointer dereference. (CVE-2011-0420)
python: information leak
| Package(s): | python |
| CVE #(s): | CVE-2011-1521 |
| Created: | May 3, 2011 |
| Updated: | October 18, 2012 |
| Description: |
From the Pardus advisory:
A security flaw was found in the way handlers for ftp:// and file:// URL
schemes in the Python urllib and urllib2 extensible libraries processed
the urllib open URL request. A remote attacker could use this flaw to
access sensitive information or cause a denial of service (excessive CPU
and memory use) of a Python web application, processing URLs, via a
specially-crafted urllib open URL request.
qemu-kvm: privilege escalation
| Package(s): | qemu-kvm |
| CVE #(s): | CVE-2011-1750 |
| Created: | May 2, 2011 |
| Updated: | July 7, 2011 |
| Description: |
From the Debian advisory:
The virtio-blk driver performed insufficient validation of
read/write I/O from the guest instance, which could lead to
denial of service or privilege escalation.
seamonkey: arbitrary code execution
| Package(s): | seamonkey |
| CVE #(s): | CVE-2011-0072 |
| Created: | April 29, 2011 |
| Updated: | June 7, 2011 |
| Description: |
From the Red Hat advisory:
A use-after-free flaw was found in the way SeaMonkey appended frame and
iframe elements to a DOM tree when the NoScript add-on was enabled.
Malicious HTML content could cause SeaMonkey to execute arbitrary code with
the privileges of the user running SeaMonkey.
spip: denial of service
| Package(s): | spip |
| CVE #(s): | |
| Created: | May 2, 2011 |
| Updated: | May 4, 2011 |
| Description: |
From the Debian advisory:
A vulnerability has been found in SPIP, a website engine for publishing,
which allows a malicious registered author to disconnect the website
from its database, resulting in denial of service.
thunderbird: multiple vulnerabilities
| Package(s): | thunderbird |
| CVE #(s): | CVE-2011-0070, CVE-2011-0071, CVE-2011-0073, CVE-2011-0074, CVE-2011-0075, CVE-2011-0077, CVE-2011-0078, CVE-2011-0080, CVE-2011-0081 |
| Created: | April 29, 2011 |
| Updated: | July 19, 2011 |
| Description: |
From the Red Hat advisory:
Several flaws were found in the processing of malformed HTML content. An
HTML mail message containing malicious content could possibly lead to
arbitrary code execution with the privileges of the user running
Thunderbird. (CVE-2011-0080, CVE-2011-0081)
An arbitrary memory write flaw was found in the way Thunderbird handled
out-of-memory conditions. If all memory was consumed when a user viewed a
malicious HTML mail message, it could possibly lead to arbitrary code
execution with the privileges of the user running Thunderbird.
(CVE-2011-0078)
An integer overflow flaw was found in the way Thunderbird handled the HTML
frameset tag. An HTML mail message with a frameset tag containing large
values for the "rows" and "cols" attributes could trigger this flaw,
possibly leading to arbitrary code execution with the privileges of the
user running Thunderbird. (CVE-2011-0077)
A flaw was found in the way Thunderbird handled the HTML iframe tag. An
HTML mail message with an iframe tag containing a specially-crafted source
address could trigger this flaw, possibly leading to arbitrary code
execution with the privileges of the user running Thunderbird.
(CVE-2011-0075)
A flaw was found in the way Thunderbird displayed multiple marquee
elements. A malformed HTML mail message could cause Thunderbird to execute
arbitrary code with the privileges of the user running Thunderbird.
(CVE-2011-0074)
A flaw was found in the way Thunderbird handled the nsTreeSelection
element. Malformed content could cause Thunderbird to execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2011-0073)
A directory traversal flaw was found in the Thunderbird resource://
protocol handler. Malicious content could cause Thunderbird to access
arbitrary files accessible to the user running Thunderbird. (CVE-2011-0071)
A double free flaw was found in the way Thunderbird handled
"application/http-index-format" documents. A malformed HTTP response could
cause Thunderbird to execute arbitrary code with the privileges of the user
running Thunderbird. (CVE-2011-0070)
tiff: integer overflow
| Package(s): | tiff |
| CVE #(s): | CVE-2010-4665 |
| Created: | April 29, 2011 |
| Updated: | June 21, 2011 |
| Description: |
From the openSUSE advisory:
Directories with a large number of files could cause an integer overflow in the tiffdump tool.
udisks: loads arbitrary LKMs
| Package(s): | udisks |
| CVE #(s): | CVE-2010-4661 |
| Created: | April 29, 2011 |
| Updated: | August 30, 2012 |
| Description: |
From the openSUSE advisory:
This update of udisks improves input validation. Before it was possible to load arbitrary LKMs.
usb-creator: restriction bypass
| Package(s): | usb-creator |
| CVE #(s): | CVE-2011-1828 |
| Created: | May 2, 2011 |
| Updated: | May 4, 2011 |
| Description: |
From the Ubuntu advisory:
Evan Broder discovered that usb-creator did not properly enforce
restrictions when performing privileged disk operations. A local attacker
could use this flaw to perform certain disk operations, such as unmount
arbitrary mountpoints.
vino: denial of service
| Package(s): | vino |
| CVE #(s): | CVE-2011-0904, CVE-2011-0905 |
| Created: | May 3, 2011 |
| Updated: | January 22, 2013 |
| Description: |
From the Ubuntu advisory:
Kevin Chen discovered that Vino incorrectly handled certain client
framebuffer requests. A remote attacker could use this flaw to cause Vino
to crash, leading to a denial of service.
vlc: heap corruption
| Package(s): | vlc vlc-firefox |
| CVE #(s): | CVE-2011-1684 |
| Created: | May 3, 2011 |
| Updated: | May 4, 2011 |
| Description: |
From the Pardus advisory:
When parsing some MP4 (MPEG-4 Part 14) files, insufficient buffer size
might lead to corruption of the heap.
Page editor: Jake Edge