<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/">
<channel>
<title>Techdirt. Stories filed under &quot;https&quot;</title>
<description>Easily digestible tech news...</description>
<link>http://www.techdirt.com/</link>
<language>en-us</language>
<image><title>Techdirt. Stories filed under &quot;https&quot;</title><url>http://www.techdirt.com/images/td-88x31.gif</url><link>http://www.techdirt.com/</link></image>
<item>
<pubDate>Fri, 11 Jan 2013 17:38:43 PST</pubDate>
<title>Nokia Running A Man In The Middle Attack To Decrypt All Your Encrypted Traffic, But Promises Not To Peek</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/blog/wireless/articles/20130111/03432221640/nokia-running-man-middle-attack-to-decrypt-all-your-encrypted-traffic-promises-not-to-peek.shtml</link>
<guid>http://www.techdirt.com/blog/wireless/articles/20130111/03432221640/nokia-running-man-middle-attack-to-decrypt-all-your-encrypted-traffic-promises-not-to-peek.shtml</guid>
<description><![CDATA[ This is a bit crazy.  After a security researcher pointed out that Nokia's Xpress Browser is basically <a href="http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/" target="_blank">running a giant man in the middle attack</a> on any encrypted HTTPS data you transmit, the company played the whole situation down by saying, effectively, <a href="http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/" target="_blank">sure, that's what we do, but it's not like we <i>look</i> at anything</a>.  This is, to put it mildly, not comforting.  Just the fact that they're running a man in the middle attack in the first place is immensely concerning.  The reason they do it is that this is a proxy browser, similar to Opera, that tries to speed up browsing by proxying a lot of the content -- meaning that all of your surfing goes through their servers.  In some cases, this can be much faster for mobile browsing.  But, the right way to do such a thing is to only do the proxying on unencrypted traffic.  With encrypted traffic, you're just asking for trouble.
<br /><br />
After sensing the backlash, Nokia pushed out an update of the browser that appears to remove the man-in-the-middle attack, even as it had tried to claim there was nothing wrong in the first place.  However, the original researcher who discovered this, Gaurang K Pandya, updated his post to note that it's not all good news.
<blockquote><i>
Just upgraded my Nokia browser, the version now is 2.3.0.0.48, and as expected there is a change in HTTPS behaviour. There is good news and bad news. The good news is with this browser, they are no longer doing a Man-In-The-Middle attack on HTTPS traffic, which was originally the issue, and the bad news is the traffic is still flowing through their servers. This time they are tunneling HTTPS traffic over an HTTP connection to their server.
</i></blockquote><br /><br /><a href="http://www.techdirt.com/blog/wireless/articles/20130111/03432221640/nokia-running-man-middle-attack-to-decrypt-all-your-encrypted-traffic-promises-not-to-peek.shtml">Permalink</a> | <a href="http://www.techdirt.com/blog/wireless/articles/20130111/03432221640/nokia-running-man-middle-attack-to-decrypt-all-your-encrypted-traffic-promises-not-to-peek.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/blog/wireless/articles/20130111/03432221640/nokia-running-man-middle-attack-to-decrypt-all-your-encrypted-traffic-promises-not-to-peek.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>not-too-comforting</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130111/03432221640</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 19 Apr 2012 12:25:00 PDT</pubDate>
<title>Congressional Reps Pushing CISPA Cybersecurity Bill Don't Even Know How To Secure Their Own Websites</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120419/04341818557/congressional-reps-pushing-cispa-cybersecurity-bill-dont-even-know-how-to-secure-their-own-websites.shtml</link>
<guid>http://www.techdirt.com/articles/20120419/04341818557/congressional-reps-pushing-cispa-cybersecurity-bill-dont-even-know-how-to-secure-their-own-websites.shtml</guid>
<description><![CDATA[ One of the big concerns we've had over politicians trying to regulate technology is how gleefully ignorant they often seem to be about the technology they seek to regulate.  It's no different with the cybersecurity bill CISPA.  We've been asking for months for some <i>actual</i> evidence that shows that we really need a cybersecurity bill, and all we get are fanciful stories about planes falling from the sky and hackers taking down power grids.  If either thing were possible, the real response shouldn't be to set up a cybersecurity bill, but to <i>disconnect those key infrastructure pieces from the internet</i>.
<br /><br />
Either way, we're learning, once again, that the backers of CISPA don't seem to know the slightest thing about "cybersecurity."  Actual cybersecurity expert Chris Soghoian has highlighted how the key sponsors of CISPA <a href="http://paranoia.dubfire.net/2012/04/congressmen-pushing-awful-cybersecurity.html" target="_blank">fail at basic cybersecurity for their own websites</a>, raising serious questions about their competence in writing a cybersecurity bill.
<blockquote><i>
Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.
<br /><br />
So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how is their own information security? While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.
</i></blockquote>
Take a wild guess what he found. First, he looks at whether or not they use HTTPS.  As he notes, "It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry."  So, what did Soghoian find?  It appears that neither Rep. Rogers nor Rep. Ruppersberger does a very good job securing their own sites.  He finds some sites without any HTTPS at all, and the others have it configured incorrectly.
<blockquote><i>
<p>When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.</p>

<center>
<a href="http://imgur.com/2qaxY"><img src="http://i.imgur.com/2qaxY.png" width="400" /></a>
</center>

<p>Congressman Dutch's <a href="http://www.dutchforcongress.com/">campaign webserver</a> appears to support HTTPS, but returns a <a href="https://www.dutchforcongress.com/">certificate error</a>.</p>

<center>
<a href="http://imgur.com/XBrCv"><img src="http://i.imgur.com/XBrCv.png" width="400" /></a>
</center>
</i></blockquote>
He notes that there is really no excuse for these configuration errors, because the House appears to be set up with an HTTPS server, and other Reps have it properly configured on their sites.  Not much really needs to be done.  However, the fact that <i>other</i> Reps have set up HTTPS really raises concerns about these two Reps and their staff when it comes to cybersecurity:
<blockquote><i>
The webserver that runs all of the house.gov websites is listening on port 443 and it looks like Akamai has issued a wildcard *.house.gov certificate that can be used to secure any Congressional website. As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like there is some non-HTTPS encrypted content delivered from that page too.) This means that the Congressional IT staff can enable HTTPS encryption for Rogers, Ruppersberger and every other member without having to buy any new HTTPS certificates or setting up new webservers. The software is already all there - and the fact that these sites do not work over HTTPS connections already suggests that no one in the members' offices has asked for it.
</i></blockquote>
Rep. Rogers, of course, recently stated that he's so concerned with the threats of cybersecurity that he literally "can't sleep at night."  Funny, then, that he never bothered to make sure <i>his own website</i> was secure, huh?<br /><br /><a href="http://www.techdirt.com/articles/20120419/04341818557/congressional-reps-pushing-cispa-cybersecurity-bill-dont-even-know-how-to-secure-their-own-websites.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20120419/04341818557/congressional-reps-pushing-cispa-cybersecurity-bill-dont-even-know-how-to-secure-their-own-websites.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20120419/04341818557/congressional-reps-pushing-cispa-cybersecurity-bill-dont-even-know-how-to-secure-their-own-websites.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>don't-regulate-what-you-don't-know</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120419/04341818557</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 1 Mar 2011 13:40:00 PST</pubDate>
<title>Senator Schumer Fails To Properly Use HTTPS On His Own Site, After Pushing Other Sites To Use It [Updated]</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20110301/00501413307/senator-schumer-fails-to-properly-use-https-his-own-site-after-pushing-other-sites-to-use-it.shtml</link>
<guid>http://www.techdirt.com/articles/20110301/00501413307/senator-schumer-fails-to-properly-use-https-his-own-site-after-pushing-other-sites-to-use-it.shtml</guid>
<description><![CDATA[ This is just lovely.  We just wrote about how Senator Chuck Schumer was pressuring websites to <a href="http://www.techdirt.com/articles/20110228/00093513299/senator-schumer-says-websites-should-default-to-https.shtml">use https instead of http</a>, saying (not really accurately) that http has a "security flaw."  However, <a href="http://www.techdirt.com/profile.php?u=gojomo" target="_blank">gojomo</a> pointed out in a <a href="http://www.techdirt.com/articles/20110228/00093513299/senator-schumer-says-websites-should-default-to-https.shtml#c33">comment</a> on that post that Schumer's own page, when you hit it via https at <a href="https://schumer.senate.gov/" target="_blank">https://schumer.senate.gov/</a> reports:
<center>
"schumer.senate.gov uses an invalid security certificate."
</center>
<br />
Ooops.  Both Firefox and Chrome warn you not to proceed, because the connection is "untrusted" or "might not be the site you are looking for."  Obviously, this is probably just a small technical error by Schumer's tech staff, but it does look pretty bad when he's out there grandstanding on https.  Of course, this isn't to diminish that https is a useful tool that many websites should use to protect users, but it's not clear that we want politicians telling websites what protocols to use (especially when they haven't quite figured them out themselves).
<br /><br />
<b>Update</b>: Some great points in the comments highlighting that Schumer and his staff don't control the tech behind his Senate website, and any such cert would have to be controlled by the Senate IT folks.  Also they pointed out that Schumer's Senate site does not appear to take user info/logins so HTTPS wouldn't much matter.  However, his personal/campaign site does appear to take info and also does not use HTTPS.
<br /><br />
Separately, others pointed out that one of the sites he called out -- Amazon -- does use HTTPS when you login and/or order, and his calling them out suggests they're unsafe when it appears they are safe.<br /><br /><a href="http://www.techdirt.com/articles/20110301/00501413307/senator-schumer-fails-to-properly-use-https-his-own-site-after-pushing-other-sites-to-use-it.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20110301/00501413307/senator-schumer-fails-to-properly-use-https-his-own-site-after-pushing-other-sites-to-use-it.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20110301/00501413307/senator-schumer-fails-to-properly-use-https-his-own-site-after-pushing-other-sites-to-use-it.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>ooooops</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20110301/00501413307</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 28 Feb 2011 22:01:30 PST</pubDate>
<title>Senator Schumer Says Websites Should Default To HTTPS</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20110228/00093513299/senator-schumer-says-websites-should-default-to-https.shtml</link>
<guid>http://www.techdirt.com/articles/20110228/00093513299/senator-schumer-says-websites-should-default-to-https.shtml</guid>
<description><![CDATA[ There are plenty of websites where it absolutely makes sense for the default to be https, rather than http as the protocol (if you don't know -- and you should -- https encrypts the traffic, while http does not).  Most banks and such already use https, but plenty of sites that don't involve financial institutions do not.  Even sites like Google's Gmail only recently switched over to defaulting to https.  Still, it's a bit of a surprise to see Senator Chuck Schumer announcing that <a href="http://www.reuters.com/article/2011/02/27/us-schumer-wifi-idUSTRE71Q2N420110227?feedType=RSS&#038;feedName=technologyNews&#038;WT.tsrc=Social%20Media&#038;WT.z_smid=twtr-reuters_tech&#038;WT.z_smid_dest=Twitter" target="_blank">major websites should switch to https</a>, and it makes me wonder if he's preparing legislation on that.  I'm not so sure that we want a law mandating https.
<br /><br />
Separately, he seems to indicate that the lack of encryption with http is a "security flaw" that only really got attention in 2007.  That's not quite true.  I mean it's been well known that http isn't encrypted for much, much longer than that.  And it's not so much a "flaw" as the basic way that http was designed.  And, of course, whether or not websites use https, you can protect yourself with VPN encryption software or services, but it doesn't seem like Schumer wants to mandate that...<br /><br /><a href="http://www.techdirt.com/articles/20110228/00093513299/senator-schumer-says-websites-should-default-to-https.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20110228/00093513299/senator-schumer-says-websites-should-default-to-https.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20110228/00093513299/senator-schumer-says-websites-should-default-to-https.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>security</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20110228/00093513299</wfw:commentRss>
</item>
</channel>
</rss>