It seems that nothing we're told can be trusted is as trustworthy as we're led to believe. Up until now, we've basically been trusting our emotional bias towards certain brands: Microsoft, Apple, Linksys, Dell, Samsung, iOS, Android et al.
So we need to evaluate a few things...
- What software can I trust? Is Windows trustworthy? Is Mac OS X? Is there any operating system I can trust?
- What hardware can I trust? Can I even trust the actual computer I'm using right now? Can I trust my phone?
- What online services can I trust? Is online backup actually safe, or am I taking all my local PRIVATE data and entrusting it to servers on the internet hosted by companies that may or may not be trustworthy?
- What can I do to protect myself?
- Are there any companies that I can truly entrust my data to in any form?
Those questions are a lot bigger than they appear at first glance, and each deserves its own treatment. I won't cover them in this blog post. Instead, I'll start by elaborating on the issue I mentioned in my previous post: HTTPS, the thing that says it's safe to enter your personal information on a website.
SSL and TLS are the technologies the media lead us to put our trust in: the ones that put the little padlock in your address bar and claim the connection is secure. I'm going to give you a basic crash course on the infrastructure that holds together our online security. Don't be scared off; I'm purposely going to gloss over the heavy technical detail, because it only complicates things and won't give you a clearer picture of the overall problem.
Let's say you go to your online banking website (just an example; a purchase from Tesco or Wal-Mart uses exactly the same technology). The first thing you may notice when you log in is that, depending on the browser you use, the address bar may have changed colour, a padlock will have appeared somewhere on your screen, and the address will start with HTTPS instead of HTTP. These are the indicators you're led to believe keep you safe, the cues that say it's fine to shop online with your credit card details... and indeed, they're the hallmarks of the security infrastructure that's been set up to protect you. Let's look at what's going on behind the scenes...
The site you're visiting has acquired what's called a digital certificate, which is supposed to verify the identity of the computer (the web server) that's sending your computer the web page. A certificate is a statement, signed by a certificate authority (CA), that a particular public key belongs to a particular name such as www.myonlinebank.com; nobody can forge that signature without the authority's private key, so it works somewhat like a passport or identity card. The server is bona fide... allegedly.
Of course, bona fides are only as good as the authority that issues them. Just as with a passport, if we can't trust the authority that issued it, we can't trust the document. So how can you trust the authority? Well, in a nutshell, because we're told to. Does that sound right to you? Me neither. What happens in the internet world is what's called a "chain of trust": the website's certificate was signed by a certificate authority, that authority's own certificate was signed by another authority above it, and so on up to a top-level ("root") authority. The root isn't signed by anyone above it; it's trusted simply because its certificate is on the list built into your browser or operating system by someone big (Microsoft, Apple, Mozilla or Google, depending on what you run) who says it's okay, you can trust them.
One of the biggest top-level authorities, from which a vast number of certificates descend, is a US company called VeriSign. I'm not knocking VeriSign, and I'm not setting out to make these guys look bad. They provide a service to the best of their ability and, god love 'em, they do it pretty well. The problem is that the system is flawed not because you can't trust them, but because it puts them, and every one of the many other root authorities on your browser's list, in a position where you have no choice but to trust them. Any root on that list can sign a certificate for any website name, and your browser will accept it. Here's why that matters...
VeriSign is a US company and consequently bound by US law, which may or may not be comparable to the law of your country of residence. Recently there has been a spate of incidents in which it has come to light that US companies have been compelled, with legal impunity, to violate laws they would otherwise be bound by so that the authorities could spy on people around the world, including their own citizens. It would be easy for a bad actor (in this sense, anyone with malicious intent who shouldn't be trusted) to set up a fake website and, through legal means, blackmail or coercion, compel VeriSign (or any other certificate authority your browser trusts) to issue a certificate of authenticity saying that their website is the real McCoy. They can then redirect your traffic to their web server, which looks exactly like the original and still shows the padlock and the other security cues that tell you the site is safe. For all intents and purposes, it is indistinguishable from the original. Even if you had the technical ability to pull up the certificate and inspect it, it would pass every check your browser makes: valid signature, valid dates, the right name. The differences lie in details you would have to know in advance to spot, for instance a different issuing authority or a different certificate fingerprint from the real site's, or the web server's IP address suddenly appearing to be in a different country than before. But again, it may not.
When you enter a website address in your web browser, a few things happen [if you don't know what an IP address is, it's basically the phone number of your computer on the internet]:
- You connect your computer to a router you trust - probably your home router, but it could easily be the wifi at the office, at Starbucks, at the airport or on some other public network.
- You open your web browser and enter a web address in the address bar.
- Your computer checks a local database, called a cache, to see if it already has an IP address for that website.
- If the IP address is in the cache, your computer skips the DNS lookup below and connects straight to that address.
- If it isn't, your computer looks up the list of DNS servers it has been given. DNS stands for Domain Name System; it's basically a phone book for looking up the IP address of the website you entered. The list of DNS servers is usually handed to your router automatically by your Internet Service Provider when the router connects to the internet, and your computer in turn gets the list from the router when it joins the wifi.
- Your computer sends the server part of the address - the bit between https:// and the next /, for instance www.myonlinebank.com or www.walmart.com - to the first DNS server in the list.
- The DNS server looks up the IP address for the name you requested (asking other DNS servers on your behalf if it has to) and sends it back to your computer.
- If that DNS server doesn't answer, your computer asks the next one in the list, and so on.
- If no DNS server can find an IP address, your computer receives an "unknown host" response, your web browser displays an ugly message to say it couldn't find what you're looking for, and you curse.
- Once your computer has an IP address, it opens a connection to that address. For an HTTPS address, the first thing the computer on the other end does is present its certificate - the one we discussed earlier - before any page is exchanged.
- Your web browser checks that the certificate chains up to an authority on its trusted list, that it hasn't expired, and that the name on it matches the name you typed. If it passes, the browser activates all the pretty security cues that tell you the page is authentic and secure, and only then sends the request for the page over the now-encrypted connection.
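Here is what that phone-book lookup looks like on the wire, as an added example that is not part of the original post. It is a minimal DNS client in pure Python (standard library only) that builds the query your computer sends for www.myonlinebank.com and then parses the reply. Nothing touches the network: the three replies it feeds through the parser are constructed by the script itself to stand in for what a DNS server would send back, and the IP addresses come from the reserved documentation ranges. The point it makes is that a plain DNS client has exactly one defence against a forged answer, the 16-bit transaction ID and the repeated question, and a server you have been pointed at sees the query and so passes that check trivially.

```python
"""Added example (not from the original post): a minimal DNS client in pure
Python showing what the "phone book" lookup looks like on the wire.

Nothing here touches the network. The three replies are constructed by this
script to stand in for what a DNS server would send back; the host name
www.myonlinebank.com and the IP addresses (from the reserved documentation
ranges 203.0.113.0/24 and 198.51.100.0/24) are made up for the illustration.
"""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """www.example.com -> b'\\x03www\\x07example\\x03com\\x00' (DNS wire labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name):
    """The packet your computer sends: a 12-byte header plus one question."""
    # id, flags (RD=1: 'please recurse for me'), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def read_name(packet, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_reply(packet, txid, name):
    """Return the A records in a reply, or None if the reply is not acceptable.

    These checks are all a plain (non-DNSSEC) resolver can do: the reply must
    be a response, carry the transaction ID we chose, and repeat our question.
    """
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F or qd != 1:
        return None
    off = 12
    qname, off = read_name(packet, off)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    if (qname, qtype, qclass) != (name, TYPE_A, CLASS_IN):
        return None
    addrs = []
    for _ in range(an):
        _rname, off = read_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4):
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_reply(txid, name, addrs, ttl=300):
    """Constructed reply, as a DNS server (honest or not) would send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for addr in addrs:
        answers += (b"\xc0\x0c"                          # pointer to the question name
                    + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
                    + bytes(int(octet) for octet in addr.split(".")))
    return header + question + answers


def lookup_demo():
    """Run three constructed replies through the client's checks."""
    name, txid = "www.myonlinebank.com", 0x1A2B
    query = build_query(txid, name)
    assert len(query) == 12 + len(encode_name(name)) + 4
    honest = build_reply(txid, name, ["203.0.113.10"])
    # Forged by someone who could not see the query and guessed the ID wrong.
    bad_guess = build_reply(0x1A2C, name, ["198.51.100.99"])
    # From a rogue server your router was pointed at: it saw the query, so it
    # knows the ID, and the client has nothing left to check.
    rogue = build_reply(txid, name, ["198.51.100.99"])
    return {
        "honest": parse_reply(honest, txid, name),
        "forged_wrong_id": parse_reply(bad_guess, txid, name),
        "rogue_resolver": parse_reply(rogue, txid, name),
    }


if __name__ == "__main__":
    for case, answer in lookup_demo().items():
        print(f"{case}: {answer}")
```

Only the reply with the wrong transaction ID is rejected. The rogue resolver's answer is accepted without complaint, and from here on your computer connects to 198.51.100.99 believing it is your bank; the certificate check described above is the only thing left standing between you and the attacker.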
In that process, there are a whole heap of places that can be attacked to get between you and the real server in order to get at your information...
- The wifi on your router can be hacked and the router reprogrammed to give an attacker access to your local network, from where they can go after the data on your computers directly.
- Someone can obtain a bad certificate and pretend to be a legitimate website, but this requires redirecting you to their site instead of the original. That can be done by reconfiguring your router so that all DNS queries go to DNS servers they control, or by tampering with the real DNS servers you use so that they answer with the address of the attacker's web server.
- Someone can find a way to install a root certificate of their own into your computer's trust store. Any certificate they sign with it will then look perfectly secure in your web browser, even though no trustworthy authority ever vouched for it.
- Someone could compel a trusted authority, such as VeriSign, to issue them a "legitimate" certificate for a rogue website and use it to collect your information.
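To see that a certificate from the wrong authority really is indistinguishable to anyone without prior knowledge, and that an extra root in your trust store vouches for any name at all, here is an added example (not from the original post) that builds two chains of trust for the same website name with the openssl command-line tool and runs the same checks a browser runs. It assumes openssl (1.1.1 or newer) is on your PATH; the authority names "Genuine Root CA" and "Coerced Root CA", the host name www.myonlinebank.com and the temporary files are all made up for the illustration, and nothing is sent over the network.

```python
"""Added example (not from the original post): two chains of trust for the
same website name, checked the way a browser checks them.

Assumes the `openssl` command-line tool (1.1.1 or newer) is on PATH. The
authority names, the host name www.myonlinebank.com and every file created
here are made up for the illustration; nothing touches the network.
"""
import os
import subprocess
import tempfile

HOST = "www.myonlinebank.com"   # example name, as used in the post


def openssl(workdir, *args):
    """Run one openssl command inside workdir; return (exit code, output)."""
    proc = subprocess.run(["openssl", *args], cwd=workdir, text=True,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.returncode, proc.stdout


def must(result):
    """Raise with openssl's own output if a command failed."""
    rc, out = result
    if rc != 0:
        raise RuntimeError(out)
    return out


def write(workdir, filename, text):
    with open(os.path.join(workdir, filename), "w") as f:
        f.write(text)
    return filename


def make_root(workdir, tag, common_name):
    """A self-signed root: the 'top-level authority' a browser simply trusts."""
    ext = write(workdir, f"{tag}.ext",
                "basicConstraints=critical,CA:TRUE\n"
                "keyUsage=critical,keyCertSign,cRLSign\n")
    must(openssl(workdir, "req", "-new", "-newkey", "rsa:2048", "-nodes",
                 "-subj", f"/CN={common_name}",
                 "-keyout", f"{tag}.key", "-out", f"{tag}.csr"))
    must(openssl(workdir, "x509", "-req", "-in", f"{tag}.csr",
                 "-signkey", f"{tag}.key", "-days", "30",
                 "-extfile", ext, "-out", f"{tag}.crt"))
    return f"{tag}.crt", f"{tag}.key"


def issue_server_cert(workdir, ca_crt, ca_key, hostname, tag):
    """The authority signs a statement: 'this public key belongs to hostname'."""
    ext = write(workdir, f"{tag}.ext",
                f"basicConstraints=CA:FALSE\nsubjectAltName=DNS:{hostname}\n")
    must(openssl(workdir, "req", "-new", "-newkey", "rsa:2048", "-nodes",
                 "-subj", f"/CN={hostname}",
                 "-keyout", f"{tag}.key", "-out", f"{tag}.csr"))
    must(openssl(workdir, "x509", "-req", "-in", f"{tag}.csr",
                 "-CA", ca_crt, "-CAkey", ca_key, "-CAcreateserial",
                 "-days", "30", "-extfile", ext, "-out", f"{tag}.crt"))
    return f"{tag}.crt"


def browser_accepts(workdir, trust_store, server_crt, hostname):
    """What the padlock rests on: chains to a root in the store, name matches."""
    rc, _ = openssl(workdir, "verify", "-CAfile", trust_store,
                    "-verify_hostname", hostname, server_crt)
    return rc == 0


def fingerprint(workdir, crt):
    """SHA-256 fingerprint: the detail that differs, if you know what to expect."""
    out = must(openssl(workdir, "x509", "-in", crt, "-noout",
                       "-fingerprint", "-sha256"))
    return out.strip().split("=", 1)[1]


def chain_of_trust_demo():
    workdir = tempfile.mkdtemp(prefix="chain-of-trust-")
    genuine_crt, genuine_key = make_root(workdir, "genuine", "Genuine Root CA")
    rogue_crt, rogue_key = make_root(workdir, "rogue", "Coerced Root CA")
    real_site = issue_server_cert(workdir, genuine_crt, genuine_key, HOST, "real")
    fake_site = issue_server_cert(workdir, rogue_crt, rogue_key, HOST, "fake")
    # A browser's store holds many roots; here it holds both of ours.
    store = write(workdir, "store.pem",
                  open(os.path.join(workdir, genuine_crt)).read()
                  + open(os.path.join(workdir, rogue_crt)).read())
    return {
        "real_site_trusted_by_genuine_root": browser_accepts(workdir, genuine_crt, real_site, HOST),
        "fake_site_trusted_by_genuine_root": browser_accepts(workdir, genuine_crt, fake_site, HOST),
        "fake_site_trusted_by_rogue_root": browser_accepts(workdir, rogue_crt, fake_site, HOST),
        "fake_site_trusted_by_full_store": browser_accepts(workdir, store, fake_site, HOST),
        "real_site_trusted_by_full_store": browser_accepts(workdir, store, real_site, HOST),
        "fingerprints_match": fingerprint(workdir, real_site) == fingerprint(workdir, fake_site),
    }


if __name__ == "__main__":
    for check, outcome in chain_of_trust_demo().items():
        print(f"{check}: {outcome}")
```

With only the genuine root in the store, the coerced authority's certificate is refused. Add that second root to the store, whether because the browser vendor ships it or because someone installed it on your machine, and both certificates for www.myonlinebank.com pass every check. The last line is the only objective difference: the two certificates have different fingerprints and different issuers. That is why noting which authority your bank actually uses, or pinning the fingerprint you have seen before, is the one check that catches a certificate the system itself considers perfectly valid.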
There is a less broken approach using an infrastructure called "Web of Trust", but honestly, that's not much less broken than the Chain of Trust that web browsers are configured for. I will cover that in another post.
So there you have it: that is why putting your faith blindly in HTTPS is not secure. What can you do to protect yourself against these issues? Am I saying don't use online banking or make purchases online? No, I'm not saying that at all. I am saying be careful which sites you trust, and don't trust them just because your browser says to. If you see anything suspicious, like marketing emails from companies you don't normally get email from, emails asking you to log in to update your security information, or emails claiming to be from the security departments of various companies, beware. Chances are you can still make purchases from your usual online stores, and chances are your usual banking website is legitimate. If in doubt, open your web browser and type the address into the address bar yourself. Don't Google for your bank's website, and don't open it from links in an email. Be cautious.
There are some things we should also do to help mitigate certain attack approaches (what we call attack vectors):
- Never connect to a wifi access point you can't be sure you can trust. The minute you do, everything you transmit passes through equipment controlled by whoever runs that access point: anything not encrypted can be read outright, and even HTTPS traffic can be steered into the DNS and certificate attacks described above.
- If you must connect to a public wifi access point, find the provider and ask them the name of it; don't assume that every network you can see can be trusted. It's easy to set up a fake wifi access point in a coffee shop and start harvesting people's data. [Side note: never plug your iPhone into a charger you can't trust either; there are attacks that can install malicious software on your iPhone through the charging cable to harvest your data as well.]
- Log in to your home router right now and make sure you've changed the following:
- The router should definitely not have the default network name, so change it from Linksys or DLink or whatever it was when you got it to something else. It shouldn't be anything that can easily be tied to your address, location or person; someone shouldn't be able to identify your network just by knowing you, let alone get onto it unless you've given them the access information.
- The router should definitely not have the default password, and if you have a router that lets you change the default username, change that too.
- The router should not have remote administration enabled unless you absolutely need it, and if it is enabled, don't use the default port. Changing the port isn't much of a hindrance, because an attacker with a port scanner will still find it, but it's one extra step they must take, which reduces the chance you'll be attacked by some kid without much of a clue.
- The router should be using at least WPA2 security. That isn't foolproof: with a shared key, anyone who records a device joining your network can sit at home and guess the passphrase offline, and a weak passphrase will fall quickly. But it's much safer than WEP and WPA, which any 15-year-old with some readily available software can bypass. A shared key is itself a risk; if you can configure enterprise-grade security on your router, giving each user their own username and password, it's a lot safer. I'll cover that in a later blog post.
- Make sure your shared key is strong: a mix of lower- and upper-case letters, numbers and other symbols, and considerably longer than 8 characters. WPA2 allows up to 63, and a long passphrase costs you nothing while putting it out of reach of password-guessing attacks.
- If you expect anyone other than your household to use your wifi - family and friends, for instance - set up a guest network and enable wireless isolation, so that every device on the guest network is kept in its own space and can't see your own machines or each other.
- Configure wireless MAC address filtering. The MAC address is a physical address assigned to the network card in your computer. On its own this is no hindrance to an attacker, because a MAC address can be faked, but in combination with everything else it's one extra step for someone to bypass.
- If you can, turn down the wifi signal strength so that your access point can't be reached from outside the house. If an attacker can't hear the signal, they can't connect.
- Find a list of DNS servers that can be trusted and configure your router to use those instead of the ones your ISP hands out. Ideally they'll be hosted in an independent state known for strict privacy laws, such as Iceland or Switzerland. Bear in mind that this only changes who you're trusting: ordinary DNS queries travel unencrypted and unauthenticated, so whoever runs the resolver sees every name you look up, and the answers can still be tampered with on the way back.
- The router's clock is used for logging and for any time-based security features it has (certificate validity dates, for one, are checked against a clock, so an attacker who can feed you the wrong time can make an expired credential look current). If you can configure an NTP server, make sure it's one you trust, for instance ch.pool.ntp.org in Switzerland [don't take my word for this].
That should keep you relatively safe for the moment... we'll cover WPA2 Enterprise security and how you can get that installed on your home router for better security in the next post.
As always, anyone that has further information that would be helpful in addition to this post, please post in the comments. I look forward to hearing from you.