Aractus

Blog of Daniel Baxter, now secure! :)

Free SSL from Let's Encrypt!

Archive for March, 2017

The Symantec SSL shitstorm!

UPDATE 1: A few of the facts outlined below are wrong. I will update this post in a few hours to make it both more balanced, and more accurate. Until then I refer to a response from Symantec here, and you can make your own minds up about it.

Okay, so in my last post I was not abreast of the full facts. Now that I am, I will start by quoting the guy who discovered the security vulnerability, Chris Byrne:

My STRONG recommendation, is that anyone who purchased a Symantec certificate from a third party, between early 2013 and late 2016, revoke that cert and have it re-issued… either directly by Symantec, or simply revoking and having another trusted CA issue a different cert… as soon as they are able to do so.

As to first party certificates… I don’t know and have not been able to validate how extensive the exposure was, through which interfaces, etc… I do know that they fixed the specific issues that I found in the specific interfaces I was able to validate, within six months as they agreed to. That said… It would be safer to revoke and re-issue, given the problems that Google themselves identified.

As to end users… I would be extremely wary of any site with a symantec cert issued before late 2016, and take some extra caution regarding any symantec cert period.

You can read all about it on his Facebook post. Chris is a fucking legend. In early 2015 he discovered a severe security vulnerability. The vulnerability is simple enough, and easy to describe and understand. When a customer purchased a security certificate from Symantec (all kinds of certs, not just SSL certs) they would be sent an email with links to retrieve, revoke or renew their certificate. The only "authentication" was the identifier carried in the link's URI itself; nothing tied the link to the customer it had been sent to. Change that identifier and you could retrieve, revoke or renew another customer's certificate. On its own this isn't too horrible: after all, every time you visit my site it sends you the TLS certificate so you can establish a secure connection, so the certificate itself is not a secret. So at worst people could get up to mischief by revoking certificates other people had paid for, or having fresh ones issued that the victim then has to pay for. It is still a very serious security breach, though, because it means that an unauthorised person could get certificates issued, and it's the CA's job (CA = Certificate Authority, i.e. Symantec) to properly verify requests before issuing certificates.

But to make matters worse, and this is why you should NOT sign in to CBA’s Netbank or any other bank that uses a Symantec security certificate effective immediately, some resellers generated the private keys for their customers. Chris found that when this was the case it was also possible to steal customers’ private keys covertly, using the same method used to get the certificate. Symantec never told their customers that their private keys could have been stolen! Most websites never change their key pair; they keep the same keys for years or even decades. That means if an attacker stole your private key using this method, they can use it any time they want, for as long as you keep getting new certificates issued from CSRs generated with that same private key. It doesn’t matter if you change CAs and switch to, say, Let’s Encrypt: unless you change the private key, all an attacker needs to do to decrypt your visitors’ traffic is perform a MITM attack a la PRISM. To be precise about what a stolen key buys: it lets the attacker impersonate your site outright, and it decrypts any traffic, live or previously captured, whose session key was exchanged with plain RSA; connections negotiated with forward-secret (ECDHE) cipher suites cannot be decrypted after the fact, but the impersonation problem remains until the key is replaced.
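The flaw in the two paragraphs above is the same whether the payload behind the link is a certificate or a reseller-held private key: the e-mailed link identifies an order but proves nothing about who is holding it. The following is an added illustration of that pattern and of the usual fix, written for this post; it is not Symantec's code or anything from the reseller interfaces Chris examined. The order numbers, the `portal.example` host, the handler names and the per-action token scheme are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: two customers' orders in a reseller-style portal.
ORDERS: Dict[str, dict] = {
    "1001": {"customer": "alice", "cert": "-----BEGIN CERTIFICATE-----\nALICE\n-----END CERTIFICATE-----", "revoked": False},
    "1002": {"customer": "bob",   "cert": "-----BEGIN CERTIFICATE-----\nBOB\n-----END CERTIFICATE-----",   "revoked": False},
}
ACTIONS = ("retrieve", "revoke", "renew")


def vulnerable_retrieve(order_id: str) -> Optional[str]:
    """The pattern the post describes: the e-mailed link is .../retrieve?order=1001 and the
    order number is the only thing the handler looks at, so ?order=1002 serves Bob's order."""
    order = ORDERS.get(order_id)
    return order["cert"] if order else None


# Hardened variant: each e-mailed link carries a random, per-order, per-action token.
# Only a SHA-256 of the token is stored, so a database leak does not hand out live links.
_TOKEN_HASHES: Dict[str, Dict[str, str]] = {}


def _token_hash(order_id: str, action: str, token: str) -> str:
    # Binding order and action into the hash stops a "retrieve" token being replayed as a "revoke".
    return hashlib.sha256(f"{order_id}:{action}:{token}".encode()).hexdigest()


def issue_links(order_id: str, base: str = "https://portal.example") -> Dict[str, str]:
    """Run once when the order is created; returns the links to e-mail to the customer."""
    _TOKEN_HASHES[order_id] = {}
    links = {}
    for action in ACTIONS:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable, not enumerable
        _TOKEN_HASHES[order_id][action] = _token_hash(order_id, action, token)
        links[action] = f"{base}/{action}?order={order_id}&t={token}"
    return links


def token_from_link(link: str) -> str:
    """Pull the t= parameter back out of a link (what the customer's click sends us)."""
    return parse_qs(urlparse(link).query)["t"][0]


def _authorised(order_id: str, action: str, token: str) -> bool:
    expected = _TOKEN_HASHES.get(order_id, {}).get(action)
    if expected is None:
        return False
    # Constant-time compare so response timing cannot leak the stored hash byte by byte.
    return hmac.compare_digest(expected, _token_hash(order_id, action, token))


def hardened_retrieve(order_id: str, token: str) -> Optional[str]:
    if not _authorised(order_id, "retrieve", token):
        return None
    return ORDERS[order_id]["cert"]


def hardened_revoke(order_id: str, token: str) -> bool:
    if not _authorised(order_id, "revoke", token):
        return False
    ORDERS[order_id]["revoked"] = True
    return True


if __name__ == "__main__":
    links = issue_links("1001")
    t = token_from_link(links["retrieve"])
    print("vulnerable, Bob's cert with no token:", vulnerable_retrieve("1002") is not None)
    print("hardened, Alice's token on Bob's order:", hardened_retrieve("1002", t))
    print("hardened, retrieve token used to revoke:", hardened_revoke("1001", t))
```

The token does the work here, not the order number; the order number can stay sequential. In a real portal the token would also expire and the revoke link would be single-use, but the two properties that matter for the flaw above are that the link is unguessable and that it is bound to one order and one action.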

Symantec claims they don’t believe any attackers stole private keys. However, they outright lied when they issued this statement to several media outlets that ran the story (one such source for it is BleepingComputer):

We have looked into Chris Byrne’s research claim and could not recreate the problem. We would welcome the proof of concept from the original research in 2015 as well as the most recent research. In addition, we are unaware of any real-world scenario of harm or evidence of the problem. However, we can confirm that no private keys were accessed, as that is not technically feasible. We welcome any feedback that helps improve security for the community. Anyone who would like to share further details about real-world scenarios or proof of concept should contact us at https://www.symantec.com/contact/authentication/ssl-certificate-complaint.jsp.

Symantec has completely mismanaged this whole shitstorm. Chris Byrne now regrets not going public in the first place, and I can’t blame him. He states specifically on his Facebook post (in a comment) that Symantec failed to live up to their end of the agreement. They didn’t take any proactive or remedial action whatsoever to ensure that everyone who was exposed to potentially having their private keys compromised generated new ones. They didn’t do shit. Since when do you need to confirm a malicious security breach first before you take action to protect your customers? You don’t; that’s not how security is done!! You assume that EVERYONE who had a private key generated by a reseller that could have been compromised was compromised, then you get all of your affected customers to generate new private keys, and then you tell them why. Symantec never even publicly disclosed the full details of this vulnerability, even after they believed they had finished fixing the problem.

So… if you have a Symantec certificate, and you bought it from a reseller like your host, and the reseller generated the private key and CSR, then revoke your certificate now, generate a new private key on a machine you control, generate a new CSR from that key, and use it to get a fresh certificate. Then install the new key pair on the server: a new certificate issued for the old key changes nothing, because the stolen key still matches it. Oh and, obviously, do not trust any website with a Symantec SSL certificate older than November 2016, especially including banks. Fuck Symantec! Chris… you’re a fucking legend.
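The rotation prescribed above, as an added example and not a script from the post: it drives the openssl command line from Python, generates a fresh key and a CSR from it, and refuses a "rotation" whose CSR still carries the public key of the certificate currently deployed (the mistake that leaves a stolen key useful). The hostname, file names and the self-signed stand-in for the deployed certificate are assumptions of the example; revocation is done through the CA's own interface and is not scripted here. A minimal openssl.cnf is written so `openssl req` behaves the same on any host.

```python
import hashlib
import os
import subprocess
import tempfile
from typing import Dict

# Minimal config so `openssl req` never depends on the host's openssl.cnf (assumption of this example).
_MIN_CONF = "[req]\ndistinguished_name = dn\n[dn]\n"


def _openssl(workdir: str, *args: str, stdin: bytes = b"") -> bytes:
    conf = os.path.join(workdir, "openssl.cnf")
    if not os.path.exists(conf):
        with open(conf, "w") as f:
            f.write(_MIN_CONF)
    env = dict(os.environ, OPENSSL_CONF=conf)
    return subprocess.run(["openssl", *args], input=stdin, env=env,
                          check=True, capture_output=True).stdout


def generate_key(workdir: str, name: str, bits: int = 2048) -> str:
    """Fresh RSA private key, created 0600 so only the service account can read it."""
    path = os.path.join(workdir, name)
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600))
    _openssl(workdir, "genpkey", "-algorithm", "RSA",
             "-pkeyopt", f"rsa_keygen_bits:{bits}", "-out", path)
    return path


def generate_csr(workdir: str, key: str, name: str, hostname: str) -> str:
    """The CSR carries only the public key; the private key never leaves this host."""
    path = os.path.join(workdir, name)
    _openssl(workdir, "req", "-new", "-key", key, "-out", path, "-subj", f"/CN={hostname}")
    return path


def self_signed(workdir: str, key: str, name: str, hostname: str) -> str:
    """Stand-in for the certificate currently deployed (in real life, the CA-issued one)."""
    path = os.path.join(workdir, name)
    _openssl(workdir, "req", "-x509", "-new", "-key", key, "-out", path,
             "-days", "1", "-subj", f"/CN={hostname}")
    return path


def pubkey_fingerprint(workdir: str, path: str, kind: str) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo of a key, CSR or certificate,
    so the three can be compared regardless of PEM formatting."""
    extract = {"key":  ["pkey", "-in", path, "-pubout"],
               "csr":  ["req", "-in", path, "-pubkey", "-noout"],
               "cert": ["x509", "-in", path, "-pubkey", "-noout"]}[kind]
    pem = _openssl(workdir, *extract)
    der = _openssl(workdir, "pkey", "-pubin", "-outform", "DER", stdin=pem)
    return hashlib.sha256(der).hexdigest()


def rotation_is_real(workdir: str, new_key: str, new_csr: str, old_cert: str) -> bool:
    """True only if the CSR is for new_key AND new_key differs from the deployed certificate's key."""
    k = pubkey_fingerprint(workdir, new_key, "key")
    c = pubkey_fingerprint(workdir, new_csr, "csr")
    o = pubkey_fingerprint(workdir, old_cert, "cert")
    return k == c and k != o


def demo(hostname: str = "www.example.test") -> Dict[str, bool]:
    """Walk through the rotation in a scratch directory and report each check."""
    d = tempfile.mkdtemp()
    old_key = generate_key(d, "old.key")                       # the possibly-stolen key
    old_cert = self_signed(d, old_key, "old.crt", hostname)    # what the server serves today
    new_key = generate_key(d, "new.key")
    good_csr = generate_csr(d, new_key, "new.csr", hostname)
    lazy_csr = generate_csr(d, old_key, "lazy.csr", hostname)  # a "renewal" that keeps the old key
    return {
        "deployed_cert_uses_old_key": pubkey_fingerprint(d, old_key, "key") == pubkey_fingerprint(d, old_cert, "cert"),
        "fresh_key_rotation_accepted": rotation_is_real(d, new_key, good_csr, old_cert),
        "old_key_renewal_rejected": not rotation_is_real(d, old_key, lazy_csr, old_cert),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The last check is the one worth copying into any renewal pipeline: compare the public key in the CSR you are about to submit with the public key in the certificate you are replacing, and refuse to proceed if they match.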

Whirlpool Topic

The Commonwealth Bank loses its green bar!

UPDATE: Corrections made (01/04/2017).

Here’s a look at Australia’s “big four”… first in Firefox:

[Screenshot: the big four banks' login pages in Firefox]

And then in Chrome:

[Screenshot: the big four banks' login pages in Chrome]

Notice anything? Where’s the green EV bar? Should you be concerned? Well, if you’re a CommBank customer, absolutely you should.

I have just sent a short email to CommBank informing them their website appears to be hacked. Appears to be; it isn’t, but without the green EV bar that’s exactly what customers should assume has happened. This is what separates a genuine banking website from a fraudulent one. Anyone can get a domain-validated certificate, even me! Furthermore, they’re free! But there’s a big difference: I’m not asking you to enter your credit card number or other sensitive information into my site; at most you might enter a comment with your name/pseudonym and email address in it.

So what has happened? Well, to put it delicately, Symantec has made a huge fuck-up. They were found to have mis-issued over thirty thousand SSL certificates, and as a result punitive action has been taken by Google. The first phase of that action is to no longer recognise the EV status of certificates signed by Symantec. Google will then move to distrust all Symantec-issued certificates older than nine months.

Update: It turns out that the previous paragraph was incorrect. It was an entirely unrelated bug in Chrome. It’s easy for us laypeople to confuse security issues, especially as this happened at the same time as Google announced its policy to revoke EV status. Anyway, this makes the remainder of this post no longer relevant.

The thing that makes me unhappy is that I don’t think they have gone far enough. This is the same shit that happened with WoSign (see here), and yet their rubbish certificates from their corrupt CA are still trusted!! Can you believe it? One third of https websites use Symantec SSL certificates. Given the impact and implication of this, I cannot understand why Google and Mozilla don’t distrust the authority outright, effective from 2013 when the problem was first discovered. I mean, call me fucking cynical, but why are they only taking punitive action FOUR goddamned years later? In 2015 they made a goddamned counterfeit EV SSL certificate for GOOGLE.COM; that act alone should have got them booted from ever issuing another trusted certificate again. Who the fuck knows what they could have done in the one day they had that certificate. Was it operated by the CIA for a covert operation perhaps?

Symantec and WoSign both need to be distrusted permanently. If this were any other security industry there would be no second chances. And by the way, shame on Google for not making it easy for users to see who the certificate issuer is when they click on the green padlock. And Mozilla: step up your fucking game and tear these rogue CAs a new one.

No, I don’t think so. And to be honest, I don’t at all feel bad for gays and lesbians who are demanding we enact it through this term of Parliament. But before you leave in disgust and label me a bigot let me explain: I do agree we should work towards legislating same-sex marriage, but I do not agree with doing it the way that activists are demanding.

Sky News began advertising the Equality Campaign in its news feed a few weeks ago. I have an ethical issue with that: I believe they were being paid to advertise in the feed (they also show TV ads for the campaign), yet it is not clearly marked as advertising and appears to be a part of the news feed. So I think that’s very misleading.

What we have at the moment is a situation in Australia where the incumbent government took a policy of a national plebiscite to the election, however the plebiscite legislation was blocked in the Senate by the opposition and the minor parties. The government has stuck by their election promise. But it doesn’t change activists demanding they push through changes anyway – which I think is wholly unfair to Australians who want to have their say in this matter.

Labor and the Greens claim that a plebiscite is “just a national poll”. That is not true: with compulsory voting in Australia you will get a solid mandate, just like the republic referendum in 1999. That’s not an opinion poll, that’s participatory democracy. Brexit in Britain was done by plebiscite too, and for an important social change like this it is important to get the public behind it. I’ve said it before, and I’ll say it again, there is no greater affront to democracy than the impact of interest/lobby groups.

To their arguments that this is not the best way to go about it: Who cares? We have a democracy. Democratic decision is imperfect by design. If it was perfect it wouldn’t be a democracy. We sacrifice perfection for the ability of all to have an equal say.

And finally, to their argument that this should be done by an act of Parliament not through a public vote: The Australian Parliament is a little over 100 years old. It’s a pretty recent institution. The institution of Marriage pre-dates the institution of Parliament, it pre-dates democracy, and it pre-dates almost every religion on Earth too. Further to that is the fact that the institution was created in parallel across a multitude of different ancient societies: it did not come from one place at one time, and it has had vastly varying rules throughout the ages. Prior to the modern British era it was overseen by the Christian Church in areas where it had influence – governments of the time did not have jurisdiction over it. In modern societies today, here in Australia, in Europe, and North America it is overseen by the governments of sovereign States. In other places though like Saudi Arabia, it is still controlled by religious organisations.

So the government should not claim to have authority over the institution of marriage. Rather, they are the rightful custodians of an ancient institution that still holds much value today. And that’s why the people, not the government, should be the ones to make decisions that involve changing its meaning. I believe if it was put to a plebiscite it would get at least 70% support of the public. So to all the activists out there – stop playing fucking games, let people have their say, and move on. You will get exactly what you want if you put it to a public vote, and you’ll be reforming marriage the right way.