Security hole in Windows Browsers; Using https (secure mode) while on public networks


Some major security flaws have come to our attention, and we wanted to warn our customers.  This is not related to our services, but rather to how you use security on the Internet.

* Security hole in Windows Browsers
* Using https (secure mode) while on public networks

--

* Security hole in Windows Browsers


Microsoft Windows security software has a flaw, allowing secure sites to be spoofed.  So when you think you are on a secure connection to your bank, Paypal, Amazon, etc. you can actually be connected to a hacker site instead, giving them your login, personal, credit card or other financial information. The way this is done is by registering a specially crafted security certificate, forging a legitimate site name (like Bank of America for example) so that the browser believes it to be Bank of America, when it is not.

This problem was brought to Microsoft's attention 9 weeks ago.  They're still "studying" the problem.  They have not acknowledged that it is a problem, much less that it is very serious.

In the meantime, hackers have been distributing a faked Paypal security certificate, which can be used to hijack Paypal sessions and steal your login info and money.  Other certificates are doubtless also being spread in the wild, but we know for certain that a bogus Paypal certificate is being circulated.

This security hole affects all browsers on Windows that use Microsoft's security library, Crypto API.  This includes:

* Internet Explorer
* Safari
* Chrome

If you are using Firefox 3.0 or 3.5 you are safe, because it does NOT use Microsoft's security software.  Likewise if you are using a Mac or Linux, their browsers are also safe.

Until Microsoft acknowledges and fixes this problem, if you use Windows, you should be using Firefox for any site where you login or supply financial information.

Here's an article about this issue.  Note that it does not mention the Paypal security certificate. That has come to light since the article was published:

http://bit.ly/o5ecF

--

* Using https (secure mode) on public networks

A second and unrelated issue has been identified, and this one is actually worse than the above.  A technique has been published by which users on a public network (such as a wifi hotspot in a coffee shop or a hotel) can have their traffic intercepted so that the hacker captures their login or financial information, with no way for the site you are using, or the average user, to tell that this is going on.  This can be done IN SPITE of the site using a secure (https) form to collect the information.

This works when the site uses a non-secure (http) page to present you with a secure (https) form to log in, supply credit card info, etc., instead of putting the whole page on a secure (https) connection.

The URL bar shows the state of the page, either non-secure (http) or secure (https).  The state of the form is hidden by the browser, so the user cannot tell what it is by looking at it.  Some browsers may warn you about "submitting insecure data", but they typically only do this once, and most users dismissed that warning long ago, so the browser will NOT warn you again when you really need it!

The only prevention is to force the site to secure mode FIRST, before the form is presented, so that you are already in secure mode.  Do this by putting https:// in the URL, for example:

https://gmail.com
https://www.paypal.com
https://wachovia.com

and so on.  Do this when you want to visit the site, and then DO NOT use it for anything sensitive if you are not still in secure (https) mode, as seen in the URL bar.

The problem is that many sites do not want to use secure mode for the whole page, and they put it only on the button where you submit the information.  The hacker intercepts the page before you see it and changes that button to non-secure mode.  You fill out the form, and it goes to the hacker, who captures the information and then forwards it on to the site after changing it back to secure mode.  So the site you are on does not know that you submitted the information on a non-secure form, and neither do you (since that is hidden from the user).  The only way to prevent this, again, is to be in secure mode on the entire page by making sure the URL starts with https BEFORE you fill out any form with sensitive information.
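For site operators, the pattern described in the two paragraphs above (a secure form embedded in a non-secure page) can be audited mechanically. The following is an added example, not code from the original post: given the scheme a page was served over and its HTML, it lists every form and flags the ones whose submit target could be rewritten because the page itself arrived over plain http. The host name and HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects each form's action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of (action, has_password)
        self._current = None  # form being parsed, or None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_forms(page_url, html):
    """Return (resolved action, has_password, verdict) for every form on the page."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for action, has_password in parser.forms:
        target = urljoin(page_url, action)  # resolve relative actions against the page
        if page_scheme == "https" and urlsplit(target).scheme == "https":
            verdict = "ok"
        elif urlsplit(target).scheme == "https":
            # The pattern the post warns about: a secure submit on an insecure page.
            # Whoever can rewrite the http page can rewrite this action as well.
            verdict = "https-form-on-http-page"
        else:
            verdict = "insecure-submit"
        findings.append((target, has_password, verdict))
    return findings


# Constructed sample: an http login page whose login form posts over https.
SAMPLE_HTML = """<form action="https://bank.example/login" method="post">
<input name="user"><input type="password" name="pw"></form>
<form action="/search" method="get"><input name="q"></form>"""

if __name__ == "__main__":
    for finding in audit_forms("http://bank.example/", SAMPLE_HTML):
        print(finding)
```

Only forms that come back "ok" meet the advice in the text: the whole page, not just the submit button, must be on https.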

Not all sites will allow this.

Hopefully over time this will get corrected, and sensitive sites will run in secure mode all the time, not just for logging in.  In the meantime, be aware of this any time you are on a public network (wired OR wireless).  The hacker must be on the same network as you for this to work, so it is not an issue for you at home when you are working behind a router on a secured wireless network, or on an office network.

Listen to the Security Now! podcast for detailed technical explanations of both of the above problems:

Security Now 217: The Broken Browser Model
http://twit.tv/sn217


Fred

