WordPress is a free, open source content management system, typically used for blogs and quick makeshift websites. While it’s nice to have your own content, you want to make sure that its safe and secure, something which the “Lets Encrypt” project hopes to improve upon, a project that WordPress have now joined.
The Lets Encrypt Project announced on March 9th that it would soon take on a new name as it transitioned to its new home at the Electronic Frontier Foundation (EFF) a group specialising in the law, security and technology.
WordPress has now announced that it has joined the program, offering the green lock symbol everyone loves to see when travelling through the internet, with any custom domains (those that don’t have .wordpress.com in their address) now gaining the benefits of the free SSL certificate issues by the program automatically with little to no effort on their owners behalf. You can find the steps to give your website access to HTTPS certificates here, giving everyone the benefit of free and reinforced security for their websites.
Not only is it free but you get a more secure connection for minimal effort, something that has been hard to do for website up until now. What is not to like about this program? Especially those with WordPress blogs.
A new vulnerability has been discovered by security researchers that could be used to allow eavesdroppers to spy on the traffic between users and as many as one-in-three HTTPS servers. The problem arises due to the fact that many HTTP servers still support the outdated and now-insecure Secure Sockets Layer (SSL) version 2 protocol. SSLv3 succeeded SSLv2 back in 1996, however, it was only officially deprecated by 2011, which has resulted in its continued presence in servers. Even SSLv3 has since been replaced with newer, more secure Transport Layer Security (TLS) versions 1.0, 1.1 and 1.2.
While SSLv2 is totally unsuitable for encrypted communications, it wasn’t until now that security researchers have thought that its continued support in servers would pose a security threat as most modern clients such as web browsers and others capable of TLS communications no longer support it. A newly released paper has found this assumption to be false by showing that a server supporting SSLv2 can be exploited by attackers to decrypt any traffic from its clients, even those using the most up-to-date TLS protocols.
The attack, which has come to be known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), has a number of prerequisites, but unlike some vulnerabilities, they remain practical to execute. Firstly, the server must either support SSLv2 or share its private key with another server that does, which is common in many organizations that share a key across both web and email servers. With this satisfied, the attack must then monitor several hundred encrypted communications between the victim and the server, whether by simply observing over a long period or using malicious code to force numerous connections to be repeatedly made with the sever. Even the requirement that the handshake must use the RSA key exchange algorithm is simple, as it is the most commonly used key exchange in TLS implementations.
Armed with this information, the attacker then connects to the server via SSLv2 multiple times using specially crafted handshake messages that contain modifications of the RSA ciphertext captured during the victim’s TLS connections. These connections will cause the server to leak further information regarding the secret keys used during the TLS connections despite failing. It was calculated that even in a worst-case scenario, an attacker would need to erform roughly 40,000 probe connections and 2^50 computations to decrypt one out of 900 observed TLS connections. It was estimated by the researchers that running the calculations for the attack on Amazon’s EC2 cloud computing platform would cost around $440. The attack is even significantly easier if the server is running a version of OpenSSL library that contains two known flaws.
As many as 17% of all HTTPS servers are directly vulnerable to the attack, with 25 percent of SMTP with STARTTLS servers, 20 percent of POP3S and IMAPS servers and 8 percent of SMTPS also vulnerable. Even amongst HTTPS servers that did not directly support SSLv2, those that shared their private keys with other web servers supporting SSLv2 raised the overall percentage of vulnerable servers to 33%. Thankfully, while DROWN attacks may expose critical information such as login or banking credentials, the attack would have to be executed from scratch for every user and the server’s long-term private keys are not exposed, only the keys negotiated for specific sessions.
Server administrators have been urged to ensure that SSLv2 has been disabled on their servers, including any sharing private keys. Instructions on how to do so have been provided by the researchers for the most common web servers and TLS libraries. For those unsure whether their server is vulnerable, even with SSLv2 disable, a tool has been released to determine is a server is vulnerable and affected by key reuse.
It is scary to think that some of the websites vulnerable to this issue include big names used in the everyday lives of many such as yahoo.com, weibo.com, buzzfeed.com, weather.com, flickr.com, and dailymotion.com.
The OpenSSL cryptographic library was recently updated in response to a high severity vulnerability that was found its code. The vulnerability made it possible for attackers to get hold of the decryption key used for traffic secured by HTTPS and other transport layer security methods.
Thankfully, while the consequences of the vulnerability were high, the flaw can only be exploited when a very specific set of conditions are met. For starters, only version 1.0.2 even contains the vulnerability. The application reliant on it must then use groups based on the digital signature algorithm (DSA), which then generate ephemeral keys using the Diffie-Hellman key exchange. Server applications typically re-use the same private Diffie-Hellman exponent for the lifetime of the server process, by default. The result is that the server’s encrypted traffic then becomes vulnerable to a key-recovery attack, the same being the case in configurations that rely on a static Diffie-Hellman cipher suite.
When the requirements are met, an attacker can make a barrage of handshake requests to the vulnerable endpoint system. With enough requests, partial secret values can be obtained and combined using the Chinese Remainder Theorem to calculate the encryption key. More extensive information on the attack and vulnerability can be found on Antonio Sanso’s blog and as part of an OpenSSL security advisory.
Thankfully, the majority of mainstream OpenSSL and DSA-based Diffie-Hellman reliant applications don’t seem to meet these requirements. For example, the common Apache Web Server enables the SSL_OP_SINGLE_DH_USE option, which causes different private exponents to be used across the process’ lifespan. Meanwhile, the two main forks of OpenSSL, do not have the vulnerability present in them. Google’s BoringSSL removed the option for SSL_OP_SINGLE_DH_USE some months earlier, while in LibreSSL, it was deprecated less than a week ago. Anything that uses a static cipher suite risks continuing to be vulnerable, however.
Sanso reported the bug privately to the OpenSSL project maintainers on the 12th of January, meaning it took only two weeks for them to identify, test and roll out a fix. Curiously, at the time of the bug being reported, a fix relating to the re-use of Diffie-Hellman exponents had already been committed to the OpenSSL but was yet to be part of a release. For obvious security reasons, details of the vulnerability were not publicly released until a patch was already available so that would-be attackers would not be aware of the attack vector until it was already removed. While it may only affect edge-cases, if you’re running a server that relies on OpenSSL 1.0.2, you should be sure to update to 1.0.2f and those on 1.0.1 should install 1.0.1r although support for 1.0.1 is finishing at the end of this year.
Consumers are exposed to a myriad of cyber threats which are intent upon harvesting as much information as possible, from bogus emails offering state cash refunds to spoofed pages which purport to be from a genuine vendors, but are in fact aiming to collect sensitive consumer details. Well known and popular browser Mozilla Firefox have recognised the importance of alerting consumers to the security of password submission by offering a simple yet important safeguard within the latest Firefox Nightly build.
The security measure in question is in the form of a faded crossed out padlock icon within the address bar of the browser, thankfully it’s more useful than simply a new icon. The aim of this new feature is to warn consumers if a password field is not submitted over HTTPS and thus regarded as insecure. If a consumer clicks on the icon it will provide further details as to why a particular site is considered insecure, below is an image to convey the change. This feature is currently “only in testing as part of Firefox 44 Nightly”.
This new yet simple feature is a good way of informing consumers as to the risks of submitting a password over an insecure method, cyber security is a hot topic and the more every individual knows the better. It will be interesting to note the rollout timescale of this feature once Firefox confirms it for its finished builds. On a side note, let’s hope consumers actually update their browsers in order to benefit from the latest security fixes, I bet many a reader knows someone who is running a version of Firefox that is at least 10 versions behind that of the currently available.
Starting June 29th, popular site reddit will be enforcing HTTPS compliance with all of its traffic. Plaintext HTTP traffic will be rejected by the site starting on that date. HTTPS will be supported by HSTS to make sure it is more secure and secure against downgrade attacks. This move comes after reddit first introduced HTTPS 9 months ago. That program was opt-in only however and suffered some compatibility issues. It appears that reddit is now confident enough to enforce HTTPS for everyone.
reddit joins the trend of other firms in offering more secure communications by switching to HTPPS. No longer will spies be able to determine your favourite subreddits, or link your account and comments back to you. Wikipedia announced HTTPS will be rolling out for all users last week and Netflix will eventually also support HTTPS for all users after starting a roll out two months ago. In comparison, Facebook moved to HTTPS almost 3 years ago.
HTTPS encryption is not free as it still incurs a bandwidth and processing load overhead. However, the disclosure of various state sponsored bulk surveillance programs and the rise of other criminally malicious actors have led to calls for more security. reddit noted that it valued the privacy and open communication its users enjoys and in some ways, it seems logical that most communication happen over HTTPS, as it as the very least, requires malicious actors to take extra steps to break into our communications. The announcement post can be found here.
Wikipedia just took security up a notch and added some extra security measures for its readers. The founders want to make connections between Wikimedia websites and their users more secure to share and view content.
The extra security measure involves HTTPS as the default encryption protocol being used from now on, along with HSTS (HTTP Strict Transport Security) to protect users from hackers trying to ‘break’ into the secure connections.
“Today, we’re happy to announce that we are in the process of implementing HTTPS by default to encrypt all Wikimedia traffic. We will also use HTTP Strict Transport Security (HSTS) to protect against efforts to ‘break’ HTTPS and intercept traffic.” Wikimedia wrote on their website. “With this change, the nearly half a billion people who rely on Wikipedia and its sister projects every month will be able to share in the world’s knowledge more securely.”
HTTPS connections have been available since 2011 for Wikipedia and its sister websites, but users needed to use the protocol manually. However, in 2013, Wikipedia made HTTPS the default protocol for authenticated users. Now, both authenticated and anonymous users are able to browse Wikimedia websites using HTTPS automatically, regard of whether they are logged in or not.
The founders also stated that migrating to HTTPS as the default connection protocol was not easy and required years of work involving teams from across the Wikimedia Foundation. Nevertheless, their hard work paid off and users can now browse more securely on their websites. But we want to hear your opinion as users too. Do you feel more secure now that HTTPS is widely available in Wikipedia? Let us know!
There are a lot of techniques involving malware, trojans or other sort of attacks, but this one seems to affect the common and widely used HTTPS protocol, making it more ‘nasty’ than the rest. Logjam is a cryptographic attack that targets the Diffie-Hellman key exchange in HTTPS, SSH, SMTPS and other sort of negotiation protocols used by the server and browser.
So why is it so important for us to know about? It’s simple. The technique uses a man-in-the-middle approach to break the 512-bit encryption and make it readable. An academic team said that it was even able to beat a 768-bit encryption, but word is that even a 1024-bit encryption can be taken down with enough effort. What this means is that hackers using the latter technique can easily spy on the top 1 million HTTPS domains and even 66% of VPN servers.
Security specialists say that users should upgrade their browsers to the latest version and server owners should disable support for external cypher suites that generate 2048-bit Diffie-Hellman group along with updating to the latest OpenSSH. They say that the technique at hand can even be used by government agencies to easily spy on your web traffic, so hackers aren’t your only concern.
So, are you keeping everything up to date?
Thank you macnn for providing us with this information Image courtesy of PSDGraphics
Internet.org has been in the online news a lot recently, but what is it and why is it in the news?
Internet.org is a scheme created by Facebooks Founder Mark Zuckerberg, the aim of which is to provide free internet access to several countries, hopefully reaching at least 5 billion people who currently don’t have access to it. Currently offering free mobile internet access to people in India, Zambia, Colombia, Tanzania, Kenya, Ghana, Indonesia and the Philippines.
In order to access the free internet, however, users must use either facebook’s Android app, the Opera Mini web browser, Internet.org’s website or special Android Apps. This in conjunction with the limited number of sites that were available through the services, including Facebook, Wikipedia and BBC news, #and the Facts for Life health site run by the United Nations Children’s Fund among the initial 38 accessible websites. This limitation caused several companies to doubt the scheme and even pull out as it was seen in conflict with the concept of “Net Neutrality”, a phrase that has been used a lot in recent days to describe the concept that all internet traffic is equal and all sites are equal, so charging extra or forcing users to use certain sites would be against the concept (one which Tim Berners-Lee, regarded as one of the founders of the internet has spoke up about).
The scheme was recently opened up allowing for developers to join the Internet.org Platform and create their websites and services to be run through the Internet.org scheme. These do come with limitations though:
Websites must not be data heavy – this means that websites which use a lot of high-quality images, videos or real-time voice and video chat based systems are banned from the scheme.
No Encrypted connections – Currently the Internet.org platform does not support HTTPS (SSL/TLS), the systems used to guarantee a secure connection with a certain connection such as Outlook or your bank’s website. This is due to the web traffic currently going through internet.org’s proxy servers, meaning that all services currently utilizing encryption are rejected from the scheme.
In an online video announcing the platform, Zuckerberg talked about the principle of Net Neutrality and stated that,
“Its not sustainable to offer the whole internet for free though. It costs tens of billions of dollars every year to run the internet and no operator could afford this if everything were free.
But it is sustainable to build free basic services, that are simpler, use less data and work on all low end phones. “
Zuckerberg goes on to explain that the Internet.org version of Facebook removed images and videos in order to use less data and work on low-end phones.
So what do you think? It’s good that the internet is being brought to many who would otherwise be able to afford and access it but does the concept of Net Neutrality conflict with how the scheme works? Should Net Neutrality exist and if so should there be a limit?
The video streaming giant, Netflix will soon be using the HTTPS protocol to encrypt its customer streams. A great plan that helps ensure that what they watch stays secret. This change will leave Amazon as one of the largest encrypted sites.
Turning on HTTPS on Netflix’s vast network of servers has been an impressive feat by the Netflix tech teams; This was because the demands of implementing TLS are rather severe in comparison to standard HTTP.
Each Netflix server has a 64bit Intel Xeon processor and runs the FreeBSD operating system. A single server can store up to 120 terabytes of data and can server up to 40,000 long length connections. This means the server can use up to 40 gigabits per second of bandwidth.
Netflix attempted to change this six months ago. They changed several dedicated servers to use the TLS protocol to a select set of end users. They compared the performance results with a similar range of end users and the same amount of dedicated servers and saw as much as a 53% capacity hit. The end result of the test finding that this was because of the extra power that encryption requires. The change meant that some of the streaming optimizations were lost.
On Wednesday the director of streaming standards, Mark Watson announced that it was ready to begin rolling out HTTPS for both the website and the content itself. Browser tests will be at scale in the next three months and the full website should be complete in the next coming year.
The performance impact has been restricted due to some TLS optimizations that the Netflix engineers crafted for high performance FreeBSD applications.
Netflix’s entry into the HTTPS world comes as security advocates have been calling on all websites to encrypt their traffic. The force behind these requests is that if HTTPS is used then it can stop state sponsored attacks that countries such as the US and China launch from the internet backbone.
Mozilla is making great strides towards making user experience as secure as possible, and with the release of Firefox 37 it brings HTTP encryption, without a need for HTTPS, the standard security layer for communications protocol encryption.
The latest iteration of Firefox achieves this thanks to what is known as opportunistic encryption. To achieve this, Firefox will route port 80 requests not sent in cleartext to a port that the server administrator can choose, so long as the server supports HTTP/2 protocol and specify the AltSvc header.
It’s not the most secure method of encrypting data, since it can still be vulnerable to targeted attacks, but it is certainly better than nothing, and is safe enough for everyday internet browsing.
Other additions to Firefox 37 include HTML5 playback and WebGL rendering improvements, using HTTPS for Bing searches, and strengthened protection against site impersonation via OneCRL centralised certificate revocation.
The SSL-busting technology recently discovered to be pre-installed on Lenovo laptops has been found as part of another 12 pieces of software, including Trojan malware. The HTTPS-bypassing code, developed by Israeli company Komodia, was a part of the now-infamous Superfish software found on-board Lenovo laptops.
Matt Richard, threat researcher for the Facebook security team, revealed the extent of the code’s reach in a post on Friday, writing, “What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove.”
He continued, “Furthermore, it is likely that these intercepting SSL proxies won’t keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic.”
Even the developer Komodia calls one of its SDKs an “SSL hijacker”, so it’s no surprise that the code has found its way into malicious software. The malware, Trojan.Nurjax, was first discovered back in December. According to Symantec, the malware “hijacks the Web browser on the compromised computer and may download additional threats.”
HTTPS is the security standard of the internet. A glance at that tells the user that their data should be secure. But what if that web address prefix is absent? Only 24 percent of 151,000 implement the HTTPS protocol. Enter Let’s Encrypt, created by non-profit Internet Security Research Group and sponsored by Mozilla, Electronic Frontier Foundation, Cisco, and Akamai.
Let’s Encrypt wants to set-up a single-line command tool for authenticating a website, itself acting as a certificate authority, for free. Other companies offer similar services, but for a fee. Essentially, Let’s Encrypt offer online security, at no charge, at the click of a button. The ambition is to make it easy enough for every entity with a website, at every level of coding ability, to administer HTTPS security.
Reddit now offers its users full HTTPS support via CloudFlare, a popular CDN and DNS provider. However, there are a couple of catches to obtain this extra security feature; you must be signed into the site to use HTTPS and you need to opt-in as the option is off by default.
The extra security will no doubt be a welcome addition to the site for many of the readers, especially in light of modern hacking and privacy concerns. Reddit have integrated a new security tab to make sure you’re up to speed with the feature and to guide people through the simple process of enabling HTTPS features.
It ensures your browser communicates with Reddit over a secure channel when logged in.
It disables the “display links with a reddit toolbar” preference.
Some third-party apps may not support it.
Changing it will log you out of reddit on other devices, and will invalidate your old private RSS feeds.
If it proves successful and Reddit can work out issues with points two and three, they may even roll out the HTTPS by default for everyone.
Thank you TheNextWeb for providing us with information.
There have been reports about critical vulnerabilities in a variety of routers, including Cisco, TP-Link, ASUS, TENDA and Netgear among others, all of which can be found in a normal household.
According to Polish Computer Emergency Response Team (CERT Polska), they have noticed an increase in cyber attack, leading to a cyber attack campaign aimed at Polish e-banking users. The hackers apparently use known router vulnerability that allow attackers to change the router’s DNS configuration remotely. This allegedly is used to lure users to fake bank websites or can perform Man-in-the-Middle attacks.
“After DNS servers settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all.” CERT Polska researchers said.
The DNS can be changed and point to a malicious DNS server from the router’s settings, giving the hacker complete control to facilitate interception, inspection and modification to the traffic between the user and the online banking website.
It is said that most of the Banking and E-commerce sites are using HTTPS with SSL encryption, making it impossible to impersonate them without a valid digital certificate issued by a Certificate Authority (CA), but to bypass such limitation cyber criminals are also using the SSL strip technique to spoof digital certificates.
The recommended steps to take in case of such attacks are to change the default username and password for the router, update the router’s firmware to the latest version and disable Remote Administration features in the router’s settings. Another way to notice fake websites is to lay attention to the browser’s address bar and HTTPS indicators.