Fixing A Broken CA System – Perspectives And Convergence

Certificate Authorities (CAs) issue digitally signed certificates that websites use for two things: encryption and verification. The connection between you and the server is encrypted, and the Certificate Authority has verified that the website is ‘legitimate.’ Encrypting the connection is meant to stop Man In The Middle (MITM) attacks.

Man In The Middle

A Man In The Middle attack is when an attacker gets between you and the server and reads or interferes with the data. This means that the attacker can read passwords sent to a website, read an email, read anything. They can also redirect you to an exploit page or change the information in other ways.

If the information is encrypted, as it is with SSL, then MITM attacks are more difficult (more on cracking and bypassing SSL in another post.)

Why The CA System Is Broken

If the entire web were encrypted and verification were a perfect process and CAs couldn’t be hacked or tricked it would all work beautifully. Obviously all of this is impossible, so the system has to change.

Comodo and VeriSign issue the vast majority of certificates used for websites, but neither has a pristine record for security. Comodo was hacked by someone who was most likely a novice, and VeriSign has accidentally issued certificates to malware in the past. They aren’t the only ones to have been hacked: DigiNotar brought a lot of press to the situation when it was breached, and for all we know this has happened elsewhere without users finding out.

There’s also the problem of trust – we can’t really trust every single CA. Some CAs have handed out certs that allow MITM attacks so that companies or governments can spy on users.

Servers can sign their own certs, but then a user has no way of knowing whether the cert is legitimate (an attacker can present one just as easily) and browsers will throw up a lot of warnings about it.

The Solution

Convergence essentially works by checking the certificate against notaries. Each notary has its own record of the certificate, and if the records don’t match you can assume that something is wrong. Instead of verification happening at the CA level it’s handled by many different independent notaries.

Users have full control over which notaries they use. On WordPress I’m forced to take Godaddy.com’s word that this website is legitimate; with Convergence I could choose any notary I like.

CAs could act as notaries as well but the current system has the two segregated. This may not always be the case.
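
The notary check described above, as an added example that is not part of the original post or of the Convergence project: the browser fingerprints the certificate it was handed and compares that fingerprint with what several independent notaries report having seen for the same host. The notary responses, the SHA-256 colon-separated fingerprint format, and the two decision policies ("majority" and "consensus") are assumptions made for the illustration; a notary that does not answer is treated as abstaining rather than as a vote.

```python
import hashlib

# Constructed stand-in for the DER bytes of the certificate a server presented
# to the browser. It is not a real certificate; only its fingerprint matters here.
SERVER_CERT_DER = b"constructed-example-certificate-presented-by-example.invalid"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate, colon-separated hex (assumed notary format)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed notary responses. Each independent notary reports the fingerprint
# it observed for the host from its own vantage point; None means the notary
# did not answer and must not count as a vote either way.
NOTARY_RESPONSES = {
    "notary-a.example": fingerprint(SERVER_CERT_DER),
    "notary-b.example": fingerprint(SERVER_CERT_DER),
    "notary-c.example": fingerprint(b"constructed-cert-seen-only-by-notary-c"),
    "notary-d.example": None,
}


def verify_with_notaries(observed_fp, responses, policy="majority"):
    """
    Decide whether to trust the certificate the browser observed.

    policy="consensus": every notary that answered must agree with us.
    policy="majority":  more than half of the notaries that answered must agree.
    Returns (accept, detail); detail lists agreeing and disagreeing notaries.
    """
    answers = {name: fp for name, fp in responses.items() if fp is not None}
    if not answers:
        return False, {"agree": [], "disagree": [], "reason": "no notary answered"}
    agree = sorted(name for name, fp in answers.items() if fp == observed_fp)
    disagree = sorted(name for name in answers if name not in agree)
    if policy == "consensus":
        accept = not disagree
    elif policy == "majority":
        accept = 2 * len(agree) > len(answers)
    else:
        raise ValueError("unknown policy: " + policy)
    return accept, {"agree": agree, "disagree": disagree}


def check_server(cert_der=SERVER_CERT_DER, responses=NOTARY_RESPONSES, policy="majority"):
    """Fingerprint the presented certificate and verify it against the notaries."""
    return verify_with_notaries(fingerprint(cert_der), responses, policy)


if __name__ == "__main__":
    for policy in ("majority", "consensus"):
        accept, detail = check_server(policy=policy)
        print(policy, "->", "trust" if accept else "do NOT trust", detail)
    # A certificate that no notary has ever seen for this host (what an
    # interposed attacker would have to present) is rejected under either policy.
    print("unknown cert ->", check_server(b"constructed-cert-no-notary-has-seen")[0])
```

The interesting case is notary-c disagreeing: under "majority" the site is still trusted (two of three answering notaries agree), under "consensus" it is not, which is exactly the trade-off between tolerating a flaky or compromised notary and refusing anything that isn’t unanimous.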

If you’re looking to install Convergence, it’s Firefox only, and Google (along with Microsoft and Apple) has not shown interest in supporting it.

The Definitive Guide For Securing Chrome

This is Part 2 in a series where I’ll be detailing various settings for specific programs and operating systems. For Part 1 (Firefox) click here. I won’t get to do the Ubuntu/ Windows guides today as both of those will probably take days on their own – don’t expect them before Monday.

Chrome

Google Chrome is based on the open source Chromium project. It differs in that it includes Adobe Flash Player, a PDF viewer, an auto-updater, as well as support for closed source codecs. Chrome makes use of a sandbox based on OS-provided MAC. On Linux it uses a SUID, PID, and Chroot sandbox with Mode 2 Seccomp filters and on Windows it uses various levels of Integrity Access Control.

Chrome is the browser that I consider to be most secure and in this guide I’ll be showing how to lock it down further.

I am choosing Chrome over Chromium because it includes Flash and handles updates automatically.

Privacy Settings

Chrome enables certain features that users may feel pose a privacy concern. You can enable and disable these features in the Chrome -> Settings -> Advanced Settings page.

[screenshot]

Those are my specific settings, but you can enable or disable as you please. See this post by Matt Cutts to understand what Google Chrome communicates back to Google.

To make Chrome more private click on the Content Settings.

Chrome allows for a fair level of control over what websites can and cannot do. You can disable third party cookies from being set entirely, and you can blacklist/whitelist sites from setting cookies at all.

[screenshot]

Next, type about:flags into the URL bar.

Enable the feature labeled:

Disable sending hyperlink auditing pings.

Enabling this disables hyperlink audit pings, which can be used to track users.

LastPass

Chrome does not include a master password feature so you’ll have to use LastPass for something similar. I’ve posted a guide to setting up LastPass here.

Adblock Plus

As Chrome does not yet implement a Do Not Track feature, if you’d like to use it you need to install Adblock Plus, which will block ads and tracking.

I also suggest you use this filter to block tracking.

UPDATE: Chrome now supports Do Not Track in the Privacy settings.

Security Settings

Credit to m00nbl00d here.

We can set Chrome to block JavaScript globally and then allow it by top-level domain (i.e. .com, .org). This means that we can block JavaScript on many sites without it bothering us. By blocking JavaScript on domains like .ru and .cn we block a fair number of pages that could otherwise be used against us.

[screenshot]

Notice that I’ve done the same thing with plugins. Something I personally like to do is set Click To Play, and not whitelist any sites. This is a wonderful way to prevent attacks. My recommendation is Click To Play and no whitelist.

[screenshot]
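
To make the “block globally, allow by top-level domain” trick concrete, here is an added example (not from the original post and not Chrome’s own code) that models how such an exception list resolves for a given URL. It uses the “[*.]host” pattern syntax that Chrome’s content-settings exceptions accept; the sample exception list, the URLs, and the rule that the most specific matching pattern wins (so a narrow block can sit inside an allowed TLD) are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Default for the JavaScript content setting: block everything not listed below.
DEFAULT_JAVASCRIPT = "block"

# Constructed exception list in Chrome's content-settings pattern syntax:
# "[*.]host" matches host and every subdomain, a bare host matches only itself.
# Per-TLD allows plus one more specific block inside an allowed TLD.
JAVASCRIPT_EXCEPTIONS = [
    ("[*.]com", "allow"),
    ("[*.]org", "allow"),
    ("[*.]net", "allow"),
    ("ads.example.com", "block"),
]


def pattern_matches(pattern: str, host: str) -> bool:
    """True if a Chrome-style host pattern covers the given host name."""
    if pattern.startswith("[*.]"):
        base = pattern[4:]
        return host == base or host.endswith("." + base)
    return host == pattern


def specificity(pattern: str) -> tuple:
    """More host labels win; at equal depth an exact host beats a wildcard (modelled rule)."""
    wildcard = pattern.startswith("[*.]")
    base = pattern[4:] if wildcard else pattern
    return (base.count(".") + 1, 0 if wildcard else 1)


def javascript_setting(url: str, exceptions=JAVASCRIPT_EXCEPTIONS,
                       default=DEFAULT_JAVASCRIPT) -> str:
    """Return "allow" or "block" for the page at url under the exception list."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    candidates = [(specificity(p), setting)
                  for p, setting in exceptions if pattern_matches(p, host)]
    if not candidates:
        return default
    candidates.sort(reverse=True)  # most specific pattern first
    return candidates[0][1]


def audit(urls, **kwargs):
    """Map each URL to its effective JavaScript setting."""
    return {u: javascript_setting(u, **kwargs) for u in urls}


if __name__ == "__main__":
    # Constructed sample of sites a user might visit.
    sample = [
        "https://www.example.com/",
        "http://ads.example.com/banner.js",
        "http://some-site.ru/",
        "http://another-site.cn/",
        "https://www.eff.org/https-everywhere",
    ]
    for url, setting in audit(sample).items():
        print(f"{setting:5}  {url}")
```

Anything under a TLD you never listed falls through to the default and is blocked, which is the whole point of the trick: you maintain a short allow list of TLDs rather than a long deny list of hosts.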

HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like WordPress, offer HTTPS but don’t default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.

HTTPSwitchBoard

HTTPSwitchBoard is another Chrome extension aimed at providing a more private and secure browser. The extension allows you to limit requests that the browser makes for a wide variety of content – you can allow a website to load its CSS/images and nothing else, or add in scripting, plugins, video tags, etc on a per-request basis.

It’s quite easy to use, maintains a great blacklist that makes whitelisting safe and easy, and is much faster than conventional content blockers.

https://github.com/gorhill/httpswitchboard


AppArmor (Linux Only)

Chrome does not have an AppArmor profile by default on any distro that I know of. You’ll have to make one, so have a look at this guide.

Chrome already makes use of a powerful sandbox on Linux, but adding AppArmor is a good idea. There isn’t a ton of up-to-date documentation on the Linux sandbox, so while we can gather that it’s pretty strong we shouldn’t trust it blindly, and therefore AppArmor is a very good idea. What we do know is that the Chrome sandbox makes use of chroot, a call that requires root privilege, so I’m not sure how they’re accomplishing this (I think they use a separate UID for this and then drop from root), but either way I don’t want anything that can chroot and chmod having access to more of my system than it needs.

Seccomp (Linux Only)

Chrome now uses Seccomp filters for plugins. Read about seccomp here.

PPAPI Flash Player

UPDATE: Chrome now uses the PPAPI Flash Player by default, which runs in a very powerful sandbox. Make sure Flash is using only PPAPI in chrome://plugins.

Remember

Chrome doesn’t update anything other than itself and Flash so make sure to keep your Java, Silverlight, or any other plugins up to date as well as the underlying operating system. And make sure to set your plugins to Click To Play.

And Of Course…

If I’ve missed anything let me know. I don’t think I’ve missed anything worth putting in. I’ve purposefully left ScriptNo (now SafeScript) out as I can’t attest to it working correctly 100% of the time, and it lacks many of the important features built into NoScript. I think that m00n’s JavaScript trick works fine.

The Definitive Guide For Securing Firefox

This is part 1 in a series where I’ll be detailing various settings for specific programs and operating systems. I’ll be writing a guide for Chrome, Firefox, Windows Vista/7/8, and Ubuntu 12.04 (maybe other things I can think of). The guides will cover everything I can think of across system compromise, in-program compromise, and privacy concerns. I won’t cover all subjects today, probably just Firefox and Chrome.

Firefox

Firefox is the free and open source browser developed by Mozilla. It focuses on user-oriented features like a customizable UI and ensuring user satisfaction through an interactive developer community.

By default, without any plugins, Firefox is fairly secure in that it makes use of modern mitigation techniques and is quick to patch. This guide will go over some Firefox extensions that you can install as well as settings that you can change to improve security and privacy.

Privacy Settings

First up we’ll change our privacy settings to include the Do Not Track header, which I recently posted about. We’ll also be disabling third party cookies as these are typically only ever used for tracking users (though they can have legitimate uses, like logging into websites via third party logins).

Firefox -> Edit -> Preferences -> Privacy

It should look like this after you’ve changed the settings:

[screenshot]

Security Settings

From the privacy tab you can click the next tab – Security.

Here we can set our master password. This password encrypts all of the others, so that if anyone gains unauthorized access to your system they will not be able to gain access to your saved credentials.

See this guide for creating a strong password.

Content Settings

Firefox lets you allow or deny JavaScript throughout the browser in the content settings page. Disabling JavaScript will break many sites but it will improve security – I recommend NoScript instead.

NoScript

NoScript is an extension developed by Giorgio Maone. NoScript is a default-deny system that blocks a webpage’s ability to run scripts or plugins. It also makes use of a strict XSS filter and clickjacking prevention.

By default NoScript blocks the following:

[screenshot]

This renders most attempts at exploiting the browser unsuccessful and will protect even whitelisted pages fairly well.

The problem with NoScript is that there is a ton of user interaction required. You have to whitelist every site you want to visit. It’s a pain. But if you’re after a high level of security that’s what I recommend. If you globally disallow (the default) you’ll benefit even when you whitelist a website.

Even if you hate the interaction I highly recommend you install NoScript and turn on the “Allow Scripts Globally” feature because it will still provide further improved security.

With NoScript ‘Allow Scripts Globally’ you miss out on the full extent of its protection but even then you’ll benefit from a few really great protections such as:

The XSS Filter – NoScript’s XSS Filter is kinda the one that all other XSS filters get compared to.

ClearClick – Clickjacking is a method used by attackers to trick a user into clicking a hidden or invisible ‘button’ that can lead to an exploit page or even a bank transaction. ClearClick is the only protection for this currently implemented.

CSRF Protection – CSRF is harder to explain. The attack comes from the user’s end of the system, so it can do things like get into your email account and bypass protections because it all originates from ‘you.’

MITM Protection – Man In The Middle attacks happen when, simply, the attacker is between you and the server. SSL is the typical solution, but certs can be spoofed to hijack even SSL communications, or mixed content transmissions can be attacked directly. NoScript implements multiple protections here.

So, there you have it. Even with Scripts Globally Allowed NoScript is going to make your Firefox much more secure.

HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like WordPress, offer HTTPS but don’t default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.

Convergence

Convergence is an extension that aims to solve many of the issues we see today with SSL and MITM attacks.

Check out this explanation on it here.

It hasn’t been updated in ages, and I’m not even sure if it’s supported anymore, so take this tip with a grain of salt – results may vary.

AppArmor (Linux Only)

I’ve written a guide for AppArmor already but I’d like to highlight that Ubuntu comes with a Firefox profile by default. It probably needs a bit of tweaking but if you follow the guide it’s easy to set up.

To set your AppArmor profile to enforce mode, simply enter:

# aa-enforce /etc/apparmor.d/usr.bin.firefox

Afterwards your Firefox will be held in a tight sandbox, which will prevent and contain exploits.

Use PDF.JS

Adobe Reader is one of the most commonly exploited applications, and although it has improved you may want to check out PDF.js.

You can use this simple extension to install it and Firefox will handle PDF through Javascript.

You can read more about PDF.js here.

PDF.js is arguably less secure than Adobe Reader as Reader will run within a sandbox. The goal of PDF.js is to reduce attack surface by having PDFs rendered by the Javascript engine already present in Firefox.

Remember

Always make sure to keep Firefox and all of its plugins up to date. This is critical on Windows where out of date plugins consistently lead to compromise.

And Please…

Firefox is not my default browser and hasn’t been for over a year now. If you know of any other methods for securing it please leave me a comment and I’ll try to fit it in. Thanks.

Browser Wars – Everyone Else Does It

Browser Wars – Security Style

Browser wars are monthly blogs (typically following the latest release of a browser) that basically pit the latest versions of today’s browsers against each other. It’s kinda lame and I feel like a tool for doing it, but I’m also really bored and I think browsers in the context of security are awesome.

So, let’s start.

What Makes A Program Secure?
In an ideal world we humans would be perfect and our code would be perfect and vulnerabilities wouldn’t exist. This is not an ideal world and we are not perfect nor is our code. Vulnerabilities do exist and for the foreseeable future this will not change. So what do we do to secure programs if they’ll always be full of holes? We accept that those holes are there and we make it as hard for hackers to make use of them as we can. There are various ways to accomplish this.

So What About Browsers?
Browsers aren’t typical programs. They’re fast paced, constantly changing, plugin-filled conduits to the wide open internet. By design they take in untrusted code. They’re just dangerous and that’s why they’re so great to look at for security.

Internet Explorer 9
Internet Explorer has laughable security, right? I mean, hey, IE6 on XP was terrible and nothing’s changed. Not exactly. Microsoft has learned from their (massive, gaping) mistakes and then some. IE9 is no IE6 by any stretch of the imagination. It’s got a multiprocess architecture that allows for tabs to be separated into low-rights processes, which means that an exploit in a tab is confined to that low-rights process.
On top of that IE9 has a new version of SmartScreen, a URL and file blacklist based on “file reputation” and heuristics. There hasn’t been a formal study on this that I know of other than the one by NSS Labs, but NSS Labs gave it a remarkable score of blocking 96+% of socially engineered malware (compared to trivial scores hovering around 13% for other browsers).
As I recall Adobe Flash also runs at low integrity when used with IE9.
The low-rights sandbox and SmartScreen make IE9 a very secure browser.
IE is Windows only and closed source.

Mozilla Firefox 4.0+
The Firefox browser, which is developed by Mozilla, is a free and open source browser that’s been very successful. In terms of customizing UI and features Firefox is top notch and it blows Chrome and IE9 out of the water in that respect. In terms of security it is… lacking.
Firefox does implement modern techniques like ASLR, DEP, and SEHOP and it even forces ASLR on toolbar binaries.
It also makes use of the Safe Browsing API 1.0, which (last I checked) blocks something like 15-20% of malware downloads.
Firefox does not implement any “extraordinary” security measures. There is no sandbox, no special file reputation system, and no special memory hardening technique. There’s just nothing that really stands out about Firefox.
Firefox users are able to make use of the NoScript extension, which is potentially a really great tool, but it’s not exactly accessible for the average user and I’m partial to security features that don’t bug me.
Linux users can make use of a “whole-browser” sandbox via AppArmor/LSM. A profile is provided by default on Ubuntu but it may take some tweaking. I highly recommend you check out AppArmor for your browser – check out my guide here.

All in all, I want to love Firefox, but I can’t really give it a ton of credit here.

Google Chrome X.XXX.XX.XXXX+ (or whatever)
Google Chrome is the (relatively) new player in the browser market. At only three-and-change years old it’s had a pretty impressive start, now holding market share close to Firefox. Chrome is based on Chromium, which is an entirely open source project – the difference being that Chrome packages Flash, a PDF viewer, and an update manager (on Linux it also packages support for closed codecs).
It uses the Safe Browsing API 2.0, which includes a file reputation module. I think NSS Labs puts it at around a 40% block rate. Again, there hasn’t been what I would consider a formal study on this.
Chrome’s main feature is a sophisticated sandbox based on Windows integrity access control and job tokens. It is similar in architecture to IE9’s sandbox but the restrictions are much tighter, with the renderer having no file access and most of the browser running at the absolute lowest rights possible on Windows.
Chrome also sandboxes the GPU process and all extensions. Each has its own separate process.
Chrome sandboxes the Flash plugin (responsible for a large number of infections) and will soon include a much more powerful sandbox for Flash via the PPAPI (Pepper Plugin API), which is in beta 20.
On Linux Chrome makes use of a namespace and chroot sandbox as well as seccomp mode 2 filters. This allows for a very tight sandbox. AppArmor profiles exist for it, which are useful as they’ll even restrict the zygote process. The weakness is that the zygote process must be setuid, which is why an AppArmor profile is suggested.
Chrome also limits inter process communication between it and the Java plugin, which can potentially prevent Java exploitation though it’s uncommon.

Opera 11.x
Opera is the lonely browser. On a good day it gets 4% of the market. It’s got something of a cult following and boasts pretty nice performance and a ton of features built in. As with Firefox it’s pretty lacking when it comes to security.
Opera is closed source and there isn’t a ton of documentation for security. There does not seem to be anything special about it.
No sandbox (there might be one on Linux actually, but I’m not sure) and not too great at filtering malware (I think NSS Labs had it at 0-5%; again, there need to be more formal studies here).
Closed source doesn’t inspire confidence either frankly.

I can’t really suggest Opera if you’re looking for security.

Conclusion:
I guess I should order them or rank them or something – answer that “Which browser is most secure?” question. I won’t try to apply anything numeric to this, that would be dumb, the system is basically an amalgamation of the above and my own personal beliefs on security.

Greatest to least: Chrome, IE9, Firefox, Opera.

I think it’s pretty close between Chrome and IE9. Firefox with NoScript and Apparmor is a pretty secure browser but for a defense in depth approach I’ve got to go with Chrome. It’s dependent on what you’re trying to secure against – when it comes to system compromise you’ll want Chrome but if it’s about preventing XSS/Clickjacking Firefox with NoScript is the way to go.

There you have it. My opinion.

I left a lot out. JIT hardening isn’t something worth measuring as the JavaScript VMs all work pretty differently and it just doesn’t apply. I didn’t bother going into ASLR or other mitigation techniques; all of the browsers have these by default at this point and the differences are subtle and in the implementation. I didn’t go into privacy, incognito/private browsing modes, extensions (this could be its own post), and some other stuff too. So consider this a very simple rundown on security. Even if I were to include everything the results would be the same, you’d just be better informed.

I’m also not going into IE10, which will include some fairly significant security improvements.

Choose the browser that is right for you. Maybe that’s the one that you think is most secure, maybe it’s the one with the UI you like best, or really any other reason. It’s your choice and it’s entirely up to you.

Sources:
http://www.accuvant.com/blog/2011/12/05/which-web-browser-is-most-secured
https://www.nsslabs.com/assets/noreg-reports/2011/nss%20labs_q3_2011_browsersem%20GLOBAL-FINAL.pdf [PDF]
http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do

Chrome, Internet Explorer, Firefox Response To ‘Exploit’

A recent blogpost showed how Chrome, Internet Explorer 9, and Firefox are all vulnerable to a specific bug that can be used to trick the user into downloading a file when they meant to download something else.

“the fake flash11_updater.exe download supposedly served from adobe.com is, in reality, supplied by the attacker”

The bug isn’t really the issue here, though. I mean, it’s definitely useful for social engineering and I can think of a million ways that I could infect people with this, but what I’d like to draw attention to is the response given by the browser vendors.

The response to this has apparently been:

  • Chrome: reported March 30 (bug 121259). Fix planned, but no specific date set.
  • Internet Explorer: reported April 1 (case 12372gd). The vendor will not address the issue with a security patch for any current version of MSIE.
  • Firefox: reported March 30 (bug 741050). No commitment to fix at this point

I think that says a lot about browser security. None of them have fixed it and only Chrome has stated they ever plan to, though they’ve given no date. At least Firefox and Chrome gave some discussion.

Think about it this way. If I were to post “Hey guys, update Adobe Flash Player, big security update!” and I linked to the Flash page with the download started I bet a lot of you would install it without a second thought. I’d probably fall for it too if it were linked from a forum I frequent.

This isn’t the biggest security flaw ever; it’s useful for social engineering and there’s definitely potential here, but it’s not going to lead to millions of infections (on its own at least). I just think it’s interesting to see how vendors treat ‘low priority’ security flaws.

Check out the proof of concept here. Tell me this wouldn’t fool you if I’d linked to it saying that it was a security update for Flash. Be honest.

Sources:

http://lcamtuf.blogspot.com/2012/05/yes-you-can-have-fun-with-downloads.html

Three Simple Steps To Stay Private Online

Privacy is definitely a big issue lately. People are starting to realize how much information they really put out there, and it can be scary. The thing is, most people also don’t really care enough to do anything about it and trying to attain significant levels of privacy is just a huge pain (TOR, VPN, whatever.) That’s why I’ll just list three incredibly quick and painless ways to help stay a bit more private online.

Block Third Party Cookies

Third party cookies are used to track a user across multiple sites. They really don’t serve much purpose except tracking.

Chrome:

Wrench -> Settings -> Show Advanced Settings -> Content Settings -> Block Third Party Cookie and Site Data

Firefox:

Edit -> Preferences -> Privacy -> Set “Firefox Will” to “Custom Settings” and uncheck “Accept Third Party Cookies”
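
What the “block third party cookies” setting actually decides, as an added example that is not part of the original post or of either browser’s code: a cookie is third-party when the site that set it (its registrable domain, eTLD+1) differs from the site of the page you are looking at. The request log, the tiny stand-in for the public suffix list, and the output format are constructed for the illustration; real browsers consult the full public suffix list.

```python
from urllib.parse import urlsplit

# Constructed subset of the public suffix list; the real list (publicsuffix.org)
# is far longer and is what browsers actually use to find the registrable domain.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host: the public suffix plus the one label in front of it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


# Constructed request log: (top-level page URL, URL of a response that carried
# a Set-Cookie header).
SAMPLE_LOG = [
    ("https://news.example.com/article", "https://static.example.com/img.png"),
    ("https://news.example.com/article", "https://tracker.adnet.net/pixel.gif"),
    ("https://shop.example.co.uk/cart", "https://cdn.example.co.uk/app.js"),
    ("https://shop.example.co.uk/cart", "https://login.sso-provider.com/session"),
]


def is_third_party(page_url: str, request_url: str) -> bool:
    """True when the responding site is not the site the user is visiting."""
    page_site = registrable_domain(urlsplit(page_url).hostname or "")
    request_site = registrable_domain(urlsplit(request_url).hostname or "")
    return page_site != request_site


def cookie_decisions(log, block_third_party=True):
    """Classify each cookie-setting response and say what the policy does with it."""
    decisions = []
    for page_url, request_url in log:
        party = "third-party" if is_third_party(page_url, request_url) else "first-party"
        blocked = party == "third-party" and block_third_party
        decisions.append((request_url, party, "blocked" if blocked else "accepted"))
    return decisions


if __name__ == "__main__":
    for url, party, action in cookie_decisions(SAMPLE_LOG):
        print(f"{action:8} {party:12} {url}")
```

Note the last log entry: a third-party login provider’s cookie is blocked by the same rule that blocks the tracking pixel, which is the legitimate use the setting can break and why some sites need to be whitelisted for cookies.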

Install Adblock Plus With Privacy Filter:

Adblock Plus is available for Chrome and Firefox. It includes Do Not Track and can make use of privacy specific filters.

Get Adblock Plus for: Firefox | Chrome

Then go to: http://adversity.uk.to/ and install the “Antisocial” list.

Use Private Browsing/ Incognito Mode

This may seem obvious to some but many people aren’t aware that there are “private browsing” modes provided by their browsers.

These private sessions won’t store any information on your computer about what sites you visit, and they are useful for ensuring that your session stays private from anyone else who has access to the computer.

Chrome: Control + Shift + N

Firefox:  Control + Shift + P

These are just three very simple steps to help you maintain privacy while you browse. They aren’t “perfect” and there are still issues to be worried about but for the average user I think the above information will suffice.

So Why Aren’t Third Party Cookies and Ads Blocked By Default?

I think people need to understand that by blocking ads and tracking you are fighting the one thing that keeps the internet alive. Websites are run by ads. The world, really, is run by ads but that’s a bit out of scope.

The point is that if you’re on a website you like, go ahead and whitelist it with Adblock Plus. Maybe you’ll see an ad you like and they’ll get a bit of cash so that they can continue providing you with that site.

Sources:

https://www.cdt.org/privacy/20090804_browser_rpt_update.pdf

adblockplus.org