back to article Admins warned: Drill SSL knowledge into your Chrome users

Admins of Chrome shops unite – your users are dabbling with dodgy SSL, and you must teach them how to be safer online until Google updates its browser. That's the gist of a new report from Google researcher Adrienne Porter Felt and University of California, Berkeley graduate student Devdatta Akhawe, who trawled some 25 million …

COMMENTS

This topic is closed for new posts.
Bronze badge

See I'm not terribly convinced about this research - how many of us have various servers that we administer that are self signed? My email server, PFSense router and Jabber server are all self signed, that's 3 SSL warnings for 1 person. My partner accesses the email server so that's 4 SSL warnings for 1 house.

Just how many of these "data points" relate to servers actually on the public internet?

7
0

If you self-sign a certificate you should add it, via an out-of-band method, to you trusted certificate list so that you don't see any errors. If you don't, you're doing it wrong.

1
4
Bronze badge

"If you self-sign a certificate you should add it, via an out-of-band method, to you trusted certificate list so that you don't see any errors. If you don't, you're doing it wrong."

You are far more generous than I am, for I'd raise the question of competence for *not* doing it properly.

It's what I did on a regular basis as BOFH.

At least until I could place a certificate store in place and have it trusted by the enterprise.

0
0

Exactly, and the ease of dealing with the self signed certs in Chrome over Firefox is one of the main reasons I use it. Especially as I know all my self signed certs on approx 100+ servers are fine.

0
0
Anonymous Coward

Chrome is banned from my network. It has many many more security issues to patch than Internet Explorer!

0
3
Anonymous Coward

Not to mention entering a simple URL in Chrome will dump all of a user's passwords in plain text!

0
0
Silver badge

What's It Mean?

I'm fairly positive the average user doesn't have the slightest idea what those warnings mean. It's just an extra window that appears before they can get to their content. The average user has no knowledge of security certificates or even what they mean, or even that they even exist.

10
0
Silver badge

Useless certificate system

Given the apparent ease with which you can get a certificate in the first place, the system seems to be pretty useless anyway. With all those certificate authorities out there how is an individual supposed to know which ones to trust? A list built in to your website browser is ok, but then you've only got their word for it.

Effectively all the system does at best is tell you that some outfit out there that your browser developer has heard off has some sort if vague knowledge of where to find some other guy (probably just an email address; like they're a strong identity...) whose website it is that you're visiting. Even then that doesn't mean that the website is actually trustworthy or unhacked, and these days is anyway likely to be attempting to gather as much data about you as possible for their own commercial gain. And then there's the sites that reuse the same tech but isn't part of the certificates system at all that you really do want to visit (eg your own router), and the sites that you do know about which have forgotten to renew their certificates, meaning you've got to bypass the system anyway with one or more mouse clicks.

The Internet does not have a good means of establishing identity. The technology is probably as good as we can make it, but the system is badly run by the meat bags that inhabit the system who are themselves out to make as much money as possible for the least amount of work.

Anyone got a better idea?

11
0
Silver badge
Boffin

Re: Useless certificate system

@bazza - >"Anyone got a better idea?"

Pony Express.

Homing Pigeons.

Smoke Signals.

Soup Cans and String.

(although all the above are still vulnerable to Man in the Middle Attacks)

1
0
Anonymous Coward

Trusted? CAs

I just looked at the list of trusted root CAs in Chrome. I've vaguely heard of one or two but I have no idea whether any of them are trustworthy or not. How would I know if a CA is more trustworthy than the sites it vouches for? Because Google say they are trustworthy? But why should I trust Google? And to cap it all how do I know the NSA have not silently sequestered private keys from CAs? Because I certainly don't trust the NSA.

2
0
Silver badge
Thumb Up

Re: Useless certificate system

I'm intrigued - how do you mount a man in the middle attack on smoke signals?!

2
0
Anonymous Coward

Re: Useless certificate system

Exactly. On the other hand, browsers object to self-signed certificates, which is OK unless I am granting someone access to my secure data, in which case it is my business who I let in. More specific instructions from browsers on self signed certificates would be nice but would also get closer to revealing that without an airbreak system or multifactor authentication, ssl doesn't really buy much.

How much money does Mozilla get from the likes of Verisign, I wonder?

0
0

Re: Useless certificate system

It already exists in the form of Enhanced Verification Certificates. So you can use normal certificates for everyday "is this the right site?" type verification where you don't really care to much other than to know that your el-reg password won't be snooped, then EV certs for "Is this really my bank because I'm about to give them financial details?" situations.

What really needs to happen though is for these "warnings" to go away entirely. Browsers should just point blank refuse to load content from a site with an invalid certificate. That'll be safer for everyone in the long run.

0
3
Silver badge
Flame

Re: Useless certificate system

@bazza - >"I'm intrigued - how do you mount a man in the middle attack on smoke signals?!"

Unfortunately, it often involves killing the person at one of the relay points, but it can be done.

2
0
Bronze badge

Re: Useless certificate system

"(although all the above are still vulnerable to Man in the Middle Attacks)"

I guess we have to go back to personal messengers, well known to both parties, with OTP codes to confirm they are who they appear to be and say that they are.

Or, we could simply accept the ramblings of the PFY and follow the sage commands of the BOTF. ;)

0
0
Bronze badge

Re: Useless certificate system

"I'm intrigued - how do you mount a man in the middle attack on smoke signals?!"

Get between them, preferably on a hill. Then, have a modestly large fire obscuring the original signal's smoke from the view of the receiving party and vice versa.

End users are a good source of such smoke...

2
0
Bronze badge

Re: Useless certificate system

"...without an airbreak system or multifactor authentication, ssl doesn't really buy much."

Airbreak systems are routinely broken by end users breaching the air gap, either by malfeasance or by good intentioned breach of security to more easily accomplish their job.

Multifactor authentication has also been breached, one I saw quite a bit of was using the middleware's utilities to bypass it.

By your standard, if a security model/system fails, it is useless. Might as well leave the fucking house doors wide open when you go to work!

Meanwhile, Chrome is exhibiting the same behavior as Firefox and Internet Exploder did in the past, easily permitting idiots to trust any damned site with a click through, rather than either convoluted methods to accept the site or triple or more clicks through today.

0
0
Silver badge

Re: Useless certificate system

> Anyone got a better idea?

Don't always trust a CA?

If you visit an ssl site, bring up a message saying who signed it and ask the user whether to add it as an exception. Then if the cert changes, it gets flagged as unexpected (or maybe expected if the old one has expired). That helps prevent badly issued certs from automatically being accepted.

0
0
Bronze badge

Re: Useless certificate system

"Browsers should just point blank refuse to load content from a site with an invalid certificate. That'll be safer for everyone in the long run."

OK, way cool! So, no self-signed certificates are permitted, only deep pocketed authorities are permitted, if they decide down the road to sell a certificate for 100k a pop, so be it.

Ignoring certificate theft and spoofing or various other attacks.

WAY to pin a failure mode down to a small group!

0
0
Bronze badge

Re: Useless certificate system

"f you visit an ssl site, bring up a message saying who signed it and ask the user whether to add it as an exception."

And therein lies a failure mode.

Assuming the user isn't a blithering idiot.

Be they an end user or an administrator.

Such as one SA, who I caught reading his Gmail on a domain controller. Don't know where he ended up after, probably the CIO of the US Congress, as incompetence rises.

0
0
Silver badge
Thumb Up

Re: Useless certificate system

@Andy Prough,

They used smoke signal relay points? Yes, that would certainly allow a man in the middle attack.

Anyone up for writing an RFC for SmokeIP?

1
0
Silver badge

Re: Useless certificate system

@El Andy,

Enhanced Verification Certificates might mean that some meat bag has done something slightly more than usual to check an ID, but all the same commercial pressures exist to reduce their worth. I'm sure it will only be a matter of time before one of those gets abused.

I think that the only way to really ensure that a certificate system is good is if the commercial interests surrounding them are taken out of the equation, and actual real hard information (eg perhaps a street address for the websites owners) is encoded in them, and that a CA actually goes and checks out that address regularly. Unfortunately that starts sounding very governmental and expensive, which is bound not to work universally worldwide.

0
0
Happy

Re: Useless certificate system

Pay the power company to pour energy *into* a nearby wind farm.

Site your Navajo Code Talkers upwind.

1
0

Re: middle attack on smoke signals

You could stand between the person sending and the person receiving, and send up your own signals to change the message

For instance

Many white men come!

Could become

Many white men, come!

At this point I am sure you have figured out I am not an expert in smoke signals, I doubt they used subtle punctuation…

0
0
Boffin

Re: Useless certificate system

@Wzrd1: "OK, way cool! So, no self-signed certificates are permitted, only deep pocketed authorities are permitted, if they decide down the road to sell a certificate for 100k a pop, so be it."

Er, no. You just have to use self-signed certificates correctly. That is you have to provide the certificate to end-users via an alternate method (such as auto-rollout on a corporate network) so that they can verify that the certifcate on the webserver is the expected one. An out-of-band mechanism can be just as effective as a trusted third party for verification in that regard (some might even argue better, though less convenient)

If you don't have that option, then self-signed certificates literally give you no security at all. Because I can just as easily generate one for my MITM attack server as you can and nothing can distinguish between the two. Using HTTPS in that situation provides absolutely no protection over HTTP, it's all just security theatre.

An unverifiable certificate is always a sign that there is absolutely zero security between you and the endpoint it's supposed to be securing and, as such, should always fail. Until browser makers start doing that, sysadmins the world over are going to keep doing this wrong.

0
0
Bronze badge
Childcatcher

Re: Useless certificate system

...how do you mount a man in the middle attack on smoke signals?!

With mirrors?

1
0

Re: Useless certificate system

"I'm intrigued - how do you mount a man in the middle attack on smoke signals?!"

Pigeons, fans, binoculars, and some ordinary household bleach.

Or hack one of Obama's NSA drones.

1
0
Anonymous Coward

Re: Useless certificate system

Even banks in the US seem to be giving up on EV-SSL. Not so much for technical reasons, but because customers don't know that it makes a difference.

About half the banks that do business in my city seem to have given up on EV-SSL:

https://www.citizensbank.com/

https://www.wellsfargo.com/

https://www.tdbank.com/

https://www.wsfsbank.com/

0
0
Silver badge

A fairly common example

User gets an 'untrusted certificate' warning, and as Techy happens to be within sight, asks 'What does this mean?'

Techy: It either means that your employer is not properly maintaining their website or that this is not your employer's payroll website at all. Instead it is a copy controlled by criminals. If you log in, you will give you user name and password to the criminals, which makes you in breach of contract with your employer. The criminals will be able to divert your pay cheques to accounts they control. They will also be able to enter false time sheets, and when these are discovered, you can be charged with fraud. You should close this browser and contact your employer's payroll and IT departments as soon as possible. Tell them you saw an untrusted certificate warning when you tried to access their payroll web site.

Which is worse:

1) The user clicked through the warning and logged in.

2) No-one at the company who understood what 'untrusted certificate' means had the authority to fix it.

3
0
Bronze badge

Re: A fairly common example

I enjoyed a highly successful career as an Information Assurance Security Officer for a US military installation.

Highly successful in my book is not having accounts, users or data compromised.

Chief to that success wasn't brilliant strategy in firewalls, antivirus, patching or rolling bones under the right kind of smoke. It was educating the end user. It was also, as a last ditch effort, the firewalls, antivirus and patching (I'll not comment on bones and smoke, for fifth amendment reasons).

It was also reinforced by the pain in the dick method: End user gets infected or otherwise compromised (assuming no blackmail, as that was a criminal matter and handled by guys with guns and handcuffs), end user goes through the end user security awareness course. It is a mandatory course that takes a mandatory one hour to proceed through, with questions all along the way to ensure a real human takes the course.

It is also required annually for all users. Even myself.

So, once a year, I didn't want to even piss, it was that much of a pain in the dick.

We'll suffice it to say, the end user didn't re-offend, save once. That end user was reassigned by his commander, to infantry. (True story, even the installation commander took the damned course annually and once, twice in a year, due to clicking that which was trained against.)

0
0
h3
Bronze badge

Self Signed is fine for internal stuff just install the right things for the CA onto the clients.

That just paying someone for the certificate magically makes it any better is nonsense.

(External stuff obviously you cannot expect customers to do that).

But there again the way startssl does it could be used depending on the site.

Using a client side certificate as well as a login mechanism would be useful for certain things.

1
0
Silver badge

hmm

Firefox has really come a long way and is a very nice browser these days. Its just too bad they shit the bed so badly in their bloaty dog slow memory leaky unstable insecure Edsel like days of Firefox 2 to 3.5 or so. A lot of Chrome users won't be coming back unless Chrome goes so badly off the rails as well.

0
2
Silver badge
Happy

Re: hmm

On the other hand, they've fixed the problem (very recently) that prevented you from being able to keyboard navigate the certificate exception process. I have to access several internal sites that are not maintained by me, so of course, they're using the default signed-by-loopback certificates. As oposed to the rest of our internal servers that have certificates signed by my openSSL-based CA.

0
0
Silver badge

Re: hmm

Why is this a problem? I still use Firefox, but having the "non-IE" market split between them is better than if Firefox had it all.

0
0
Silver badge

Chrome...

... would be the browser that insists on its sandbox process running as root on linux. And people actually use it?? Wonders never cease.

2
1
Silver badge

Re: Chrome...

" would be the browser that insists on its sandbox process running as root on linux."

Er, I think you have that wrong (though I'm prepared to be corrected). According to the various web pages I've read it runs the sandbox in a chroot, which is definitely not the same as running as root. I've not seen any reference elsewhere to it running as root.

1
0
Bronze badge
Boffin

Re: Chrome...

No: Chrome doesn't run as root on LInux in any shape or form - it can't.

I know this because I compile my OS from source and I've taken the trouble to find out how it works and conducted a fairly thorough but non exhaustive review of it over the years - have you?

It could still potentially rampage over my user account and perhaps watch me put in the root password but I have a few other tricks up my sleeve as does Chrome itself so although it is not 100% safe, its good enough for me and my personal use case.

I can't however speak for IE or any other browser on Windows (or any other closed source system) because I can't see the source code and I have to _assume_ that because I don't get a pop up for UAC that it isn't doing something else behind the scenes.

Have fun

Jon

2
0

This post has been deleted by its author

Re: Chrome...

@gerdesj: "I can't however speak for IE or any other browser on Windows (or any other closed source system) because I can't see the source code and I have to _assume_ that because I don't get a pop up for UAC that it isn't doing something else behind the scenes."

You can verify it using a debugger, which is the only way you can actually verify it on Linux too. Unless you compiled everything from source. Including the compiler. And whatever you compiled that with. Ad Infinitum. Source code is pretty meaningless.

Have fun

1
1
Silver badge
FAIL

Re: Chrome...

"No: Chrome doesn't run as root on LInux in any shape or form - it can't."

Sorry? Do you even have a clue what setuid root means?

"I know this because I compile my OS from source and I've taken the trouble to find out how it works and conducted a fairly thorough but non exhaustive review of it over the years - have you?"

Are you on drugs? Do you even understand what you're writing?

"my personal use case."

Oh look , a buzzphrase.

You're an idiot.

0
0
Silver badge

This study is kinda useless in my opinion. It basically boils down to Firefox having an unfriendly UI for certificate issues and people using it less as a result. It doesn't say anything about which browser's users were better able to correctly discriminate between certificate problems that can safely be ignored and those which should not be.

I donno about Chrome, but Firefox could hardy be worse on that score, since it make you do several clicks to even read details about the problem.

1
0

NOT a fan lock forcing security

Work networks are different, at least as long as espionage in general and "Intellectual Property" are concerns - they are no concern of mine though.

I connect one box alone to do banking and that's all it does.

Other than that, I hate security - I can evict the unwanted on my own, have no secrets, and value convenience highly, and privacy not at all.

Many things are slowed down or sometimes obstructed entirely by dumb-ass security.

Chrome is a terrible browser unless media consumption is the objective, which for me it is not, unless it is printed text.

0
0

Wish we had meaningful statistics

Most of my "untrusted site" warnings are clearly administrative errors: certificate is for the wrong sub-domain, certificate is expired, certificate depends on a government root I don't have, etc. How many of these click-throughs the author is warning about are actually MITM attacks? Sure, those errors could be cleverly disguised as MITM attacks, but odds are way against it. Administrative incompetence is far more widespread than sophisticated adversaries, in my experience.

If I were serious about stopping MITM attacks, I'd fix my browser to say "DANGER DANGER DANGER" whenever a site's cert turns up signed by a different CA than the same site had last time.

1
0
Alert

Type "proceed" to bypass Chrome's non-bypassable warnings

If there's a certificate problem accessing www.google.com, for example, type "proceed" into the browser and you can bypass the warning.

This is useful if you're performing your own man-in-the-middle SSL attack.

0
0

That's because most web devs use Chrome, they regularly have Fiddler/Charles/other proxies and dodgy certificates in the way and CHROME WONT LET YOU WHITELIST INTERNAL DEV SITES.

0
0
This topic is closed for new posts.

Forums