Tag Archives: Google Chrome

DigiNotar Breach Notes

Some folk have asked me for more details about the DigiNotar breach after my brief appearance on Al Jazeera this morning. So here are the notes I prepared for the segment. Links at the bottom.

Background

Web security certificates are digital IDs issued by companies entrusted with making sure each one goes to the company or organisation that actually controls the website named in it. A certificate allows a user to set up a secure (encrypted and authenticated) connection between their computer and the organisation’s website. Browsers show a little lock or some other icon to signify that a certificate has been presented and is trusted.

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe, called certificate authorities (CAs), that issue these certificates. Browsers ship with a list of which CAs they trust, and will accept any certificate signed by one of them without further checks.

Because they controlled DigiNotar’s signing systems, the hackers could issue certificates of their own for any domain they liked, and every browser that trusted DigiNotar would accept them as genuine. Armed with such a certificate, and with the help of an Internet Service Provider (or anyone else sitting on the network path), they could launch what is called a Man in the Middle attack: intercepting and reading supposedly secure traffic, a bit like tapping a telephone.

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531, by Fox-IT’s count) fake certificates had been issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen or so issued for domains like Google, Facebook and Skype.
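To make the mechanics concrete, here is an added example in Go; it is not code from the original post, nor anything from DigiNotar or Fox-IT. It creates two toy root CAs, one genuine and one standing in for a compromised CA, has the compromised one issue a certificate for a hostname its customer does not control, and then runs the checks a browser can make: the ordinary chain check with both roots trusted, the same check after the compromised root is removed from the trust store (which is what the browser vendors did), and a public-key pin check that compares the hash of the certificate’s key against a known-good value. The CA names, keys, serial numbers and the hostname www.example.com are all generated or assumed for the example.

```go
package main

// Added example, not code from the original post or from DigiNotar/Fox-IT:
// a toy compromised CA issues a certificate for a host it has no right to,
// and we run the checks a browser can make against it.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign makes a fresh key pair and has parent sign tmpl; nil parent = self-signed root.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newRoot makes a self-signed CA certificate of the kind a browser ships in its trust list.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueFor has root sign a server certificate for host. Nothing checks that the
// requester controls host: whoever holds the CA's signing key skips that step.
func issueFor(host string, serial int64, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return cert
}

// browserAccepts is the ordinary check: leaf is good for host if it chains to any trusted root.
func browserAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value a pinning browser compares.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

type outcome struct {
	RogueAcceptedWhileTrusted  bool // the chain check alone cannot tell it apart
	RogueRejectedAfterDistrust bool // once the root is pulled from the trust store
	RogueFailsPin              bool // a pin catches it even while the root is trusted
	GenuinePassesPin           bool
}

func runScenario() outcome {
	const host = "www.example.com" // assumed stand-in for the targeted site
	genuineRoot, genuineKey := newRoot("Genuine Root CA")
	badRoot, badKey := newRoot("Compromised Root CA")
	genuineLeaf := issueFor(host, 100, genuineRoot, genuineKey)
	rogueLeaf := issueFor(host, 200, badRoot, badKey) // the attacker's certificate
	shipped := x509.NewCertPool()                      // trust store as shipped: both roots
	shipped.AddCert(genuineRoot)
	shipped.AddCert(badRoot)
	patched := x509.NewCertPool() // after the browser vendors pull the bad root
	patched.AddCert(genuineRoot)
	pin := spkiPin(genuineLeaf) // hash of the site's real key, built into the browser
	return outcome{
		RogueAcceptedWhileTrusted:  browserAccepts(rogueLeaf, host, shipped),
		RogueRejectedAfterDistrust: !browserAccepts(rogueLeaf, host, patched),
		RogueFailsPin:              spkiPin(rogueLeaf) != pin,
		GenuinePassesPin:           browserAccepts(genuineLeaf, host, shipped) && spkiPin(genuineLeaf) == pin,
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Run it with `go run`: the chain check accepts the rogue certificate for as long as its root sits in the trust store, which is why the two remedies that actually mattered were pulling the root (delivered to users as a browser update) and pinning the expected key for high-value sites.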

Why do we think this was about Iran?

Studies of the validation requests (OCSP requests, in which browsers ping DigiNotar to confirm that a certificate has not been revoked) showed that during August the bulk, maybe 99%, of the requests for the fake Google certificate came from Iranian addresses. When the certificate was eventually revoked, the Iranian activity dropped away.
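As an added example of the analysis behind that figure (not code from the original post or from Fox-IT’s report), the Go program below reads an OCSP responder log, keeps only the requests asking about one certificate serial, attributes each client address to a country, and reports the per-day share coming from the country of interest. The log lines, the serial numbers and the prefix-to-country table are constructed for this example (documentation address ranges with assumed country labels); real work would use the responder’s own logs and a GeoIP database.

```go
package main

// Added example (not from the original post or Fox-IT's report): attribute OCSP requests for one serial to countries, per day.

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// Constructed OCSP responder log (not real data): timestamp, client IP, serial in hex,
// status returned. "0A1B2C" stands for the rogue certificate, "0F0F0F" for a legitimate one.
const sampleLog = `2011-08-28T09:00:00Z 192.0.2.10 0A1B2C good
2011-08-28T09:05:00Z 192.0.2.11 0A1B2C good
2011-08-28T09:07:00Z 192.0.2.12 0A1B2C good
2011-08-28T10:00:00Z 198.51.100.5 0A1B2C good
2011-08-28T11:00:00Z 203.0.113.7 0F0F0F good
this line is garbage and must be skipped
2011-08-30T09:00:00Z 192.0.2.13 0A1B2C revoked
2011-08-30T12:00:00Z 198.51.100.6 0A1B2C revoked
2011-08-30T12:30:00Z 203.0.113.8 0F0F0F good`

// prefixCountry stands in for a GeoIP database: documentation address ranges
// with country labels that are assumptions for this example.
var prefixCountry = map[string]string{
	"192.0.2.0/24":    "IR",
	"198.51.100.0/24": "NL",
	"203.0.113.0/24":  "US",
}

// parseLine returns the UTC day, client address and serial of one log line; malformed lines return an error.
func parseLine(line string) (day string, client net.IP, serial string, err error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return "", nil, "", fmt.Errorf("want 4 fields, got %d", len(f))
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return "", nil, "", err
	}
	if client = net.ParseIP(f[1]); client == nil {
		return "", nil, "", fmt.Errorf("bad client address %q", f[1])
	}
	return at.UTC().Format("2006-01-02"), client, strings.ToUpper(f[2]), nil
}

// countryOf returns the code of the first prefix containing ip, or "??".
func countryOf(ip net.IP) string {
	for cidr, cc := range prefixCountry {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return cc
		}
	}
	return "??"
}

// daily is one day's tally of requests about the serial under study.
type daily struct {
	Total   int // all requests for the serial that day
	Matched int // of those, from the country of interest
}

// analyse tallies, per day, requests about serial and how many came from country; also counts unparsable lines.
func analyse(log, serial, country string) (map[string]daily, int) {
	days, skipped := map[string]daily{}, 0
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		day, client, s, err := parseLine(sc.Text())
		if err != nil {
			skipped++
			continue
		}
		if s != strings.ToUpper(serial) {
			continue
		}
		d := days[day]
		d.Total++
		if countryOf(client) == country {
			d.Matched++
		}
		days[day] = d
	}
	return days, skipped
}

func main() {
	days, skipped := analyse(sampleLog, "0A1B2C", "IR")
	keys := make([]string, 0, len(days))
	for k := range days {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		d := days[k]
		fmt.Printf("%s  requests=%d  from IR=%d (%.0f%%)\n", k, d.Total, d.Matched, 100*float64(d.Matched)/float64(d.Total))
	}
	fmt.Printf("skipped %d malformed line(s)\n", skipped)
}
```

Two practical points the toy data is built to show: the tally is keyed on the certificate serial, because the responder only ever sees which certificate is being checked, never which site the user thinks they are on; and malformed lines are counted rather than silently dropped, so a gap in the figures is visible in the output.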

Moreover, the attackers left some quite obvious clues: calling cards in transcribed Farsi which translate into slogans such as “I will sacrifice my life for my leader” and “unknown soldier”.

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection, meaning the government is essentially snooping on web traffic. But when that traffic passes through these secure connections it is encrypted, and much harder to read. So the holy grail of any Internet surveillance programme is to get hold of those certificates, or work around them. This was a brazen attempt to do exactly that.

All Internet traffic in Iran has to go through a government proxy, which makes this kind of attack much simpler: the government ISP presents the fake certificate to pretend to be Google, or whatever, reads the traffic, and then passes it on to the real site so the user notices nothing.

Is it the government?

This is harder to confirm. The Dutch government is investigating. A similar attack took place in March against an Italian reseller of the CA Comodo (the “Comodogate” incident, linked below), and it shows similar fingerprints.

But the fact that the certificates were not just issued but then used against real users seems to suggest some official connection.

What could they have discovered?

Quite a lot. All the intercepted traffic could be deciphered, meaning all browsing and email. It may also have captured session cookies, which let an attacker act as the logged-in user without needing a password, as well as any passwords typed over the intercepted connections. That would have made it easy to get into target accounts and sniff around old emails, dig out other passwords, or get into associated accounts, such as Google Docs.

Moreover, some of the certificates were issued for the website of The Onion Router (Tor), a service which anonymises web traffic. Tor itself wasn’t compromised, but the certificates could convince your browser it was talking to the Tor Project’s site, whereas in fact you’d be talking to the attacker, who could, for example, hand you a tampered copy of the software.

Should other people be worried?

Yes. Some browser developers have been more forthcoming than others: Google Chrome, which caught the fake Google certificate because it checks Google’s own sites against a built-in list of expected keys, and Firefox were quick to respond and to remove DigiNotar from their trust lists. Others less so. If you’re in Iran or think you may be targeted, it’s a good idea to change your passwords, and to check that no one has altered the forwarding settings in your email account. You should also upgrade your browser to the latest version, whatever browser you use, since that is how the removal of DigiNotar reaches your machine.

DigiNotar made some horrible mistakes: one Windows domain for all its certificate servers, so that a foothold on one meant access to all; no antivirus; a simple administrator password. There were defaced pages on its website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

News:

BBC News – Fake DigiNotar web certificate risk to Iranians

DigiNotar – Wikipedia, the free encyclopedia

Fake DigiNotar certificates targeting Iranians?

Expert reports/analysis:

DigiNotar Hacked by Black.Spook and Iranian Hackers – F-Secure Weblog : News from the Lab

Operation Black Tulip: Fox-IT’s report on the DigiNotar breach | Naked Security (Sophos)

Fox-IT report, operation Black Tulip (PDF)

VASCO:

Acquisition DigiNotar

VASCO DigiNotar Statement

Comodogate:

Comodo Group – Wikipedia, the free encyclopedia

The Browser Wars: Another Milestone

(This is a copy of my Loose Wire Service column, produced for newspapers and other print publications. Hence the lack of links.)

By Jeremy Wagstaff

As you know, I’m into milestones, and another one has been passed in recent days: Microsoft’s market share of browsers is down below 60%.

Now this may not sound very exciting to you, but it is. And you are to be congratulated. Because it’s you who have made it happen.

Let me explain.

A couple of years ago, when I started training journalists on things digital, I used to ask them what browser they used. They either answered Internet Explorer—Microsoft’s browser, which comes with Windows—or they would look blankly at me.

The truth is that since the demise of Netscape in the late 1990s, there really hasn’t been much of a battle between the browsers. Most Windows users accepted Internet Explorer, while Mac users settled for the Apple browser Safari.

So when I would ask the class whether they had heard of Firefox, the Open Source browser, they would again look blank, or bored, or both.

That was then and this is now, two years on.

Now most of them have heard of Firefox, and many of them have it installed on their computers.

Not only that: Most of them have tried out Google’s own browser, Chrome.

Indeed, nowadays, when I venture a peek over shoulders at cafes and in offices, I see many more Firefoxes (or Chromes) than I used to.

So it doesn’t surprise me to read that, according to research company Net Applications, Internet Explorer’s market share has, for the first time in more than a decade, fallen below 60%.

Of course, 60% still sounds like a good chunk of the market, but remember this: Internet Explorer is the default browser on Windows computers, which still occupy most of the world’s desktops. Last year that figure was nearly 68%. Two years ago, when I started the training course, the figure was 77%. Back in 2003 it was 95%.

Compare this with Firefox, which is now on nearly a quarter of the world’s computers. And while Chrome has only a small share—6.7%—it is growing at quite a clip. A year ago that figure was closer to 2%.

Some of this may be down to a ruling in Europe which has forced Microsoft to offer 12 different browsers. But more likely is that people are getting smarter—more demanding—about what is on their computers.

After all, we spend a lot more time in our browser than we used to. Most of us now use webmail, rather than a separate email application. A lot of us use tools like Google Docs, rather than Microsoft Office. And, of course, there are productivity killers like Facebook, all of which are primarily accessed through the browser.

So what makes these other browsers so appealing?

Well, Internet Explorer is considered notoriously insecure, for one. Lots of bad things are supposed to happen if you use it for online banking and the like. And users like their browsers fast and light. But perhaps most importantly, Firefox, and increasingly Chrome, offer a range of plug-ins (little bits of software that, well, plug in to your browser to do extra things for you, from telling you the time in Timbuktu to letting you save clips to online databases, or to Facebook).

This, I think, is part of a broader trend that Microsoft and others haven’t figured out yet.

I see an increasing number of people using Gmail, Google’s webmail service, and I’ve noticed that all these people have customized their interface. This wouldn’t have happened even a year ago. Now they’re exploring beneath the hood of the default settings, and changing their environment to suit their moods and work styles. Some of these changes are small—background colours or themes—but they’re also more productivity-oriented, adding labels and filters to their workflow.

This is great. This is just what they should be doing. But it’s also part of a bigger trend that I believe explains the inexorable shift away from the default.

The simple truth is that as we spend more time in the browser we’re less likely to just go with what’s given to us. We want our browser to be as good as possible, and the changes we make to our online services travel with us: if I’ve changed the background on my Gmail to black, shifting to another browser isn’t going to reset it to boring white.

There’s another factor at play here. Websites used to look very different depending on what browser you used. That’s changed, as developers follow standards more closely (what’s called being “standards compliant”). This gives us users a lot more flexibility—we don’t feel like we’re going to break something on our computer, or not be able to access, say, our banking website—if we’ve left the reservation and installed another browser.

The next step: the browser replaces your operating system. Google is onto it. 

The Thin Yellow Lines of Innovation

image

Maybe you’ve already noticed this, but I very much like this feature in Google Chrome that lets you see at a glance the matches for a search term within a page. The matches appear as yellow lines within the scroll bar (see above), so you can easily jump to them by dragging the scroll bar itself.

Another nice twist with Chrome is that it will tell you how many matches there are on a page, and tell you which one you’re currently viewing:

image 

Nice touch. I still think the Firefox search trick of being able to highlight all instances of a search term within the page is very helpful:

image

This helps to make the matching words stand out on the page (along with the extra option of matching case):

image

What’s interesting here is the innovation in a feature that has, elsewhere, become largely moribund. Check out the search box in Microsoft Word 2007:

image

You can choose the Reading Highlight button to, well, highlight those terms you’re looking for, but frankly, I only just found that feature and I’ve been using Word for years. The features in Chrome and Firefox I found pretty much straightaway.

And the feature doesn’t really detract from the fact that the Find box itself is pretty poorly designed, and short of features. Surely in a program that is about processing words, this would be a feature you’d have a whole team working on to improve?

Bottom line: While old software stands still, we’re seeing a lot of incremental but valuable improvements in the new software—browsers, basically—and I think therein lies a lesson. Microsoft et al, you need to turn your attention to these small things, that may not be very belly or whistly (sorry, just wanted to use the word ‘belly’) but which we all use. A lot.

Loyalty to a program, whether it’s a browser or a word processor, may often come down to these small things.