September 25, 2016

90% of all HTTPS Websites Insecure

(LiveHacking.Com) – SSL Pulse, a new project that monitors the quality of SSL sites across the Internet and reports on its findings, has discovered that 90% of all HTTPS websites are insecure. The project has tested the top 200,000 SSL web sites on the Internet and discovered that nearly 180,000 of them are insecure.

The project measures key features about an SSL configuration and ranks the website according to the SSL Server Rating Guide. According to the report 40% of the worlds top SSL sites use 128 bit (or less) ciphers for data transfer and a handful of sites have certificates with keys below 1024 bits.

The biggest weaknesses are insecure renegotiation and susceptibility to a BEAST attack. Over 8,500 sites support insecure renegotiation which since 2009 as been considered insecure. A successful exploitation of this vulnerability allows an active man-in-the-middle attacker to inject arbitrary content into an encrypted data stream. The results is that the attacker can impersonate a valid client and steal confidential data.

The SSL Pulse survey reports that 75% of SSL websites are still open to BEAST attacks. A BEAST attack is based on a flaw in the SSL protocol. A successful exploitation of this issue will result in a disclosure of a victim’s session cookies, allowing the attacker to completely hijack the application session. It was resolved in TLS v1.1, but now six years later, most clients and servers do not support newer protocol versions. To protected against a BEAST attack servers need to be configured to use TLS v1.1 or to only use RC4 with TLS v1.0 or SSL v3.0.

“About 50% (99,903 sites) got an A, which is a good result. Unfortunately, many of these A-grade sites (still) support insecure renegotiation (8,522 sites, or 8.5% of the well-configured ones) or are vulnerable to the BEAST attack (72,357 sites, or 72.4% of the well-configured ones). This leaves us with only 19,024 sites (or 9.59% of all sites) that are genuinely secure at this level of analysis,” wrote Ivan Ristic, director of engineering at Qualys and creator of SSL Labs.

The project hopes that these startling numbers will raise awareness of these issues and help web site owners improve their SSL implementations.

Is SSL/TLS Under Attack from the BEAST?

 

(LiveHacking.Com) – Juliano Rizzo and Thai Duong have released details of a vulnerability in  TLS (Transport Layer Security) 1.0, the encryption mechanism used in HTTPS (Secure Hypertext Transfer Protocol). TLS is the successor to SSL (Secure Sockets Layer) and is widely used on the Internet. The vulnerability resides in versions 1.0 and earlier of TLS, but not in versions 1.1 and 1.2, however they remain almost entirely unsupported in browsers and websites.

At the Ekoparty security conference in Buenos Aires, Juliano and Thai released a tool, known as BEAST (Browser Exploit Against SSL/TLS), that compromises TLS by exploiting the vulnerability  that has actually been known about for years but which has been regarded as just theoretical until now.

The problem is all to do with block ciphers and Cipher Block Chaining (CBC). With CBC, each ciphertext message starts with a single extra random block, or IV (“initialization vector”). TLS <= 1.0 uses CBC but has a problem in that instead of using a new random IV for every TLS message sent, it uses the ciphertext of the last block of the last message as the IV for the next message. This means that the IV is now something an attacker can predict. A more detailed look at how the attack works can be found here.

The two-factor authentication service PhoneFactor has suggested websites use the RC4 cipher to encrypt SSL traffic instead of algorithms such as AES and DES, as RC4 is not vulnerabile to this CBC/IV problem.

According to Sophos, the pair reported their findings to the major browser vendors a month ago. However so far Google is the only company to respond with a fix (which can currently be found in the beta test versions of the browser).

Google Releases Chrome 10.0.648.134 and then 10.0.648.151

Google has made two quick releases to its Chrome web browser. The first on Tuesday includes a newer version of Adobe Flash and the second on Thursday blacklists a small number of HTTPS certificates.

A few days ago, Adobe revealed the details of a new zero-day vulnerability in Flash. This vulnerability, which is being exploited via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file and delivered as an email attachment, can cause a crash and/or potentially allow an attacker to take control of the affected system.

The vulnerability is also present in the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.

Adobe have a fix for this problem which it plans to release at the beginning of next week. However Google has pipped Adobe to the post and released the fix in Chrome ahead of the official Adobe release.

Google and Twitter Improve SSL Support

Google and Twitter have independently announced that they are improving their support for secure encrypted connections (with SSL and HTTPS) when using their respective services.

Google announced on its official Google Code blog that it will be improving the security of Google APIs with SSL, while Twitter, the micro-blogging service has added a new setting that allows users to always use HTTPS when accessing all pages on twitter.com, not just during log-in.

Google has already changed many of its user-facing services to either allow or require the use of HTTPS including Google web searchGmail and Google Docs. Next Google want to improve SSL support for its developer-facing APIs. Most of Google’s APIs already use SSL and beginning September 15, 2011, Google will require that all users of Google Documents List APIGoogle Spreadsheets API, and Google Sites API use SSL connections for all API requests.

With tools available like Firesheep, which make it easy to steal passwords for social networking sites when the victim is using an insecure wireless network, Twitter are emphasising the importance of using HTTPS. Twitter over SSL has been available for some time at https://twitter.com. But it has made it simpler for users to use it all the time by adding an option to the settings page.

To turn on HTTPS, go to your settings and check the box next to “Always use HTTPS,” which is at the bottom of the page.

Facebook Upgrades Security To Offer Complete Site Access Over HTTPS

Facebook have announced that from now-on the entire Facebook site can be viewed using a secure connection. Previously Facebook (like many sites) only used SSL whenever you needed to send your password to the server, but now they have upgraded their security and a secure HTTPS connection can be used for all your interactions with Facebook.

One thing to watch however is that this isn’t the default access mode for the Facebook site (although Facebook want to make it the default some time in the future). To activate secure browsing you need to edit your settings on the “Account Security” section of the Account Settings page. However Facebook are rolling out this feature slowly over the next few weeks so the secure browsing option may not have appeared in your account settings just yet.

The only real negative at the moment is that 3rd-party applications are not currently supported but Facebook promise that they are “working hard” to resolve this.

For more information on Facebook security and to take the Facebook security quiz (which was developed together with the National Cyber Security Alliance, the Anti-Phishing Working Group, and the Stop. Think. Connect. campaign) visit the Facebook Security page.

Firefox 4 to Include HTTP Strict Transport Security Support

In an effort to help mitigate man-in-the-middle attacks that make normal HTTP connections look like secured HTTPS sessions, Mozilla is adding support in Firefox 4 for a new technology called HTTP Strict Transport Security that enables site operators to tell browsers to always request an HTTPS session on future visits.

The technology, which is also known as ForceTLS, is currently an IETF draft specification and Mozilla officials say it should give users more confidence in HTTPS connections over time.

Read the full article here.

Source:[Threatpost]