This just in! HTTPS is still a useless garbage technology.
In this episode: HTTPS is still bullshit because it does not enforce single origin. That is, a website can appear as “valid HTTPS” while serving up to you malicious third-party JavaScript and cookies and iframes and all sorts of attendant garbage.1 Worse, because of the way the Modern Internet™ works (i.e. being monetized by third-party adtech), there is no way of changing this without either, a) breaking every major website, or b) creating a multi-tier internet based around which websites can afford to shell out hundreds of dollars a year for EV certs.
- So long as they’re being served from a site that also uses HTTPS. Which pretty much everyone does nowadays, even malware vendors, largely thanks to Google pushing the technology to sell more analytics products.↩
Tl;dr, like everything else with SSL, EV is fucking broken.
Because I will forever be, at heart, a huge brat, one of my favorite questions to ask people who pretend to know about INFOSEC is, “So what, exactly, is the point of SSL?” (Or TLS, or HTTPS, or however you want to word it.)1
Pretty much no one, in the field or out of it, gets the answer to this question correct. I’ve written about it before2 but, tl;dr version, the original intent of SSL
“But Alis!” you say. “I can get an SSL cert free from, like, Let’s Encrypt! Hell, you get free certs from Let’s Encrypt!”
Yeah, I do. And the thing about Let’s Encrypt? It’s a perversion of the entire point of the system. And it provides exactly squat in the way of security, because in a world where anyone can get a cert issued to basically anything, for any purpose, under any name, how do you know that the entity you’re communicating with is, in fact, the entity you want to be communicating with?
Spoiler alert: you can’t, see original linked article.
“Wait,” you say, confused. “If SSL is so broken, why do tech companies like, say, Google push it so hard?”
Well, Dorothy, because, firstly, the one thing SSL does do is give carriers a level of plausible deniability when it comes to government requests to wiretap internet traffic. “Well. Here are the traffic logs from the server! Oh, well. No, you can’t read them because it’s all HTTPS. Sorry, not our fault! We did what you wanted!”3
But, mostly? Google in particular pushes SSL so damn hard because one of the things SSL does is change the way HTTP referrers are sent. Why does Google care about this? Well, because it means webmasters suddenly don’t or can’t know where some or most of their website traffic is coming from, including search requests. So isn’t it great that Google can sell them this information as part of its ad platform! Phew, thanks Google! What a win for “privacy”!
Tl;dr, SSL is still terrible. And the “good” news? There’s still really no better option.
- The difference? Very briefly, SSL and TLS are two implementations of a secure communications protocol, with SSL being the older-and-now-deprecated version. HTTPS is basically “the web but with SSL/TLS.” In most cases the three terms are used as synecdoches, though HTTP isn’t the only thing that can be used with SSL/TLS.↩
- At length. It’s a bugbear, what can I say?↩
- It’s worth noting that this is mostly security theater; nation-state level actors, specifically intel organisations, can and do actively tap backbone networks. The thing they mostly don’t do is share the information gathered from these sources with law enforcement agencies, who desperately want it. In other words, yes. Most Current Issues In Government Surveillance are a dick measuring contest between spies and the cops.↩
Or so sayeth new research.
“So what?” you may very well ask. I don’t blame you; this is the problem with SSL in a nutshell. No one knows what it’s fucking for. People think “encryption” and “security”, because that’s what they’ve been told to think, except no, actually. SSL is for neither of those things.
The point of SSL–the original, why-we-have-this-system point–was to link an online presence with a real-world entity. The idea was that SSL certificates would be issued by a trusted third party, the Certificate Authority (CA), who would go out to a legitimate business and conduct an audit and interview, confirming that, a) they were a legitimate business, and b) that they actually owned the website they were attempting to procure the certificate for. SSL’s original use case, in other words, was to try and provide an assurance that, for example, commbank.com.au was, in fact, the actual site of the brick-and-mortar Commonwealth Bank.
Encryption (a.k.a. “security”) was a side-effect.
The fact that almost no one nowadays realises this–even a lot of people within IT and even INFOSEC struggle with it–is because SSL was broken pretty much as soon as it was implemented. Partly because the business model is bad (that’s another rant), but mainly because the system’s efficacy relies on end users–that’s you people–knowing how the system works. If you do not understand SSL–and almost no one does–then it is worse than useless.
That isn’t your fault, by the way; blame the people who implemented the architecture.
SSL is broken. And, sadly, there’s nothing you can do about it.
Like. Seriously. Nothing about it is good. It’s expensive, abstruse, unscalable, and confers few real world security benefits to users because no one knows how it fucking works. And yes, the system relies on users understanding it in order to operate.
Case in point: when you visit, say, https://wordpress.com/ how do you know the page that loads for you is actually the actual WordPress site, as operated by Automattic, unadulterated by any malicious injected content?
Hint: it’s got something to do with the SSL certificate. And, no, it’s not just that the cert, i.e. the “HTTPS”, exists at all.
Second hint: At the time of writing, the internet connection I’m using intentionally breaks and interferes with my access to wordpress.com–and, in fact, almost all so-called “secure” sites–in a way that would be called a “man in the middle attack” if we weren’t doing it to ourselves. This occurrence isn’t even uncommon; I’d wager just about every medium-to-large corporate, government, or educational entity in the world does it to their staff/students.1
So. My question stands: how can you, The User, know this is happening? And if you don’t know, how can you trust a system that lies and deceives you so readily?
SSL is a hell of INFOSEC’s own making. If Heartbleed does nothing else, at least it’s forced out some acknowledgment of that fact.
- Note that’s “government” and “staff” not “government” and “public”. That being said, the technologies to intercept SSL are readily available so long as the “breaker” has the ability to position themselves in a direct line between the user and the site they’re trying to access. So corporate IT connections are easy, and technically ISPs and other infrastructure providers can do this too. Whether they actually do or not… well. YMMV on that one.
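As an added illustration of the question the post asks (this is not code from the original post): a small Python check that classifies the certificate a site presents, using only the standard library. The two certificates are constructed samples in the shape `getpeercert()` returns, and the issuer names are assumptions; the point is that an interception proxy’s certificate validates fine when its CA is in your trust store, so the only thing that notices it is comparing the issuer against the one you expect.

```python
import socket
import ssl
# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert(): the
# same host as a public CA issues it, and as an interception proxy mints it.
GENUINE_CERT = {
    "subject": ((("commonName", "wordpress.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Public CA R3"),)),
    "subjectAltName": (("DNS", "wordpress.com"), ("DNS", "*.wordpress.com")),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "wordpress.com"),),),
    "issuer": ((("organizationName", "Corp IT"),), (("commonName", "Corp Web Filter CA"),)),
    "subjectAltName": (("DNS", "wordpress.com"),),
}

def rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of the nested issuer/subject tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def hostname_matches(cert, hostname):
    """Match against DNS SANs; a wildcard may only replace the leftmost label."""
    host = hostname.lower().split(".")
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = pattern.lower().split(".")
        if len(pat) == len(host) and pat[1:] == host[1:] and pat[0] in ("*", host[0]):
            return True
    return False

def classify(cert, hostname, expected_issuer_cn):
    """'ok', 'hostname-mismatch' or 'unexpected-issuer'. A chain the OS trusts
    but whose issuer is not the one you expect is the self-inflicted MITM."""
    if not hostname_matches(cert, hostname):
        return "hostname-mismatch"
    if rdn_value(cert["issuer"], "commonName") != expected_issuer_cn:
        return "unexpected-issuer"
    return "ok"

def fetch_peer_cert(hostname, port=443):
    """Live helper (not run here): the validated cert a real server presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

To use it against a real connection, pass `fetch_peer_cert("wordpress.com")` into `classify` together with the issuer you saw from an uninterfered-with network; a result of `unexpected-issuer` is the interception the post describes.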
So for anyone who hasn’t heard yet, the internet is broken.
No, that’s not hyperbole. Anyone claiming otherwise doesn’t understand the scope of the problem, namely that now all data that has passed through any website running a vulnerable version of OpenSSL for the last two years is “suspect”. Potentially compromised. Not only that, but any SSL certificate (specifically, the private key thereof) stored on, transmitted via, or used by any site running a vulnerable version of OpenSSL is also potentially compromised.
That means, in effect, there is no way of verifying any website on the internet is, in fact, who it says it is.
SSL is a bad system; it always has been,1 but this goes beyond just data leakage.
That’s it, in other words. Game over. Patching won’t help, changing passwords won’t help, reissuing certificates won’t help. SSL itself is fucked.
The reason this spreads so far beyond just the immediately affected sites has to do with the shitty trust model SSL is based on, coupled with the scope of effort that would be required to truly clean up all potentially compromised certificates (basically a mass revocation of certs at the root level, effectively blacklisting every single SSL site on the internet). You’re talking a concerted effort across browser makers and the companies that issue SSL certificates in the first place that could take down millions of sites. The likelihood of this actually happening? Basically nil.
We haven’t felt the real pain from Heartbleed yet, I guarantee it.
The funniest part about all of this?
As the Gizmodo article mentions, because OpenSSL is open source, the introduction of what is literally the biggest security hole in the history of computing can be traced back to its author.
A kid at some university in Germany.
That’s right, shitty code featuring known flaws that would get you flunked out of CS 101 broke the trust model the entire internet is based on.
Welcome to the future.
I think the thing that pisses me off most about this vulnerability is that it’s so fundamental and so far-reaching, that it’s pretty much the equivalent in the tech sector of a drug manufacturer forgetting to put active ingredient in their medicine, and selling two years of sugar pills.
If this had happened in literally any other industry, governments all over the fucking world would be passing legislation and setting up regulatory bodies, issuing fines and, potentially, prosecuting for criminal negligence. It’s true that no one is likely to die from Heartbleed, but still. The vulnerability–and the reaction to it–is symptomatic of a wider problem in tech, which is the fact that the industry still acts like a bunch of pretentious teenagers who think South Park libertarianism is the height of political thought.
This is not about changing people’s passwords. In fact, it’s not about any action taken by any single user. That’s what makes this scary; it represents a fundamental failure of the prevailing INFOSEC notion that security is some magical thing that will emerge out of rugged individualism and free market forces. No one is fucking accountable for this shit, and until someone can be, it will keep happening again and again and again and again.
Imagine a car manufacturer that released cars like software developers release code. People would fucking die and the company would be shut down and its execs would be in jail.
Or, again. That analogy isn’t quite right because of the deaths, so…
Imagine if a major bank released an ATM that, if a certain series of keys were pressed on the keypad, spat out bills randomly with no record it had occurred. And it did this for years, and no one noticed. The money wasn’t deducted from anyone’s account, and no one at the bank noticed a whole lot seemed to go missing all the time (“that would never happen!” not in banking, no, but again, this level of obliviousness is equivalent to the awfulness of the Heartbleed code). And this happened for years and years and years until suddenly one day everyone realized there was double the money in circulation than there should be, and the entire economy collapsed.
That’s the level of bad we’re talking about here, not just in consequences but in the complete lack of care given by all the people and processes that should have stopped it happening.
It’s fundamental, it’s bullshit, and it’s going to cost millions (at least) to remediate.
It is, in other words, entirely indicative of everything that’s wrong with this industry.
- Case in point: what is the primary purpose of SSL? Anyone who answered “encryption”, bzzt! Wrong.