{"id":7852,"date":"2017-06-06T07:11:26","date_gmt":"2017-06-06T15:11:26","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/06\/news-1634\/"},"modified":"2017-06-06T07:11:26","modified_gmt":"2017-06-06T15:11:26","slug":"news-1634","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/06\/06\/news-1634\/","title":{"rendered":"HTTPS… Everywhere!"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Boursier| Date: Tue, 06 Jun 2017 14:00:43 +0000<\/strong><\/p>\n

We recently updated our redirections rule<\/a> in HTTPS-Everywhere<\/a>, a browser extension that automatically redirects you to the HTTPS version of the website you are trying to visit. Now is a good time for us to give a short\u00a0overview of how important HTTPS is. We’ll also talk about a few major HTTPS-related events that happened lately.<\/p>\n

When we browse the web, several third-parties are able to snoop on the connection between the user and the website, including the user’s ISP, law enforcement, the website’s ISP, and other\u00a0people in between.<\/p>\n

\"Who<\/a><\/p>\n

Who can snoop on your connection without HTTPS, and what can they see? (by The TorProject)<\/em><\/p>\n<\/div>\n

These intermediaries are able to obtain and modify on the fly most of the information sent through the connection: the website reached, the web page name and content, the potential username and password, the user’s IP address, and more. It obviously poses a lot of problems, which is\u00a0why HTTPS is now mandatory for more and more websites (public sector<\/a>, banks, etc.). Using HTTP with SSL\/TLS (HTTPS) hides much of information compared to the picture above:<\/p>\n

\"Who<\/a><\/p>\n

Who can still snoop on your connection with HTTPS, and what can they see?\u00a0(by The TorProject)<\/em><\/p>\n<\/div>\n

Now, the intermediaries only get access to the website reached and the user’s IP address. The web page name, its content, the logins are no longer exposed to whoever snoops between the user and the website. It’s also no longer possible to modify this data on the fly.<\/p>\n

The security gain is then huge, as it’s possible to transmit sensitive data in an authenticated way without being modified. This is possible thanks to a chain of trust established between the user software (a web browser, for instance) and a third-party who authenticated the service (a website, for instance).<\/p>\n

This third party is called a Certificate Authority (CA). There currently are a lot <\/a>of different CAs and all of them need to strictly follow the guidelines in order to stay trusted by web browsers, operating systems, and other software.<\/p>\n

Once a service requests a certificate to be authenticated, the Certification Authority proceeds to a multiple-step process in order to verify the owner identity. If it’s successful, the service will be authenticated.<\/p>\n

A widespread adoption<\/h3>\n

However, despite the huge benefit of using SSL\/TLS, anyone who requests a trusted certificate for a specific domain needs to regularly pay an expensive fee, which slows down the adoption rate.<\/p>\n

In 2014, a new non-profit Certificate Authority was created by the ISRG<\/a> with the idea to provide trusted certificates for free for everyone. The adoption was huge:\u00a0Let’s Encrypt<\/a> has been publicly launched in 2016 and has already delivered more than 33M certificate since then, for more than 40M domains<\/a>.<\/p>\n

\"Let's<\/a><\/p>\n

Let’s Encrypt Certificates Issued Per Day<\/em><\/p>\n<\/div>\n

For the first time, more than 50% of total web page requests have been served over HTTPS<\/a> in early 2017 and it’s still climbing.<\/p>\n

\"Percentage<\/a><\/p>\n

Percentage of pages loaded over HTTPS – Google Transparency Report<\/em><\/p>\n<\/div>\n

This widespread adoption is definitely good news for security. However, the landscape evolves very quickly, with involved parties trying to fix the remaining problems\u2014and introduce new ones.<\/p>\n

Web browsers pushing harder<\/h3>\n

In order to push the adoption much further, web browsers are also taking active actions.<\/p>\n

Recently, Google<\/a> and Mozilla<\/a> announced a new feature in their browsers (Chrome and Firefox, respectively): websites served over HTTP will be labeled as non-secure (whereas before HTTP websites used to be the norm and only websites served over HTTPS had a specific label):<\/p>\n

\"\"\"\"<\/p>\n

They also announced the end of support for the SHA1 algorithm<\/a>, which is still used by some Certificate Authorities despite several flaws it suffers.<\/a><\/p>\n

Another step is the introduction of Certificate Transparency<\/a>, the support of which will be mandatory for all Certificate Authorities from October 2017\u00a0in order to<\/a>\u00a0very quickly detect wrongly issued certificates and malicious Authorities, thus, revoking them as quickly as possible.<\/p>\n

Last but not least, they are taking strong positions against Certificate Authorities that\u00a0don’t follow the rules and best practices: Google and Mozilla announced their intention to distrust the \u201cClass 3 Public Primary CA<\/em>\u201d Symantec certificate due to several failures to comply with the industry rules<\/a> and other more<\/a>\u00a0recent security problems<\/a>. This will revoke the trusted chain and will trigger a warning for users visiting a service authenticated with this certificate and may even block them to visit the website depending on their configuration unless Symantec changes their practices or agree to comply with Google and Mozilla requests which\u00a0may be<\/a> the case.<\/p>\n

Security software playing nasty<\/h3>\n
Despite all these actions to push more and more\u00a0 SSL\/TLS implementation best practices, a major issue still <\/span>persists<\/span>.\u00a0<\/span>Several antivirus software, middleboxes, or corporate appliances analyze web or mail connections to scan for malicious content. While it’s easy to achieve for clear-text traffic (like HTTP), it’s much more difficult to do so for SSL\/TLS traffic.<\/span><\/div>\n
<\/div>\n
As pointed by <\/span>the recent study <\/span>“The Security Impact of HTTPS Interception”<\/i><\/span><\/a>,<\/i><\/span> these solutions tend to behave <\/a><\/span>like<\/span> spyware<\/span>\u00a0and<\/span> play<\/span><\/a>\u00a0nasty<\/a><\/span>\u00a0with<\/a><\/span>\u00a0SSL\/TLS while they try to decrypt it “<\/span>for security reasons”<\/i><\/span>. As expected, it usually puts the user at risk while breaking the security chain, reducing the connection security, and reintroducing old security flaws.<\/span><\/div>\n
<\/div>\n
Malware is seen to maliciously modify the system certificate root store (which stores the list of trusted certificates from known Certificate Authorities). They add a non-trusted certificate and set it as trusted, or remove known and legit certificate in order to break the connection to known services. The latter has been seen very recently on our forum<\/a>:<\/span><\/div>\n
<\/div>\n
\n
\"List<\/a><\/p>\n

List of certificates maliciously marked as untrusted by the system<\/p>\n<\/div><\/div>\n

<\/div>\n
But as explained, several security software programs proceed in a very similar manner.\u00a0<\/span>The study has used browsers legit SSL\/TLS handshakes with some being knowingly intercepted by security software (and middlebox, corporate appliances) to be able to draw a comparison based on the relationship between the user agent and Client Hello messages<\/a>.<\/span>\u00a0They used portions of Cloudflare, Firefox update servers, and several popular e-commerces websites traffic in order to get a sufficient amount of data.<\/span><\/div>\n
<\/div>\n
The results are particularly explicit by themselves: 90% of connections to Firefox servers, 32% of connections to e-commerce’s websites, and 54% of Cloudflare connections have been observed to be less secure while being intercepted.<\/span><\/div>\n