Phishing, DNS poisoning, man in the middle…
Let’s start our journey in modern web application security by reviewing what is behind those words, widely used but poorly understood by most of us.
Things are really not as complicated as they sound. The mechanism behind all of these attacks is that the HTTP protocol provides no guarantee that you (the user) are really interacting with the intended site. Using various strategies (a look-alike link, a poisoned DNS answer, a hostile network hop) an adversary can insert itself between your browser and the site you intend to visit, and reuse your credentials to achieve its own objectives…
To solve this problem, the secure HTTP protocol (https://…) was invented, which if used properly delivers the much needed reassurance that you are really talking to the site you intend to, without the possibility for any third party to interfere. Each secure site has a public certificate of identity that can be sealed (signed) by a public certifying authority, and your browser is capable of reliably checking such seals each time a new certificate is received. There are obviously flaws in this approach, as central certifying authorities can be less reliable than you would wish; however the chain of weaknesses along which today’s electronic criminals proceed rarely involves subverting a certifying authority.
The need for the Internet to be an open system has resulted in a design mistake that is at the origin of many of the security problems experienced today in web applications. Deployers of web sites wishing to rely on the secure HTTP protocol are free to use a non-official certificate for their site (self-signed, or signed by nobody your browser knows), relying on the fact that end users will click through the warning emitted by their browser that this secure site does not belong to anybody previously identified. This creates a situation in which faulty certificates are more the rule than the exception, and end users who have learned to dismiss the warning become easy targets for schoolbook man in the middle attacks on highly reputable web sites…
Phishing, for its part, is a less sophisticated kind of man in the middle, in which the end user is simply lured into connecting to a web site that looks and smells like the real one. Though the real site is deployed on secure HTTP, the false one may not bother with this, in an effort to avoid the annoying certificate warning popup: a plain http:// site presents no certificate, so the browser has nothing to complain about.
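To make the checks in the last three paragraphs concrete, here is a toy model, added for this post and not KerPass or browser code, of what a browser does with the certificate chain a site presents: walk from the site’s certificate up to a root in the browser’s trust store checking each seal, match the name in the certificate against the host being visited, and check the validity dates. The CA seal is simulated with an HMAC and every name and key (Example Root CA, www.bank.example, the key bytes) is constructed for the example; a real browser verifies an RSA or ECDSA signature with the CA’s public key. The `check_issuer=False` path is the user clicking through the warning; the `lookalike` case is the phisher’s bank-example.com, which passes every check because the certificate is genuine, just for the wrong site.

```python
"""Toy model of the checks a browser runs on an HTTPS certificate chain.
Constructed for this post, not KerPass or browser code. The CA 'seal' is an HMAC
over the signed fields, a stand-in for a real RSA/ECDSA signature (here the
verifier holds the CA key itself; in a real PKI it holds only the public key)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str      # DNS name the certificate was issued for
    issuer: str       # CA that sealed it (equals subject when self-signed)
    key: bytes        # stand-in for the subject's public key
    not_before: int   # validity window, unix time
    not_after: int
    seal: bytes       # CA signature over the fields above (HMAC in this toy)


def _seal(issuer_key, subject, issuer, key, not_before, not_after) -> bytes:
    """Seal the 'to be signed' fields with the issuer's key, as a CA would."""
    tbs = f"{subject}|{issuer}|{key.hex()}|{not_before}|{not_after}".encode()
    return hmac.new(issuer_key, tbs, hashlib.sha256).digest()


def issue(subject, issuer, key, issuer_key, not_before, not_after) -> Cert:
    seal = _seal(issuer_key, subject, issuer, key, not_before, not_after)
    return Cert(subject, issuer, key, not_before, not_after, seal)


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style name check: exact match, or one leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p, h = pattern[2:].split("."), host.split(".")
        return len(h) == len(p) + 1 and h[1:] == p  # '*' covers exactly one label
    return False


def verify(chain, host, trust_store, now, check_issuer=True):
    """None if the chain is acceptable for `host`, else a string naming the first failure.
    check_issuer=False models the user clicking through the browser warning:
    the name and dates are still looked at, the CA seal never is."""
    if not chain:
        return "no certificate presented"
    leaf = chain[0]
    if not hostname_matches(leaf.subject, host):
        return f"hostname mismatch: certificate is for {leaf.subject}, connected to {host}"
    if not leaf.not_before <= now <= leaf.not_after:
        return f"certificate for {leaf.subject} is outside its validity period"
    if not check_issuer:
        return None
    for i, cert in enumerate(chain):
        if not cert.not_before <= now <= cert.not_after:
            return f"certificate for {cert.subject} is outside its validity period"
        if cert.issuer in trust_store:
            issuer_key = trust_store[cert.issuer]      # trust anchor shipped with the browser
        elif i + 1 < len(chain) and chain[i + 1].subject == cert.issuer:
            issuer_key = chain[i + 1].key              # intermediate: its own seal is checked next round
        else:
            return f"issuer {cert.issuer!r} of {cert.subject} is not trusted"
        expected = _seal(issuer_key, cert.subject, cert.issuer, cert.key, cert.not_before, cert.not_after)
        if not hmac.compare_digest(expected, cert.seal):
            return f"bad signature on certificate for {cert.subject}"
        if cert.issuer in trust_store:
            return None                                # reached a trusted root
    return "chain does not end at a trusted root"


# Constructed scenario: one trusted root, one intermediate CA, one bank site.
NOW, YEAR = 1_700_000_000, 365 * 86400
ROOT_KEY, INTER_KEY = b"example-root-key", b"example-issuing-key"  # hypothetical keys
TRUST_STORE = {"Example Root CA": ROOT_KEY}                         # what the browser ships
INTER = issue("Example Issuing CA", "Example Root CA", INTER_KEY, ROOT_KEY, NOW - YEAR, NOW + 5 * YEAR)
BANK = issue("www.bank.example", "Example Issuing CA", b"bank-key", INTER_KEY, NOW - 30 * 86400, NOW + YEAR)


def demo():
    """The situations discussed in the post; None means the browser would show the padlock."""
    # the site owner's 'non official' certificate: self-signed, no CA behind it
    self_signed = issue("www.bank.example", "www.bank.example", b"rogue-key", b"rogue-key", NOW - 1, NOW + YEAR)
    # a man in the middle forging the bank's certificate without the issuing CA's key
    forged = issue("www.bank.example", "Example Issuing CA", b"mitm-key", b"mitm-guess", NOW - 1, NOW + YEAR)
    # a phisher who legitimately obtained a certificate for a look-alike domain he controls
    lookalike = issue("www.bank-example.com", "Example Issuing CA", b"phisher-key", INTER_KEY, NOW - 1, NOW + YEAR)
    return {
        "good": verify([BANK, INTER], "www.bank.example", TRUST_STORE, NOW),
        "self_signed": verify([self_signed], "www.bank.example", TRUST_STORE, NOW),
        "click_through": verify([self_signed], "www.bank.example", TRUST_STORE, NOW, check_issuer=False),
        "forged": verify([forged, INTER], "www.bank.example", TRUST_STORE, NOW),
        "wrong_host": verify([BANK, INTER], "login.bank.example", TRUST_STORE, NOW),
        "expired": verify([BANK, INTER], "www.bank.example", TRUST_STORE, NOW + 2 * YEAR),
        "lookalike": verify([lookalike, INTER], "www.bank-example.com", TRUST_STORE, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {'OK' if result is None else 'REJECTED: ' + result}")
```

Run it and the self-signed and forged certificates are rejected, the same self-signed certificate is accepted once the warning is dismissed, and the look-alike domain’s certificate is accepted outright: the seal proves who a site is, not that it is the site you meant to visit, which is exactly the gap the rest of this post is about.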
A better design for the security protocol on the Internet would be to split https into two different protocols, say https1 and https2, and in the case of https2 to implement a different browser end user experience than what is currently provided for https. We believe that much of the current problems could be solved by:
- Preventing the browser from following any link to an https2 web site.
- Refusing to open the connection to a non-certified https2 web site.
- Having the browser skin clearly change when successfully entering an https2 web site.
This would put more responsibility on the side of certifying authorities, which in the current state of the web are receiving a fair amount of money for less value than you would expect.
At KerPass we are actively working on a browser extension we call gatekeeper that, among other things, takes care of making sure that you are connecting to the right https site. More on that in another post…