Online services security report card
Update 2/4/2011 – Updated report card chart in Figure 1
Update 11/9/2010 - Microsoft ‘fixes’ Hotmail with an unusable fix. That means I’m boosting Hotmail’s grade from a “D-” to a “D+” which is still a failure until they come out with a better fix.
Update 11/4/2010 – Microsoft promises fix to Hotmail security this month
Even though the vulnerability of online services to this attack, and how easy it is to exploit, have been well known since 2007, the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past 3 years. Now that the problem can no longer be ignored, because anyone can use the attack to steal other people's accounts, I'm going to create an online services report card that will be updated over time. Look below Figure 1 for basic definitions of the various types of security breaches.
Figure 1 – Online services security report card
Note that "WordPress" refers to all the independent, self-hosted installations of WordPress; the WordPress.com free hosting site does implement SSL. The bottom portion of the table refers to generic protocols commonly used by computers and smartphones, the vast majority of which are deployed in their unsafe, unencrypted versions.
What are authentication cookies?
To save you the trouble of signing in with a username and password every time you visit a website, websites issue temporary authentication cookies (typically expiring in days) that your browser automatically pulls from its cookie store and sends to the server with every request. When the cookies expire, the user is prompted to type in their username and password again, which the web browser has often saved.
When you sign in with your username and password, the secure way to do it is on a page whose address begins with "HTTPS" and whose certificate has been verified against a trusted Certificate Authority (CA) such as Verisign. Your browser and operating system keep a list of trusted CAs and warn you when you visit a site whose certificate is signed by an untrusted CA. Some sites serve the login page over plain HTTP and only submit the username and password to an HTTPS address; they are under the false impression that this is safe, but it isn't, because the user has no way of knowing whether the login page they are typing into came from the real site or from an impostor.
Many websites don't bother doing even this, which makes it easy for someone to steal your username and password by putting up a fake hotspot and a fake copy of the website. This type of attack is very dangerous to consumers, but it requires the attacker to perform an active attack, which carries some small risk of being caught if authorities triangulate the wireless signal. In reality, few resources are allocated to tracking down this kind of attack, and the attack can be launched from a self-contained, unattended box, which vastly reduces the risk to the attacker.
I and many other security experts have been hammering the U.S. banking industry since 2006 for failure to use SSL authentication and they finally fixed the problem years later. Unfortunately, websites like Twitter and Facebook still haven’t learned.
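The three situations described above (login page and submission both over HTTPS, a plain-HTTP page that only posts to HTTPS, and no encryption at all) can be told apart by inspecting the login page itself. The following is an added example written for this page, not code from the original post or from any of the services it grades; the HTML, host names and form actions in it are constructed for illustration, and the verdict labels are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example, not from the original post.  A static check of a login
# page: does the page itself arrive over HTTPS, and does the form holding
# the password field submit to HTTPS?  Only "secure" is what the text calls
# SSL authentication.  The HTML fed to it below is constructed.


class _FormFinder(HTMLParser):
    """Collect every <form>, noting whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "",
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_login_forms(page_url, html):
    """Return [(submit_url, verdict)] for each form with a password field.

    secure               page and form submission both over HTTPS
    encrypted-post-only  plain-HTTP page posting to HTTPS: the password is
                         encrypted in transit, but the user cannot tell
                         whether the page they typed into was genuine
    plaintext            the password leaves the browser unencrypted
    """
    finder = _FormFinder()
    finder.feed(html)
    page_https = urlsplit(page_url).scheme.lower() == "https"
    results = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        # A relative or empty action resolves against the page's own URL.
        submit_url = urljoin(page_url, form["action"])
        post_https = urlsplit(submit_url).scheme.lower() == "https"
        if page_https and post_https:
            verdict = "secure"
        elif post_https:
            verdict = "encrypted-post-only"
        else:
            verdict = "plaintext"
        results.append((submit_url, verdict))
    return results


# Constructed login page: a search form (ignored) and a password form that
# posts to a relative path, so the verdict depends on how the page was loaded.
SAMPLE_PAGE = """
<html><body>
<form action="/search"><input name="q"></form>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://www.example.com/", "https://www.example.com/"):
        print(url, classify_login_forms(url, SAMPLE_PAGE))
```

The check covers the URL side only; the certificate side of the text's definition (a chain that validates to a CA in the browser's trust list, and a name that matches the host) is what a TLS client library does when it connects, for instance Python's `ssl.create_default_context()`, which verifies both by default.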
SSL browsing support
When you're browsing a website without SSL (when the address bar reads HTTP rather than HTTPS), anyone on the same network or along the network path can see what you're browsing. If this is Yahoo mail, for example, they can read the messages you have loaded on the screen, but they can't go in and read other messages you haven't opened and they can't send mail as you.
Partial sidejacking
A partial sidejacking is where an attacker captures authentication cookies that give them limited access to a user's account. For example, on Google.com an attacker can browse Google's websites as the victim and see the addresses saved in Google Maps (including the home address). The same problem affects Yahoo, but there the attacker can't access things like email.
Full sidejacking
A full sidejacking happens when the attacker gains access to everything short of the username and password. On Facebook, they can use the captured cookies to act as the victim, see all private data and even send or post messages on the victim's behalf. The attacker usually can't change the password, because sites like Facebook ask for the old password before setting a new one.
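The mechanism behind both kinds of sidejacking is the browser cookie logic described in the authentication cookies section: a cookie set at login is replayed on every later request, and whether it travels over plain HTTP depends only on the `Secure` attribute the site put on it. The block below is an added example written for this page, not code from the original post or from any of the services named in it. It models that logic in miniature (domain and path scoping are ignored to keep it short), and the cookie names, hosts and captured request are constructed.

```python
from urllib.parse import urlsplit

# Added example, not from the original post.  A deliberately small model of
# the browser-side cookie behaviour that makes sidejacking possible: cookies
# stored from Set-Cookie headers are sent back automatically, and only the
# "Secure" attribute keeps a cookie off plain-HTTP requests.  Names and hosts
# are made up; domain/path scoping is omitted.


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


class CookieJar:
    """Minimal browser cookie store."""

    def __init__(self):
        self.cookies = []

    def store(self, set_cookie_header):
        self.cookies.append(parse_set_cookie(set_cookie_header))

    def cookie_header_for(self, url):
        """The Cookie header the browser attaches to a request for url.
        Cookies flagged Secure go only over https (RFC 6265 section 4.1.2.5);
        every other cookie is sent even on an http:// request."""
        scheme = urlsplit(url).scheme.lower()
        sent = [f"{name}={value}" for name, value, attrs in self.cookies
                if scheme == "https" or "secure" not in attrs]
        return "; ".join(sent)


def eavesdropper_view(jar, url):
    """What a passive sniffer on the network path reads from the request:
    the whole Cookie header if it is plain HTTP, nothing if it is HTTPS."""
    if urlsplit(url).scheme.lower() == "https":
        return ""
    return jar.cookie_header_for(url)


def cookies_from_sniffed_request(raw_request):
    """Pull the Cookie header out of a captured plaintext HTTP request; that
    header is all an attacker needs to replay the session from another
    browser, which is exactly what a sidejacking tool does."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None


def demo():
    """Constructed scenario: login over HTTPS sets two session cookies, one
    without Secure (replayable: partial or full sidejacking depending on
    what the site lets it do) and one with Secure, then the user browses
    ordinary pages over HTTP."""
    jar = CookieJar()
    jar.store("SID=abc123; Path=/; HttpOnly")            # no Secure flag
    jar.store("SSID=def456; Path=/; Secure; HttpOnly")   # Secure flag set
    return {
        "https": jar.cookie_header_for("https://mail.example.com/"),
        "http": jar.cookie_header_for("http://www.example.com/"),
        "sniffed": eavesdropper_view(jar, "http://www.example.com/"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:8} {value!r}")
```

Run as a script it shows that the HTTPS request carries both cookies, the HTTP request carries only `SID`, and `SID` is therefore what an eavesdropper collects. Which account functions that one cookie unlocks is the site's decision, and that is the difference between the partial and full cases above.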
Username and password theft
This is where an attacker obtains the user's username and password. At that point the attacker can do anything they want with the user's data and account. Notably, attacking non-SSL protocols like POP3, SMTP, IMAP and FTP is even easier, because it can be done passively, which is completely undetectable. The attack is so simple that the DEFCON security conference runs an annual "Wall of Sheep" displaying credentials sniffed from attendees on the conference network. Attacking websites that fail to use SSL authentication requires an active attack in which the attacker sets up a fake but realistic-looking login page.
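To make the passive case concrete, here is an added example written for this page (not code from the original post, from DEFCON, or from any Wall of Sheep tool): a parser that pulls usernames and passwords out of already-captured client-to-server lines from plaintext POP3, FTP, IMAP and SMTP sessions. It sends nothing on the wire; the capture it runs on is a constructed transcript with fictitious accounts, and the protocol labels it returns are my own.

```python
import base64
import re

# Added example, not from the original post.  Passive credential extraction
# from captured plaintext client lines: POP3 and FTP send USER/PASS, IMAP
# sends "<tag> LOGIN user pass", SMTP sends "AUTH PLAIN <base64>" (RFC 4616:
# authzid NUL authcid NUL password).  The transcript below is constructed.

USER_RE = re.compile(r"^USER\s+(\S+)$", re.I)                     # POP3 / FTP
PASS_RE = re.compile(r"^PASS\s+(\S+)$", re.I)
IMAP_LOGIN_RE = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?$', re.I)
SMTP_AUTH_RE = re.compile(r"^AUTH\s+PLAIN(?:\s+(\S+))?$", re.I)


def _decode_auth_plain(b64):
    """Decode a SASL PLAIN initial response into (username, password)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    fields = raw.split(b"\0")
    if len(fields) != 3:
        return None
    return (fields[1].decode("utf-8", "replace"),
            fields[2].decode("utf-8", "replace"))


def extract_credentials(client_lines):
    """Return [(protocol, username, password)] in the order captured."""
    found = []
    pending_user = None      # USER seen, waiting for the matching PASS
    awaiting_plain = False   # "AUTH PLAIN" sent without an initial response
    for line in client_lines:
        line = line.strip()
        if awaiting_plain:
            awaiting_plain = False
            creds = _decode_auth_plain(line)
            if creds:
                found.append(("smtp", *creds))
            continue
        m = USER_RE.match(line)
        if m:
            pending_user = m.group(1)
            continue
        m = PASS_RE.match(line)
        if m and pending_user is not None:
            found.append(("pop3/ftp", pending_user, m.group(1)))
            pending_user = None
            continue
        m = IMAP_LOGIN_RE.match(line)
        if m:
            found.append(("imap", m.group(1), m.group(2)))
            continue
        m = SMTP_AUTH_RE.match(line)
        if m:
            if m.group(1) is None:
                awaiting_plain = True     # credentials come on the next line
            else:
                creds = _decode_auth_plain(m.group(1))
                if creds:
                    found.append(("smtp", *creds))
    return found


# Constructed capture: the client side of four plaintext sessions.
SAMPLE_CLIENT_LINES = [
    "USER bob@example.net",              # POP3
    "PASS hunter2",
    "a001 LOGIN carol p4ssw0rd",         # IMAP
    "AUTH PLAIN AGFsaWNlAHNlY3JldA==",   # SMTP; base64 of "\0alice\0secret"
    "USER ftpuser",                      # FTP
    "PASS letmein",
]

if __name__ == "__main__":
    for proto, user, password in extract_credentials(SAMPLE_CLIENT_LINES):
        print(f"{proto:8} {user}:{password}")
```

The same parser finds nothing once a session has switched to the SSL versions of these protocols (POP3S, IMAPS, FTPS, SMTP with STARTTLS): after the handshake the client lines are ciphertext and no pattern matches, which is why the bottom of the report card separates the safe from the unsafe variants.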