Friday, July 31, 2009

HTTPS Security Implementation Flaws

During the Black Hat security conference, Moxie Marlinspike announced a major security issue with the implementation of HTTPS and SSL. The link to the Information Week article is below. Therefore, I ask: how secure is the Domino HTTPS implementation? For you security experts, are there published best practices for implementing a Domino web site with HTTPS?

Bombshell From Black Hat: Almost All Implementations Of SSL Are Configured To Give Up Everything

4 comments:

Richard Schwartz said...

Clicking the link doesn't work.

Richard Moy said...

Richard,

Sorry about that, it is fixed.

Richard Schwartz said...

OK... So what he's saying boils down to this: we all know that if the login page for a secure site is not secure itself, then a man-in-the-middle can alter it so that the POST of the login credentials is done with HTTP instead of HTTPS, and your data is out in the open. But what we're not considering is that if a man-in-the-middle gets to you before you even go to the login page, he can redirect you to someplace else; and if he can convincingly spoof the login page you were trying to get to from his own secure site, and if he has a legitimate certificate for his secure site so no warnings fire up in your browser, and if users don't notice the changed URL and don't check the certificate, then the users could see what looks like a familiar secure login page and enter their credentials into a spoofed site and poof!... They've given away the keys to their kingdom.

My bank forces SSL on their home page, before login, but then they force users through a multi-step process for verification that the spoofer would not be able to reliably duplicate. Undoubtedly they're aware that someone might spoof their home page and lure people to the spoof... after all, that's how phishers work. So I doubt the fact that a man-in-the-middle can also do the same type of attack is really surprising news to a lot of people in the security world.

As for Domino, it can be configured to require HTTPS for all connections to all pages in all databases, so it certainly can be made secure. Whether the default settings for someone following directions to set up DWA from scratch will do this?... I don't know. But the real point is that if you click an insecure link in order to get to the Domino server's secure login page (and all the conditions I mentioned above are true), then it doesn't matter how secure Domino is, because someone might spoof the Domino server's login page. To truly deal with this, Domino would have to do something similar to the multi-step verification process that my bank uses. I'm sure we could write something like this, but as far as I know there's nothing like that in Domino itself.
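The first failure mode in the comment above (a login form delivered over plain HTTP, whose POST a man-in-the-middle can rewrite to HTTP) is something an administrator can check for mechanically. The following is an added example, not code from the original post or from Domino: it parses a page's HTML with Python's standard library, finds every form that contains a password field, and reports whether the page itself and the form's action URL are served over HTTPS. The URLs and HTML below are constructed samples (www.example.com and the /login path are placeholders, not a real Domino path).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects every <form>, its resolved action URL, and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None   # the form whose <input> tags we are currently inside

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action posts back relative to the page, so resolve it
            # against the page URL to learn the scheme the browser would really use.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collect_login_forms(page_url, html):
    """Return only the forms that would carry a password."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    parser.close()
    return [form for form in parser.forms if form["has_password"]]


def audit_login_page(page_url, html):
    """Return a list of findings for the login forms on a page; an empty list means no issue found.

    Two conditions are checked, matching the two halves of the attack described in the comment:
    - the page carrying the form was itself fetched over HTTP, so an attacker on the path can
      rewrite the form before the user ever sees it;
    - the form's action does not use HTTPS, so the credentials travel in the clear.
    """
    findings = []
    login_forms = collect_login_forms(page_url, html)
    page_scheme = urlsplit(page_url).scheme.lower()
    if login_forms and page_scheme != "https":
        findings.append(
            f"login form delivered over {page_scheme}; its action can be rewritten in transit"
        )
    for form in login_forms:
        action_scheme = urlsplit(form["action"]).scheme.lower()
        if action_scheme != "https":
            findings.append(f"credentials would be posted over {action_scheme}: {form['action']}")
    return findings


# Constructed sample: an HTTP-served page whose form posts to HTTPS (the "secure POST from an
# insecure page" pattern the comment describes).
INSECURE_PAGE_URL = "http://www.example.com/login"
INSECURE_PAGE_HTML = """
<html><body>
<form method="post" action="https://www.example.com/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Constructed sample: the same page after a man-in-the-middle rewrote the action to plain HTTP.
STRIPPED_PAGE_HTML = INSECURE_PAGE_HTML.replace("https://", "http://")

# Constructed sample: the same form, but the page itself was fetched over HTTPS.
SECURE_PAGE_URL = "https://www.example.com/login"


if __name__ == "__main__":
    for label, url, html in [
        ("http page, https action", INSECURE_PAGE_URL, INSECURE_PAGE_HTML),
        ("http page, stripped action", INSECURE_PAGE_URL, STRIPPED_PAGE_HTML),
        ("https page, https action", SECURE_PAGE_URL, INSECURE_PAGE_HTML),
    ]:
        print(label, "->", audit_login_page(url, html) or "no findings")
```

To use this against a live server, fetch the login page once over plain HTTP and once over HTTPS and feed each response body to `audit_login_page` with the URL it was fetched from; the HTTPS fetch should return no findings, and the HTTP fetch should ideally be a redirect to HTTPS rather than a page at all, which is the "require HTTPS for all pages" configuration the comment mentions.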

Richard Moy said...

Richard,

Thanks for the explanation.