
HTTPS Security Implementation Flaws

During the Black Hat security conference, Moxie Marlinspike announced a major security issue with the implementation of HTTPS and SSL. The link to the Information Week article is below. So I ask: how secure is the Domino HTTPS implementation? For the security experts out there, are there published best practices for implementing a Domino web site with HTTPS?

Bombshell From Black Hat: Almost All Implementations Of SSL Are Configured To Give Up Everything

Comments

Clicking the link doesn't work.
Richard,

Sorry about that, it is fixed.
OK... So what he's saying boils down to this: we all know that if the login page for a secure site is not secure itself, then a man-in-the-middle can alter it so that the POST of the login credentials is done with HTTP instead of HTTPS, and your data is out in the open. But what we're not considering is that if a man-in-the-middle gets to you before you even go to the login page, he can redirect you to someplace else; and if he can convincingly spoof the login page you were trying to get to from his own secure site, and if he has a legitimate certificate for his secure site so no warnings fire up in your browser, and if users don't notice the changed URL and don't check the certificate, then the users could see what looks like a familiar secure login page and enter their credentials into a spoofed site and poof!... They've given away the keys to their kingdom.

My bank forces SSL on their home page, before login, but then they force users through a multi-step process for verification that the spoofer would not be able to reliably duplicate. Undoubtedly they're aware that someone might spoof their home page and lure people to the spoof... after all, that's how phishers work. So I doubt the fact that a man-in-the-middle can also do the same type of attack is really surprising news to a lot of people in the security world.

As for Domino, it can be configured to require HTTPS for all connections to all pages in all databases, so it certainly can be made secure. Whether the default settings for someone following directions to set up DWA from scratch will do this?... I don't know. But the real point is that if you click an insecure link in order to get to the Domino server's secure login page (and all the conditions I mentioned above are true), then it doesn't matter how secure Domino is, because someone might spoof the Domino server's login page. To truly deal with this, Domino would have to do something similar to the multi-step verification process that my bank uses. I'm sure we could write something like this, but as far as I know there's nothing like that in Domino itself.
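A small defender-side check for the two conditions Richard describes (the login page itself not served over HTTPS, and a login form that posts to a non-HTTPS action), added here as an example; it is not code from the original post or from Domino. The page URL and login HTML are constructed samples, and `audit_login_page` is a hypothetical helper name.

```python
"""Audit a fetched login page for SSL-stripping exposure.

Assumed scenario (constructed, not from the original post): the page
HTML has already been fetched from `page_url`, and we check that the
page was served over HTTPS and that every <form> resolves to an HTTPS
action (relative actions inherit the scheme of the page URL).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample login page: a relative action, so its scheme
# depends entirely on how the page itself was reached.
SAMPLE_LOGIN_HTML = """<html><body>
<form method="post" action="/login">
<input name="user"><input name="pass" type="password">
<input type="submit" value="Log in">
</form></body></html>"""


class _FormCollector(HTMLParser):
    """Collect (action, method) for every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            # Attributes without a value come back as None; treat as empty.
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means no exposure was found."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    if page_scheme != "https":
        # A login page delivered over HTTP can be rewritten in transit.
        findings.append("page served over %s, not https" % page_scheme)
    parser = _FormCollector()
    parser.feed(html)
    for action, method in parser.forms:
        target = urljoin(page_url, action)  # resolve relative actions
        if urlsplit(target).scheme != "https":
            findings.append("form %s to %s" % (method.upper(), target))
    return findings


if __name__ == "__main__":
    for f in audit_login_page("http://www.example.com/index.html", SAMPLE_LOGIN_HTML):
        print("FINDING:", f)
```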
Richard,

Thanks for the explanation.
