Skip to main content

HTTPS Security Implementation Flaws

During the Black Hat security conference, Moxie Marlinspike, announced a major security issue with the implementation of https and SSL. The link to the Information Week article is below. Therefore, I ask how secure is the Domino https implementation. For you security experts, are there best practices that are published for implementing a Domino web site with https?

Bombshell From Black Hat: Almost All Implementations Of SSL Are Configured To Give Up Everything

Comments

Clicking the link doesn't work.
Richard,

Sorry about that it is fixed.
OK... So what he's saying boils down to this: we all know that if the login page for a secure site is not secure itself, then a man-in-the middle can alter it so that the POST of the login credentials is done with HTTP instead of HTTPS, and your data is out in the open. But what we're not considering is that if a man-in-the middle gets to you before you even go to the login page, he can redirect you to someplace else; and if he can convincingly spoof the login page you were trying to get to from his own secure site, and if he has a legitimate certificate for his secure site so no warnings fire up in your browser, and if users don't notice the changed URL and don't check the certificate, then the users could see what looks like a familiar secure login page and enter their credentials into a spoofed site and poof!... They've given away the keys to their kingdom.

My bank forces SSL on their home page, before login, but then they force users through a multi-step process for verification that the spoofer would not be able to reliably duplicate. Undoubtedly they're aware that someone might spoof their home page and lure people to the spoof... after all, that's how phishers work. So I doubt the fact that a man-in-the-middle can also do the same type of attack is really surprising news to a lot of people in the security world.

As for Domino, it can be configured to require HTTPS for all connections to all pages in all databases, so it certainly can be made secure. Whether the default settings for someone following directions to set up DWA from scratch will do this?... I don't know. But the real point is that if you click an insecure link in order to get to the Domino server's secure login page (and all the conditions I mentioned above are true), then it doesn't matter how secure Domino is, because someone might spoof the Domino server's login page. To truly deal with this, Domino would have to so something similar to the multi-step verification process that my bank uses. I'm sure we could write something like this, but as far as I know there's nothing like that in Domino itself.
Richard,

Thanks for the explanation.

Popular posts from this blog

The iPhora Journey - Part 8 - Flow-based Programming

After my last post in this series -- way back in September 2022, several things happened that prevented any further installments. First came CollabSphere 2022 and then CollabSphere 2023, and organizing international conferences can easily consume all of one's spare time. Throughout this same time period, our product development efforts continued at full speed and are just now coming to fruition, which means it is finally time to continue our blog series. So let's get started... As developers, most of us create applications through the conscious act of programming, either procedural, as many of us old-timers grew up with, or object-oriented, which we grudgingly had to admit was better. This is true whether we are using Java, LotusScript, C++ or Rust on Domino. (By the way, does anyone remember Pascal? When I was in school, I remember being told it was the language of the future, but for some reason it didn't seem to survive past the MTV era).  But in the last decade, there a...

Creating Twitter Bootstrap Widgets - Part II - Let's Assemble

Creating Twitter Bootstrap Widgets - Part I - Anatomy of a Widget Creating Twitter Bootstrap Widgets - Part II - Let's Assemble Creating Twitter Bootstrap Widgets - Part IIIA - Using Dojo To Bring It Together This is two part of my five part series "Creating Twitter Bootstrap Widgets".   As I mentioned in part one of this series, Twitter Bootstrap widgets are built from a collection standard HTML elements, styled, and programmed to function as a single unit. The goal of this series is to teach you how to create a Bootstrap widget that utilizes the Bootstrap CSS and Dojo. The use of Dojo with Bootstrap is very limited with the exception of Kevin Armstrong who did an incredible job with his Dojo Bootstrap, http://dojobootstrap.com. Our example is a combo box that we are building to replace the standard Bootstrap combo box. In part one, we built a widget that looks like a combo box but did not have a drop down menu associated with it to allow the user to make a select...

The iPhora Journey - Part 3 - Creating an Integrated UI Framework

The iPhora Journey - Part 1 - Reimagining Domino The iPhora Journey - Part 2 - Domino, the Little Engine that Could The iPhora Journey - Part 3 - Creating an Integrated UI Framework There are many ways to create the user interface (UI) for a web application. The HTML page could be created on the server and then pushed out. It could be static with the data generated on the page by the server with JavaScript, providing a more dynamic experience, or the server could generate new HTML content to update portions of the web page. XPages or PHP are good examples of this. Another method is to have the web page partially generated by the server and have JavaScript build the rest of the HTML by pulling data from the server via an API. This is the approach used in the Single Page Application (SPA) model. In all cases, it is still dependent on the web server technology being using.  As mentioned previously in this blog, XPages is dependent on complete integration between form and document, whi...