Google making SSL changes, other sites quiet
A security researcher holds off on releasing exploit after talks with Google, the only company to respond to complaints about SSL implementations.
A security researcher has been in discussions with Google on an exploit he plans to release that would allow a hacker to easily intercept someone's communications with supposedly secure Web sites over an unsecured Wi-Fi network, but other sites, like Facebook, Yahoo Mail, and Hotmail, remain vulnerable.
Mike Perry, a reverse engineer and developer at Riverbed Technology, says he announced on the BugTraq e-mail list a year ago a common flaw with the way Web sites implement the SSL (Secure Sockets Layer) protocol that is designed to protect people's data when they surf the Web. Typically, they only use SSL for encrypting communications during the log-in stage, he says.
There are actually two problems with SSL implementations. The first issue is that many sites do not use SSL past the log-in page, and thus expose their users' cookies to theft via sniffing by someone else on the network. A tool exploiting this flaw was released last year by Robert Graham of Errata Security, at the same time Perry announced his flaw.
Session cookies--which identify the machine as having used the correct username and password--have two modes: "secure" or "insecure." The vulnerability disclosed by Perry targets sites that attempt to use SSL, but do not flag their cookies as "secure." This flaw allows the cookies to be obtained by an attacker with access to the local network, and use them to pose as the Web surfer and access that person's e-mail accounts, bank accounts and other services, even if those users try to use https, Perry says.
Nothing was done to fix the SSL problems until a month ago when Google announced that people can set Gmail to automatically encrypt communications between a browser and Gmail servers by default, instead of having to type in https://mail.google.com, Perry says.
However, accessing the site via https://mail.google.com does not automatically preserve the "secure" session and the cookies can still be stolen, Perry says.
He says he has contacted security representatives at Hotmail, Yahoo Mail, and Facebook about the fact that their sites remain vulnerable to a so-called "man-in-the-middle attack" in which someone on the same Wi-Fi network hijacks the session cookies that are transmitted between a user's browser and a Web site. As of Friday afternoon, he hadn't heard back from them, he said.
Representatives at Microsoft and Yahoo said they were working on getting comment, while representatives at Facebook did not respond to e-mails or a phone message from CNET News seeking comment.
Amazon encrypts communications related to payment but not purchase history and recommendations, according to Perry. An Amazon spokeswoman said the company does not comment on security measures.
Perry had planned to release his exploit tool, which automates the hijacking of the cookies, on Sunday--which will be two weeks after he gave a talk about the vulnerabilities at the Defcon hacker conference in Las Vegas. There is already another exploit out there that targets the same problem, he says.
"The motivation is to raise awareness and try and encourage these sites to adopt SSL and do it properly," he said in an interview on Friday.
Delaying release of the tool
But, Perry said he has decided to delay releasing the tool for an undetermined time after talking to Google.
Google is the only one of the major Web sites to offer users the option of setting auto-encryption for all the communications with the site and not just the log-in page, as well as to properly set the "secure" property of its cookies, Perry says.
Google says it is rolling out the option not just for consumer Gmail users, but also for Google Apps enterprise users and has launched it for the premier edition of Google Apps so that communications with Google Docs, Calendar, and other included Google sites are encrypted.
It is also very possible that Google will make it so that the "always encrypt" mode is automatically enabled when people first log in via "https://gmail.google.com" instead of having to go into settings and enable it manually, Perry says.
"Just about everyone but Google simply does not want to spend the money to invest in the security of their users, and will continue to ignore this issue, just as they have for the past year," Perry wrote in an e-mail.
The vulnerability affects people using unsecured wireless networks and would require the attacker to be using the same network at the same time. However, it could affect people on other types of networks if it were to be combined with other attacks, such as ones taking advantage of a recently discovered domain name system hijacking exploit that any Web surfer could be exposed to, or more elaborate attacks involving modified DSL or cable modems, which were also discussed at Defcon, Perry says.
Perry goes into more details about the problems and his plans on his blog.