Web security WTF

  • The customer-support types at Pandora would have me believe that the little orange icon in the corner of the screen is proof that the (flash-based) form here is using encryption.



  • Maybe it is? Perhaps the flash form submits the info over an encrypted connection like they say? It's not like Flash can't use SSL.



  • Pandora does use SSL. The Entire Flash App is transported over HTTPS, but it does make some HTTP requests. It also has internal blowfish encryption, but that might have changed since the last time I looked at it...



  • @gotPSP said:

    Pandora does use SSL. The Entire Flash App is transported over HTTPS, but it does make some HTTP requests. It also has internal blowfish encryption, but that might have changed since the last time I looked at it...

    That's not the point, though - the little padlock icon still doesn't mean anything more than "We want you to think you're secure".

    Anybody can put that icon inside a page. It only means something when the browser puts it outside the page.



  • @aihtdikh said:

    the little padlock icon still doesn't mean anything more than "We want you to think you're secure".

    Anybody can put that icon inside a page. It only means something when the browser puts it outside the page.


    as opposed to "we've made sure you're secure, but don't give a shit what you think about it"? sure it would have been better if the browser could vouch for the security of the arrangement, but probably in this case that's not really possible. it would be a WTF if they haven't done anything to assure the security of the form submission. it isn't a WTF that they placed an icon on their form that might make many of their non-savvy customers feel secure.



  • @lanzz said:

    @aihtdikh said:

    the little padlock icon still doesn't mean anything more than "We want you to think you're secure".

    Anybody can put that icon inside a page. It only means something when the browser puts it outside the page.

    as opposed to "we've made sure you're secure, but don't give a shit what you think about it"? sure it would have been better if the browser could vouch for the security of the arrangement, but probably in this case that's not really possible. it would be a WTF if they haven't done anything to assure the security of the form submission. it isn't a WTF that they placed an icon on their form that might make many of their non-savvy customers feel secure.
    It is a WTF. This flies in the face of trying to educate users that unless they see the browser state that a page is secure it isn't; things like this try to suggest to them that they can trust the content instead.

    So sure the fancy flash thing is pretty but it's an extremely bad idea.

    (Plus you now have no idea if it really is secure or not!)



  • @aihtdikh said:

    @gotPSP said:

    Pandora does use SSL. The Entire Flash App is transported over HTTPS, but it does make some HTTP requests. It also has internal blowfish encryption, but that might have changed since the last time I looked at it...

    That's not the point, though - the little padlock icon still doesn't mean anything more than "We want you to think you're secure".

    Anybody can put that icon inside a page. It only means something when the browser puts it outside the page.

    Nonsense.  The lock icon assures you that it's safe.  Oh, that reminds me, I need everyone's credit card numbers for a... project I'm working on...  Don't worry, it's safe.  See the icon?




  • @bstorer said:

    Nonsense.  The lock icon assures you that it's safe.  Oh, that reminds me, I need everyone's credit card numbers for a... project I'm working on...  Don't worry, it's safe.  See the icon?

    Oh hey, I see a lock, so it must be safe!

    4828 572*kzzert*

    ⊰ This user has been re-educated with the aid of a high-voltage device. ⊱



  • @gotPSP said:

    Filed under: Security by "because we say it is"

    PROTIP: All Internet security is like that.  Same thing with the Verisign logos and all that.  Even certs themselves only mean security by "I paid that guy over there some money to look me over (along with millions of other people) and decide if I look trustworthy and he said I was cool."  As always, you need to take responsibility and be intelligent.  You can't expect technology to solve basic social problems like dishonesty.



  • @morbiuswilters said:

    you need to take responsibility and be intelligent.

    People can be, but when they enter Computer User mode, they tend to fail both.



  • @dhromed said:

    @morbiuswilters said:

    you need to take responsibility and be intelligent.

    People can be, but when they enter Computer User mode, they tend to fail both.

    People often fail Turing's test. 



  • @morbiuswilters said:

    People often fail Turing's test.

    How is that possible? The only way that could happen is by the judger not having a good idea of what normal people say. It's impossible for a human (who can write and read natural language and doesn't deliberately sabotage the test) to fail it, since if he/she does the test wasn't properly executed.



  • @dtech said:

    How is that possible? The only way that could happen is by the judger not having a good idea of what normal people say. It's impossible for a human (who can write and read natural language and doesn't deliberately sabotage the test) to fail it, since if he/she does the test wasn't properly executed.

    Pssst!

    I think Morp was making an over-the-top comparison to subtly indicate his level of respect for the intelligence of some (many) people.

    I think.



  • @bstorer said:

    Oh, that reminds me, I need everyone's credit card numbers for a... project
    I'm working on...  Don't worry, it's safe.  See the icon?


    Sure. The link is secure, so it's totally genuine:

    [img]http://www.iconarchive.com/icons/dapino/money/Credit-Card-256x256.png[/img]



  • @morbiuswilters said:

    @gotPSP said:

    Filed under: Security by "because we say it is"

    PROTIP: All Internet security is like that.  Same thing with the Verisign logos and all that.  Even certs themselves only mean security by "I paid that guy over there some money to look me over (along with millions of other people) and decide if I look trustworthy and he said I was cool."  As always, you need to take responsibility and be intelligent.  You can't expect technology to solve basic social problems like dishonesty.


    Damn, all this time I thought SSL had some mathematical merit.



  • @dtech said:

    @morbiuswilters said:

    People often fail Turing's test.

    How is that possible? The only way that could happen is by the judger not having a good idea of what normal people say. It's impossible for a human (who can write and read natural language and doesn't deliberately sabotage the test) to fail it, since if he/she does the test wasn't properly executed.

    You must not have heard about a beard called SpectateSwamp.



  • @morbiuswilters said:

    @gotPSP said:

    Filed under: Security by "because we say it is"

    PROTIP: All Internet security is like that.  Same thing with the Verisign logos and all that.  Even certs themselves only mean security by "I paid that guy over there some money to look me over (along with millions of other people) and decide if I look trustworthy and he said I was cool."  As always, you need to take responsibility and be intelligent.  You can't expect technology to solve basic social problems like dishonesty.

    In addition to "you look trustworthy", a certificate (properly used) says two other things, as well. 1) The connection is encrypted, and 2) the connection has been made to the website you think it's being made to.



  • @Carnildo said:

    In addition to "you look trustworthy", a certificate (properly used) says two other things, as well. 1) The connection is encrypted, and 2) the connection has been made to the website you think it's being made to.

    Plus - 3) if a scammer somehow managed to get a convincing-looking SSL certificate from a trusted certifying authority, they wouldn't have been able to do that without leaving at least some evidence for law enforcement to follow.

    The folks at certifying authorities have procedures to follow! It's a position that needs responsibility and meticulous following of security procedures! It's not like someone would walk in and get themselves an SSL cert in a big company's name, or something - they check stuff pretty thoroughly. Well, at least they wouldn't be able to pull that off the second time. Well, at least not if the staff at the CA still has that in recent memory. Maybe. =)



  • @Carnildo said:

    In addition to "you look trustworthy", a certificate (properly used) says two other things, as well. 1) The connection is encrypted, and 2) the connection has been made to the website you think it's being made to.

    You're confusing a (browser-controlled) SSL certificate with a "3rd-party certificate" (aka: an image you can download and just put on your server, so it doesn't mean shit)



  • @derula said:

    You must not have heard about a beard called SpectateSwamp.

    Does he count as human?



  • @Carnildo said:

    @morbiuswilters said:

    @gotPSP said:

    Filed under: Security by "because we say it is"

    PROTIP: All Internet security is like that.  Same thing with the Verisign logos and all that.  Even certs themselves only mean security by "I paid that guy over there some money to look me over (along with millions of other people) and decide if I look trustworthy and he said I was cool."  As always, you need to take responsibility and be intelligent.  You can't expect technology to solve basic social problems like dishonesty.

    In addition to "you look trustworthy", a certificate (properly used) says two other things, as well. 1) The connection is encrypted, and 2) the connection has been made to the website you think it's being made to.

    1) An encrypted connection to a malicious party means nothing.

    2) It means the cert has a name that looks legit and that the user reads it and understands.  This has failed in the past, it will fail in the future.


    My point is that SSL is only as good as the worst credential-verifier at the CA.  In other words, security by "because we say it is".  I don't see how anything you brought up contradicts my point.



  • @Kl4m said:

    Damn, all this time I thought SSL had some mathematical merit.

    A chain is only as strong as its weakest link and a forum only has discussions as intelligent as the least-thoughtful member of the thread will allow.



  • @WWWWolf said:

    Plus - 3) if a scammer somehow managed to get a convincing-looking SSL certificate from a trusted certifying authority, they wouldn't have been able to do that without leaving at least some evidence for law enforcement to follow.

    By the time law enforcement is on the scene, the damage is done and the criminals have vanished from sight to a country with sunny beaches, beautiful women and no extradition treaties.


    @WWWWolf said:

    The folks at certifying authorities have procedures to follow! It's a position that needs responsibility and meticulous following of security procedures! It's not like someone would walk in and get themselves an SSL cert in a big company's name, or something - they check stuff pretty thoroughly. Well, at least they wouldn't be able to pull that off the second time. Well, at least not if the staff at the CA still has that in recent memory. Maybe. =)

    I think you're being facetious, but you used punctuation so I can't be sure.  You obviously seem to know that the CAs have been tricked in the past and will be tricked in the future.



  • @morbiuswilters said:

    @Carnildo said:

    @morbiuswilters said:

    @gotPSP said:

    Filed under: Security by "because we say it is"

    PROTIP: All Internet security is like that.  Same thing with the Verisign logos and all that.  Even certs themselves only mean security by "I paid that guy over there some money to look me over (along with millions of other people) and decide if I look trustworthy and he said I was cool."  As always, you need to take responsibility and be intelligent.  You can't expect technology to solve basic social problems like dishonesty.

    In addition to "you look trustworthy", a certificate (properly used) says two other things, as well. 1) The connection is encrypted, and 2) the connection has been made to the website you think it's being made to.

    1) An encrypted connection to a malicious party means nothing.

    2) It means the cert has a name that looks legit and that the user reads it and understands.  This has failed in the past, it will fail in the future.

    I don't know if you're familiar with how SSL certificates work, but they're issued for a specific URL. If you're visiting www.google.com, and the site presents your browser with a certificate for www.microsoft.com, your browser isn't going to let the connection go through: someone has hijacked the site or your connection. This does not depend on any action on the part of the user. (1) by itself isn't very useful, but between them, (1) and (2) prevent a very wide range of attacks.



  • @Carnildo said:

    I don't know if you're familiar with how SSL certificates work, but they're issued for a specific URL. If you're visiting www.google.com, and the site presents your browser with a certificate for www.microsoft.com, your browser isn't going to let the connection go through: someone has hijacked the site or your connection. This does not depend on any action on the part of the user. (1) by itself isn't very useful, but between them, (1) and (2) prevent a very wide range of attacks.

    I don't know if you know how users think, but something like ebay.comerce.ru is going to look legit to a lot of users.  Hell, a lot of people don't know what a URL is. 



  • @morbiuswilters said:

    Hell, a lot of people don't know what a URL is. 

    Sure they do. It's that thing with "www" in front of it.



  • @dtech said:

    @morbiuswilters said:

    People often fail Turing's test. 

    How is that possible? The only way that could happen is by the judger not having a good idea of what normal people say. It's impossible for a human (who can write and read natural language and doesn't deliberately sabotage the test) to fail it, since if he/she does the test wasn't properly executed.


    how is babby formed

    how is babby formed

    how girl get pragnent



  • @morbiuswilters said:

    @Carnildo said:

    I don't know if you're familiar with how SSL certificates work, but they're issued for a specific URL. If you're visiting www.google.com, and the site presents your browser with a certificate for www.microsoft.com, your browser isn't going to let the connection go through: someone has hijacked the site or your connection. This does not depend on any action on the part of the user. (1) by itself isn't very useful, but between them, (1) and (2) prevent a very wide range of attacks.

    I don't know if you know how users think, but something like ebay.comerce.ru is going to look legit to a lot of users.  Hell, a lot of people don't know what a URL is. 

    It would be a pretty half-arsed browser which didn't check for a domain name mismatch and warn the end user about it. IIRC, even IE6 did that.



  • @Physics Phil said:

    @morbiuswilters said:

    @Carnildo said:

    I don't know if you're familiar with how SSL certificates work, but they're issued for a specific URL. If you're visiting www.google.com, and the site presents your browser with a certificate for www.microsoft.com, your browser isn't going to let the connection go through: someone has hijacked the site or your connection. This does not depend on any action on the part of the user. (1) by itself isn't very useful, but between them, (1) and (2) prevent a very wide range of attacks.

    I don't know if you know how users think, but something like ebay.comerce.ru is going to look legit to a lot of users.  Hell, a lot of people don't know what a URL is. 

    It would be a pretty half-arsed browser which didn't check for a domain name mismatch and warn the end user about it. IIRC, even IE6 did that.

    But there won't be any mismatch.  "ebay.comerce.ru" is really the name of the site; the fact that it's not owned by eBay, but by some Russian mafia phishing operation, cannot be detected by verifying the certificate.

    In this situation, SSL just guarantees that you're speaking to the phisher that you didn't know you were talking to, and not being overheard by some MitM.



  • @DaveK said:

    @Physics Phil said:

    @morbiuswilters said:

    @Carnildo said:

    I don't know if you're familiar with how SSL certificates work, but they're issued for a specific URL. If you're visiting www.google.com, and the site presents your browser with a certificate for www.microsoft.com, your browser isn't going to let the connection go through: someone has hijacked the site or your connection. This does not depend on any action on the part of the user. (1) by itself isn't very useful, but between them, (1) and (2) prevent a very wide range of attacks.

    I don't know if you know how users think, but something like ebay.comerce.ru is going to look legit to a lot of users.  Hell, a lot of people don't know what a URL is. 

    It would be a pretty half-arsed browser which didn't check for a domain name mismatch and warn the end user about it. IIRC, even IE6 did that.

    But there won't be any mismatch.  "ebay.comerce.ru" is really the name of the site; the fact that it's not owned by eBay, but by some Russian mafia phishing operation, cannot be detected by verifying the certificate.

    In this situation, SSL just guarantees that you're speaking to the phisher that you didn't know you were talking to, and not being overheard by some MitM.

    Precisely.  So if the user doesn't pay attention to the URL all they see is the lock icon, colored-in address bar, eBay's logos, etc.  So yet again I will restate it: SSL certs are useless if users don't act with caution and intelligence.  The CAs should catch stuff like "ebay.scammer.ru", but they don't always.  Plus, there are many ways to work around it anyway if users aren't educated.



  • @Carnildo said:

    I don't know if you're familiar with how SSL certificates work, but they're issued for a specific URL.

    Not URL, hostname.

    @Carnildo said:

    If you're visiting www.google.com, and the site presents your browser with a certificate for www.microsoft.com, your browser isn't going to let the connection go through...

    Well typically the browser puts up a warning, and lets you go ahead anyway.  This is very useful when I'm knowingly testing my own app with a self-signed cert, for example, but people in general are just far too trusting and just hit that "go ahead anyway" button.
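The name check DaveK is describing, written out as an added example (not code from the thread). Certificates are matched against the hostname the client connected to, using the dNSName entries in the subjectAltName extension (falling back to the Common Name), with a wildcard covering exactly one label; the `Cert` stand-in and the sample certificates below are constructed for illustration, not parsed from real X.509 data. It also shows the limit the thread keeps circling back to: a phishing host with a valid certificate for its own name passes the check.

```python
"""Certificate name matching as a browser does it: hostnames, not URLs."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Cert:
    """The identity fields of a certificate that matter for matching.
    Constructed stand-in for this example, not a parsed X.509 structure."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)


def _name_matches(presented: str, host: str) -> bool:
    """Compare one presented name with the hostname the client connected to.
    Rules follow RFC 6125: case-insensitive; a leading '*' stands for exactly
    one leftmost label, so '*.ebay.com' covers signin.ebay.com but neither
    ebay.com nor a.b.ebay.com, and '*.com' covers nothing at all."""
    presented = presented.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not presented.startswith("*."):
        return presented == host
    p_labels, h_labels = presented.split("."), host.split(".")
    # The wildcard must sit in front of at least two real labels and may
    # only replace one label of the host.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_valid_for(cert: Cert, host: str) -> bool:
    """True when the certificate is issued for `host`. dNSName SANs are
    authoritative; the Common Name is consulted only when there are none."""
    names = cert.san_dns or [cert.common_name]
    return any(_name_matches(n, host) for n in names)


# Constructed sample certificates for the hosts discussed in the thread.
GOOGLE_CERT = Cert("www.google.com", ["www.google.com", "google.com"])
MICROSOFT_CERT = Cert("www.microsoft.com", ["www.microsoft.com"])
EBAY_WILDCARD_CERT = Cert("*.ebay.com", ["*.ebay.com", "ebay.com"])
# A phishing site holding a perfectly valid certificate for its own name.
PHISHER_CERT = Cert("ebay.comerce.ru", ["ebay.comerce.ru"])


def verdict(connected_host: str, cert: Cert) -> str:
    """What the check can and cannot tell the user: a mismatch means the
    site or the connection was tampered with; a match only means you are
    really talking to that hostname, whoever owns it."""
    if not cert_valid_for(cert, connected_host):
        return "MISMATCH: certificate is not for this host"
    return f"MATCH: you are really talking to {connected_host} (whoever that is)"


if __name__ == "__main__":
    print(verdict("www.google.com", MICROSOFT_CERT))       # mismatch, browser warns
    print(verdict("signin.ebay.com", EBAY_WILDCARD_CERT))  # match via wildcard
    print(verdict("ebay.comerce.ru", PHISHER_CERT))        # match: valid cert, wrong site
```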



  • Oh, [i]come on[/i], guys. We are [i]professionals[/i]! [i]We[/i] can easily distinguish between "ebay.com" and "ebay.scammer.us". Who cares about credit cards of those unintelligent, illiterate, mud-dwelling troglodytes, whom marketers like to call "users"? Isn't that [i]obvious[/i] that you [i]can't[/i] have secure transactions without learning the Internet architecture in intimate detail first? They had it coming, plain and simple.



  • @morbiuswilters said:

    @DaveK said:

    @Physics Phil said:

    @morbiuswilters said:

    @Carnildo said:

    I don't know if you're familiar with how SSL certificates work, but they're issued for a specific URL. If you're visiting www.google.com, and the site presents your browser with a certificate for www.microsoft.com, your browser isn't going to let the connection go through: someone has hijacked the site or your connection. This does not depend on any action on the part of the user. (1) by itself isn't very useful, but between them, (1) and (2) prevent a very wide range of attacks.

    I don't know if you know how users think, but something like ebay.comerce.ru is going to look legit to a lot of users.  Hell, a lot of people don't know what a URL is.

    It would be a pretty half-arsed browser which didn't check for a domain name mismatch and warn the end user about it. IIRC, even IE6 did that.

    But there won't be any mismatch.  "ebay.comerce.ru" is really the name of the site; the fact that it's not owned by eBay, but by some Russian mafia phishing operation, cannot be detected by verifying the certificate.

    In this situation, SSL just guarantees that you're speaking to the phisher that you didn't know you were talking to, and not being overheard by some MitM.

    Precisely.  So if the user doesn't pay attention to the URL all they see is the lock icon, colored-in address bar, eBay's logos, etc.  So yet again I will restate it: SSL certs are useless if users don't act with caution and intelligence.  The CAs should catch stuff like "ebay.scammer.ru", but they don't always.  Plus, there are many ways to work around it anyway if users aren't educated.


    Yes, but if, like me, the user does act with caution and intelligence, SSL certs are extremely useful. Either ebay.scammer.ru is handing out a valid SSL certificate for its domain, in which case I know for certain that I typoed the URL and am not where I want to be, or ebay.scammer.ru has hijacked a DNS server, is handing out the ebay.scammer.ru certificate in response to a request for www.ebay.com, and from the mismatch I know that I'm not where I want to be.



  • @morbiuswilters said:

    @DaveK said:

    @Physics Phil said:

    @morbiuswilters said:

    @Carnildo said:

    I don't know if you're familiar with how SSL certificates work, but they're issued for a specific URL. If you're visiting www.google.com, and the site presents your browser with a certificate for www.microsoft.com, your browser isn't going to let the connection go through: someone has hijacked the site or your connection. This does not depend on any action on the part of the user. (1) by itself isn't very useful, but between them, (1) and (2) prevent a very wide range of attacks.

    I don't know if you know how users think, but something like ebay.comerce.ru is going to look legit to a lot of users.  Hell, a lot of people don't know what a URL is. 

    It would be a pretty half-arsed browser which didn't check for a domain name mismatch and warn the end user about it. IIRC, even IE6 did that.

    But there won't be any mismatch.  "ebay.comerce.ru" is really the name of the site; the fact that it's not owned by eBay, but by some Russian mafia phishing operation, cannot be detected by verifying the certificate.

    In this situation, SSL just guarantees that you're speaking to the phisher that you didn't know you were talking to, and not being overheard by some MitM.

    Precisely.  So if the user doesn't pay attention to the URL all they see is the lock icon, colored-in address bar, eBay's logos, etc.  So yet again I will restate it: SSL certs are useless if users don't act with caution and intelligence.  The CAs should catch stuff like "ebay.scammer.ru", but they don't always.  Plus, there are many ways to work around it anyway if users aren't educated.

    Hey, it's secure phishing! At least your pilfered CC details won't be sniffed by other phishers!


  • @Toad King said:

    Maybe it is? Perhaps the flash form submits the info over an encrypted connection like they say? It's not like Flash can't use SSL.

    Let's say the site is using encryption properly, but that doesn't mean, about the lock icon, "maybe it is" proof of such.  It's just an image and is proof of absolutely nothing.

    I'll agree this is a huge WTF - what was going through Pandora's minds when they decided to ask for payment details through a flash app?  What's so hard about making a regular web page for that?  There's no way in hell I'd feel comfortable using this.



  • @dml said:

    Let's say the site is using encryption properly, but that doesn't mean, about the lock icon, "maybe it is" proof of such.

    I blew a motivator while reading this sentence.



  • @belgariontheking said:

    I blew a motivator while reading this sentence.



  • The point someone made on TDWTF forums a while ago is that the web page does not have to use HTTPS (SSL)... just the submission does. Just because you connected using HTTPS does not mean that they cannot submit any form or do any server interaction in non-HTTPS. Your browser icon is worth just as much as the Pandora icon. It's just a way to make you feel more secure.



  • @astonerbum said:

    The point someone made on TDWTF forums a while ago is that the web page does not have to use HTTPS (SSL)... just the submission does. Just because you connected using HTTPS does not mean that they cannot submit any form or do any server interaction in non-HTTPS. Your browser icon is worth just as much as the Pandora icon. It's just a way to make you feel more secure.

    Every web browser I've used will throw up a dialog if you're on a secure page, but the URL you're submitting the form to is insecure. The browser icon means this page is secure, and the lack of a warning means that the next page is also secure.



  • @Carnildo said:

    @astonerbum said:

    The point someone made on TDWTF forums a while ago is that the web page does not have to use HTTPS (SSL)... just the submission does. Just because you connected using HTTPS does not mean that they cannot submit any form or do any server interaction in non-HTTPS. Your browser icon is worth just as much as the Pandora icon. It's just a way to make you feel more secure.

    Every web browser I've used will throw up a dialog if you're on a secure page, but the URL you're submitting the form to is insecure. The browser icon means this page is secure, and the lack of a warning means that the next page is also secure.


    Yea, but notice that MOST people will hide that warning permanently! It's just annoying since I click a link in my gmail and I get a popup. Popups don't work! Do you get a pop up every time you go to a web page saying "this page is not secure!"? No! You get a little icon on top, because no one will use the browser otherwise.

    I am not going to design the perfect system, but since Pandora is all in flash I see the need for that icon... BUT they should just jump out of the flash and use HTTPS and avoid this whole nonsense. Then again most people won't care or notice. And to further point out the problem, flash should solve this by alerting the browser that it is/is not in secure connection mode.



  • @astonerbum said:

    @Carnildo said:

    @astonerbum said:

    The point someone made on TDWTF forums a while ago is that the web page does not have to use HTTPS (SSL)... just the submission does. Just because you connected using HTTPS does not mean that they cannot submit any form or do any server interaction in non-HTTPS. Your browser icon is worth just as much as the Pandora icon. It's just a way to make you feel more secure.

    Every web browser I've used will throw up a dialog if you're on a secure page, but the URL you're submitting the form to is insecure. The browser icon means this page is secure, and the lack of a warning means that the next page is also secure.


    Yea, but notice that MOST people will hide that warning permanently!

    What browser are you using? Opera considers the "submitting a secure form to an insecure URL" message critical enough that you can't disable it.
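The condition behind the "secure form submitted to an insecure URL" warning astonerbum and Carnildo are arguing about, as an added example (not code from the thread or from any browser): resolve every form's action against the page URL, as a browser does, and flag the ones that would leave an HTTPS page over plain HTTP. The page URL and HTML below are constructed for illustration.

```python
"""Detect forms on an HTTPS page whose submission target is plain HTTP."""
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records the action attribute of every <form> in document order
    (None when the attribute is absent)."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: list[str | None] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action"))


def form_targets(page_url: str, html: str) -> list[str]:
    """Absolute submission URL of each form. A missing or empty action means
    the form posts back to the page itself; relative and protocol-relative
    ('//host/path') actions inherit scheme and host from the page URL."""
    collector = _FormCollector()
    collector.feed(html)
    collector.close()
    return [urljoin(page_url, a) if a else page_url for a in collector.actions]


def insecure_submissions(page_url: str, html: str) -> list[str]:
    """Form targets that would carry the user's input off a secure page over
    plain HTTP. On an http:// page there is nothing to downgrade, so the
    result is empty (the page itself is already insecure)."""
    if urlsplit(page_url).scheme != "https":
        return []
    return [t for t in form_targets(page_url, html)
            if urlsplit(t).scheme == "http"]


# Constructed sample: a secure billing page carrying four forms.
SAMPLE_PAGE = "https://billing.example.test/pay"
SAMPLE_HTML = """
<form action="/submit" method="post"></form>                   <!-- stays on https -->
<form action="http://billing.example.test/legacy"></form>      <!-- downgrade: warn -->
<form action="//partner.example.test/pay"></form>              <!-- inherits https -->
<form method="post"></form>                                    <!-- posts to the page itself -->
"""

if __name__ == "__main__":
    for target in insecure_submissions(SAMPLE_PAGE, SAMPLE_HTML):
        print("form would submit over plain HTTP:", target)
```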

