When did HTTPS stop working? Please fix :)

Discussion in 'Site Suggestions, Announcements and Guidelines' started by hmscott, Apr 2, 2017.

  1. Charles P. Jefferies

    Charles P. Jefferies TG Lead Moderator Super Moderator

    HTTPS will be rolled out to NBR and other TechTarget sites this year. I have no more specific information than that.
    If I could push it through instantly, believe me, I'd have done so already.

    Charles
     
  2. Ionising_Radiation

    Ionising_Radiation Δv = ve*ln(m0/m1)

    With the recent discovery of a vulnerability in WPA2-encrypted Wi-Fi networks, a properly-configured HTTPS website is all the more necessary. Mods, please hurry this along; I access NBR from my phone in public wireless networks fairly frequently.
     
    hmscott likes this.
  3. Stooj

    Stooj Notebook Deity

    Really starting to run out of year here.... o_O
    Hope nobody is re-using a password here because they're still flying over the air unencrypted.

    Frankly, somebody needs a rocket fired up them because an insecure login was professionally embarrassing 4 years ago. Now it's just downright dangerous and not to mention illegal in many western countries (many countries have privacy provisions which pertain to "reasonably" securing people's data). I'm not even going to delve into the potential of data leakage.
     
    Ionising_Radiation likes this.
  4. hmscott

    hmscott Notebook Nobel Laureate

    How goes the progress toward enabling HTTPS? :)

    Time flies, when you're chewing knackwurst.
     
    Last edited: Oct 20, 2017
  5. hmscott

    hmscott Notebook Nobel Laureate

    From July, Chrome will name and shame insecure HTTP websites
    Shame! Shame! says carrot-dangling Google

    By Thomas Claburn in San Francisco 8 Feb 2018 at 18:00

    "Three years ago, Google's search engine began favoring in its results websites that use encrypted HTTPS connections.

    Sites that secure their content get a boost over websites that used plain-old boring insecure HTTP. In a "carrot and stick" model, that's the carrot: rewarding security with greater search visibility.

    Later this year comes the stick. This summer, Google will mark non-HTTPS websites as insecure in its Chrome browser, fulfilling a plan rolled out in September 2016.

    Starting with Chrome 68, due to hit the stable distribution channel in July 2018, visiting a website using an HTTP connection will prompt the message "Not secure" in the browser's omnibox – the display and input field that accepts both URLs and search queries.

    "Chrome's new interface will help users understand that all HTTP sites are not secure, and continue to move the web toward a secure HTTPS web by default," Google explained in a draft blog post due to be published today and provided in advance to The Register."

    Beware the looming Google Chrome HTTPS certificate apocalypse!
    Well, melee. Dust-up? Minor inconvenience? But it's coming!!
    By Kieren McCarthy in San Francisco 7 Feb 2018 at 08:02
    https://www.theregister.co.uk/2018/02/07/beware_the_coming_chrome_certificate_apocalypse/

    "Tens of thousands of websites are going to find themselves labeled as unsafe unless they switch out their HTTPS certificate in the next two months.
    Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using a certificate from the security biz issued before June 1, 2016 or after December 1, 2017 will be warned that their connection is not private and someone may be trying to steal their information. They will have to click past the warning to get to the website.

    This will also affect certs that use Symantec as their root of trust even if they were issued by an intermediate organization. For example, certificates handed out by Thawte, GeoTrust, and RapidSSL that rely on Symantec will be hit by Google's crackdown. If in doubt, check your cert's root certificate authority to see if it's Symantec or not.

    The change will come in build 66 of Chrome – due for public release on April 17 – and the problem will get even bigger on October 23 when build 70 is released and all Symantec certificates will be listed as not being trustworthy.

    Of course, not everyone uses Chrome and not everyone will instantly upgrade to the latest version, but it's safe to say that it will become a very big headache very quickly for those sites that haven't obtained new HTTPS certs from other authorities.

    The question is: how big a headache? Early beta testers of the Chrome build have been warning that they keep coming across websites with untrusted certificates and seeing the danger message. Fortunately, one person has gone to the trouble of running a script to figure quite how ugly it's going to get.

    Security engineer Arkadiy Tetelman, who works at Airbnb according to his blog, decided to run a test in which he grabbed the certificate information from the one million biggest websites on the internet, in terms of traffic as rated by Alexa, and tested to see if they would break.

    The script took 11 hours to run and turned up some very interesting results: of the one million websites, just 11,510 are going to go TITSUP in April, with 91,627 on the chopping block in October.

    When businesses collide
    It's still a large number and there are some big names there – car company Tesla.com, water filter company Brita.com, Australia's energy regulator at aer.gov.au, and, well, 11,507 others. It's not Y2K – these outfits can buy certs from other authorities or get free ones – but it's safe to say that there are going to be a lot of unhappy people come April if action isn't taken. And then even more unhappy people a few months later.

    Fortunately, Mr Tetelman has uploaded a plain text list, so if you are a sysadmin or webmaster, we would strongly recommend doing a search to make sure you're not on it. Or, of course, be even smarter and move all your sites away from Symantec certificates.

    The issue doesn't raise the slightly troubling fact that Google has basically put an entire company's certificate-issuing operation out of business by declaring that it would no longer accept Symantec certificates. That's a scary amount of power to have.

    But on the other hand, it wouldn't be doing it if Symantec hadn't repeatedly screwed up and undermined trust in its own product by wrongly issuing SSL/TLS certs, including, unfortunately, the one for google.com. Not a smart move.

    If you are an organization that exists purely to ensure that people can trust you, then you should expect some fallout if it turns out you can't be trusted. Symantec wasn't very happy, of course, and used a whole range of angry words in a blog post about it: words like irresponsible, exaggerated, and misleading.

    It claims only 127 certificates were wrongly issued, not the 30,000 previously claimed. But here we are. A few months after its blog post and with Google refusing to budge, Symantec threw in the towel and sold off its certificate business to DigiCert.

    Don't say you haven't been warned.

    By the way, if it's the morning of Tuesday, April 17, and you are frantically skimming this article in between furious email alerts about your site being down, and phone keeps ringing, focus here: IT'S YOUR HTTPS CERTIFICATE! YOU NEED TO CHANGE IT. RIGHT NOW. ®
    PS: Mozilla's Firefox will also distrust Symantec-issued certs from version 60 onwards, due out in May this year.
     
    Last edited: Feb 17, 2018
    Vasudev and Maru like this.
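The article above tells site owners to "check your cert's root certificate authority to see if it's Symantec or not". The following is an added worked example, not part of hmscott's post or of The Register's article: a small POSIX shell helper that applies the Chrome 66 / Chrome 70 schedule exactly as the article states it to text produced by the openssl CLI. It assumes you have already pulled the chain with `openssl s_client -showcerts`, fed the last certificate (the root) to `openssl x509 -noout -subject` and the leaf to `openssl x509 -noout -startdate`; the sample lines at the bottom are constructed for illustration, not real certificates.

```shell
#!/bin/sh
# Added example: classify a site's certificate against the Symantec distrust
# schedule as the article describes it (Chrome 66 in April, Chrome 70 in October).
# Inputs are openssl text lines, e.g.
#   openssl x509 -noout -subject   < root.pem  -> "subject=C = US, O = VeriSign, Inc., ..."
#   openssl x509 -noout -startdate < leaf.pem  -> "notBefore=Jun  1 00:00:00 2016 GMT"

# The brands the article places under the Symantec umbrella; the legacy roots
# carry VeriSign, Symantec, GeoTrust or thawte in their O= field.
is_symantec_root() {
  printf '%s\n' "$1" | grep -Eiq 'O *= *"?(VeriSign|Symantec|GeoTrust|thawte|RapidSSL)'
}

# "notBefore=Jun  1 00:00:00 2016 GMT" -> 20160601, so dates compare as integers.
yyyymmdd() {
  printf '%s\n' "$1" | sed 's/^notBefore=//' | awk '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i }
    { printf "%04d%02d%02d\n", $4, mon[$1], $2 }'
}

# Prints one of: unaffected | chrome66 | chrome70
symantec_distrust_milestone() {
  root_subject=$1
  leaf_not_before=$2
  if ! is_symantec_root "$root_subject"; then
    echo unaffected
    return 0
  fi
  d=$(yyyymmdd "$leaf_not_before")
  # Article's rule: issued before 1 June 2016 or after 1 December 2017 -> warned
  # from Chrome 66; every other Symantec-rooted cert -> distrusted from Chrome 70.
  if [ "$d" -lt 20160601 ] || [ "$d" -gt 20171201 ]; then
    echo chrome66
  else
    echo chrome70
  fi
}

# Constructed sample lines (not real certificates):
symantec_distrust_milestone \
  "subject=C = US, O = VeriSign, Inc., OU = Class 3 Public Primary Certification Authority - G5" \
  "notBefore=May 20 00:00:00 2015 GMT"      # chrome66
symantec_distrust_milestone \
  "subject=C = US, O = GeoTrust Inc., CN = GeoTrust Global CA" \
  "notBefore=Mar  3 12:00:00 2017 GMT"      # chrome70
symantec_distrust_milestone \
  "subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA" \
  "notBefore=Jan 15 00:00:00 2018 GMT"      # unaffected
```

Against a live site you would run `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, split the PEM blocks, and pass the root's subject and the leaf's notBefore to `symantec_distrust_milestone`. The root, not the leaf issuer, is what decides it: as the article notes, Thawte, GeoTrust and RapidSSL intermediates chained to a Symantec root are hit just the same.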
  6. hmscott

    hmscott Notebook Nobel Laureate

    FYI...

    23,000 HTTPS certs will be axed in next 24 hours after private keys leak
    Trustico, DigiCert come to blows as browsers prepare to snub Symantec-brand SSL
    By John Leyden 1 Mar 2018 at 00:43
    https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat/

    "Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours.
    This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are supposed to be secret, and only held by the cert owners, and certainly not to be disclosed in messages. In the wrong hands, they can be used by malicious websites to masquerade as legit operations.

    Unless the affected certificates are replaced in time, visitors to websites using Trustico-sold HTTPS certs will be turned away by their browsers, due to the digital certificates being revoked.

    The whole situation is a mess, and possibly the result of a turf war. Here's what we've managed to ascertain.

    What is Trustico?
    Trustico, based in Croydon, UK, touted SSL/TLS certificates, which are used by websites to encrypt and secure their connections. It resold certs from the Symantec brand umbrella: Symantec, GeoTrust, Thawte, and RapidSSL. This umbrella is now owned and operated by DigiCert.

    If you wanted to buy, say, a RapidSSL-issued certificate, you could do so via Trustico. The HTTPS cert ultimately leads back, along a chain of trust, to DigiCert, a root certificate authority trusted by web browsers and other software. In turn, a website presenting the Trustico-sold cert is trusted, its traffic secured using encryption, and the reassuring green padlock is displayed in visitors' browsers.

    Why are the certificates being revoked?
    According to DigiCert's chief product officer Jeremy Rowley earlier today, Trustico told DigiCert in early February that its resold certificates had been in some way "compromised," and that the certs needed to be mass revoked as a result.

    DigiCert staff, we're told, asked Trustico for more information on this security mishap. The reseller replied it had a copy of the private keys, which is usually grounds for revocation, and thus insisted that DigiCert revoke the certificates.

    When pressed for evidence, Trustico on Tuesday simply emailed DigiCert 23,000 certificates' private keys as proof it held this information, it is claimed. This forced DigiCert's hand: under the rulebook of standards set by the elders of the certificate security and browser worlds, the Trustico-sold certificates had to be revoked as a precaution within 24 hours. Specifically, the ones with their private keys in the email will be canceled.

    "Trustico has not provided any information about how these certificates were compromised or how they acquired the private keys," explained Rowley.

    "As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys. Currently, we are only revoking the certificates if we received the private keys. There are additional certificates the reseller requested to have revoked, but DigiCert has decided to disregard that request until we receive proof of compromise or more information about the cause of this incident."

    On Twitter, Rowley continued: "I'll likely be posting the private keys later once people have a fair chance to replace their certificates ... The allegation of compromise, keys compromised, and request for revocation all came from Trustico."

    Before you raise an eyebrow too high, by posting the private keys, Rowley plans to disclose self-signed certificates, produced using the private keys, to prove the secret information was sent to DigiCert without revealing the actual information in public. Some have already popped online as proof DigiCert received the secret keys from Trustico.

    Alarm bells
    To warn netizens to the upcoming mass revocation, DigiCert's RapidSSL business sent out email alerts to Trustico customers urging them to get new HTTPS certificates or watch their sites go dark. Here's a copy of the memo, passed to El Reg:

    [image: the RapidSSL revocation alert email sent to Trustico customers]

    DigiCert also put out a blog post, giving its side of the story:

    Trustico requested revocation of their Symantec, GeoTrust, Thawte and RapidSSL certificates, claiming the certificates were compromised. When we asked for proof of the “compromise,” Trustico did not provide details on why they were requesting the immediate revocation. Trustico’s CEO indicated that Trustico held the private keys for those certificates, and then emailed us approximately 20,000 certificate private keys.

    When he sent us those keys, his action gave us no choice but to act in accordance with the CA/Browser Forum Baseline Requirements, which mandate that we revoke a compromised certificate within 24 hours. As a CA, we had no choice but to follow the Baseline Requirements.

    Following our standard revocation process, we gave notice via email to each certificate holder whose private keys had been exposed to us by Trustico, so they could have time to get a replacement certificate.

    Now, over to Trustico.

    Upset and denials
    We asked the Brit biz for comment, and had yet to hear back at time of writing. However, posting on Mozilla's security policy newsgroup, Trustico product manager Zane Lucas was clearly upset that DigiCert sent out the above alert.

    "We didn't authorise DigiCert to contact our customers and we didn't approve the content of their email," wrote Lucas.

    "At no time had any private keys been compromised, nor had we ever informed to you that any private keys had been compromised. During our many discussions over the past week we put it to you that we believe Symantec to have operated our account in a manner whereby it had been compromised. Your usage of the word compromise has been twisted by you to your benefit and is absolutely defamatory."

    To put this in context: Trustico was fed up with using Symantec certs, and on February 13, it formally abandoned the umbrella of brands – ahead of Google Chrome and Mozilla Firefox officially distrusting the certificates due to past security fumbles by Symantec. Trustico said it had complained privately to Symantec of long-running concerns over the security safeguards on Symantec-branded certificates, hence Lucas' reference to its Symantec account.

    Although Lucas stressed the private keys for Trustico's resold certificates were not compromised, it did, according to DigiCert, email a copy of 23,000 of them to the root authority seemingly to trigger their revocation. At that point, DigiCert considered the certificates at risk, and started the countdown clock to cancel them.

    Trustico and DigiCert have clearly majorly fallen out, with the pair going their separate ways this month amid the behind-the-scenes drama. It even appears Trustico tried to stop DigiCert from using its online portal to send out today's emailed warning.

    In future, Trustico will flog Comodo HTTPS certificates rather than peddle Symantec-branded certs. Cynics have suggested the Brit reseller ordered the revocation of its Symantec-umbrella certs so it could drive its customers onto Comodo certificates, and thus avoid the looming Google Chrome HTTPS certificate apocalypse without losing many, if any, punters. In effect, website owners have been caught up in a turf war between Trustico and DigiCert.

    How did Trustico get the private keys to certificates it resold? We don't know for sure – but it did, and still does, offer an online private key generator for certificates. Just saying.

    In an email sent to customers a few hours ago, and seen by The Register, Trustico said it will provide free certificates to replace the soon-to-be-nuked SSL/TLS certs:

    Recently we wrote to you to let you know that we are no longer offering Symantec, GeoTrust, RapidSSL and Thawte branded SSL Certificates. Unfortunately, Google Chrome has decided to distrust these SSL Certificates. It's important to us that your SSL Certificate continues to function as normal, and not be compromised by the distrust of the Symantec brands. It is now required that you replace any existing distrusted SSL Certificate with one that is trusted by all web browsers.

    Rest assured, there hasn't been any type of compromise of our systems. However, Symantec brands will cease to function correctly due to Google Chrome's decision to distrust them.

    Recently DigiCert acquired the Symantec SSL Certificate division and subsequently an e-mail was sent by DigiCert to some of our SSL Certificate customers advising of the revocation of their distrusted SSL Certificate. We didn't authorise this e-mail to be sent and had specifically disabled it within the DigiCert system. We understand that the e-mail sent about your distrusted SSL Certificates may be confusing. It's important that you take the opportunity to replace your SSL Certificate as soon as possible.

    We're providing free replacement of affected SSL Certificates. To enable a free replacement, you'll receive an e-mail report today if you have affected SSL Certificates. Your report will contain a unique coupon code for each affected SSL Certificate. When you replace your distrusted SSL Certificates using your unique coupon codes you'll receive extra validity free of charge. If you have any questions please feel free to reply to this e-mail.

    Meanwhile, DigiCert said it, too, will offer free replacement certs to folks using Symantec-branded HTTPS certificates, which will be ignored by web browsers later this year. And, of course, don't forget you can grab free HTTPS certificates from Let's Encrypt that all major browsers trust.

    Today has been marred with confusion. Trustico's customer support lines have been jammed with complaints and queries, following DigiCert's email alerts. Reg readers told us they felt left in the dark. Perhaps it'll all be clearer in a few hours, when the dust has settled – and the certs have been nuked.

    Updated to add
    Trustico kept the private keys to its customers' certificates in cold storage, and provided them to DigiCert to start the revocation process.

    Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning
    Better than nothing!
    By John Leyden 27 Feb 2018 at 15:03
    https://www.theregister.co.uk/2018/02/27/https_hpkp_web_security_sitrep/

    "The adoption of HTTPS among the top million sites continues to grow with 38.4 per cent offering secure web connections.

    A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since October 2017. Helme's latest biannual web security sitrep threw up the surprising finding that a security technology Google decided to deprecate last October has risen, not shrunk, in popularity.

    "The most surprising thing is probably the strong growth in HPKP [HTTP public key pinning], a technology being abandoned by many and soon Google Chrome too," Helme told El Reg.

    Google said it was abandoning HPKP, a next-generation web crypto technology it initially championed, back in October, as previously reported. Experts including Helme and Ivan Ristic have criticised the technology as being both tricky to apply and potentially calamitous, if incorrectly set up. Fast forward four months and Helme has found that larger sites are less likely to use HPKP, the reverse of the trend for every other metric.

    Paul Moore, another infosec expert with a keen interest in web security, praised Helme's latest study. "My only comment would be the lack of a deep/context aware scan... meaning sites which don't use headers [at landing page] may use them elsewhere, as and when they feel necessary... something the scan wouldn't and couldn't reveal."
    [image: web security sitrep chart, source: Scott Helme]

    Helme concluded: "Whilst the rate of adoption for HTTPS has slowed, we're still seeing good growth in the numbers. All metrics are seeing positive growth and our push towards an encrypted web is still making great progress."

    Certificate authority Let's Encrypt has continued to grow its presence in the top 1 million sites on the web. By contrast there's almost no growth in the use of EV (extended validation) certificates, according to Helme.

    The payment industry is due to pull support for TLSv1.0 within its PCI DSS credit card processing standard from June onwards. Scans run by Helme show that the vast majority of the web's most-visited locales have already prepared for this change by switching to more robust protocols, such as TLSv1.2"
     
    Last edited: Mar 2, 2018
    Vasudev likes this.
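The Trustico story turns on one question: who holds the private key. The reseller "did, and still does, offer an online private key generator", and once it could email 23,000 keys to DigiCert the Baseline Requirements left no option but revocation. The following is an added example, not part of hmscott's post or of either article: a POSIX shell helper that keeps key custody on your own host by generating the key and CSR locally, handing out only the CSR, and checking the certificate that comes back against the key before installing it. The comparison hashes the DER SubjectPublicKeyInfo, which is the same value an HPKP `pin-sha256` directive (from the second article) carries, so the helper doubles as a pin calculator. It assumes the openssl CLI is installed; the directory layout, the CN `forum.example.org` and the self-signed stand-in for the CA are illustrative.

```shell
#!/bin/sh
# Added example: keep custody of the private key. Key and CSR are created here,
# only the CSR goes to the CA or reseller, and the returned certificate is
# checked against the key before installation. Requires the openssl CLI.

# Generate a 2048-bit RSA key and a CSR for it; the key never leaves this host.
make_key_and_csr() {
  dir=$1; cn=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/site.key" -out "$dir/site.csr" -subj "/CN=$cn" >/dev/null 2>&1 &&
  chmod 600 "$dir/site.key"
}

# base64(SHA-256(DER SubjectPublicKeyInfo)) of a private key: the HPKP pin-sha256 value.
spki_pin_from_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# The same digest computed from the public key inside a certificate.
spki_pin_from_cert() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
    openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# Succeeds only if the certificate was issued for our key (pins equal and non-empty).
cert_matches_key() {
  cert_pin=$(spki_pin_from_cert "$1")
  key_pin=$(spki_pin_from_key "$2")
  [ -n "$cert_pin" ] && [ "$cert_pin" = "$key_pin" ]
}

# Stand-in for the CA: sign the CSR. Self-signed here for the demo; a real CA
# signs with its own key, but the public key in the cert is still the CSR's.
issue_from_csr() {
  dir=$1
  openssl x509 -req -in "$dir/site.csr" -signkey "$dir/site.key" -days 1 \
    -out "$dir/site.crt" >/dev/null 2>&1
}

# Demo run in a scratch directory.
demo() {
  tmp=$(mktemp -d)
  make_key_and_csr "$tmp" forum.example.org
  issue_from_csr "$tmp"
  if cert_matches_key "$tmp/site.crt" "$tmp/site.key"; then
    echo "certificate matches our key; pin-sha256=$(spki_pin_from_key "$tmp/site.key")"
  else
    echo "certificate was NOT issued for our key; do not install it"
  fi
  rm -rf "$tmp"
}
demo
```

Run `cert_matches_key /path/to/returned.crt /path/to/site.key` before copying a purchased certificate into the web server; a mismatch means either a mix-up at the reseller or a key you did not generate. The pin printed by `spki_pin_from_key` is only worth publishing in an HPKP header together with a backup pin for a second, offline key, which is exactly the trap Helme and Ristic warn about in the article above.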
  7. Stooj

    Stooj Notebook Deity

    So is this actually being taken seriously at all?

    I reckon I could configure an nginx proxy to stand in front of this web server in less than 30 minutes with LetsEncrypt on it. It's really not that hard and would have little impact on existing infrastructure.
     
    Ionising_Radiation and hmscott like this.
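What Stooj describes above, as an added example that is not part of the post and not the forum's real setup: a POSIX shell script that renders an nginx TLS-terminating reverse proxy in front of an existing plain-HTTP web server and obtains the certificate from Let's Encrypt. It assumes the hostname `forum.example.org`, an existing server listening on `127.0.0.1:8080`, a Debian-style `/etc/nginx/sites-enabled/` layout and an installed `certbot`; all of these are illustrative. The two-phase deployment exists because the TLS server block references certificate files that do not exist until certbot has answered the HTTP-01 challenge over port 80.

```shell
#!/bin/sh
# Added example: nginx TLS termination in front of an unchanged HTTP app,
# with a Let's Encrypt certificate obtained by certbot (webroot authenticator).

# Render the site config. Third argument "no" renders only the port-80 block,
# which is all that is needed to answer the ACME challenge on first deployment.
render_nginx_site() {
  domain=$1; upstream=$2; with_tls=${3:-yes}
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    # The ACME HTTP-01 challenge path must stay reachable over plain HTTP.
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://\$host\$request_uri; }
}
EOF
  [ "$with_tls" = yes ] || return 0
  cat <<EOF

server {
    listen 443 ssl http2;
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    # Short HSTS max-age until every page is confirmed working over HTTPS;
    # raise it afterwards.
    add_header Strict-Transport-Security "max-age=300" always;

    location / {
        proxy_pass http://${upstream};
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        # Tells the forum software the original scheme so it emits https://
        # links and can mark its session cookies Secure.
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# One-time deployment, run as root on the proxy host.
deploy_https_proxy() {
  domain=$1; upstream=$2
  conf="/etc/nginx/sites-enabled/${domain}.conf"
  mkdir -p /var/www/letsencrypt
  # Phase 1: port 80 only, so certbot can prove control of the name.
  render_nginx_site "$domain" "$upstream" no > "$conf" && nginx -t && nginx -s reload
  certbot certonly --webroot -w /var/www/letsencrypt -d "$domain" \
    --agree-tos --no-eff-email -m "hostmaster@${domain}"
  # Phase 2: the certificate exists; switch on the TLS server block.
  render_nginx_site "$domain" "$upstream" yes > "$conf" && nginx -t && nginx -s reload
}

# Print the rendered config (deployment would be: deploy_https_proxy forum.example.org 127.0.0.1:8080).
render_nginx_site forum.example.org 127.0.0.1:8080
```

Renewals keep working because the port-80 block still serves the challenge path after the switch, so `certbot renew` needs nothing more than a `--deploy-hook "nginx -s reload"`. The X-Forwarded-Proto header is the part that is easy to forget: without it the application behind the proxy keeps generating http:// links and unsecured cookies, and the login form is still submitted over TLS but the session that follows is not protected.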
  8. Charles P. Jefferies

    Charles P. Jefferies TG Lead Moderator Super Moderator

    HTTPS is being implemented across all TechTarget sites so there are some delays. I was told to expect it to be rolled out in the Spring. When I have more information to share, I will.

    Charles
     