posted by martyb on Thursday July 16 2020, @08:10PM

The TLS 1.2 Deadline is Looming, Do You Have Your Act Together?:

In the pantheon of security configuration duties for organizations running internet assets, maintaining the latest TLS encryption protocols to keep the cryptographic apparatus at full strength is one of the most fundamental. TLS provides cover for the most sensitive personal and financial information that moves across the internet. As experts in measuring and monitoring third-party risk, RiskRecon and the data scientists from Cyentia Institute recently published a new report that leveraged unique scan data from millions of web servers around the world, via the RiskRecon platform, to see where the rollout of TLS 1.2[*] is going smoothly and where it is meeting resistance.

Together with its precursor SSL, TLS has long been in the crosshairs of both attackers and security researchers who understand that a weak or non-existent deployment of the protocol makes it trivial enough to carry out man-in-the-middle and other attacks against the vulnerable target.

[...] Sectors such as Education (47%), Energy (40%), and Public Administration (37%) have struggled to implement TLS 1.2 protocols. This revelation led us to ask another question – “Are these hosts collecting and transmitting important information using vulnerable protocols?” The RiskRecon portal also determines web host value by examining whether a website collects and transmits important PII or credential information. If we restrict our view to just these high-value hosts, we can zero in on where the lack of TLS 1.2 represents a substantial risk: 1 in 10 organizations transmit private information over flawed protocols.

While our study found that this fundamental protocol lacks attention from some IT Security teams, it needs no further introduction to those who would look to exploit any vulnerability in web communications. The clock is ticking to properly secure your lines of internet communication; standards bodies and web browsers have put out their warnings, and there is no time like the present to get up to speed.

[*] The latest version of TLS (Transport Layer Security) is 1.3; see RFC 8446.


  • (Score: 2) by Opportunist on Friday July 17 2020, @10:23AM (8 children)

    by Opportunist (5545) on Friday July 17 2020, @10:23AM (#1022822)

    Then how do I verify that I'm actually talking with your server and not some imposter?

  • (Score: 2, Touché) by Zinnia Zirconium on Friday July 17 2020, @09:38PM (7 children)

    by Zinnia Zirconium (11163) on Friday July 17 2020, @09:38PM (#1023084) Homepage Journal

    How do you know I'm not some imposter? You don't and it doesn't matter because I deal second hand in publicly available data nobody cares about. Maybe if the data were private or secret or sensitive or important in any way then I might bother with encryption.

    .......and yeah I use SSH for a private channel into my own server but also I see my SSH log and honestly I gain more security from port knocking. I got no break-in attempts in my log. Nobody so much as touches my SSH because nobody guesses my knock sequence.

    • (Score: 1, Redundant) by darkfeline on Friday July 17 2020, @10:18PM

      by darkfeline (1030) on Friday July 17 2020, @10:18PM (#1023099) Homepage

      Nobody cares about your server so it doesn't need encryption? Great, good for you. Unfortunately, most servers do handle important data so they need TLS.

      --
      Join the SDF Public Access UNIX System today!
    • (Score: 2) by Opportunist on Saturday July 18 2020, @08:54AM (5 children)

      by Opportunist (5545) on Saturday July 18 2020, @08:54AM (#1023305)

      If I cannot verify that I'm talking to your server and not an impostor, how could I be certain that the data I get from you is actually accurate? Even if I trusted you that you provide genuine data, I could not verify that I actually got that data from you and not someone trying to forge it, either to plant false data or to slander you and make your visitors think you provide false data.

      • (Score: 1) by Zinnia Zirconium on Saturday July 18 2020, @09:07PM (4 children)

        by Zinnia Zirconium (11163) on Saturday July 18 2020, @09:07PM (#1023495) Homepage Journal

        I serve data second hand and I can't be sure I get accurate data from my primary source who could suddenly decide they fukken hate me and start providing only me specifically with junk data which I have no way of verifying for accuracy and then my visitors would get junk despite my honest efforts. Encryption doesn't solve the garbage-in-garbage-out problem.

        • (Score: 2) by Opportunist on Sunday July 19 2020, @08:49AM (3 children)

          by Opportunist (5545) on Sunday July 19 2020, @08:49AM (#1023662)

          Thanks for the warning, I'll find a different source then. If you cannot even verify your own source, why would I want to use you as one?

          • (Score: 1) by Zinnia Zirconium on Sunday July 19 2020, @05:57PM (2 children)

            by Zinnia Zirconium (11163) on Sunday July 19 2020, @05:57PM (#1023786) Homepage Journal

            OK bye. Don't search my Jango index and don't use my YouTube proxy. Go directly to Jango and YouTube instead. I don't care.

            Better yet use Pandora. Everybody uses Pandora because Pandora is Pandora and everybody uses Pandora. I still don't care.

            If I get Let's Encrypt certificates then someone will tell me Let's Encrypt isn't trusty enough because Let's Encrypt only verifies domains and domains can be hijacked.

            A couple of whois searches would turn up the fact that I'm using Freenom and No-IP for my DNS which means I don't own my domains. And do you remember that time in 2014 when No-IP was hijacked by Microsoft. I remember.

            A couple of web searches would turn up the fact that I do all my development work at Wikidot which doesn't do HTTPS either. Oh no. How will I verify my source code at Wikidot is untampered before I deploy it to production.

            Wikidot also happens to host the SCP Foundation. SCP Foundation doesn't encrypt. SCP Foundation isn't trusty enough. Oh no. How will you verify the data about every SCP is accurate and not intercepted by an imposter. It's the SCP Foundation. How much do you actually care.

            SoylentNews does TLS 1.3. There's a silly lock icon on the browser and everything. That's good isn't it. Nope. SoylentNews uses Let's Encrypt. Let's Encrypt didn't verify ownership of SoylentNews. SoylentNews can't be trusted. SoylentNews could be hijacked by Microsoft right now. Don't ever trust SoylentNews.

            Where's the massive troll spam campaign to convince SoylentNews to buy real certificates from a real certifying authority instead of cheap Let's Encrypt which could be so very hijacked by Microsoft right now. Seriously where is the troll spam.

            Trolls gonna troll me no matter what I do. Isn't that right troll.

            • (Score: 2) by Opportunist on Sunday July 19 2020, @06:54PM (1 child)

              by Opportunist (5545) on Sunday July 19 2020, @06:54PM (#1023808)

              Let's Encrypt does not verify ownership because that's not what a certificate is supposed to verify. A certificate does exactly what Let's Encrypt allows you to do: To verify whether the server you are connecting to is the server you may expect to reach at this address. Who that server belongs to is beyond the scope of a certificate, as is whether that server belongs to who you think it belongs to. If you connect to www.bankofmurrica.com and expect to do safe online banking because you see the lock symbol, you misunderstand the purpose of certificates.

              A certificate makes no statement about the ownership of a system. Only that the system you are connecting to is the system that claims to belong to that domain name.
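The binding described in the post above is enforced entirely on the client side: after the TLS handshake the client compares the name it dialled against the names listed in the certificate, and nothing in the certificate names an owner. The following is an added example, not code from the thread, implementing a simplified RFC 6125 name check over a dict shaped like Python's `ssl.SSLSocket.getpeercert()` output; `CONSTRUCTED_CERT` and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed certificate in getpeercert() shape. Note the fields it carries:
# a subject, an issuer and subjectAltName entries. There is no "owner" field.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "issuer": ((("commonName", "Constructed Example CA"),),),
    "subjectAltName": (
        ("DNS", "www.example.net"),
        ("DNS", "*.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


def asserted_dns_names(cert: dict) -> list:
    """The only identities a certificate asserts: its DNS subjectAltName entries."""
    return [v.lower().rstrip(".") for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def _pattern_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leftmost '*' label covering exactly one host label."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count (so *.example.net never matches a.b.example.net) and at
    # least two fixed labels (so *.net is refused).
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Does this certificate cover the name (or IP) the client intended to reach?"""
    host = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)  # literal IPs are checked against IP SANs only
        return any(k == "IP Address" and v == host for k, v in cert.get("subjectAltName", ()))
    except ValueError:
        pass
    return any(_pattern_matches(p, host) for p in asserted_dns_names(cert))
```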

              • (Score: 2, Interesting) by Zinnia Zirconium on Monday July 20 2020, @03:13AM

                by Zinnia Zirconium (11163) on Monday July 20 2020, @03:13AM (#1023955) Homepage Journal

                Uh. No. Let's Encrypt doesn't verify ownership because Let's Encrypt is cheap. Ain't nobody at Let's Encrypt wanna gawk at a notarized photo of my government issued photo ID to prove I am who I say I am. That would take time and effort and somebody would want to get paid to do the work and it would raise the price of the certificate above free.

                Let's Encrypt does only so much work as can be easily automated for free: challenge the HTTP server at a DNS domain name which I specify to produce a fukken stupid response. And by fukken stupid I mean "respond to this HTTP request by copying the request into the response."

                I got Let's Encrypt to issue a certificate for my YouTube proxy which was the most challenging of my servers because my YouTube proxy is an HTTP server in a bash script. So wow I had to write two lines of code to pass the fukken stupid challenge that Let's Encrypt claims is proof enough that I'm me. But what if I'm not me. What if I'm some DNS hijacker who hijacked my domain. I am using No-IP.

                Did I mention No-IP got DNS hijacked by Microsoft a few years ago. So now every troll says everybody should use Let's Encrypt and everybody knows every troll says everybody should use Let's Encrypt including every DNS hijacker. So now this year when somebody like Microsoft wants to hijack everybody at someplace like No-IP all they gotta do is take the extra step of renewing all the Let's Encrypt certificates for all the hijacked domains which the hijackers legitimately control according to Let's Encrypt fukken stupid challenge response shht.

                Bam. Every browser shows the fukken lock icon and everybody trusts they connected to the server they expected and nobody notices Let's Encrypt is even more dangerous than not encrypting at all. At least when not encrypting everybody knows not to do stupid shht like type passwords and credit card numbers into a song search form.

                So when is SoylentNews gonna get DNS hijacked and someone collects a nice collection of reusable passwords. Or is SoylentNews already hijacked. SoylentNews does use Let's Encrypt which just screams unnoticeable hijack.

                See I don't need encryption. I don't accept passwords and I don't accept credit cards. I'm not a business and I'm not a bank.

                I might actually go ahead and finish setting up socat with Let's Encrypt certificates and put socat in front of my HTTP servers for that warm fuzzy HTTPS feeling. But I would do it just for the technical challenge. It's all fukken pointless.
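The HTTP-01 challenge the post above refers to is specified in RFC 8555: the host must publish, at `/.well-known/acme-challenge/<token>`, the token joined with the RFC 7638 thumbprint of the ACME account key, and the CA fetches that path over plain HTTP at the name being validated. The following is an added example, not code from the thread, that models both sides in memory; `CONSTRUCTED_JWK` is a constructed, non-real key and the function names are assumptions made for the example.

```python
import base64
import hashlib
import json
import re

# Constructed account key: the modulus is a placeholder, not a real RSA key.
CONSTRUCTED_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # RFC 8555 tokens are base64url and nothing else


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the host must publish; it ties the token to one specific ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_server(account_jwk: dict, token: str):
    """Host side, modelled as (path) -> (status, body). Refuses tokens that could smuggle a path."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("refusing to publish a malformed token")
    body = key_authorization(token, account_jwk) + "\n"  # trailing whitespace is tolerated by the CA

    def handle(path: str):
        return (200, body) if path == CHALLENGE_PREFIX + token else (404, "")

    return handle


def ca_validates(fetch, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the path at the name under validation and compare with the account key's prediction.
    A pass proves control of that name's web endpoint at validation time, nothing about who owns the name."""
    status, body = fetch(CHALLENGE_PREFIX + token)
    return status == 200 and body.rstrip() == key_authorization(token, account_jwk)
```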