October 25, 2005

Microsoft scores in anti-phishing!

Finally, some good news! Matthias points out that Microsoft has announced that they are switching to TLS in browsers. Hooray! This means no more SSL v2, and the other lackadaisical dinosaurs of the browser world can be expected to shuffle into line (Mozilla, Safari, Konqueror, Opera... yes, you may well look down in shame, especially Mozilla which was facing a bombardment of clues).

I have a sneaking suspicion that Microsoft actually are thinking a bit - not hugely but a bit - about phishing and are looking at some of the easier ways to deal with it. First, they acknowledged that phishing was a browser problem, and no other browser supplier to my knowledge has done that. Secondly, they mention from time to time phishing and security in the same breath, while the other guys are still stuck on patch counts and bug statistics and similar side issues. Thirdly:

As part of Microsoft's "secure by default" design philosophy, IE7 will block encrypted web sessions to sites with problematic (untrusted, revoked or expired) digital certificates. Users will receive a warning when they visit potentially insecure sites, which users can choose to ignore, except where certificates are revoked. "If the user clicks through a certificate error page, the address bar will flood-fill with red to serve as a persistent notification of the problem," Lawrence explained.

Huh. Not a bad idea, that, although note that it is logically the reverse of what the Petname and Trustbar people do! (Debates can be had, and more could be done, but a start is a start!) Fourthly:

The Beta 2 version of IE7 also changes the way non secure content is rendered in a secure web page. IE7 renders only the secure content by default but it offers surfers the chance to unblock the nonsecure content on a secure page using the Information Bar.

Fifthly, dropping SSL v2 as default: it's hard to concisely draw the complex connection between TLS and phishing, but it's easy to show its general or two-step effects. Microsoft makes a game attempt at this:

Lastly, the TLS implementation has been updated to support Extensions as described in RFC 3546. TLS extensions improve performance, and add capabilities to the TLS protocol. The most interesting of the extensions is the Server Name Indication (SNI) extension, as it resolves one of the long-standing limitations for HTTPS hosting.

A little background: When a web browser initiates a HTTPS handshake with a web server, the server immediately sends down a digital certificate. The hostname of the server is listed inside the digital certificate, and the browser compares it to the hostname it was attempting to reach. If these hostnames do not match, the browser raises an error.

The matching-hostnames requirement causes a problem if a single-IP is configured to host multiple sites (sometimes known as “virtual-hosting”). Ordinarily, a virtual-hosting server examines the HTTP Host request header to determine what HTTP content to return. However, in the HTTPS case, the server must provide a digital certificate before it receives the HTTP headers from the browser. SNI resolves this problem by listing the target server’s hostname in the SNI extension field of the initial client handshake with the secure server. A virtual-hosting server may examine the SNI extension to determine which digital certificate to send back to the client.

I told you it wasn't easy to explain ... in short, this means that many more ordinary sites can now use HTTPS to protect content, which speeds up the general availability of TLS (was SSL) which then kicks back and means browsers and plugins can protect against phishing. Top banana!
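The SNI mechanism quoted above, as an added example that is not part of the original post nor Microsoft's code: a constructed minimal ClientHello builder plus a parser that pulls the hostname out of the RFC 3546 server_name extension, which is the field a virtual-hosting server (or a monitor logging which HTTPS names clients request) reads before any certificate is sent. All names and the sample hostnames are my own assumptions.

```python
import struct

def build_client_hello(hostname: bytes, with_sni: bool = True) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello, optionally with an RFC 3546 server_name extension."""
    exts = b""
    if with_sni:
        entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type 0 = server_name
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x01" + b"\x00" * 32        # client_version TLS 1.0, 32-byte random (zeros here)
            + b"\x00"                         # empty session_id
            + b"\x00\x02\x00\x2f"             # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00"                     # compression_methods: null
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # record type 22 = handshake

def parse_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None when no SNI is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    p = 2 + 32                                      # skip client_version and random
    p += 1 + body[p]                                # skip session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # skip cipher_suites
    p += 1 + body[p]                                # skip compression_methods
    if p + 2 > len(body):
        return None                                 # pre-extension client: no extensions block at all
    ext_len = struct.unpack("!H", body[p:p + 2])[0]
    p, end = p + 2, p + 2 + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x0000:
            q = 2                                   # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:                      # only host_name is defined by RFC 3546
                    return name.decode("ascii")
    return None
```

A server that selects a certificate from the parsed name must still fall back to a default certificate when `parse_sni` returns None, which is exactly the pre-IE7 case the quoted passage describes.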

Last week there was a general panic issued at core Internet level - SSL v2 in OpenSSL had a flaw in it. Unfortunately, as there was no capability to turn off SSL v2 within OpenSSL, the problem turned into a schmozzle as OpenSSL is both incorporated in many packages, and also distributed in many forms. Maybe this discussion tipped the balance: get rid of SSL v2 everywhere.

Hat tip to Microsoft for having the guts to do what no other company or open source group did.

Posted by iang at October 25, 2005 06:12 PM

Call me a cynic, but I see it more like aiding continued extortion by CAs. Yes, it's nice to get rid of SSLv2, but most user-noticeable changes will be draconian scare-the-living-bejeezus-out-of-the-user rendering effects in case of slightest non-compliance with the X.509 PKI model.
For instance, this blog will be one hell to read, because
1. name mismatch between the https links and the certificate
2. no signature chain from a trusted root

Your readers will have the url displayed on red background and have to go through a lot of scary warnings, before accessing the root.

Also, I am curious, how they are planning to live up to their promise of rendering insecure content embedded in secure pages (images, etc) differently: what if the stylesheet is the insecure embedded content? You can achieve pretty much any visual effect using the stylesheet, after all.

Posted by: Daniel A. Nagy at October 25, 2005 07:51 PM

Stimulated by your on-going crusade, I decided to turn off ssl v2 in my browser -- Galeon. I couldn't find any option to do so. In fact, I couldn't find any option to configure *any* security features of any kind. Finally I learned that you can type "about:config" into the URL field to see the current config. Browsing through it, I found that ssl v2 was already disabled, as was md5 and any algorithm with < 128 bit key sizes.

Posted by: Z at October 26, 2005 11:09 AM

The webpages for Wells Fargo customer account activity still contain links to other https sites. Now this is a https link to some image on akamai.net - a few months ago this was a https link to something invisible on ad.doubleclick.net. It really bothers me that MY browser contacts these other organizations when it displays an account activity page. I am shocked to see this not generate an error in my browser. My browser complains if a https webpage contains an image coming from any HTTP link (even one at Wells Fargo), but it allows images without complaint from anywhere on internet if the image is HTTPS.

Will these proposed IE7 changes put an end to this behavior? I'm not sure what my fear is here - my bank can give out all my information to everyone anyway. I'd just like assurance that my yellow https address bar tells me *everything* is coming from *that* website, encrypted.

Posted by: Logi Mess at November 1, 2005 08:09 PM