Monday, March 30, 2009

Encrypt Everything

Nowadays, most people involved with computer security know that they should use encrypted protocols. With the rapid development of open wireless networks, the systematic use of encryption is becoming increasingly critical. How many people still use FTP or POP3 on the Internet? Too many...


Use Encrypted Equivalent Protocol

Most clear-text protocols on top of TCP have an encrypted counterpart. Here are a few examples:
  • telnet -> SSH
  • FTP, kermit -> SCP/SFTP over SSH, or FTPS over SSL
  • POP3/IMAP/SMTP -> POP3S/IMAPS/SMTPS, SMTP + TLS, etc.
  • Webmail over HTTP -> HTTPS
Additionally, although service providers may offer encrypted protocols, they do not always enable them by default, because encryption adds processing overhead. Webmail providers, for example, typically default to an HTTP-only page. It is up to end users to explicitly request the HTTPS page when accessing the service.


Add your own SSL encryption

For the TCP protocols, you can always use an SSL tunnel such as stunnel. You can use stunnel in different ways:
  • Install it on a client which does not support SSL to communicate with an SSL-enabled server.
  • Install it on a server which does not support SSL to communicate with SSL-enabled clients
  • Install it on both the client and the server to encrypt any TCP traffic
If your System Administrator tells you he doesn't want to touch that critical HTTP server to enable HTTPS, let him know he can install stunnel to encrypt any traffic coming to port 443 and forward it to the local HTTP port 80. That way you get an HTTPS server without needing to reconfigure the existing HTTP server.


Use an SSH Tunnel

If using SSL encryption with stunnel is not possible in your environment, you can use an SSH tunnel. Using SSH port redirection (the -L option on Unix), you can redirect any remote port to a local port through an SSH tunnel. For example, ssh login@your-domain.net -L8000:127.0.0.1:80 lets you browse your-domain.net through SSH by using the address http://localhost:8000/.

You can also use an intermediate machine for your SSH encryption. ssh login@intermediate.net -L8000:192.168.1.10:80 would encrypt the traffic between your client and intermediate.net. In this case, the traffic between intermediate.net and 192.168.1.10 would not be encrypted.


Use Tor

Tor is becoming a popular way to encrypt traffic. There is a plugin for Firefox to enable/disable Tor with one click, a proxy to redirect any browser through Tor, etc. Although it is a very young project, this might be the most user-friendly solution, especially on Windows. The downside is that it significantly increases latency, so using Tor might slow down your web browsing.


- Julien

Tuesday, March 17, 2009

Two common misunderstandings about SSL

SSL is an encryption layer used commonly to secure HTTP (HTTPS), IMAP (IMAPS) and POP3 (POP3S). It is a widely used protocol, but it is not very well understood.

SSL is an additional network layer

In the example of HTTPS, SSL is a layer between TCP and HTTP. That means SSL is not aware of the layer above it, HTTP. You can replace the HTTP data with IMAP, or anything else.

A common misunderstanding is that only the HTTP data is encrypted, not the HTTP headers. If you think of SSL as an OSI layer, it is clear that all of the HTTP content must be encrypted. Layers below HTTP do not recognize the difference between HTTP headers and data.

When the HTTPS session is established, the TCP session is created first, then the SSL session, followed by the HTTP session. In other words, the SSL certificate is sent by the server to the client before any HTTP data is exchanged. If a server hosts several SSL certificates for different domain names, it would have to send the correct SSL certificate before receiving the "Host: www.mydomain.com" header from the browser.

Since the server cannot decide which certificate to send based on the HTTP context, it must rely on the data from the layers below, namely TCP and IP. From these two layers, the TCP destination port and the destination IP address are the most useful.

A server with a single IP address can assign different ports to different certificates: certificate 1 (domain-1.net) to the default HTTPS port 443, certificate 2 (domain-2.net) to port 444, etc. In practice, this is not an elegant solution since any non-standard port has to be embedded in the URL: for example https://www.domain-1.net/ vs. https://www.domain-2.net:444/.

The SSL certificate can also be chosen based on the IP address. If a single server hosts 4 domain names, it needs 4 different IP addresses, each associated with a unique certificate. This is the solution commonly used.
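The ordering described above (TCP, then SSL, then HTTP) can be checked with Python's standard ssl module and in-memory BIOs, as an added example that is not part of the original post: a TLS client is driven with no server attached, so the first bytes it would put on the TCP connection can be inspected, and an attempt to send the HTTP request (Host header included) before the SSL session exists is shown to be refused. The domain name in the request is a constructed placeholder.

```python
import ssl

# TLS record-layer content types (RFC 5246). The layer below HTTP only ever
# sees this one byte plus a length; it cannot tell HTTP headers from body.
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}


def parse_record_header(data):
    """Return (content_type_name, (major, minor), length) of the first record."""
    if len(data) < 5:
        raise ValueError("short TLS record")
    ctype = CONTENT_TYPES.get(data[0], "unknown")
    version = (data[1], data[2])
    length = int.from_bytes(data[3:5], "big")
    return ctype, version, length


def first_bytes_after_tcp():
    """Drive a TLS client against memory BIOs (no server, no network) and
    report what would reach the wire first and whether HTTP can be sent
    before the SSL session is established."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # there is no server to verify here
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing)

    try:
        tls.do_handshake()               # emits ClientHello, then must wait
    except ssl.SSLWantReadError:
        pass                             # expected: no ServerHello has arrived
    on_wire = outgoing.read()            # exactly what TCP would carry first
    ctype, _version, length = parse_record_header(on_wire)
    handshake_type = on_wire[5]          # 1 == client_hello (RFC 5246)

    # Try to send the HTTP request, Host header and all, right now.
    http_request = b"GET / HTTP/1.1\r\nHost: www.domain-1.net\r\n\r\n"  # constructed
    try:
        tls.write(http_request)
        http_went_out = True
    except ssl.SSLError:                 # handshake incomplete: write refused
        http_went_out = False
    leaked = outgoing.read()             # anything queued by the refused write

    return {"first_record": ctype, "record_length": length,
            "handshake_type": handshake_type,
            "http_before_handshake": http_went_out,
            "plaintext_host_on_wire": b"Host:" in on_wire + leaked}


if __name__ == "__main__":
    for key, value in first_bytes_after_tcp().items():
        print(f"{key}: {value}")
```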


SSL protects the data, not your web server or web application

SSL encryption does not protect against SQL injection, cross-site scripting, DoS, etc., but it does offer protection against session hijacking, password theft, and the theft of other sensitive user information. SSL protects the data; it does not directly protect the application.

- Julien