Friday, April 1, 2016

Preventing and Mitigating Ransomware

I'm a poor writer - hopefully this will be better than my anti-Lavabit rant.

With the proliferation of Locky and it's variants, I'm sure every single one of us is finding that we're missing a piece of the security puzzle somewhere.  If you're unfamiliar with Locky, it's a form of malware that encrypts vital documents and programs and requests you pay a fee in BitCoin in order to decrypt them.

My networks have been hit twice. Fortunately I run FreeBSD Samba servers, with ZFS snapshots and replication. Desktops are considered disposable. We're also primarily manufacturing, so a rollback on affected areas was a snap.  A GPO (discussed below #3) prevented further outbreaks. Another connected company, considered 'lower risk' due to it's type of employees then had it's own outbreak.  There were MANY failures involved there.  I'll start with triage, and move on to prevention and containment.
This blog post assumes you are already doing the basics: No local admin rights. Some sort of centralized directory authentication and policy deployment. Anti-Virus installs (yes it's still helpful - every little bit helps no matter how insignificant it may seem). Patching of any sort whatsoever.  Regular backups.

One HUGE hole in our defenses - SQL.  Once Locky starts using ODBC and encrypting preconfigured DSNs, we're all going to be in a world of hurt. I've been in many organizations, and even in the larger ones (credit card processing specifically) I highly doubt ANYONE is properly securing tables. You'd think SQLSlammer would have been a wakeup call - IMHO the next Locky will be that call.

Anyways, here is where I started - how Locky was executed, and what we're doing to mitigate the issue of ransomware.  I do not include 'user training'. 
IMHO, When planning a proper defense, one should consider EVERY piece of end-user accessible equipment to be hostile - including your own.  DO NOT, UNDER ANY CIRCUMSTANCES, EXCLUDE YOURSELF FROM ANY RULES.

1.    Email not in junk folder.  CompanyA users had it in Junk.
  • Fixed, applied GPO to CompanyB and CompanyC so Outlook properly filters email marked as Spam.
    • This is due to our use of ASSP on the front-end of mail for Spam tagging, and the funky requirements for Outlook/Exchange to filter email based on a simple header.
2.    Word Macros executed.
  •  Fixed – Assuming Macros were enabled.  Microsoft disables by default.  Policy forces disabling of Macros.  Does not prevent user from enabling macros on a per-document basis.
3.    Macro wrote bat file, executed VBScript (1)
  • Fixed %temp% and %appdata% execution allowed in CompanyB and CompanyC.  Policy applied to CompanyC to prevent, but not CompanyB yet as it interferes with installers.
4.    Bat file executed VBScript.  cscript allowed to run (VBA commandline)  (2)
  • No Action. Not sufficiently tested.  Disabled cscript/wscript site-wide in past lives.
5.    AV disabled by script.
  • Fixed.  No user can disable AV on their desktop, was enabled for CompanyB.
6.    Download malicious file allowed - ran from %temp%
  • Possibly Fixed.  Added 3rd party DNS category blocking service.
  • Investigating transparent proxy w/AV. This will communicate with web sites on behalf of client PCs, AND scan downloaded files with a different AV.
    • Proxies can be an issue if they’re not transparent, because – in a properly built environment - the application must support both the proxy and AD authentication.
  • Fixed (see 3a)
7.    No backup for desktops.
  • Compensating Control – Reminded users that local systems are not backed up and are vulnerable to many issues that can destroy local data.
    • This can be anything from a HD failure to a virus to TSA confiscating equipment.
That was my initial investigation.  Since then, I've added to the list:

8.    Locky SMB browses all systems, and encrypts accessible data on all shares:
  • Testing disabling browsing services - (Mapper IO Driver & Responder Driver).  This prevents Windows from seeing any other systems on the network.
    • We map Network Locations to users based on AD Groups upon login. Drive letters are still used primarily, but can be UNC paths as well.
  • Some shares have 'Everyone' allows in subdirs.  WTF?!?!  At least one Historical install has this.  Audit needed.
 9.  What can Locky do in the future?
  • Can't browse PCs?  Ping local subnet.
    • Segregate client & server networks to prevent subnet fingerprinting.
    • Remove List rights from AD OUs that contain computer objects
  •  SQL.  ODBC DSNs defined in local PCs?  
    • Remove where possible.
    • Rewrite reports to use DSN-less connections where possible
    • Avoid popular SQL Servers (MSSQL).
Locky is a scary piece of malware. It can, and has, taken down companies large and small. We need to be vigilant and do our best to protect from what we know, and expect the unexpected.

Any suggestions? 

Wednesday, November 4, 2015

Teenage script kiddies "Armada Collective" exposes the problems with Privacy, Security, and openness.

So at VFEmail we've received this nice bit of extortion from some script kiddies:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
 autolearn=disabled version=3.3.2
Received: (qmail 28848 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: (qmail 28846 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: (qmail 28844 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: by simscan 1.4.0 ppid: 28791, pid: 28819, t: 1.0843s
         scanners: clamav: 0.95.2/m:51/d:9604
Received: from unknown (HELO (bmE=@
  by with SMTP; 4 Nov 2015 01:02:27 -0000
Received: from ([]
 by with SMTPS(TLSv1_2 DHE-RSA-AES256-GCM-SHA384) (2.4.1); 3 Nov 2015 19:02:25 -0600
dkim-signature: v=1; a=rsa-sha256;; s=mail;
 c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
Received: from (BITMESSAGE [])
 by with ESMTPA
 ; Wed, 4 Nov 2015 02:02:19 +0100
X-Squirrel-FromHash: cV1fVAcLRU8=
Message-ID: <7ca346ad05d1c5851004beb98d913125 .squirrel="""">
Date: Tue, 3 Nov 2015 17:02:19 -0800
Subject: Ransom request: DDOS ATTACK!
From: "Armada Collective" 
User-Agent: SquirrelMail/1.4.22
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Assp-ID: m1-98947-08027
X-Assp-Session: 8C5D5AD8 (mail 1)
X-Assp-Version: 2.4.1(14200) on
X-Assp-Client-TLS: yes
X-Assp-Message-Score: -10 (SSL-TLS-connection-OK)
X-Assp-IP-Score: -10 (SSL-TLS-connection-OK)
X-Assp-Delay: not delayed (auto accepted); 3 Nov 2015 19:02:27 -0600
X-Original-Authentication-Results:; dkim=pass spf=pass
X-Assp-Message-Score: -10 (SPF pass)
X-Assp-IP-Score: -10 (SPF pass)
X-Assp-Message-Score: 10 (Foreign Country CH (GREEN.CH AG))
X-Assp-Message-Score: 20 (Regex:BombRe 'PB 20: for cheap'  bombRe: 'cheap')
X-Assp-IP-Score: 20 (Regex:BombRe 'PB 20: for cheap'  bombRe: 'cheap')
X-Assp-Spam-Level: ***
X-Assp-DKIM: verified-OK

We are Armada Collective.

All your servers will be DDoS-ed starting Friday if you don't pay 5
Bitcoins @ 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz within 24 hours

When we say all, we mean all - users will not be able to access their
email at all.

Right now we will start 15 minutes attack on one of your IPs
( It will not be hard, we will not crash it at the moment
to try to minimize eventual damage, which we want to avoid at this moment.
It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Friday , attack will start, price to stop will
increase to 410 BTC and will go up 5 BTC for every day of attack.
In addition, we will go publicly on social networks and recommend your
users to switch to more secure providers like Tutanota and ProtonMail.

If you report this to media and try to get some free publicity by using
our name, instead of paying, attack will start permanently and will last
for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So,
no cheap protection will help.

Prevent it all with just 5 BTC @ 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL

Bitcoin is anonymous, nobody will ever know you cooperated.

So if you can't reach VFEmail - this is why.  Who are this little daisies?  It makes you wonder.  They tried to extort banks in Taiwan last month.  

Are they out for themselves, or working for Tutanota (who?) or Protonmail (I can't connect, maybe they're being DOSd)?   Why would they think we'd believe that they're honest enough to only perform illegal acts once or twice?  These can't be adults - maybe Nigeran scammers?  Though Tor and Bitmessage are a bit more advanced than the Nigerian scammers I've had to shut off.

Unfortunately this is the cost of privacy and security.  This is why the EU wants to ban 'strong encryption'.  Is your Gmail Calendar still down?  Who's running the botnet that is hampering your workday?
How do we infiltrate, and where do we begin?

Are you prepared to accept these costs?  The costs of downtime?  The costs of being 'disconnected'?
Personally,  I don't mind - I can live without this stuff for days.  But I've accepted responsibility for ensuring my users can get their mail - and frankly this is just out of my hands.

Much like main street, the Internet Tubes are filled with small businesses.  We can make laws in one country to help secure end-user systems (which are the likely source), but that doesn't cover other countries.  Non-first world countries where they are lucky to be online.

Who can see this bandwidth? Who can stop this?  I once had an argument with a nice German fellow - they have very strict privacy laws - about what the ISP can block.  You can't block anything in the EU.  In the US we're fighting for open access, and for good reason - but we still have to be responsible netizens. I think the ISP should have the flexibility to block potentially harmful traffic - whether it be email spam, fraud, or denial of service attacks.

This is the threat to the internet as we know it.  These DDOS extortionists.  Not only do they threaten the existence of your favorite online service, they threaten the Internet as a whole.  End users will want access.  Business will want reparations.  How can these guys be caught? Weak Encryption laws like those recently suggested in the EU.  Bandwidth throttling.  ISP service proxying and filtering.  We REALLY don't want these, but unless the black and grey hats put a stop to the worst offenders, we'll all suffer.

Any thoughts?  I'd love to hear them.  What's really bad is that they're not just affecting VFEmail and our silly little 10Mb line - I'm a local guy who supports a local ISP, not some global conglomerate buying from a Tier 1 provider with thousands of peers.  So when they attack, they're affecting a LOT of customers. Here's to hoping the Milwaukee FBI is a customer.

Friday, March 20, 2015

Why I think most 'email metadata privacy' issues are Sales FUD.

I run an email service. In fact I've run since 2001 - that's before Gmail. There's been a lot of talk about privacy and re-writing SMTP to provide more encryption and 'mask' metadata.  Long articles about email headers and how correlation of To/From/Subject can lead to a 'highly accurate guess' without any actual content.  This is definitely a concern, especially because correlation only provides a guess. Let's take a look at what's really happening, from the ESP (Email Service Provider) side to the LEO (Law Enforcement Organization) side to better understand the problem.

So let's start with an email's structure. Email's are designed to be like letters. There is an envelope, and content. Take a closer look at this LaTeX Template for the content part:

As you can see - it has what's referred to as 'metadata'. There is 
To: "Prof. Jones".
From: "John Smith"
and various other address info.

Remember though - this is a letter.  It's enclosed inside an envelope.  This is the content of an email that you would see. The only way to retrieve the content or the metadata contained in this email, is to open the email itself.

The envelope, on the other hand, has similar data. It has a 'To', a 'From', and a 'Date' in the form of a Postmark. This is also metadata.

So what is the difference?  It's all the same you say?

IMHO, LEGALLY, there is a world of difference.
In addition, you can leave out the From address on the envelope - so keep that in mind. Also keep in mind - LEO are building a case.
An ESP isn't required by law to provide Inbox content because the target looked at a cop funny. To get that, an investigator must investigate. There must be evidence first, and a judge must sign off on that warrant. That's the point of checks and balances in our system (Of course, in regards to NSA vacuuming up data - we're no longer talking about legal activity).

Here's the confusion - As an email provider, I receive legal requests for metadata. That metadata is gathered from the SMTP logs - not the email contents. Those logs, in my opinion, likely also exist at the Post Office. I find it highly unlikely that all the automation in the USPS (including automated scanning of hand-written envelopes), doesn't get logged somewhere. In any case, if the investigator wanted INBOX CONTENT, they MUST request INBOX content.  Therefore, if the warrant does not include mailbox contents, I can only provide log data.

This is a VFEmail log:
2015-03-24 07:58:43.155818500 CHKUSER accepted rcpt: from [win-lotto] remote [] rcpt [] : found existing recipient

That log data comes from two places - the knowledge of the connection (Remote IP address, local time) and two commands - MAIL FROM and RCPT TO.  Those are pretty obvious.  Technically there is also HELO, which is a text identifier of the remote server.

As you can see - the recipient is there, me, and the sender is Obviously Spam.  That's the envelope data.

Another point of confusion - Unlike USPS mail, Emails are processed in their entirety as they're passed through the system. That is, all the 'header' info (on the left, everything above 'deekayen,') is visible to the SMTP server during transmission. This is true everywhere, no matter what Lavabit claims.

What does that mean? It means that we can help stop Spam by checking the IPs of all the previous servers in the header to look for points of abuse. It means we can find delivery delays by checking the timestamps of each server in the header.  It does also mean that sometimes the Subject may be added to a log file - or any of the other header info. BUT, doing so is ENTIRELY up to the ESP.
Technically, during this processing, an ESP could easily write out an entire copy of this email for nefarious or legal purposes. This is also true everywhere, no matter what Lavabit claims - but in this post we're concentrating on the Metadata scare.

Any provider, unless requested to examine full email contents, should only be providing the ENVELOPE data. That's it.

"I just read half this post, I don't want my emails correlated and a profile built of me, and you haven't told me anything yet!", you say. Not true, we've whittled down perception to reality. Unless the government is requesting a wiretap, they'll simply get MAIL FROM, RCPT TO, and REMOTE IP (at least from an ESP who is privacy conscious).

So let's look at the envelope again. Just like USPS mail, the MAIL FROM can be forged. But, if you forge the From on an envelope - returned mail won't be able to reach you.  At least not directly..

VFEmail provides what we call the 'Metadata Mitigator'.  It re-writes the MAIL FROM so both the local logs and the recipient servers logs show a unique MAIL FROM address. This address is parsed at VFEmail (if the email is returned), so a bounce doesn't get lost. Most importantly though, the log data on the recipients server only shows that an email was delivered to 'Prof  Jones' from 'Random account at VFEmail'.  This method has existed for decades and is known as VERP.  Though historically it's been used for managing mailing list member bounces, not for privacy.

Wait - what?  Yes, simply mask the MAIL FROM - and there will be nothing to correlate.  The recipient's log metadata, even if they only receive email from YOU - will simply show a single email from 'anyone and everyone' - no duplicates.  The recipient would need to be specifically monitored via a wiretap order to see that you had sent them more than one email.

So why would we want to re-write the entire Email ecosystem?
We don't. It's a pointless exercise. It would remove many features we take for granted (Spam blocking, forwarding, queuing), and make things more difficult for users (No debugging info available ANYWHERE).

"But a rewrite fixes other issues too!" - so do the hundreds of alternate ways to handle email in it's current form:  
- By using PGP (see above full email example), the 'user viewable' content of an email, everything under 'Date', is encrypted at rest and in transit.
- Using TLS will encrypt everything including the MAIL FROM and RCPT TO during transit - to prevent snooping, assuming you're not rewriting your MAIL FROM. Sure, the headers are available at rest, while the email is sitting in your INBOX. But no respectable mail system uses headers for log data. And again, in order to read those headers, the ESP should have a subpoena for full mailbox content.
- Worried about the ESP reading the mail headers in your INBOX? POP and delete your mail.
- Don't trust that a provider follows their policies? They claim they can't read your INBOX, but copy it's contents to the FBI anyways? Run your own server - with SMTP being an open standard, you can choose from any number of packages and personally remove the last link in the metadata debate.

Done. You've just created 'DarkMail'.

Sunday, March 15, 2015

Why I will no longer use Chase bank

Once upon a time I had awesome credit - not anymore. Mostly due to Chase.
Sometime in 2006 Chase sent me a credit card offer - $20,000 credit, 0% until paid off. I should have saved the document. There was no '0% for 24 months' or 18 months or whatever. It was just straight up '0% until paid off'. I even called them to confirm. I should have recorded the call. I already had 3 other credit cards with them - totaling at least $15,000.
Looking back, I believe they intended it to be used for debt consolidation - I bought a motorcycle on it. A 'cash' purchase made negotiation easy, and with it being a credit card, if something were to occur I wouldn't need to meet potentially high monthly payments. I paid off about $10,000 before Chase revoked their offer and started charging me 12% interest.
That was problem #1 - and while it's MOST DEFINITELY their fault for straight up lying about their offer, I should have kept the offer and recorded the verification call.
Problem #2 came when they called me about fraud on a credit card. At this point I was no longer using Chase credit cards, and what I did have was kept in my safe. There was about $50 in iTunes charges. I asked the rep for all the info she could give me in regards to the charges (basically nothing, just 'iTunes' and the dates, no IP Address) - but I scoured my devices and accounts for an indication that possibly I left a credit card active on an account and one of my kid's used it. Nothing. I found no receipts, no purchases, no additional software or music anywhere.
This rep practically accused me of committing fraud. She didn't believe I didn't spend $50 on iTunes. I don't buy music online. I don't buy anything through iTunes because of previous DRM issues. Fortunately it didn't matter - Visa regulations say the customer is always right if there is no receipt.
That's when Chase exacted their revenge. They took all 4 of my Credit Card accounts and 'reviewed' them. They decided my $20,000 credit limit was a 'threat' to them, and dropped it down to $6000. They made similar claims and changes on each of my credit cards. They knocked at least $30,000 from my available credit.
Not a big deal, as I don't use it - right? Wrong. Your debt/credit ratio has a huge impact on your credit rating. These changes knocked 25points of my credit rating. They got their revenge.
In addition - this 'review' is now a yearly occurrence. Every year, as I pay off credit cards that I used to be 'responsbile for myself' (rather than file for bankruptcy) they drop my available credit to just above the current balance.  Lesson learned.

Don't use Chase bank. Go with a local bank/lender that doesn't have a record of lying and crashing the economy.

Wednesday, February 11, 2015

How Wyndham double dips and fucks over their 'owners'

So I'm a 'vacation owner'.  Yeah, I was stupid and bought this almost 15 years ago.  I fell for the lines and the empty promises.

They tell you things like "It's a real-estate investment", and "You get priority booking at your 'home base'".  It's all bullshit.  After dropping something like $6k on it, I now spend $30/month on Maintenance.  I get 120k points to 'spend' every other year.  So those cost me $720.
Common complaints:
  • That the timeshare interest purchased would appreciate and increase resale price and value over time.
  • That the timeshare interest purchased could be freely exchanged, transferred and sold.
  • That the timeshare interest purchased was a financial investment.
  • That the timeshare interest purchased would result in the purchaser receiving booking priority over non – purchasing vacationers wishing to stay at one or more of the properties owned and/or maintained by the defendant. 

What can I get for $720 every two years?  Well, I knowingly bought a single room for 5 days.  But it's a nice place, and I supposedly have priority booking.  In addition, those points can be used anywhere.

Using them is the problem. I tried to book my wife a weekend, and what did I find?
No Vacancy.  (Now this is after bitching to them after 2 weeks of their website not reporting inventory correctly).

So I started looking at Expeda for alternatives and come across the Wyndham Grand Desert, and what do I see?  Availability.
Not only that, but it's cheaper than WHAT I'VE ALREADY PAID.  Fuckers.
So I call Wyndham.  I knew I should have hit record on my phone.  The lady actually told me that it was a 3RD PARTY that was reselling their inventory.  Like I don't know what Sabre is.  Worse, after asking to speak with a manager, she put me on foreverhold.
Now, they'll argue they don't use Sabre, that's fine - you can find the Grand Desert GDS codes here:
You'll note their 'WorldSpan' GDS number - Expedia will get their inventory via WorldSpan:

Just for fun, I decided to also check out  Yep - Inventory:

Still cheaper than what I paid, and I chose the 'free to cancel' option. use Sabre.

This is the norm.  I haven't used this timeshare in years because of awful availability and shitty customer service.

Friday, May 23, 2014

Experts Exchange - worst 'web' site in the world.

Ugh.  I signed up for Experts Exchange to ask a single question, then didn't cancel like I should have.  They require a PHONE CALL to cancel a web membership. Now they've gotten a good 6 months of dues out of me.

So I finally did it.  I called.  The following hilarity ensued :

MAY 22, 2014  |  10:34AM PDT
Charles Nickerson replied:

Hello Mr. Romero,
Thank you for your voice mail message. I apologize you were not able to reach a representative.
All cancellation requests must be handled by phone, or live chat and processed by a live agent, I attempted to return your phone call message to make it as easy as possible, but was unable to get through and did not want to disrupt you at work, so I will make an exception in your case and help you cancel via email.
In order for me to process your cancellation, I will need some details regarding your experience. Can you tell me:
  • What led you to want to terminate your membership with Experts Exchange?
  • Was there anything about our service that didn’t meet or exceed your expectations?
  • Do you have any suggestions for what resources we could add to make Experts Exchange more valuable?
In addition, I’d like to tell you about some of our newest resources for networking with other IT professionals, and learning new skills on top of the great options we already provide for solving every day problems. I can also work with you on the price of your membership by adjusting your subscription plan to $9.95 or discounting your membership for 6 months to $5.95 if this would interest you to keep the resource available to you and keep Experts Exchange on retainer for your IT solution, Learning and Professional Networking needs.
Please email me back at your earliest convenience so that I may assist you further.
Charles Nickerson
Customer Retention Specialist | Experts Exchange
p: (805) 787-0603 ext. 401 | f: (805) 593-0275

This message was sent to in reference to Case #: 195189.

So even though I called and cancelled, I can't cancel until I answer THEIR questions. Rather bemusing for a Q/A site.

MAY 22, 2014  |  10:57AM PDT
Rick replied:
I asked a single question, and forgot to cancel - likely, the awful
requirement of calling customer service to be hassled to buy more products
is why I didn't call in the first place.

So now you can cancel, or I can submit a chargeback.


Now - I've clearly complained about the cancellation process, and the fact they've attempted to sell me, IMHO, 'additional product'.  It's additional because I'm cancelling, I don't want to continue.
I've also clearly told him to cancel the account.

MAY 22, 2014  |  11:30AM PDT
Charles Nickerson replied:
Hello Mr. Romero,
Thank you for your email,
I again apologize for the cancellation policy, it is not intended to sell you a product or more products or to even frustrate you. We maintain a community of IT users, professionals and experts. We only wish an opportunity to get any feedback regarding using the service, providing assistance to get better solutions, or offering you a discount to get more value from your membership and to ease the cost while you get more familiar with the site- we sell a membership to implementing better technology solutions, learning new technologies, and building professional networks to advance your career.
If this does not interest you at all I am happy to cancel your account and confirm the cancellation through email like I offered.If you are interested in trying the membership a little longer I can offer you discounted renewals for the next 6 months at $5.95 to make the membership more affordable and give you more value.
Please respond to this email with your answer and I will honor your request. Or, you can call me at P#877-211-8911 ext#231 ( my personal extension) and I can offer some assistance in getting better results from your questions with the “request attention” system- used when your question goes unanswered, or unresolved, for more than 24 hours, amd many other features the membership already offers you that you might not be aware of.
Thank you for your membership, we do appreciate it very much.
Charles Nickerson
Customer Retention Specialist | Experts Exchange
p: (805) 787-0603 ext. 401 | f: (805) 593-0275

So he ignored my 2nd cancel request, and continued to try and sell more products.

MAY 22, 2014  |  11:44AM PDT
Rick replied:

Maybe that'll do it.

MAY 22, 2014  |  01:22PM PDT
Charles Nickerson replied:
Hello Mr. Romero,
Thank you for taking the time to contact us with your cancellation request.
Your Experts Exchange subscription has been cancelled as you requested to prevent future billing. A cancellation confirmation email has been sent to your email address Your cancellation confirmation number is 787758. You will continue to have access to your account until the paid time runs out on 06/09/2014.
Thank you for your membership with Experts Exchange and have a great day!
Charles Nickerson
Customer Retention Specialist | Experts Exchange
p: (805) 787-0603 ext. 401 | f: (805) 593-0275
Avoid signing up at this place like the plague.

Monday, March 3, 2014

SSL certificates for Tor Hidden Services

I know I'm going to get hit from the security community for this, but there's no good reason for a CA to not sign certificates for Tor sites.

Why?  The premise of signing a certificate is that the browser manufacturer has verified CAs (Certificate Authorities) as 'noble'.  By doing so, they include these CA's so users can establish secure connections with websites who are 'known' to be the correct owners. This is, ultimately, nothing more than a UI enhancement - keeping ignorant end users from seeing a scary warning page.

Unfortunately this trust breaks down very quickly.  Many SSL certs are issued via email to an address on the domain's whois record, and then signed for up to FOUR years.  It's a one-time spot check, which has and will fail, and does not ensure the validity of the site beyond that point in time.  In addition, the CAs have gone all out marketing the implied security of SSL certificates as ensuring the website is secure.

That's as far from the truth as you can get. SSL only encrypts the CONNECTION. Signing the certificate just says someone made an effort to ensure the person who requested the certificate is truly affiliated with that domain/host.  Using an unsigned certificate still encrypts the connection, but browsers will throw an error because the 'CA' (you) that signed it has not been verified as trustworthy.
When you are looking for a 'green bar' in your web browser, all it means is some big company dished out a ton of money to be personally contacted by the CA to ensure they (at that moment) own the domain/host the certificate is being signed for.  That's it.

So how does this apply to Tor?  How do you verify a site owner for a TLD that doesn't have any registration whatsoever? 
Tor hidden service names use PKI to ensure the clients are talking to the correct endpoint.  This is EXACTLY what CAs sign certificates for. The only difference is that Tor does it for EVERY CONNECTION, while a CA does it once every FOUR YEARS.
An enterprising CA would just need to modify their verification system to connect to a specific page on a .onion hidden service, verify a pre-shared key, and you'd be set.  There's no purpose to EV certificates.  There's no need for 'wildcard' certificates. What's needed is a realization and end to the false advertising that CA signed certificates 'secure' websites - rather than scaring end-users into thinking a site is not secure merely because some CA didn't sign that site's certificate.

Users don't change their ways, I think we should send the following to CAs:
I want to put an SSL cert on a Tor .onion site. Apparently this goes against your method of verifying 'domain ownership' by using whois data. I disagree with your methods - they're flawed and inconsistent. SSL signing is to verify the owner of the HOST (hence your wildcard certs costing more) and not the domain name - yet it's the domain contact that is used to verify a hostname 'owner'.

Tor hostnames, TLDs for a better name, appear random but are based on PKI.  In fact, the destination host (hidden service) name is verified using PKI for EVERY CONNECTION - as opposed to a CA who sends an email once every FOUR YEARS or so.

So I'm asking for a change.  An option.  I'd like my Tor users (who are more advanced, but may still be ignorant of SSL) to not get that pesky "This site is not secure" warning - when it reality it's more secure than a signed SSL cert.  Why do I use SSL if Tor is more secure?  The hidden service is an endpoint within my network, and doesn't REQUIRE SSL, but I would still like to use it. It's convenience.
Your process would simply allow the CSR submitter to also submit a domain name matching URL, where they would post your PSK - instead of emailing the PSK to them as part of a link to click on. At that point, the rest of your process is the same.

Why would you want to do this?  As we move to a more privacy-based infrastructure, I don't believe you will want to get cut-out as Tor (and other alternate 'Internet' services) are integrated into browsers and the CAs relevance begin to diminish - each participant is cryptographically doing your job - https is technically not necessary. The best solution for you to stay viable and grow your business is to participate and make it pointless to ignore your services.