pskl.us

Tag: firefox

Protect Your Passwords on “Semi-Secure” Websites

by on Aug.19, 2009, under Tutorials, Whining

Even our great-grandmothers know they shouldn’t log into their bank account while on open wifi, right? But what about your Google/gmail account, Facebook, Twitter, etc? The login credentials for these sites are becoming more and more valuable as they connect to more and more of our lives. Most offer some form of secure login, but they don’t make it terribly obvious.

For instance, you can go directly to https://www.twitter.com/ and you’ll get a completely HTTPS login page, including a HTTPS submit button for sending your credentials. The same goes for Facebook…however, nobody knows to use the https urls. Rather than redirecting http traffic to the https front end (and making everybody warm and fuzzy), most of these sites have simply used a https submit button so that your credentials are submitted securely. Some banks even do this, and it is infuriating. I’ve even seen FAQ links right next to the https submit buttons explaining that the site is secure even though you don’t see https at the top of the screen. You’d think it would save them a lot of customer support time and trouble by simply encrypting the entire page…but I digress.

There is an obvious problem with https submit buttons: it is far from obvious that the operation is secure. Browser developers have put a great deal of effort into making it clear when you are or are not on a properly-certified https site…change the color of the address bar, etc. So you’d think that maybe this lack of apparent security would be something the “bad people” would take advantage of? You would be correct. Sam Bowne (of samsclass.info … NOT one of the “bad people”) demonstrated a typical man-in-the-middle attack of this variety using SSLStrip (created by the great Moxie Marlinspike of thoughtcrime.org). Simply put, the targeted user is unknowingly accessing Facebook through the attacker’s proxy. The proxy replaces the HTTPS submit with a standard HTTP and then captures the submitted data when the user attempts to log in. The entire transaction is completely transparent to the targeted user.

Sam Bowne also demonstrated his own spin on SSLStrip: The Wall of Stripped Sheep. The WoSS is a nifty play on the famous Defcon “Wall of Sheep”, which displays the usernames and partial passwords of people who are using the Defcon network to log in to non-secure email systems, Twitter, etc. In the case of the WoSS, it is a nifty little web interface that will display captured usernames and passwords (using SSLStrip) for 4 popular sites.

While it is possible to spoof SSL certs and truly pull off a sinister man-in-the-middle attack for https sites (see Moxie’s incredible Defcon talk from this year), it is much more difficult to pull off and considerably more rare in the wild. Attacks like SSLStrip are much easier for the average scumbag to use to gain access to your email account, which, as we all know, is the doorway to every other site/service you use. Even if some baddie doesn’t use this as a jumping off point for full-on identity theft, do you want somebody farting around in your Facebook account?

So what do you do? When possible, go directly to the https version of the site rather than the default http. When that isn’t possible, and you absolutely MUST sign into some site, try a nifty little (experimental) Firefox plugin called “Safe” from the Mozilla addons site.

[Screenshot: safe04]

As the description says, Safe makes SSL and extended SSL more visible to the user. The most obvious thing that Safe does is to add a green or blue border to https sites, depending upon whether they have an Extended Validation (EV) cert (which makes the border green) or a normal cert (which makes the border blue). I didn’t feel like looking around for an expired cert site, but I believe it gives you a red border if that is the case. See the following examples:

[Screenshot: safe06] Normal SSL cert

[Screenshot: safe05] EV cert

The next thing Safe does for you is to make you aware of https submit buttons. Brilliant. Down at the bottom of your browser, it adds a little key icon which looks like this:

[Screenshot: safe09]

However, when you hover your mouse over a button that submits via https, it looks like this:

[Screenshot: safe08]

as demonstrated here:

[Screenshot: safe07]

This functionality should really be built into Firefox. Until it is, I recommend installing this addon and keeping an eye on the little key. I probably don’t have to explain this, but just in case, here is the gist:

If you don’t see that key light up when you are about to submit credentials for some website, it is much easier for somebody to intercept them.

If you are reading this blog, I gotta figure you know how common this threat is, but I figured I’d say it anyway.

If you would like to protect yourself even more, check out this nifty tool from Irongeek (brought to my attention by Sam Bowne). It is called DecaffeinatID and, among other things, it gives you an alert if the MAC address associated with a gateway IP changes (this is a clue that somebody is doing some ARP spoofing and probably lining you up for a man-in-the-middle attack).
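The gateway-MAC check DecaffeinatID performs, written out as an added Python example (not DecaffeinatID’s own code): each poll parses an “arp -a” style snapshot, learns the gateway’s MAC on first sight, and returns an alert when a later snapshot shows a different MAC for the same gateway IP. The two snapshots are constructed and the addresses in them are made up.

```python
import re

# One ARP-table line: an IPv4 address followed by a MAC written as 00-11-... or 00:11:...
# (covers the Windows "arp -a" layout DecaffeinatID watches, and Unix-style tables).
_ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def parse_arp_table(text):
    """Map IP -> MAC (normalised to lower-case, colon-separated) from arp -a style text."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


class GatewayWatcher:
    """Learns the gateway's MAC on first sight and alerts when a later snapshot differs."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.known_mac = None

    def check(self, arp_text):
        """Return an alert string if the gateway MAC changed since the last snapshot, else None."""
        mac = parse_arp_table(arp_text).get(self.gateway_ip)
        if mac is None:
            return None                    # gateway not in the cache yet: nothing to compare
        if self.known_mac is None:
            self.known_mac = mac           # first sighting becomes the baseline
            return None
        if mac != self.known_mac:
            alert = f"gateway {self.gateway_ip} MAC changed {self.known_mac} -> {mac}"
            self.known_mac = mac           # re-baseline so a change back is reported too
            return alert
        return None


# Constructed snapshots in Windows "arp -a" layout; all addresses are made up.
SNAPSHOT_BEFORE = """Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("00-11-22-33-44-55", "de-ad-be-ef-00-01")
```

A legitimate gateway swap (new router, failover) also trips this, so treat the alert as a prompt to verify, not proof of an attack.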

Good luck protecting yourself…


Digitally Sign and Encrypt Email in Thunderbird

by on Jul.06, 2009, under Tutorials

Ever wanted to send signed and/or encrypted email from Thunderbird?  Here are the steps required to configure your Thunderbird client to use the personal certificates available from Comodo:

1)  Fill out Comodo’s form here:

http://www.comodo.com/products/certificate_services/email_certificate.html

2)  In a few minutes, you’ll receive an email containing a link to your digital certificate.  Follow the link in Firefox.

3)  Firefox will automatically import your certificate… into Firefox. We need to get it into Thunderbird, so:

4)  In Firefox, go to Tools -> Options -> Advanced -> Encryption -> View Certificates.  Locate your cert in the list, select it and choose Backup.  Save the file to a safe place.  When prompted, select a strong passphrase.  Remember, if someone obtains your certificate and password, they can sign emails as coming from you.

5)  Go to Thunderbird, and select Tools -> Account Settings -> Security -> View Certificates -> Import.  Select the .p12 file you exported from Firefox.  When prompted, enter a passphrase to protect the key within Thunderbird.  You’ll also be asked for the passphrase you assigned to the key during the export.  You should not use the same passphrase for these steps!

6)  Back in the Security window, click “Select…” in the Digital Signing dialog area.  Thunderbird will automatically select the certificate that matches the current account’s email address.

7)  Enable automatic message signing, if desired, by clicking  the “Digitally sign messages (by default)” checkbox.

8)  Go send some digitally signed messages!   If you want to send encrypted messages, you’ll need to import the recipient’s public key, or use PKI — stay tuned for a future how-to.


NoScript + Xmarks = Awesome whitelist sync

by on Jun.03, 2009, under Tutorials

UPDATE: The “backup to bookmark” seems to have been removed from noscript settings. However, you can now backup your whitelist and other settings using Firefox Sync. Just remember to go to about:config in firefox and find “noscript.sync.enabled” and set it to “true” (default is false).
I hope they bring back the bookmark setting… or just add some direct sync integration with xmarks.

If you aren’t already using NoScript with Firefox, you probably should be. If you don’t know what NoScript is, go here, install it, then come back and read the rest of this. If you already have it, make sure you have the most recent version installed.

For those of us who have multiple computers or are constantly reinstalling OSes and browsers, the big problem with NoScript is that you have to either export/import your NoScript config/whitelist/blacklist, or you need to build them from scratch with each new install. Yesterday I found the answer to this problem. I’m sure I’m not the only one who has found this feature, but I haven’t yet found any good how-to for implementing it… so here you go.

On your primary system, go to Tools >> Add-ons in Firefox. Find your NoScript extension:

[Screenshot: noscript-1]

Click on “Options” and then the “General” tab:

[Screenshot: noscript-2]

Check the box next to “Backup NoScript configuration in a bookmark”:

[Screenshot: noscript-3]

Once you hit OK, it will create a Firefox bookmark called [NoScript].

This bookmark contains your entire configuration for NoScript, including your whitelist and blacklist, and will be updated any time your config changes. Now all you have to do is sync your bookmarks using Xmarks (formerly FoxMarks) or Weave. I prefer Xmarks, but Weave certainly has some nice features… In any case, I’ll assume you are running Xmarks. If you aren’t, check it out here, install it, create an account, etc etc etc.

Once you have synced up once, move on to one of your other systems. Install NoScript and Xmarks if you haven’t already (and make sure you have the most recent version), and make sure you run a sync FIRST…THEN go to the NoScript options and enable the “Backup NoScript config” checkbox. When you hit OK, you’ll get a popup like this:

[Screenshot: noscript-5]

Hit OK and it will overwrite this computer’s NoScript config with the config from your primary computer. Moving forward, they’ll be synced up every time Xmarks syncs.

One thing you’ll want to try to avoid is altering the config on two computers at the same time. By “alter the config” I mean “add to the whitelist” or any other change to NoScript. If you do, the next Xmarks sync will upload the first computer’s config and the second computer will ask you if you want to use the local bookmark or the server version.

[Screenshot: noscript-6]

I’d choose the server version and just try not to do that again in the future.

If you work like I do, I think you’ll find this very useful. Just remember that Xmarks stores all this bookmark data on their servers…so you can decide whether or not that is something you can live with. One of the benefits of Weave is that you can set up your own Weave server (via WebDAV), so maybe that will appeal to the more security-conscious among us.

– Jeremy

