Packet Sniffing and Protection
Sunday, August 10th, 2008

I started working again on another website which I may talk more about later, and while doing this, I noticed that I’m a lot more paranoid about security vulnerabilities than I used to be. I used to care more about functionality and usability than security, but after watching cs155 lectures and reading a lot of security papers last semester, I find it a lot more interesting to think about attacks and build my site to defend against these attacks.
I don’t want to write a lot about why I’m interested in security, but I probably should and think I will later on. I wanted to present a vulnerability that I heard about yesterday and, after thinking about it, I’m pretty sure that most rookie web developers (like myself) aren’t aware of the dangers here.
So I think a lot of people are familiar with packet sniffing. A packet sniffer is a tool that captures network traffic and tries to make sense of it. With wireless networks this doesn’t even require special hardware or any modification to the router’s firmware: my laptop can capture the frames of every other device on the same wireless network using a tool like Wireshark. On an open hotspot those frames are readable as they are; on a WPA-protected network the sniffer also needs the network password, which is shared with every other guest anyway.
And this is what I can do as a packet sniffer: I can intercept packets on my wireless network, read them, and look through them for valuable information like email addresses, credit card numbers, passwords, etc. So let’s say that you are logging into some insecure site: you provide your email address and password, and you notice that you’re logged in. I, the malicious packet sniffer, intercept the packet containing your HTTP request, and now I have your email address and your password, in plain text, exactly as you typed them. Once I know these, I can try using them (or some permutations of them) to log into your email account, your Facebook account, or even your online banking service. Yeah, kinda scary…
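To make concrete what the sniffer actually gets, here is an added example (not code from the original post) that parses a captured clear-text HTTP request the way a sniffer’s “follow stream” view presents it and pulls out the credentials. The hostnames, the two captured requests and the account `alice`/`hunter2` are all constructed for the demo; the parsing uses Go’s standard net/http package, which handles a form-encoded login POST, an HTTP Basic `Authorization` header and cookies alike.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Harvest is what a sniffer can pull out of one clear-text HTTP request.
type Harvest struct {
	Host, Method, Path   string
	Form                 map[string]string // decoded form fields (body and query string)
	BasicUser, BasicPass string            // from an Authorization: Basic header, if any
	Cookies              []string          // cookie names: a stolen session cookie is as good as a password
}

// HarvestCredentials parses one captured HTTP request exactly as a sniffer's
// "follow stream" view shows it. No cryptography is involved because none
// was used: plain HTTP puts the credentials on the wire as-is.
func HarvestCredentials(capture []byte) (Harvest, error) {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(capture)))
	if err != nil {
		return Harvest{}, err
	}
	// ParseForm decodes application/x-www-form-urlencoded bodies and the query string.
	if err := req.ParseForm(); err != nil {
		return Harvest{}, err
	}
	h := Harvest{Host: req.Host, Method: req.Method, Path: req.URL.Path, Form: map[string]string{}}
	for k, v := range req.Form {
		h.Form[k] = strings.Join(v, ",")
	}
	if user, pass, ok := req.BasicAuth(); ok {
		h.BasicUser, h.BasicPass = user, pass
	}
	for _, c := range req.Cookies() {
		h.Cookies = append(h.Cookies, c.Name)
	}
	return h, nil
}

// LoginCapture is a constructed sample of a login-form POST (the kind of
// request the text describes), not a real capture.
func LoginCapture() []byte {
	body := "email=alice%40example.test&password=hunter2"
	return []byte(fmt.Sprintf("POST /login HTTP/1.1\r\nHost: www.example.test\r\n"+
		"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s",
		len(body), body))
}

// BasicAuthCapture is a constructed sample of a request to a site using HTTP
// Basic authentication plus a session cookie. "YWxpY2U6aHVudGVyMg==" is
// base64("alice:hunter2"): the password is merely encoded, not encrypted.
func BasicAuthCapture() []byte {
	return []byte("GET /account HTTP/1.1\r\nHost: api.example.test\r\n" +
		"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\nCookie: session=9f3a1c\r\n\r\n")
}

func main() {
	for _, capture := range [][]byte{LoginCapture(), BasicAuthCapture()} {
		h, err := HarvestCredentials(capture)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%s %s%s form=%v basic=%q:%q cookies=%v\n",
			h.Method, h.Host, h.Path, h.Form, h.BasicUser, h.BasicPass, h.Cookies)
	}
}
```

Everything the function returns was sitting in the packet in the clear; the only “work” is URL-decoding and base64-decoding, which any sniffer does for you automatically.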
So how do I prevent this attack? I can’t prevent you from intercepting the packet (at least not without some fundamental change in how wireless works, an area that I’m not familiar with, so I won’t talk about it). But I can prevent you from being able to interpret the packet: if I encrypt it with a sound scheme, you can still capture it, but you can’t read its contents. Which brings us to SSL…
To prevent packet sniffers from stealing information, as a web developer you need to be serving your pages over SSL (strictly speaking, modern browsers use its successor TLS, but the name SSL has stuck). As a consumer, I can tell whether a page is served over SSL by looking at a few features of the browser: Firefox shows a lock and certificate details on secure pages, Safari shows a lock in the URL bar, and so on.
SSL uses public-key cryptography, but not to encrypt the pages themselves. The server presents a certificate containing its public key; the client checks that the certificate was issued for that site by an authority it trusts, then uses the public key to agree on a fresh secret session key with the server (either by encrypting a random secret to the server’s public key, or through a key exchange that the server signs). Only the server, holding the matching private key that nobody else knows, can complete that step. Everything after that, in both directions, is encrypted with the session key using a fast symmetric cipher. A packet sniffer sees the handshake and the ciphertext, but without the private key it can’t recover the session key, and without the session key it can’t read your data. The certificate check is what makes this hold up: if the client accepted whatever public key it was handed, an attacker sitting in the path could hand it one of their own.
At the same time, the public-key operations in the SSL handshake cost far more CPU than serving a plain page (the symmetric encryption of the page itself is cheap by comparison). So not all pages should be served over SSL, just the ones with sensitive information. For example, most online banking systems are served entirely over SSL, but at Facebook only the login page is. Note what that partial approach still exposes: the password is protected, but the session cookie that keeps you logged in is sent with every later plain-HTTP request, and a sniffer who captures it can use your session without ever learning the password.
There are a lot more details to SSL; if you want to know more, there’s plenty of information on Wikipedia, or you can ask me.
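As an added example (not the author’s code), here is the same kind of login request sent over TLS in Go, with a tap on the client’s socket recording every byte a sniffer would capture. The server is a loopback TLS server with a self-signed certificate generated in memory; handing that certificate straight to the client stands in for the CA a browser would already trust, and `login.example.test`, `alice`/`hunter2` and the function names are all assumptions for the demo. The server decrypts the request intact, the captured bytes contain neither the password nor the email address, and a client that trusts no certificate refuses to finish the handshake. One thing the tap does show in the clear is the hostname, sent in the ClientHello’s SNI extension: SSL hides what you send to a site, not which site you are talking to.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// serverHost is a hypothetical hostname used only by this demo.
const serverHost = "login.example.test"

// SampleLoginRequest is a constructed login POST: the bytes a browser would
// otherwise put on the wire in the clear.
var SampleLoginRequest = []byte("POST /login HTTP/1.1\r\nHost: " + serverHost + "\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 43\r\n\r\n" +
	"email=alice%40example.test&password=hunter2")

// selfSignedCert makes an in-memory certificate for serverHost. A real site gets
// its certificate from a CA the browser trusts; here the client is handed the
// certificate directly, so nothing touches disk or a CA.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverHost},
		DNSNames:              []string{serverHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// tapConn copies every byte crossing the connection into wire: exactly what a
// sniffer on the same network captures.
type tapConn struct {
	net.Conn
	mu   *sync.Mutex
	wire *bytes.Buffer
}

func (t tapConn) Read(b []byte) (int, error) {
	n, err := t.Conn.Read(b)
	t.mu.Lock()
	t.wire.Write(b[:n])
	t.mu.Unlock()
	return n, err
}

func (t tapConn) Write(b []byte) (int, error) {
	t.mu.Lock()
	t.wire.Write(b)
	t.mu.Unlock()
	return t.Conn.Write(b)
}

// LoginOverTLS sends request from a TLS client to a TLS server over loopback and
// returns what the server decrypted and what the tap saw on the wire. With
// trustServerCert=false the client has no trusted root, so the handshake must
// fail: that check is what stops an attacker in the path from handing the
// client a public key of their own.
func LoginOverTLS(request []byte, trustServerCert bool) (received, wire []byte, err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, nil, err
	}
	defer ln.Close()

	type result struct {
		data []byte
		err  error
	}
	done := make(chan result, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- result{nil, err}
			return
		}
		defer conn.Close()
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
		data, err := io.ReadAll(srv) // handshake, then read until the client's close_notify
		srv.Close()                  // answer with our own close_notify
		done <- result{data, err}
	}()

	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return nil, nil, err
	}
	var mu sync.Mutex
	var buf bytes.Buffer
	tap := tapConn{Conn: raw, mu: &mu, wire: &buf}

	pool := x509.NewCertPool()
	if trustServerCert {
		pool.AddCert(leaf)
	}
	cli := tls.Client(tap, &tls.Config{RootCAs: pool, ServerName: serverHost})
	clientErr := cli.Handshake()
	if clientErr == nil {
		_, clientErr = cli.Write(request)
	}
	if clientErr == nil {
		clientErr = cli.CloseWrite() // close_notify: nothing more from us
	}
	if clientErr == nil {
		_, clientErr = io.ReadAll(cli) // drain until the server's close_notify
	}
	cli.Close()

	var r result
	select {
	case r = <-done:
	case <-time.After(5 * time.Second):
		return nil, nil, errors.New("timed out waiting for the server")
	}
	mu.Lock()
	wire = append([]byte(nil), buf.Bytes()...)
	mu.Unlock()
	if clientErr != nil {
		return nil, wire, fmt.Errorf("client: %w", clientErr)
	}
	return r.data, wire, r.err
}

func main() {
	got, wire, err := LoginOverTLS(SampleLoginRequest, true)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("server decrypted %d bytes, intact: %v\n", len(got), bytes.Equal(got, SampleLoginRequest))
	fmt.Printf("sniffer captured %d bytes; password visible: %v; hostname visible (SNI): %v\n",
		len(wire), bytes.Contains(wire, []byte("hunter2")), bytes.Contains(wire, []byte(serverHost)))
	_, _, err = LoginOverTLS(SampleLoginRequest, false)
	fmt.Println("client that trusts no certificate:", err)
}
```

Running it prints that the server got the request intact while the captured bytes contain no password but do contain the hostname; the untrusted client fails with an “unknown authority” error before any application data is sent.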
So most large web services do consider security and encrypt their traffic appropriately and that’s not really my concern. My issue is with kids like me (or me a year ago) developing websites without knowing or caring enough about security. These websites are unknowingly compromising my information and I have a serious problem with that. Especially since a lot of people don’t have hard enough passwords and tend to use similar (or even the same) passwords for multiple sites. It wouldn’t be hard to steal your whole online identity just because you made an account at what you thought was a pretty legitimate website.
And the solution to this is just to make sure that people know that security is a serious issue that all web developers need to know about and understand. Awareness of web vulnerabilities needs to be increased (for developers and users both). It’s also important that users know when their pages are served over SSL, or more importantly when they aren’t (look for the lock).
My intention in writing this was to do my part in increasing awareness; hopefully I’ve saved at least one person from a lot of grief.
Edit 8/10/08: An article got posted yesterday in the New York Times that kind of relates to this. It talks about more long-term solutions to the whole password problem: something called Identity cards that are maintained on your local machine, and of course cryptographic protocols. Read it here.