Did you know that, to quote an angry hacker:
The Internet from every angle has always been a house of cards held together with defective duct tape. It’s a miracle that anything works at all. Those who understand a lot of the technology involved generally hate it, but at the same time are astounded that for end users, things seem to usually work rather well.
Today I want to talk about all of the egregious security disasters across the Internet over the last few months, but as Inigo Montoya once said: “No, there is too much. Let me sum up.” Alas, even an incomplete summary is a lengthy litany of catastrophe. Let’s see:
- Apple:”Oh dear. “It’s as bad as you could imagine, that’s all I can say.”
Oh, and separately, their OpenSSL implementation is broken.
- Linux: “Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping.”(1)
- Microsoft Word: “Zero-day vulnerability under active attack.“
- Yahoo: “Remote Command Execution Vulnerability.”
- Credit cards: Target. Nieman Marcus. California’s DMV. Etcetera.
Just another few months on the Internet, then. But don’t get me wrong. Things are much worse than that list makes them seem.
Did you know that downloading software safely is nearly impossible? Did you know that the certificate system which underwrites https, so-called “secure” browsing, is a disastrous mess and always has been? Did you know that the NSA — well, OK, I guess you do. (Thanks, Ed!) But did you know that OpenSSL, used extensively across the industry to secure apps of all kinds and sizes, is widely viewed as code so bad and confusing it “is written by monkeys?“
Today's exhibit A for "autoconf: the least bad thing in its problem space": fucking OpenSSL.—
Zack Weinberg (@elwoz) February 21, 2014
Actually, you can just delete everything in the previous tweet prior to "fucking".—
Zack Weinberg (@elwoz) February 21, 2014
Why is this? Why are we not just insecure, but increasingly insecure, in an era of widely available unbreakable cryptography? What went so terribly wrong?
Well. Three things, really.
1. Security is hard.
No, it really is.
2. Users don’t care.
No, they really don’t. The most common passwords across the Internet are “123456” and “password”. They have no interest in practicing even the most basic security hygiene:
Security: Don't click on stuff / Patch your stuff / Get rid of bad stuff (Java) / Don't click on stuff. Can I go home now?—
John Adams (@netik) February 07, 2014
…until they get hacked. And then, of course, they blame the technology.
I’m sorry to report, however, that that blame is not entirely misplaced. Because
3. Security is usually an afterthought.
No, if that. Because security is hard, and users are lazy, and so making systems which are secure even for ordinary users takes way too much time and effort, so too many companies just hack together something slapdash and hope nothing goes terribly wrong.
Do I sound like I’m overstating things? To quote “The Most Dangerous Code In The World,” from a couple of years ago:
We demonstrate that SSL certificate validation is completely broken in many security-critical applications and libraries. Vulnerable software includes Amazon’s EC2 Java library and all cloud clients based on it; Amazon’s and PayPal’s merchant SDKs responsible for transmitting payment details from e-commerce sites to payment gateways; integrated shopping carts such as osCommerce, ZenCart, Ubercart, and PrestaShop; AdMob code used by mobile websites; Chase mobile banking and several other Android apps and libraries; [etc]. Any SSL connection from any of these programs is insecure against a man-in-the-middle attack. The root causes of these vulnerabilities are badly designed APIs of SSL implementations.
My friend Will Sargent recently wrote a series of blog posts about what one has to do to actually correctly enable secure HTTP connections in Java. It’s a superb primer — but it’s tens of thousands words long, because it has to be:
- Fixing The Most Dangerous Code In The World
- Fixing X.509 Certificates
- Fixing Certificate Revocation
- Fixing Hostname Verification
It’s terrific, and as a developer who’s wrestled with SSL certificates on Android with Java myself, I’m really glad he wrote it; but in a better world — not a perfect world, mind you; really, just a non-disastrous one — he wouldn’t have had to.
Credit cards are even worse, of course. The Target hack, which was at the point-of-sale, would have been prevented by the use of chip-and-PIN technology…which is widespread, y’know, everywhere else in the developed world, and has been for many years. In the UK, chip-and-PIN was piloted in 2003 and rolled out nationwide in 2004. That’s a full decade ago. But US banks and retailers have dragged their heels — and now, as a direct result, they’re fish in a barrel.
Of course, chip-and-PIN won’t help with online credit-card transactions, where, well:
As it turns out, use of credit cards for online payments insane for different reason: ecommerce system databases themselves vulnerable.—
Marc Andreessen (@pmarca) March 23, 2014
To be fair, we have seen some moves in the right direction. Facebook — which seems to have impressive security, perhaps unsurprising in a company led by a hacker — last month released a new tool to make Android apps safer. There’s talk of a common server-security platform at the “Goldilocks” hypervisor level. And the FTC is beginning to pay attention and cite violators, including Fandango and Credit Karma:
But those are just a few flickers of life in a security-comatose body corporate. Meanwhile, we’re in an arms race, and while the attackers are training in the Shaolin Temple and gaining valuable work experience in the French Foreign Legion, the defenders are lazing around drinking beer because the dukes and duchesses told them to drain the moats, prop the gates open, and lose the arms and armor, all in order to encourage trade. I’m sure that always seems like such an awfully good idea … right until the day Genghis Khan rides up the road.
(1) For those coders among you who, previous to the GnuTLS revelation, blamed Apple’s ifs-without-braces code style for the bug:
Guys, no need to apply updates to GnuTls, I have reviewed the code and it has braces on every if statement.—
Miguel de Icaza (@migueldeicaza) March 05, 2014
Image credit: Insecurity.