Archive for the ‘Internet Security’ Category

Browser and Website Insecurity

Tuesday, May 27th, 2008

Are you concerned about default browser security settings?
You should be, since malicious code can be on ANY website you visit.

The sad truth is that very few websites are written with the security of YOUR confidential information in mind. How can we tell this? It is actually easy.
Check the lower right-hand corner of your browser window: is the padlock symbol locked, or open?
Odds are, it is open. That means the website is not using the Secure Sockets Layer to create an encrypted tunnel for all information passing between your computer and the server hosting the website. This lets anyone with a packet sniffer capture the entire data stream. Those intent on criminal activities have packet sniffers and actively look for information that should be kept confidential, like your user name and password. It is well known that 99% of people online use the same username and password for everything, so anyone with ill intent who gets hold of them can then start accessing things like bank accounts, credit card accounts, etcetera.

What makes this lack of SSL use on websites worse is the fact that EVERY browser ships with a list of trusted Certificate Authorities. Though, really, how well can you trust the word of a company that is only saying what it has BEEN PAID to say? After all, if a person is out to rip you off, they will rip you off no matter what the Certificate Authority says about them, and that Certificate Authority is not responsible for your loss. I personally delete the list of Certificate Authorities from my browsers, since it is the person or company whose website I am visiting that I trust, or not. It does NOT matter which CA has issued the certificate for the SSL connection; they have nothing to do with the business you are contemplating purchasing from.

The second issue is that EVERY browser BY DEFAULT enables things that weaken website security and expose YOU, the end user / site visitor, to having confidential information stolen. I am referring to the use of Flash, JavaScript and ActiveX on websites. Though ActiveX is only functional if you are using a Windows-based computer, the huge market share Microsoft has means that it is an issue for most people. Client-side scripting exposes application logic to malicious people, making it easier for them to CRACK the website and gain illegal access to information stored on it. We can’t forget that all three of these technologies have the ability to write to the hard drive, which means they can save malicious code on your system. ActiveX is worse, though: it is a SYSTEM-level technology on Windows, which means it has System Administrator access. That is total access. The second half of this issue is that after they have written the website script to run on the client’s system, the majority of website developers DO NOT bother to verify the submitted information on the server before they process it. This means that embedded malicious code is executed by the server, possibly causing an exploit of the server in the process.

In essence, if any website that wants you to submit ANY information is not using SSL, then you should not submit any information to that website. If your BROWSER does not pop up a window about not knowing the Certificate Authority, then the people who wrote and configured the browser are TRYING to cause you harm.

That brings up the final point: message boxes or message bars. The two most popular browsers have both implemented the use of message bars across the top of the browser window. The silly thing is that the bar goes away in a few seconds and is easily missed by the person using the computer. While message boxes get clicked away without being looked at, they still have a 50% effectiveness, while message bars can have at most 25% effectiveness. So Microsoft’s Internet Explorer and Mozilla’s Firefox are BOTH trying to hide critical warnings from their users when they use the message bar instead of a message box.

To summarise, EVERY web browser is being shipped configured to ENABLE harm to its users, both from having a list of “Trusted” Certificate Authorities and from having client-side scripting technologies enabled by default. Microsoft’s Internet Explorer and Mozilla’s Firefox are worse, in that they PURPOSELY try to hide critical security messages from you with those message bars. YOU, the END USER, need to start complaining to those responsible for these CRIMINAL acts if you really want to stop your confidential information from being exposed.

While I am slamming people for not using SSL on websites, I’ll accept the comments coming from my own lack of SSL use here, with only this comment on the subject:

You do not have to submit any information to this website to read it, and if in reading it you start thinking about what you can do to protect your information better, then it is worth it. I chose not to enable SSL because there is no requirement for ANY visitor to give me ANY information anywhere, unless they choose to make a comment. Then they need to give a user name, password and email address, yet after reading this post, I doubt anyone will do so lightly.

Free Credit Reports …. Really?

Wednesday, May 14th, 2008

I have not looked at the Free Credit Report services offered in different countries, but the one I just saw for here in Canada is just plain wrong.

freecreditreportsincanada

A website offering this service to us Canadians. They REQUIRE that you give them your credit card information… well, OK, that will help to get a credit rating. Hold on a second: the page where you enter the credit card information is served over the HTTP protocol, not the secured HTTPS.

The lawyer who owns the site is obviously a shady one; she is PROMOTING both Credit Card Fraud and Identity Theft.

Well, I blasted them directly, calling them stupid thieves for not using SSL for handling credit card details.

Then I reported them to the Local RCMP Headquarters, for Montreal Quebec.

It’s only “free” for 7 days anyway; after that they charge you 29.95 a month. And the only way to avoid this recurring charge is to PHONE THEM within that 7-day period.

So it isn’t free, even if they don’t cost you EVERYTHING through their lack of security.

I bet that if you look at the other services you will find many, if not all, of these issues are there as well.

Bunch of criminals they are.

Here are the whois search results for the domain:

http://www.whois.net/whois_new.cgi?d=freecreditreportsincanada&tld=ca

Microsoft Breaking the law again?

Tuesday, April 8th, 2008

Get yourself your handy hex editor, like the one that comes with MS Visual Basic.

Fire it up and open the File Open dialog.

Browse to the windows\system32 folder.

Select the LegitCheckControl.DLL in there.

Open it up.

Reading the partial English in the right-hand column, look for LegitCheckWWd.

Read from there to where it displays SupressWarning.

That one section of the file logs in as administrator (if you are not already), turns off warnings, collects data from your computer, sends that data to Microsoft, then turns warnings back on and logs off as administrator.

I could put all 4832 HTML pages of the file up and let you browse through them to find it, but it would be meaningless, since I could have inserted that into what I post. Find it in the file on YOUR LEGIT version of Windows with MS Office installed.

Then decide: is Microsoft committing the same criminal act they were penalized for by the US Courts with the Windows 98 Update issue, sending information to themselves when you ran Windows Update in Windows 98?

Javascript also known as ECMAscript

Tuesday, April 8th, 2008

With network security auditors able to gain full admin access to university websites because they use a JavaScript-based website, where the entire application logic is sent to the client browser, why are website designers and developers insisting on using this SEVERE security risk technology? [ On one of the video sites such as YouTube there is reportedly a video where this was done, in less than 3 minutes. ]

Every line of JavaScript is sent to the client browser, in human-readable form. [ Right-click, View Source, there it all is. ] There is not one valid reason to use any client-side scripting on a website. [ HEY, WordPress developers, that includes your blogging script!! NO TO JAVASCRIPT!! ]

My zero respect for any site that uses / requires JavaScript is no secret; I refuse to go to sites that do NOT function in lynx. I’m currently looking at the WordPress scripts used for this blog to remove the JavaScript from them; I’ll check to see if I can implement the RSS and pings with XSLT instead of the AJAX they are commonly based on. If not, I’ll use a Perl-based CGI script to accomplish the task. [ This is asking for trouble, my Perl is weak :) ]

Yes, I am posting this, as with all posts to this blog, with no JavaScript enabled in the browser.

SQL Injection Exploit

Tuesday, April 8th, 2008

This exploit is caused by one thing and one thing only: the script author’s screwup.
Any website script that does not, by default, treat all site visitor input as dangerous is vulnerable to such an attack.

The only thing that can be done is to use scripts that do not pass SQL from within a user’s post to the database engine. The script should instead mark such input as code or a quote and store it in the database as plain text in the “comment” column of the table. When the page displays, the user’s attempt to exploit the database engine by injecting SQL is shown in the post rather than actually being processed by the database engine. This, along with server logs, can be used as evidence in a court of law of the user’s attempted criminal activity. It also will very quickly stop others from attempting the same thing, as they can see that the attempt will fail and be publicly displayed as such.
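An added illustration of the two approaches above (example code written for this page, not from the original post or from any blog software), using Python with SQLite as a stand-in for the PHP/MySQL scripts the blog discusses. The comment text is a constructed sample; the vulnerable insert is passed through an interface that accepts several statements, which is an assumption about the database layer.

```python
import sqlite3

# Constructed sample visitor input (not from the original post): a comment
# whose text tries to close the INSERT and run a second statement.
INJECTED_COMMENT = "nice post'); DELETE FROM comments; --"


def make_db():
    """In-memory stand-in for a blog's comments table, with one real row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("INSERT INTO comments (body) VALUES ('first comment')")
    db.commit()
    return db


def insert_vulnerable(db, body):
    """The screwup: the visitor's text is glued into the SQL, so whatever
    SQL it contains is handed to the database engine and executed.
    executescript() is used because it accepts several statements, like a
    database interface that allows stacked queries (an assumption)."""
    db.executescript("INSERT INTO comments (body) VALUES ('" + body + "');")


def insert_safe(db, body):
    """The fix the post asks for: the visitor's text never becomes SQL.
    It is bound as a parameter, so it lands in the table as plain text and
    is later displayed, injection attempt and all, as an ordinary comment."""
    db.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    db.commit()


def comment_bodies(db):
    """Return the stored comment texts in display order."""
    return [row[0] for row in db.execute("SELECT body FROM comments ORDER BY id")]


def comments_after(insert_func, body=INJECTED_COMMENT):
    """Run one insert function against a fresh table; return what is left."""
    db = make_db()
    insert_func(db, body)
    return comment_bodies(db)


if __name__ == "__main__":
    print("vulnerable script leaves:", comments_after(insert_vulnerable))  # []
    print("safe script leaves:     ", comments_after(insert_safe))
```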

SSL Certificate Authorities

Tuesday, April 8th, 2008

Browser development teams, both open source and proprietary, need to give their heads a shake when it comes to the CA list.

They seem to have forgotten that all Certificate Authorities are businesses first. For a website to get a certificate, it only has to pay a fee to any C.A. To phrase it in plain English: pay me n dollars and I’ll tell everyone that you are a good site to do business with. It is absolute stupidity to say that any Certificate Authority is, or can be, TRUSTED.

There is no oversight of the activities of the CAs; without a body able to REVOKE a CA’s operations there is nothing to make them do anything to validate the information, business reputation especially, of those who want a certificate from them. As long as the situation remains the same, any web browser development team that includes a list of “Trusted” Certificate Authorities should be held legally liable for any damages that end users suffer from shady website operators. Make the end user accept the certificate for the website; then it was by their own choice that they trusted the site owner. Currently, because the CA list exists, end users are NOT being reminded that they are risking confidential data that can cost them thousands to a website and company they would most likely never be able to get recompense from. The company may not be in the same part of the world as the end user, making the end user unable to even try to get their money back through legal process. [ After all, who can afford to fly to China* to try to sue a company for the money they stole? ]

So, a list of trusted Certificate Authorities is actually an extreme disservice to the end user, and is not a nice thing for any software to have. With no oversight and enforcement body, there is not one single CA that can honestly be called “trusted”.

* China is only used as an example of a difficult journey and a drastically different legal system. I am not saying that all companies in China, or even any companies in China, would or do engage in such illegal activities.

Cross Site Scripting Bug

Tuesday, April 8th, 2008

It seems that a lot of websites are suffering from this particular problem, which leads me to wonder why this is so.

When I look into the exploit records from Secunia and SANS I see that web exploits are increasing in number, with cross-site scripting being the most common exploit. If we look at the site scripts named in the exploits we begin to see some commonalities. Most happen to be written in PHP, and most happen to use MySQL as the backend.

Can we honestly claim that PHP or MySQL is the reason for the exploit? I don’t think so. When the scripts themselves are examined the cause becomes much more apparent. It is a flaw in the script authors’ work rather than in the technologies used. Most of the scripts are popular, open source scripts readily available for download by anyone. They are written to make it easy for anyone to install and use them on their own website. The problems are two:
1) They tend to use relative URLs within the scripts for includes and functions. If the scripts used absolute URLs instead of relative ones they would be less vulnerable to this type of exploit.
2) The end user input sanitization is weak to non-existent. This is the one that leaves them open to the most damage. The authors of these scripts do not exclude user-supplied data from parsing, allowing both cross-site scripting and SQL Injection exploits.
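An added example of the second problem (written for this page; not code from the original post or from any of the scripts it mentions), in Python as a stand-in for the PHP templates under discussion: the same comment template rendered with visitor data pasted in unchanged, and rendered with every visitor-supplied value escaped at output time. The comment values are constructed samples; the template and the check function are assumptions, not any project's code.

```python
import html

# Constructed sample visitor input (not from the original post): an author
# name aimed at the title attribute and a body aimed at the comment text.
SAMPLE_COMMENT = {
    "author": 'Mallory" onmouseover="alert(1)',
    "body": "Great post! <script>alert('xss')</script>",
}

# Hypothetical comment template of the kind a blog script would use.
TEMPLATE = '<div class="comment" title="%s"><p>%s</p></div>'


def render_vulnerable(comment):
    """The flaw described above: visitor data is pasted into the page as-is,
    so the browser parses it as markup and script instead of showing it."""
    return TEMPLATE % (comment["author"], comment["body"])


def render_safe(comment):
    """Escape every visitor-supplied value at output time. quote=True also
    turns quotes into entities, which is what stops the author name from
    breaking out of the title attribute; <, > and & are always escaped."""
    return TEMPLATE % (html.escape(comment["author"], quote=True),
                       html.escape(comment["body"], quote=True))


def visitor_markup_survives(rendered, comment):
    """Check a maintainer can run over any template's output: True if a
    visitor value containing markup characters appears in the page
    unchanged, i.e. the template forgot to escape it."""
    risky = ('<', '>', '"', "'", '&')
    for value in comment.values():
        if any(ch in value for ch in risky) and value in rendered:
            return True
    return False


if __name__ == "__main__":
    for render in (render_vulnerable, render_safe):
        page = render(SAMPLE_COMMENT)
        print(render.__name__, "->", page)
        print("  visitor markup survives:", visitor_markup_survives(page, SAMPLE_COMMENT))
```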

The only real solution to this would be for people to submit bug reports to the script authors saying that the dismal lack of sanitization of user-supplied input is a critical security flaw in the script.

PHP and MySQL are not the only technologies that leave sites exposed to this exploit; they just happen to be the most commonly used technologies in scripts that have suffered from it.

With the rise of Web 2.0 technologies, where websites consume services from other websites, I fully expect that AJAX will become the “poster child” for cross-site scripting exploits if “Web Designers” don’t smarten up and start including security in the core of their designs.

A “Web Designer” isn’t really known for doing anything but worrying about how a site looks. They are known for using code generation tools that write bad, bloated code with no attention to security issues. [ Dreamweaver being a number one culprit. ]

A company wanting its corporate website revamped should immediately discard any “Web Designers” that submit quotes and only review quotes from those who identify as Website Developers and Designers. Those who use the developer term are more likely to worry about solid, secure code first, then work on making the site look good with that code. This is the ideal solution for any website that holds client data that must be kept confidential. [ E-commerce sites specifically; they have credit card and mailing address data being submitted to them. ]