Netcraft's June SSL Survey has found that a significant number of SSL certificates are affected by the Debian OpenSSL vulnerability, including Extended Validation SSL certificates and certificates belonging to banks.
The vulnerable certificates afford opportunities to create deceptive sites which use apparently valid SSL certificates, giving the user the impression that the site belongs to the certified organisation. In the case of EV certificates, browsers will also turn the address bar green, even though the certificate may be cloned.
From an attacker's point of view, the main limitation is that the browser will warn the user if the certificate common name does not match the name used by the user to access the site, so the attacker would need to affect the user's network or the DNS results to get a completely seamless attack.
The following screenshot demonstrates the feasibility and effectiveness of such an attack.
Example based on vulnerable site found via Netcraft's SSL Survey database.
On the 13th May, Debian released a security advisory (also described in CVE-2008-0166) announcing a vulnerability in Debian's OpenSSL package, which made it possible to discover private keys from public SSL and SSH keys. The issue affects all versions of OpenSSL on Debian-based operating systems over the course of two years — ever since two lines of code were commented out to prevent compilers displaying warnings about the use of uninitialized data.
The removal of these two lines of code vastly decreases the entropy of the seed used by the pseudo-random number generator in OpenSSL, making it easier to predict the random numbers generated by OpenSSL. This makes it easy for remote attackers to conduct offline brute force attacks against the cryptographic keys used in SSL certificates generated on vulnerable systems. All SSL and SSH keys generated on Debian-based operating systems since September 2006 may be affected. Affected operating systems include Ubuntu, Kubuntu, Knoppix, Grml and the Xandros Linux distribution used by the popular Asus Eee PC.
HD Moore has published an analysis of the Debian OpenSSL issue at Metasploit, noting how the keys are tied to the process ID. Using 31 Xeon cores clocked at 2.33GHz, Moore was able to generate all 1024-bit DSA and 2048-bit RSA keys for x86 architectures in only 2 hours, and all 4096-bit RSA keys in about 6 hours.
Although a number of certificate authorities have offered free replacement certificates to customers affected by the Debian OpenSSL vulnerability, it has been reported that they have not been getting a big response. Comodo is offering a free replacement SSL certificate to any affected business, regardless of their original provider, while VeriSign is offering free reissuance for both SSL certificates and code signing certificates. GeoTrust and Thawte also offer free SSL certificate reissuance, and RapidSSL certificates can be renewed for free at GeoTrust's website.
Ranking by Failed Requests and Connection time,
May 1st – 31st 2008
INetU also had the most reliable hosting company site in March. INetU is an enterprise managed hosting company located in Allentown, PA. They have been in business since 1996 and notably offer a 100% uptime service level guarantee. Managed services provided by INetU include MySQL and MS SQL database clusters, Exchange servers, virtualization and firewalls. Their clients include Fortune 500 companies such as Microsoft, Intel, Northrop Grumman and Canon.
Aplus.Net is a division of Abacus America, Inc., and has also been offering internet services for more than 10 years. APlus.Net offers dedicated servers, web hosting, web design, marketing and is an ICANN accredited domain name registrar. The company has more than 200,000 customers and more than 6,000 dedicated server customers.
Four of May's top ten hosting companies run Linux on their main sites. Three of the others use FreeBSD and another uses Windows Server 2003.(more...)
A security researcher in Finland has discovered a cross-site scripting vulnerability on paypal.com that would allow hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.
The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser's address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.
"Is it safe?" - a message injected on the PayPal website today
Harry Sintonen discovered the vulnerability and announced it to other web application security specialists in an Internet Relay Chat (IRC) channel today. Sintonen told Netcraft that the issue was critical, adding that, "you could easily steal credentials," and, "PayPal says you can trust the URL if it begins with https://www.paypal.com," which is not true in this case.
While SSL certificates do indeed provide a higher level of assurance when it comes to site ownership, they cannot guarantee that a site is free from other security problems – including cross-site scripting. There are concerns that hackers may exploit misunderstandings in the significance of the green address bar for their own benefit, piggybacking off the trust that is instilled by EV certificates. Users need to be aware that a green address bar does not guarantee the origin of a page's contents if there is a cross-site scripting vulnerability on that page.
The vulnerability comes to light only a month after PayPal published a practical approach to managing phishing on their blog, which extols the use of Extended Validation certificates in preventing phishing. The document describes browsers that do not support EV certificates as "unsafe" and announces the company's plans to block customers from accessing their website from the most unsafe browsers.
PayPal was one of the first companies to adopt EV certificates and the company says it has seen noticeably lower abandonment rates on signup flows for Internet Explorer 7 users versus other browsers. According to the document, PayPal believe this correlates closely to user interface changes triggered by their use of EV certificates.
In the May 2008 survey we received responses from 168,408,112 sites.
The total number of sites has increased by 2.7 million, with 554 thousand new sites being hosted by the Dutch company XL Internet Services. Similar growth is seen at Akamai, a web content and application delivery company, where 531 thousand new sites have appeared.
The GNR web server climbs to 15th place after gaining 212 thousand sites this month. GNR is operated by Global Name Registry, which is the licence operator of the .name global top level domain that was launched in 2002. The .name gTLD is intended to be used by individuals, and most of the site addresses being served by the GNR web server use the format www.firstname.lastname.name.
Nearly all of the .name sites being hosted by Global Name Registry are served from the same IP address, and many of them use a frameset to present content from Facebook's website, showing limited public profiles for Facebook users with the same name.Total Sites Across All Domains August 1995 - May 2008
Developer April 2008 Percent May 2008 Percent Change Apache 83,554,638 50.42% 83,746,837 49.73% -0.69 Microsoft 58,547,355 35.33% 58,991,106 35.03% -0.30 10,079,333 6.08% 10,127,956 6.01% -0.07 lighttpd 1,495,308 0.90% 1,523,148 0.90% 0.00 Sun 547,873 0.33% 545,651 0.32% -0.01
Ranking by Failed Requests and Connection time,
April 1st – 30th 2008
NaviSite is the most reliable hosting company site for April 2008.
NaviSite was incorporated in 1998 and provides application solutions and hosting services using its web infrastructure platforms in 18 data centers. The company recently announced an alliance with Intel Corporation to offer a suite of managed services through Intel's value added reseller community.
NaviSite's performance is followed by DataPipe, which made 11 appearances in the top ten last year. Last month's most reliable hosting company site, INetU, appears in third place this month.
Three of April's top ten hosting companies, including NaviSite, run Linux on their main sites, while another three use FreeBSD. One company uses Windows Server 2003.(more...)
All of Netcraft's globally distributed performance monitors have recorded a solid period of downtime at a number of sites hosted in the VA Software netblock. VA Software is the former name of SourceForge, Inc, which hosts all of the affected sites, including Slashdot, the source code repository SourceForge.net, software release site Freshmeat and merchandise supplier ThinkGeek.
Static uptime graph for www.slashdot.org
Netcraft's live monitoring of www.slashdot.org can be seen here, reflecting a contiguous outage of approximately 5 hours.