24 of the 100 most popular HTTPS websites appear to be safe from the recently documented TLS renegotiation flaws. Meanwhile, the other 76 sites are still vulnerable to renegotiation attacks, which allow a man-in-the-middle attacker to inject data into secure communication streams. To demonstrate the seriousness of the issue, Anil Kurmus published details of an attack scenario that showed how the flaw could be used to steal passwords from vulnerable sites such as Twitter.

Among the top 100 HTTPS websites, there are several banks and commerce companies that remain vulnerable. A few of these sites give the appearance of being intermittently vulnerable, as client requests are load balanced among a mixture of vulnerable and non-vulnerable machines.

Ben Laurie of Google was working on the renegotiation flaw around six weeks before it was made public, so it is perhaps unsurprising that 7 of the 24 safe sites are owned by Google. A further 7 sites are running Microsoft IIS 6.0, which is currently believed not to be vulnerable.

Since discovering the renegotiation problem, PhoneFactor has created a Status of Patches list, showing which vendors have already responded to the problem. A few were quick to act by disabling renegotiation support in their products, and some vendors have already implemented Eric Rescorla's proposed fix.

Netcraft's November SSL Survey found 1,217,395 distinct valid third-party SSL certificates in use on the web.
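The post mentions that some vendors have already implemented Eric Rescorla's proposed fix. That fix was later standardised as RFC 5746, which lets a client advertise secure-renegotiation support with an empty `renegotiation_info` extension (type 0xff01) or the signalling cipher suite 0x00ff, and lets a patched server confirm it by echoing the extension in its ServerHello. The following Python is an added illustration, not code from Netcraft or from any of the sites surveyed: it builds such a ClientHello and parses a ServerHello record to see whether the server echoes the extension. The `make_server_hello` helper and the byte strings it produces are constructed for offline testing; sending the ClientHello to a real host and reading back the first record is left to the caller.

```python
import struct

# Values from RFC 5746, the standardised form of Rescorla's proposed fix.
RENEGOTIATION_INFO = 0xFF01                 # extension type "renegotiation_info"
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite value


def build_client_hello(cipher_suites=(0x002F, 0x0035), signal="extension") -> bytes:
    """Build a TLS 1.0 ClientHello record that advertises secure-renegotiation support.

    signal="extension" sends an empty renegotiation_info extension,
    signal="scsv" appends the signalling cipher suite instead, signal=None sends neither.
    """
    suites = list(cipher_suites)
    if signal == "scsv":
        suites.append(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
    client_random = b"\x00" * 32            # constructed; a real client uses 32 random bytes
    body = b"\x03\x01" + client_random + b"\x00"   # client_version, random, empty session_id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                     # one compression method: null
    extensions = b""
    if signal == "extension":
        # renegotiation_info carrying an empty renegotiated_connection (initial handshake)
        extensions += struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} from one TLS record containing a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                            # server_version + random
    session_id_len = hello[pos]
    pos += 1 + session_id_len
    pos += 2 + 1                            # cipher_suite + compression_method
    extensions = {}
    if pos >= len(hello):
        return extensions                   # legacy server: no extensions block at all
    (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = min(pos + ext_total, len(hello))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        extensions[ext_type] = hello[pos:pos + ext_len]
        pos += ext_len
    return extensions


def supports_secure_renegotiation(server_hello_record: bytes) -> bool:
    """True if the server echoed renegotiation_info with the empty value expected on an initial handshake."""
    ext = parse_server_hello_extensions(server_hello_record)
    return ext.get(RENEGOTIATION_INFO) == b"\x00"


def make_server_hello(extensions) -> bytes:
    """Constructed ServerHello record for offline testing (not captured from a real server)."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2F" + b"\x00"
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    patched = make_server_hello([(RENEGOTIATION_INFO, b"\x00")])
    legacy = make_server_hello([])
    print("patched server:", supports_secure_renegotiation(patched))   # True
    print("legacy server: ", supports_secure_renegotiation(legacy))    # False
```

A server that does not echo the extension has not deployed the fix, but the ServerHello alone does not tell you whether it still permits the old, unauthenticated renegotiation or has taken the other route the post mentions and disabled renegotiation altogether; that distinction needs a second, renegotiating handshake, which this example does not perform.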

Posted by Paul Mutton at 25 November 2009 in Security

An ongoing phishing attack against UK taxpayers is being given additional credibility by using a gov.uk domain. Sefton Council is hosting the phishing content on its Novell GroupWise 7.0 site at web11.sefton.gov.uk.

The phish follows one of the typical ploys commonly seen in HMRC and IRS phishing attacks: The victim is led to believe that they can receive a tax refund by submitting their full credit card details, but these details are instead sent directly to the fraudster behind the attack.

[Image: gov-uk-phish-resized.png]

The fraudulent form submits the victim's details to a PHP script hosted at www.zamoh.biz.

[Image: gov-uk-phish-action.png]

The UK's Central Office of Information is responsible for deciding who can register gov.uk domains. Eligibility is strictly limited, which helps to preserve the integrity of the gov.uk namespace; however, this obviously has an undesirable effect when this integrity is leveraged by fraudulent content on compromised servers. Netcraft has informed Sefton Council about this phishing attack.

Netcraft provides an Automated Vulnerability Scanning service which regularly tests your internet infrastructure, supplies the information you need to maintain your security and eliminate vulnerabilities, and audits that it has found no serious vulnerabilities using a dynamically generated seal.

Posted by Paul Mutton at 1 September 2009 in Security

Apache.org has been offline for 3 hours this morning, after one of their servers was compromised. Their sites were displaying the message:

[Image: apache-compromise.png]

The message goes on to say that the compromise is "not due to any software exploits in Apache itself", but was instead due to a compromised SSH key.

Update: Most of apache.org's sites came back online this afternoon after Apache switched over to servers that were not compromised in the attack. Apache has released more information about the incident: an account used for backups was compromised on a back-end server. This server distributes content to Apache's public web servers, so the attackers used it to push scripts out to the web servers; once the scripts were publicly reachable, the attackers could execute them remotely, gaining access to the web servers as well. These rogue processes were detected, and the servers were taken offline for investigation and clean-up.

Posted by Colin Phipps at 28 August 2009 in Security

The most recent Netcraft Web Server Survey found more than 62 million websites running Microsoft IIS 6.0, but many of these are unlikely to be affected by the latest WebDAV remote authentication bypass vulnerability.

A new WebDAV vulnerability was published by Nikolaos Rangos on Friday, detailing how attackers can bypass access restrictions through a flaw in the WebDAV functionality of IIS 6.0. Because the server fails to handle Unicode tokens in request paths properly, the bug gives attackers access to password protected folders and, in some cases, the ability to upload files to the affected web servers.

Although IIS 6.0 accounts for more than 90% of the Microsoft sites on the Internet, the total number of vulnerable sites is likely to be substantially less than 62 million because WebDAV is not a default component of IIS 6.0 when a Windows Server 2003 machine is given the role of Application Server. Nonetheless, some people may install and enable WebDAV to provide a convenient means of publishing and managing web server content through firewalls – because WebDAV is an extension to the HTTP protocol, it can operate over the same port number as HTTP.

Microsoft issued a security advisory on Monday, which also lists IIS 5.0 as vulnerable. This issue may affect a much larger proportion of the 2.8 million IIS 5.0 websites as, unlike its successor, Windows 2000 Server automatically installs WebDAV alongside IIS 5.0.
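Since the post notes that exposure depends on WebDAV actually being enabled, and that the flaw lies in how Unicode tokens in request paths are handled, two things an IIS administrator can check in existing logs are whether WebDAV methods are being answered at all and whether any request paths carry percent-encoded bytes that are not valid UTF-8 (overlong or malformed sequences, which a correct Unicode handler must reject). The Python below is an added example, not code from Netcraft, Microsoft or the advisory: it parses IIS 6.0 W3C extended log entries and reports both signals. The `SAMPLE_LOG` text, the hosts and the client addresses are constructed; the example assumes `cs-uri-stem` is logged as received, still percent-encoded, and if your logging normalises the path first the same check belongs at a reverse proxy or request filter instead.

```python
from urllib.parse import unquote_to_bytes

# WebDAV request methods (RFC 4918), plus SEARCH, which IIS also serves through WebDAV.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Responses that mean the method itself was refused, i.e. WebDAV is not answering.
WEBDAV_REFUSED = {"404", "405", "501"}

# Constructed sample in IIS 6.0 W3C extended format; addresses are from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-18 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-18 10:00:01 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-05-18 10:00:02 192.0.2.10 PROPFIND /protected/ - 80 - 198.51.100.7 Mozilla/4.0 401 2 5
2009-05-18 10:00:03 192.0.2.10 PROPFIND /%c0%aeprotected/ - 80 - 198.51.100.7 Mozilla/4.0 207 0 0
2009-05-18 10:00:04 192.0.2.10 GET /caf%c3%a9.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""


def decodes_as_utf8(path: str) -> bool:
    """Percent-decode the path and check that the resulting bytes are valid UTF-8.

    Python's strict decoder rejects overlong and otherwise malformed sequences,
    which are exactly the encodings a correct Unicode handler must refuse.
    """
    try:
        unquote_to_bytes(path).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def parse_w3c_log(text: str):
    """Yield one dict per entry, keyed by the names given in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # entries before any #Fields: header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        yield dict(zip(fields, values))


def scan_iis_log(text: str) -> dict:
    """Report whether WebDAV is answering and which entries carried malformed Unicode paths."""
    webdav_seen = False
    suspicious = []
    for entry in parse_w3c_log(text):
        method = entry.get("cs-method", "")
        # A 401 to PROPFIND still proves WebDAV is enabled; only 404/405/501 mean it is not.
        if method in WEBDAV_METHODS and entry.get("sc-status") not in WEBDAV_REFUSED:
            webdav_seen = True
        path = entry.get("cs-uri-stem", "")
        if "%" in path and not decodes_as_utf8(path):
            suspicious.append({**entry, "reason": "percent-encoded path is not valid UTF-8"})
    return {"webdav_seen": webdav_seen, "suspicious": suspicious}


if __name__ == "__main__":
    report = scan_iis_log(SAMPLE_LOG)
    print("WebDAV answering:", report["webdav_seen"])
    for hit in report["suspicious"]:
        print(hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], hit["sc-status"], "-", hit["reason"])
```

The legitimate `/caf%c3%a9.htm` request is not flagged because it decodes cleanly, so the check does not produce noise on sites that serve non-ASCII file names; only paths whose bytes no correct decoder would accept are reported, together with the method and status so an analyst can see whether such a request was actually answered.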

Posted by Paul Mutton at 20 May 2009 in Security
Two years after their first appearance in the Netcraft SSL Survey, Extended Validation (EV) SSL certificates now make up more than 1% of all SSL certificates on the Web.

Posted by Paul Mutton at 27 February 2009 in Security
A new wave of phishing attacks against eBay is exploiting a clever combination of wildcard DNS records and cross-site scripting (XSS) vulnerabilities to use other people's websites to help steal credentials from victims.

Posted by Paul Mutton at 17 February 2009 in Security


Posted by Colin Phipps at 8 January 2009 in Security

Netcraft's SSL Survey shows that 14% of valid third party SSL certificates are using MD5 signatures — an algorithm that is demonstrably vulnerable to attack.



Posted by Colin Phipps at 1 January 2009 in Security
Netcraft has detected another live vulnerability on a Yahoo website, which is currently being used to steal authentication cookies from its users — transmitting them to a website under the control of a remote attacker. The attacker can then use the stolen details to gain access to his victims' Yahoo accounts, such as Yahoo Mail.

Posted by Paul Mutton at 26 October 2008 in Security
Netcraft's Phishing Site Takedown and Countermeasures service helps banks respond to phishing attacks promptly and effectively.
Posted by Paul Mutton at 9 September 2008 in Netcraft Services, Security