24 of the 100 most popular HTTPS websites appear to be safe from the recently documented TLS renegotiation flaws. Meanwhile, the other 76 sites are still vulnerable to renegotiation attacks, which allow a man-in-the-middle attacker to inject data into secure communication streams. To demonstrate the seriousness of the issue, Anil Kurmus published details of an attack scenario that showed how the flaw could be used to steal passwords from vulnerable sites such as Twitter.
Among the top 100 HTTPS websites, there are several banks and commerce companies that remain vulnerable. A few of these sites give the appearance of being intermittently vulnerable, as client requests are load balanced among a mixture of vulnerable and non-vulnerable machines.
Ben Laurie of Google was working on the renegotiation flaw around six weeks before it was made public, so it is perhaps unsurprising that 7 of the 24 safe sites are owned by Google. A further 7 sites are running Microsoft IIS 6.0, which is currently believed not to be vulnerable.
Since discovering the renegotiation problem, PhoneFactor has created a Status of Patches list, showing which vendors have already responded to the problem. A few were quick to act by disabling renegotiation support in their products, and some vendors have already implemented Eric Rescorla's proposed fix.
Netcraft's November SSL Survey found 1,217,395 distinct valid third-party SSL certificates in use on the web.
Digg
Slashdot
Reddit
StumbleUpon
Delicious
TechnoratiAn ongoing phishing attack against UK taxpayers is being given additional credibility by using a gov.uk domain. Sefton Council is hosting the phishing content on its Novel GroupWise 7.0 site at web11.sefton.gov.uk.
The phish follows one of the typical ploys commonly seen in HMRC and IRS phishing attacks: The victim is led to believe that they can receive a tax refund by submitting their full credit card details, but these details are instead sent directly to the fraudster behind the attack.
The fraudulent form submits the victim's details to a PHP script hosted at www.zamoh.biz.
The UK's Central Office of Information is responsible for deciding who can register gov.uk domains. Eligibility is strictly limited, which helps to preserve the integrity of the gov.uk namespace; however, this obviously has an undesirable effect when this integrity is leveraged by fraudulent content on compromised servers. Netcraft has informed Sefton Council about this phishing attack.
Netcraft provides an Automated Vulnerability Scanning service which regularly tests your internet infrastructure, supplies the information you need to maintain your security and eliminate vulnerabilities, and audits that it has found no serious vulnerabilities using a dynamically generated seal.
Apache.org has been offline for 3 hours this morning, after one of their servers was compromised. Their sites were displaying the message:
The message goes on to say that the compromise is "not due to any software exploits in Apache itself", but was instead due to a compromised SSH key.
Update: Most of apache.org's sites have been back online this afternoon after they switched over to servers not compromised in the attack. Apache have released more information about the incident: an account used for backups was compromised on a back-end server. This server distributes content to Apache's public web servers, so the attackers used it to distribute scripts to the web servers; once the scripts were public, the attackers could execute them remotely, gaining access to the web servers as well. But these rogue processes were detected, so the servers were taken offline for investigation and clean-up.
The most recent Netcraft Web Server Survey found more than 62 million websites running Microsoft IIS 6.0, but many of these are unlikely to be affected by the latest WebDAV remote authentication bypass vulnerability.
A new WebDAV vulnerability was published by Nikolaos Rangos on Friday, and details how attackers can bypass access restrictions using a flaw in the WebDAV functionality on IIS 6.0. By failing to handle Unicode tokens properly, the bug gives attackers access to password protected folders and, in some cases, the ability to upload files to the affected web servers.
Although IIS 6.0 accounts for more than 90% of the Microsoft sites on the Internet, the total number of vulnerable sites is likely to be substantially less than 62 million because WebDAV is not a default component of IIS 6.0 when a Windows Server 2003 machine is given the role of Application Server. Nonetheless, some people may install and enable WebDAV to provide a convenient means of publishing and managing web server content through firewalls – because WebDAV is an extension to the HTTP protocol, it can operate over the same port number as HTTP.
Microsoft issued a security advisory on Monday, which also lists IIS 5.0 as vulnerable. This issue may affect a much larger proportion of the 2.8 million IIS 5.0 websites as, unlike its successor, Windows 2000 Server automatically installs WebDAV alongside IIS 5.0.
Related Netcraft Service: SSL Survey
Related Netcraft Service: Web Application Security Testing
Netcraft's SSL Survey shows that 14% of valid third party SSL certificates are using MD5 signatures — an algorithm that is demonstrably vulnerable to attack.
Related Netcraft Service: SSL Survey
Related Netcraft Service: Web Application Security Testing
| Rackspace Managed Hosting - Web Hosting - Hosting | Swishmail.com Business Email Hosting | Compare the Best Web Hosting Companies |
| INetU Managed Hosting - Dedicated Servers | Windows Dedicated Servers from Server Intellect | Reseller hosting Managed dedicated server Ahosting |
| Business Web Hosting Services - webhosting.uk.com | Web Hosting - Dedicated Servers & VPS Hosting | Managed Hosting - PCI Compliance by NeoSpire |
Advertising on Netcraft