Everyone, their mom and dog has been confronted with Internet security. Everywhere in life; the mainstream media, workplace policies, and even casual social life includes news and warnings about cybersecurity. Facebook, Google, and Twitter are in the international news constantly being accused of privacy violations and of having a negative impact on younger people by changing their lifestyles to one of screen engagement. In addition to that, many people have had the personal experience of their online accounts or personal computer being hacked. On a national security level, just last week American oil pipeline company Colonial payed 4.4 million dollars to recover ransomed data.
So, do we all need a deeper understanding of Internet / IT security? Yes. It’s is a big complicated field but also an important one for users to understand. So put your seat belt on and let’s do a deep dive into Internet security.
What do you need to know? How much of internet security depends on you as a user and how of it much depends on the website you are visiting, or the browser you are using?
Fast Answer: Some of the responsibility depends solely on the end-user’s (that’s you) behaviour, but some of it also depends on the developers of the websites you visit and administrators of the web-servers that deliver the website content to you. Some of it also depends on the device you are using and intermediary devices such as WiFi access points (AP), the browser you use, and even the physical security of your home or office.
Now lets drill into some of the details.
The two most critical issues for users remain to be (1) SSL/TLS encryption and (2) making sure you use a unique and complex password for each online account you register. Let’s talk about those two issues in more detail first. Then move on to some other important issues.
1. Encryption of Internet Traffic with SSL/TLS
You have no undoubtedly heard the “lock in the browser bar” warnings. On some browsers it should be green, on others it should appear locked. Why does it matter? Because un-encrypted traffic between your device and web-server could be easily read or even modified if its not encrypted. If your home router has been hacked, or if you are on an open WiFi (WiFi with no password) for example, un-encrypted traffic makes it very easy for hackers. Also, if you share a WiFi AP password with someone, they will be on the same network as your devices and this allows them to read all communication data between the AP and all devices.
The Layers of Network Communication
If you think of computer communication as layers such as an onion, you could say that the WiFi (also called 802.11) layer of the communication (between your device’s antenna and the AP) is separate from the SSL/TLS layer of the connection, which is between your browser and the web-server of the site you are visiting. The concept of layers is very important in IT communications. There are two main models used to describe these layers, but OSI model is more popular than the US Department of Defense (DOD) Model.
So, since the physical and media access control layers (Wifi / 802.11 connection layer) are happening insecurely through the open air, they can be read by anyone with a properly configured antenna, and since the encryption of that connection depends on the password to the WiFi AP, anyone you share the password to your WiFi with can capture the connection “handshake” data when devices connect, and that handshake data can be used to decrypt the WiFi (802.11) layer. That makes SSL/TLS your last line of defence when it comes to securing the information travelling between your device and the web-server. SSL/TLS happens on the transport layer, and in-fact TLS stands for transport layer security.
However, even though your Internet traffic is encrypted between the web-server and your browser, someone on the same WiFi network as your can still read any DNS requests since DNS protocols does not offer any encryption at all. So, if your new roommate seems to know all about your passion for baking cookies, and interest in the french fashion industry, you may suspect they are capturing your DNS traffic. DNS protocol is used when your computer wants to resolve a domain name from a URL (the google.com part in www.google.com/index.com?search=chocolate%20cchip%20cookies) into an IP address (such as 184.108.40.206) to contact the correct server.
SSL/TLS also prevents anyone else along the route between your computer and the web-server (or other endpoint) including employees at the website’s data-center, who may have only physical access to the web-server, from simply plugging in a “tap” device and collecting data.
Whose Responsibility is SSL/TLS?
The availability of SSL/TLS encryption to a website is determined by the configuration of the website itself. If the server administrator does not add SSL/TLS, you cannot make your connection encrypted. Also, here is some other important information you may not know. A site may offer an encrypted version (httpS:// = encrypted instead of http://) but most browsers will try to connect with http:// first! This makes the attempt to load a web-page less secure. This happens when you click a link like: www.some-site.com instead of a link like https://www.some-site.com. The http:// or https:// part is called the scheme and if the scheme is not included in the link reference, the browsers that check for http first rely on the web-server to then redirect it to got to the encrypted (httpS) site.
The fact that browsers check for HTTP first when the link doesn’t have a scheme means that any device along the route of the communication could potentially conduct a man-in-the-middle (MiTM) on the connection. The MiTM can initiate a separate connection to the server, and simply send the un-encrypted data back to the user’s browser. This is possible even if the website doesn’t offer HTTP un-encrypted connections, because your browser is not communicating directly with the server, it is communicating with the MiTM. If this is happening to your device, you will see the lock at the top of the browser will be red color or appear unlocked.
Website administrators can offer the end-user more protection against this type of attack. The protection is called HTTP Strict Transport Security – Wikipedia (HSTS). The first time your browser connects to a server with HSTS enabled, it will receive a cookie that tells the browser that this site will always require SSL/TLS. So if someone has MiTM your connection, your browser will already know that the particular website should always have encryption enabled and warn you. Also, Firefox offers something called HTTPS Only Mode which will only allow the browser to make SSL/TLS connections and warn you of any connection that does not have SSL/TLS available before it connects and downloads the page. So, you don’t have to rely on the site administrator to enable HSTS.
You may ask: Why would my browser check for the less secure site first instead of checking for the more secure site first? Maybe it’s because browsers developers want to reduce the amount of traffic that goes over the internet. Since http traffic uses less bandwidth than https, browsers check http first and only upgrade if the server forces it to. For a more in-depth technical discussion about why HTTPS is not the default, you can read this discussion. Also, as of early 2021, Google has stated that Chrome will soon use HTTPS as it’s default connection. PHew!
To make things even little more complicated, the web-servers that also support OLDER versions of encryption makes users vulnerable to something called a downgrade attack. A MITM attacker can break client connections during the initial TLS handshake, because it happens in clear-text (unencrypted) triggering a downgrade to an older and less secure version. However, if the web-server didn’t allow older versions of encryption, some older computers may not be able to access the website.
If your connection can be downgraded, the browser lock will appear green or locked, but the encryption cipher being used is susceptible to being decrypted leaving the attacker with plain-text contents of your communication.
The initial connection to the website must be made in clear-text because the encryption method has not been negotiated yet between the browser and the web-server, so, data cannot be encrypted yet. Since that initial connection information is in clear-text (or plain-text) its contents can be modified by any devices on the route including a hacked home or office router or WiFi AP, or attempts to connect to the server with versions of TLS that have not been compromised can be blocked. The downgrade still results in an encrypted connection, but the older versions of SSL/TLS (SSL v3 and TLS v1.0 and 1.1) can be broken using an attack called POODLE. But not TLS v1.2 or TLSv1.3.
So, SSL/TLS downgrading is the responsibility of the web-server administrator to implement. A website by Internet Information and Security Firm Qualys [QLYS] called SSL Labs can test a website for it’s SSL/TLS security, and you can see that ripplesoftware.ca recieves an A+ rating for SSL/TLS security, meaning that your connection to the server is at very low risk of SSL/TLS downgrade attack and uses strong encryption with only un-compromised versions of TLS.
If you work for a big fancy company, on a workstation that you don’t own, you may have some certificates installed into the browser that allow the company read all your internet traffic. That is called an HTTPS-proxy. A corporate HTTPS-proxy works by installing the same type of SSL/TLS certificate that is used for encryption between a browser and a website into the browser’s trusted certificate authority cache. A website’s SSL/TLS certificate contains a list of of allowed domains that the certificate can be used with. However, side-loaded certificates into your browser by anyone who has physical access to your computer and can log in will also be trusted. Also, theoretically, if an attacker can escape from the browser with malicious code embedded in the website itself, they could possibly install a rouge certificate into your browser. Either way, the browser will trust it and the lock will appear green or locked. If you want another good description of HTTPS Proxy you can read more.
This corporate HTTPS-proxy will only work when you are on the company network since it needs MiTM device (also called an HTTPS-proxy appliance) to manage the connection and change the original certificate issued by the website. If you take your company lap-top home, the company cannot sniff your traffic using this method unless you are using a full VPN connection that routes your internet traffic back to the office and through the corporate network. For corporations that rely on high-security, this is likely considered critical to risk mitigation, since the HTTPS-proxy can also perform some malware scans on the traffic.
Partially Encrypted Content
What about when it’s only insecure for images? Maybe you have noticed the “warning” (see image below) warning you that SOME content on the website is not secure. What kind of security risk that that pose? Well… an attacker could change the image in transit (before it reaches your browser) and try to make the image attack a vulnerability in the browser image renderer. Or they could replace the image itself to show you a picture of things you probably don’t want to see. The first case is much more serious though since this ability to “escape the browser” could lead to malware being installed on your device. You don’t want that. If you remember Adobe Flash (??CVE?) However (???) any examples in the wild?
What can you when a website serves you partially encrypted content? You can install a browser plugin that will automatically attempt to upgrade the loading of those images to a nice secure TLS connection. A browser plugin can do this simply by looking for references to http:// in your browser and replacing them with https://. Right click in the browser window and click “View Page Source” if you want to look for them yourself next time you see a warning about some content on the site being insecure.
However, that content may be on another server that is not configured to have encryption available… and… browser plugins can have vulnerabilities of its own. So, it should be from a reputable developer (more on the topic of reputable developers later). The EFF makes a browser extension that does the trick. https://chrome.google.com/webstore/detail/https-everywhere/.
If you want to read the source code of any browser plugin you can. As of the time of writing this browser plugins can only be created using scripted languages (software languages that you can read the code for). However, perhaps in the future some browser extensions will be allowed that are compiled meaning you cannot easily read the source code because it has been optimized into a compressed package. There is a new language called “Web-assembly” that allows compiled software to run in the browser in order to make fancier more awesome websites that run faster (mostly for gamers). But right now extensions cannot be compiled. For more about browser plugin security you can read these references
Ad blocking Browser Plugins
In-cognito Mode and Browser Attempts to Increase Privacy
2. P@$$#or& Security
The second most important issue in your internet safety is your password. I know your mom’s name, and your birthday, so you will have to try harder than that. This is known as your password complexity, or also called “keyspace”. Keyspace is determined by the length of your password and the set of characters in it. This makes it harder to brute-force it because the number of combinations. (equation)
However, the website also plays a role in your passwords security. Which is why you should use a unique password on each site. If a website’s server gets hacked, the data stolen will likely include your email address and password right next to each other. So, the website administrators should store your password in encrypted form. Hashed to be more precise. Hashed with PBKDF2 to be more precise. It’s the industry standard for storing passwords on your server. It makes sure that your password “ilovemymom” does’t look the same as it would in another website database if you used in another website.
If you want to see if your passwords have been stolen in a password breach before, you can enter your email into a site like: https://haveibeenpwned.com/. You can try this seemingly random email address (email@example.com) in haveibeenpwned.com to see an example of an address that has been found in data breaches. Heck, try your mom’s email address to while you are at it. Don’t forget the “I forgot my password” trick by entering someone else’s email address just to see if they have an account. On that site. Some sites will explicitly tell you they sent you an email to reset the password. Other’s will try to obfuscate by saying “If an account exists”.
You can also sign up for email notifications that will let you know faster than you run for dinner when your mom calls if your account password is ever included in password breach in the future with Firefox Monitor (https://support.mozilla.org/en-US/kb/firefox-monitor). This is because hacker like to share the data with each other so they can get credit for pwning you (and share the duty of pwning you further). If the site does not encrypted your password on the site, even other employees at the company can find it and try to pwn you.
So, to summarize, the site is responsible for encryption of passwords, (and email address / other data you submit) on their servers which they may or may not do well or at all. So, the best you can do is use a unique password for each site with good keyspace.
Ooops. Well you can do a little more if the site offers 2 factor authentication (login). You know the story, you have to check your phone for a passcode in an app or email before you can sign in. If your account really matters to you, (i.e. you can spend money there, or peoples lives depend on it) you should use 2 factor. 🙂
But you say. I can’t remember a unique password for each account. That’s where a password manager comes in. Yes, your browser can store your passwords so you don’t have to remember them, but what about when you are on another computer? I guess some browsers can sync them, but PW manager allows you access them everywhere. Any a PW can generate a random password for you that ensures you will meet the complexity requirements. I know you want to make your password your dogs name. That’s what I’m saying. Don’t do that.