Author Topic: HTTPS / SSL  (Read 1014022 times)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« on: October 14, 2005, 01:47:52 AM »
Ok, some people on updates.mozilla.org and elsewhere think the online version should use SSL (i.e., https:// ) for some stupid reason. I guess they don't understand that the on-line version doesn't submit anything over the internet; it works client-side only.

So I looked into SSL. The certificate is free from CACerts.org, but the passwordmaker.org ISP requires a static IP address -- $2/month or $24/year.

Should we do it? Bottom line is we live in a world where we must cater to the lowest-common-denominator; in other words, people who either don't have the capacity or time to understand. I want to avoid any future negative press, whether it be in blogs or on updates.mozilla.org.

Anyone have opinions? I'm looking to recoup most or all of the $24/year from PasswordMaker users. I feel that my donation is the time I put into this stuff, and I've never asked to make a profit--just break-even.

-Eric
« Last Edit: October 15, 2005, 04:36:04 AM by Eric H. Jung »

Offline trephin

  • Jr. Member
  • **
  • Posts: 38
HTTPS / SSL
« Reply #1 on: October 14, 2005, 02:26:06 AM »
I understand your point Eric about the lowest common denominator,

HOWEVER,

and this is not meant to offend anyone nor do I consider myself very knowledgeable in matters of security/programming/technology (I probably know just enough to get in trouble)

but, the people who don't understand how the online version works are the same people who aren't going to understand or take the time to understand how PM in general works or what it is intended to do

that being said, I think any sort of misunderstanding can and will be corrected through other people who post replies on UMO etc and hopefully, by the new description / website / help pages

so, finally, I say, no, don't go through the whole business and expense

but that's my opinion and we know what those are worth...
« Last Edit: October 14, 2005, 02:27:36 AM by trephin »

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
HTTPS / SSL
« Reply #2 on: October 14, 2005, 02:34:33 AM »
Quote
I guess they don't understand that the on-line version doesn't submit anything over the internet; it works client-side only.
Eric, maybe the way the online version works needs to be better explained, so that users will understand that nothing gets submitted. I know that we could download the online version to make it local. So maybe we should explain that if they don't trust the online version, they can download it, save it locally, and thereby make it an offline version.

I think if you were to set up SSL, knowledgeable people, like the bloggers, the press, etc. would start laughing and give you bad press because you set up the SSL. Those bloggers would presumably understand why and that no SSL is needed and start to question your competence.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline quixin

  • Hero Member
  • *****
  • Posts: 538
HTTPS / SSL
« Reply #3 on: October 14, 2005, 02:46:50 AM »
I kind of agree with both of you therefore I am torn.  The guy that did the review over at the Rangers Tale blog said the same about the online version until I corrected him.  He literally updated what he had said immediately.  

I think the online version is explained exceptionally well but maybe a little more detail could be explained in layman's terms for the not so computer oriented users.  

Eric, did you engage in explaining the online version and why there was no need for a secure connection and what was the response?

On the other subject regarding donations, I've said it before and I'll say it again, don't be afraid to put that donations link back up any time. Most extension authors leave it up year round! IMHO PASSWORDMAKER is priceless and I don't think anyone would think negative about it!
« Last Edit: October 14, 2005, 02:51:13 AM by quixin »



Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #4 on: October 14, 2005, 03:25:46 AM »
Thanks for your replies. I only wish invisionfree would send me emails when people replied to my posts and then I could have replied sooner. Talk about buggy software but I digress...

Quote
Eric, did you engage in explaining the online version and why there was no need for a secure connection and what was the response?
I thought I engaged.. This is quoted from the page directly:
Quote
Is this page secure?
This page uses only javascript and html to generate passwords. There is no form submission -- purposefully -- so there is no way for the server to see or store your passwords (including the master). It would be a security risk to send passwords over an HTTP (not HTTPS) connection, and also to store them whatsoever (even encrypted) on a server; not to mention a violation of your privacy.
I'm probably assuming too much and think ppl have the time to read the full page. Of course, they don't. I don't read anything "below the fold" of a page 75% of the time or more.

Quote
Eric, did you engage in explaining the online version and why there was no need for a secure connection and what was the response?
Are you referring to UMO or a blog? No, I didn't engage.

Quote
On the other subject regarding donations, I've said it before and I'll say it again, don't be afraid to put that donations link back up any time. Most extension authors leave it up year round! IMHO PASSWORDMAKER is priceless and I don't think anyone would think negative about it!
Yeah, I gotta get around to that. It's just a pain in the ass; I'd rather spend the 30 minutes it takes me to do that on the website on PasswordMaker instead.

So anyway, I guess we'll skip the SSL stuff for now. Thanks everyone for your feedback.
« Last Edit: October 14, 2005, 03:27:12 AM by Eric H. Jung »

Offline quixin

  • Hero Member
  • *****
  • Posts: 538
HTTPS / SSL
« Reply #5 on: October 14, 2005, 11:40:45 AM »
Quote
Are you referring to UMO or a blog? No, I didn't engage.
Yes, I assume several people have commented somewhere or other about this and wanted to know if you pointed out the fact to them and what their response was. Was it the same as the response I got from the guy at the Rangers Tale blog?

Again, I think the explanation on the online page is extremely well written.   Perhaps we could just add text at the top of the online version page with something like:

*** SEE BOTTOM OF PAGE FOR IMPORTANT INFORMATION REGARDING SECURITY ***

or something to that effect.



Offline breyed

  • Jr. Member
  • **
  • Posts: 28
HTTPS / SSL
« Reply #6 on: October 14, 2005, 12:25:02 PM »
For best security, both the extension download and the online version should use SSL and an https URL.  Otherwise, the door is left open for the following attack:

An attacker inserts his computer into the connection path between the client computer and the PasswordMaker web site (spoofing attack).  The attacker then provides a munged version of either the extension or the online version (depending on what the client was requesting).  The munged version will contain code to upload the master password to the attacker's web site.

Another way to think about the situation is this: the online version is unique from most javascript downloads in that it asks the user for sensitive data. Because of that and because javascript code has the ability to share that data, the online version must be trusted. The trust can only be established by coming unaltered from a known source, which is what https provides.

Note that SSL is insufficient.  The attacker could simply use a hacked copy of the PasswordMaker web site with his own SSL.  (OK, "simply" is a misstatement: it is usually not easy to inject a site that pretends to be passwordmaker.org - but it is possible, which is why https exists.) The client wouldn't know the server is bogus and would happily chat with it over the SSL connection.  The client needs a certificate that it can trace to a root certificate authority that authenticates the server.  Can you get that free from CACerts.org?  If not, it might cost hundreds of dollars to get one. :(

Now here is an interesting twist.  Let's say you decide to secure the PasswordMaker web site with https.  The common user still won't be secure.  The problem is that the mozilla web site itself is insecure!  That is, if the user clicks Install Now from the Mozilla PasswordMaker page, he gets an insecure download link.  I wonder if automatic updates work the same way.

Furthermore, there may be an additional vulnerability, depending on Firefox's sandboxing model. If extensions are allowed to access data from other extensions (even private data using introspection), any other extension could access the master password stored in PasswordMaker. That would mean users would need to trust all extensions to the same degree that they do PasswordMaker. Hopefully, Firefox is already designed to isolate extensions, but it would be worth verifying and reporting, if not.

My bottom line recommendation would be to switch to https if practical (i.e. the authentication certificate isn't too expensive) and report the vulnerability of the Mozilla download.  The other way of looking at it is to say, well, there's no point until Mozilla gets its act together.  This is largely a value judgment, similar to the political question of whether a country should bother outlawing harmful internet content even if similar content would still be available due to its legality in other countries.  My personal values tend me toward doing what I think is best if it is practical for me to implement - even if there is little immediate practical value - as a matter of principle and to set an example for others.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #7 on: October 14, 2005, 03:04:20 PM »
Thanks for the feedback. I've decided to go for it, but to keep costs down we'll use the cert from CACerts.org. Unfortunately, they are not recognized by most existing browsers as a valid CA.

Offline Tyrantmizar

  • Sr. Member
  • ****
  • Posts: 307
HTTPS / SSL
« Reply #8 on: October 15, 2005, 02:01:10 AM »
I know this is a bit after the fact, but...

Quote
Unfortunately, they are not recognized by most existing browsers as a valid CA.
Including Firefox.

It doesn't do much good to add SSL to calm people's concerns, if Firefox comes out and says "this browser has no idea if passwordmaker.org can be trusted."  Also, anyone who does read the info on security will start to question it twice more with the current setup.  First off, if it is truly secure, why would it need SSL?  Having a secure connection for a javascript form that doesn't need it does tend to look funny.  Also, seeing as Firefox itself doesn't trust it...

« Last Edit: October 15, 2005, 02:03:14 AM by Tyrantmizar »
Tyrantmizar
- Check out my blog: http://tyrantmizar.blogsome.com/ (shameless plug :P)
- Lord of the Feature Requests / Enhancements Forum - BWAHAHAHAHA!!!!
- Lord of the other one, the [url=http://forums.passwordmaker.o

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #9 on: October 15, 2005, 02:19:54 AM »
I know about the certificate warning. It's because CACerts isn't a recognized authority. In Firefox 1.0.7, there are only 39 trusted authorities in the entire world. What a joke.

I was about to tell people to just deal with it until I saw the warning pop-up when I wasn't even navigating passwordmaker.org. Then I remembered that Firefox periodically hits http://passwordmaker.org/update.rdf to check for updates to the extension. So now people will see this message and probably think their passwords are being uploaded to passwordmaker.org or something nefarious.

I'll splurge for a certificate from one of the 39 trusted authorities, at least for a year. We'll see if it's still worth it after that.

-Eric
« Last Edit: October 15, 2005, 02:20:29 AM by Eric H. Jung »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #10 on: October 15, 2005, 04:35:29 AM »
Got a cert from godaddy.com for $29.95. Unbelievable price. The CA is Starfield Tech (they're actually owned by GoDaddy), which both IE and Firefox trust by default. It should be installed soon, replacing the one from CACerts.org.

Quote
An attacker inserts his computer into the connection path between the client computer and the PasswordMaker web site (spoofing attack). The attacker then provides a munged version of either the extension or the online version (depending on what the client was requesting). The munged version will contain code to upload the master password to the attacker's web site.
I believe this kind of attack can no longer happen now.

update: The new certificate is now in use.
« Last Edit: October 15, 2005, 06:50:34 AM by Eric H. Jung »

Offline breyed

  • Jr. Member
  • **
  • Posts: 28
HTTPS / SSL
« Reply #11 on: October 15, 2005, 10:08:15 PM »
When I go to the secure online version, I get the warning pop-up. Same goes for the xpi download.

Another issue is that since there are no links or redirects to the secure URLs, no one will know they exist, short of trying them manually. Perhaps you are just waiting to make sure everything works before switching over.

At the risk of stating the obvious, when you do hook in the https pages, for performance you should consider only linking to https for the online version, the downloads (xpi, etc.), and probably update.rdf (probably need to tweak the next version of PasswordMaker to use the https URL to update.rdf). All other pages are fine with just http, since they are not security sensitive as far as I know.
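
Added example (not part of the post above and not PasswordMaker's own code): a small JavaScript audit of the linking advice in Reply #11, flagging any link to the online version, an xpi download or update.rdf that would be fetched over plain http. The `/online/` path, the `.xpi` file name and the sample HTML are constructed assumptions; only `http://passwordmaker.org/update.rdf` appears in the thread.

```javascript
// Added example: report security-sensitive resources a page links over http.
// The three categories follow Reply #11; the path rules are assumptions.
const SENSITIVE = [
  { name: "extension package", test: (u) => u.pathname.endsWith(".xpi") },
  { name: "update manifest", test: (u) => u.pathname.endsWith("/update.rdf") },
  // Hypothetical location of the online (client-side JavaScript) version.
  { name: "online version", test: (u) => u.pathname.startsWith("/online/") },
];

// Pull href/src values out with a regex. Adequate for auditing one's own
// static pages; it is not a general HTML parser.
function extractLinks(html) {
  const links = [];
  const re = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = re.exec(html)) !== null) links.push(m[1] ?? m[2]);
  return links;
}

// Resolve every link against the URL the page itself was served from.
// Relative links inherit the page's scheme, so the same HTML can be clean
// when served over https and flagged when served over http.
function auditLinks(html, pageUrl) {
  const findings = [];
  for (const raw of extractLinks(html)) {
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; } // unparsable
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    const kind = SENSITIVE.find((s) => s.test(url));
    if (kind && url.protocol === "http:") {
      findings.push({ kind: kind.name, url: url.href });
    }
  }
  return findings;
}

// Constructed sample page (file names are hypothetical).
const SAMPLE_HTML = `
<a href="http://passwordmaker.org/passwordmaker.xpi">Install</a>
<a href="https://passwordmaker.org/online/">Online version</a>
<script src="/online/passwordmaker.js"></script>
<a href="faq.html">FAQ</a>
<a href="mailto:someone@example.org">Contact</a>
`;

console.log(auditLinks(SAMPLE_HTML, "http://passwordmaker.org/index.html"));
```

A redirect from http to https does not clear a finding here, because the first request still travels unprotected; the link itself has to carry the https URL.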

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #12 on: October 16, 2005, 03:27:57 AM »
I'll disabled automatic redirect to HTTPS temporarily since there are problems with the warning pop-up still.

As for only linking the online version, xpi, and update.rdf, I'll see what I can do but I'm not sure my mod_rewrite skills are up-to-par for that yet.

Thanks for the feedback!
Eric

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
HTTPS / SSL
« Reply #13 on: October 18, 2005, 03:18:52 PM »
mod_rewrite skills you say? I might be able to offer some help.
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
HTTPS / SSL
« Reply #14 on: October 18, 2005, 05:32:08 PM »
Thank you! I'll PM the rules I need...

PasswordMaker Forums
