This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog
The Electronic Freedom Foundation (EFF) is a very important organization to those of us who care about technology, security, and privacy. I primarily know about their legal efforts — protecting free speech, fair use, and civil rights. If you’re a security researcher, then you know that any moment some big corporation may choose to sue you for reporting an exploit rather than addressing their vulnerabilities. Apple has sued security researchers. Microsoft used to threaten to sue (and left open the potential to do it again). Epic Games, Cisco, and many other big companies have tried to sue people who report vulnerabilities. When this happens, we inevitably run to the EFF for assistance and guidance.
The EFF usually has a very visible position at most big security conferences and they are well-known in the security community. While I rarely donate to any organizations, I have donated to the EFF because they are needed and they do very good work.
Well… they usually do good work…
Oh, so close!
Beyond their legal actions, exposés, and topical news reports, they also provide a cute browser plug-in, developed in collaboration with the Tor Project, called “HTTPS-Everywhere”. The idea is that it forces your web browser to use HTTPS rather than HTTP.
I have previously mentioned many of the limitations with HTTPS: it doesn’t reliably validate connections, it permits the human to bypass detected security risks, it is vulnerable to man-in-the-middle connection hijacking, and that little lock symbol really doesn’t mean you are secure.
As security goes, HTTPS is “better than nothing” security. Treat it like that little lock on your front door — it stops someone from easily opening the door. But it doesn’t stop someone from picking the lock, kicking in the door, listening to you through the door, or climbing in the open window next to the door.
Before Google forced everyone to use HTTPS, they offered both HTTP and HTTPS for accessing google.com. With this plug-in, you would be sent to HTTPS rather than HTTP. The same goes for eBay, PayPal, and many other sites. Lots of sites offer both HTTP and HTTPS, but few sites force you to use HTTPS when HTTP is available. In effect, this plug-in forces you to use security-by-placebo rather than no security at all.
My current irk with HTTPS-Everywhere is that the developers do not seem to be testing their code before releasing it. I recently learned that they have a rule file named Hacker-Factor.xml. This rule forces users who access my FotoForensics site to use HTTPS instead of HTTP. This is a big problem.
While FotoForensics does run both HTTP and HTTPS servers, these two interfaces do not provide the same services. “HTTP” is for the public. As clearly specified in the FAQ, the public service is public. It is not private, it offers no privacy, it is explicitly a research site, and it does not offer logins to the public.
In contrast, my HTTPS server demands a login. You won’t get to the upload page or any of the other features without login credentials. (Logins to that server are strictly limited to administrators and research partners.) With my server, you need HTTPS to access the login interface.
Forcing the Point
There is no rule that says the HTTP and HTTPS servers must provide the same content. In fact, many sites today are like mine: HTTP is for the public, and HTTPS is for users who need to log in. Today, I cannot log in to my bank’s web site without using HTTPS. With HTTP, I see their site, but I must switch to HTTPS to see the login. I cannot log in to Google or Twitter or Facebook without HTTPS. Even most news sites use HTTP for public content, but you must use HTTPS if you want to log in. It is not uncommon to see very different content when using HTTPS instead of HTTP.
By forcing users to the HTTPS service at FotoForensics, HTTPS-Everywhere prevents people from using FotoForensics. Moreover, I know that I’m not the only web service out there that uses HTTP for public information and HTTPS for private access.
(I should point out that Buzzfeed.com forces users to HTTP. HTTPS at cnn.com doesn’t work. Reddit.com still uses HTTP, even for logins. And pay.reddit.com displays very different content depending on whether you use HTTP or HTTPS.)
As far as I can tell, someone associated with HTTPS-Everywhere did do a little testing with their Hacker-Factor.xml rules. They noted in their configuration file that I use a self-signed certificate. A self-signed certificate is typically considered “bad”. Except that I also use client-side certificates, which is much stronger than third-party authentication without client-side certificates. (Also, I don’t see any point in paying a third-party certificate provider for a certificate that isn’t secure.) In effect, I have two-part authentication: something you have (the client-side certificate) and something you know (login credentials). While the EFF noticed my self-signed cert, they did not notice that they couldn’t use the HTTPS site!
I noticed this today when a user complained, so I filled out a trouble ticket, letting them know that the configuration for my site was incorrect. (The “reported by: cypherpunks” is their generic account for people who do not want to register a login with their trouble-ticket service.) They closed it out shortly after, with no change and the comment, “it won’t prohibit the vast majority of people from visiting the site.” I guess they missed the part that prohibiting ANYONE from accessing my site is a flaw in their rule-set!
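As an added example (not part of the original post or of the HTTPS-Everywhere project), here is the kind of pre-release check the post argues the rule authors skipped: a small Python script that parses a ruleset in the HTTPS Everywhere XML format (`<target>`, `<exclusion>` and `<rule>` elements), applies it to URLs the way the extension would, and compares how each URL behaves over HTTP versus its rewritten HTTPS form. The ruleset, the `example.org` host and the probe results are constructed stand-ins, not the contents of Hacker-Factor.xml; in a real audit the `CONSTRUCTED_PROBES` table would be filled by fetching each URL, and a client-certificate demand or an error status on the HTTPS side is exactly the mismatch that should stop a rule from shipping.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed ruleset in the HTTPS Everywhere XML format. The host and the
# patterns are placeholders, NOT the contents of the real Hacker-Factor.xml.
SAMPLE_RULESET = r"""<ruleset name="Example (constructed)">
  <target host="example.org" />
  <target host="*.example.org" />
  <exclusion pattern="^http://example\.org/status/" />
  <rule from="^http://(www\.)?example\.org/" to="https://example.org/" />
</ruleset>"""


def parse_ruleset(xml_text):
    """Read targets, exclusions and rewrite rules from a ruleset document."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.get("name"),
        "targets": [t.get("host") for t in root.findall("target")],
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        # HTTPS Everywhere writes back-references as $1; Python's re wants \1.
        "rules": [(re.compile(r.get("from")), re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
                  for r in root.findall("rule")],
    }


def host_matches(host, target):
    """A '*.example.org' target matches subdomains only; others match exactly."""
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target


def rewrite(ruleset, url):
    """Return the URL the extension would load: rewritten, or unchanged."""
    host = urllib.parse.urlsplit(url).hostname or ""
    if not any(host_matches(host, t) for t in ruleset["targets"]):
        return url
    if any(e.search(url) for e in ruleset["exclusions"]):
        return url
    for pattern, replacement in ruleset["rules"]:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return url


# Constructed probe results standing in for real fetches of each URL. A 403
# with client_cert_required models an HTTPS service that, like the one the
# post describes, demands a client certificate and a login.
CONSTRUCTED_PROBES = {
    "http://example.org/": {"status": 200, "client_cert_required": False},
    "https://example.org/": {"status": 403, "client_cert_required": True},
    "http://www.example.org/upload": {"status": 200, "client_cert_required": False},
    "https://example.org/upload": {"status": 403, "client_cert_required": True},
    "http://example.org/status/": {"status": 200, "client_cert_required": False},
}


def verdict(before, after):
    """Decide whether swapping `before` (HTTP) for `after` (HTTPS) loses access."""
    if after is None:
        return "untested: no probe for rewritten URL"
    if after.get("client_cert_required"):
        return "BREAKS: HTTPS endpoint demands a client certificate"
    if before["status"] < 400 <= after["status"]:
        return "BREAKS: HTTP %d became HTTPS %d" % (before["status"], after["status"])
    return "ok"


def audit(ruleset, probes):
    """Apply the ruleset to every http:// probe URL and report the outcome."""
    report = {}
    for url, before in probes.items():
        if not url.startswith("http://"):
            continue
        new_url = rewrite(ruleset, url)
        if new_url == url:
            report[url] = "unchanged (no matching rule, or excluded)"
        else:
            report[url] = verdict(before, probes.get(new_url))
    return report


if __name__ == "__main__":
    for url, result in audit(parse_ruleset(SAMPLE_RULESET), CONSTRUCTED_PROBES).items():
        print(url, "->", result)
```

Any "BREAKS" line in the report is a rule that would lock some users out, which is the situation the post describes; the `<exclusion>` element is the ruleset's own mechanism for carving out paths that must stay on HTTP.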
The other thing that got me looking at the EFF was a tweet they made today:
One year after the first Snowden disclosure, we need a web that resists NSA spying. Fight back. Run a Tor relay. https://eff.org/tor
Wow… does the EFF really not understand what Tor does?
The folks at the Tor Project have a wonderful description of their process. Tor mixes up the path between your computer and the remote system you are accessing. Let’s assume that there is someone who can watch all network traffic. What will they be able to tell about your online activities?
- They will see that your computer is connecting to a Tor server. But they won’t know what you are doing. The data between you and the Tor server is encrypted.
- The Tor network is like a giant mixer. One node passes to another node passes to another node… And since everyone is getting mixed up, someone watching the network traffic will see you and lots of other people (and other Tor nodes) all connect to the same Tor nodes, but they won’t know which continuing traffic belongs to you. Your trail vanishes into anonymity.
- Eventually your traffic will reach an “exit node”. This is where it leaves the Tor network and connects to your desired server. The observer sees lots of exit nodes and lots of exit traffic — they don’t know which one belongs to you.
In this regard, Tor offers great security: an observer can see you enter, but doesn’t know what you sent or where you went. They can see lots of people exiting the Tor network, but they cannot identify which exit request is yours. It’s like being pursued by bloodhounds, getting into a car, and driving into rush-hour traffic — the dogs will lose your scent.
(For you deep-security folks, I’m ignoring potential connection leaks via applications that do not use Tor for DNS, or other things you run that do not pass through the Tor tunnel.)
If your path is secure, then that means you are secure, right? Well, no.
Eventually your network traffic must exit the Tor network. At that point, it’s just as secure as connecting directly. If you connect to your bank or your Reddit account, then someone watching the traffic will see your login credentials used at that service. The omnipotent observer will see you connect to Tor “going somewhere” and your credentials being used to check your email at Yahoo. At this point, they don’t need a high IQ to know it is you. (It’s like catching a bank robber who fled the scene after being identified. The cops won’t go chasing you. They’ll just send someone over to watch your house — you’re bound to go home sometime…)
Last January, there was a report about some evil Tor exit nodes. Remember: the exit nodes can watch you leave the system and they can explicitly see where you are going. According to the report, some Swedish researchers managed to find “at least 22 corrupt exit nodes that were tampering with encrypted traffic leaving the supposedly private Tor network.”
Tor nodes are run by volunteers, and there is no vetting involved. If you want to run a Tor node, you can. If you want to be an exit node, that’s allowed. And if you want to watch all traffic that leaves your exit node, there’s nothing stopping you. In the case with the Swedish researchers, they found some nodes that were intentionally altering the data that you wanted to receive.
I’d say that this is earth-shattering news, except that it isn’t. This type of exploit was reported in 2012, in 2011 (with sample code), and pretty much every year since Tor started.
Back in 2007, one Swedish guy ran a Tor exit node and was capturing login credentials. Among other things, he saw login credentials to embassies all over the world.
You are… The Weakest Link!
At this point, Tor is only as secure as your connection to the server. If you use HTTP over Tor and you do anything that identifies yourself (fill out a form that requires your name, enter your email address, log in to a service, check Facebook, do an ego-search to see who is talking about you…) then you’ve just compromised any security that Tor was providing. Someone watching the network traffic will know it was you.
Using something like HTTPS-Everywhere can help a little. It will stop you from forgetting to use HTTPS for certain web sites. However, virtually nobody uses HTTPS with client-side certificates. And without client-side certificates, it is relatively easy for someone on the network between Tor and your bank to hijack your network connection. (For the attacker, you don’t sit and wait for “Neal” to login… You hijack everyone and eventually you’ll also catch “Neal”.) Moreover, if someone is smart enough to configure a Tor exit node and monitor traffic, then they are certainly smart enough to hijack your HTTPS connection. (We’re not talking about an extreme level of difficulty here; any beginner-admin can learn to do this in a few hours.)
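To make the observer model from the Tor section concrete, the following is an added Python simulation (mine, not the post's or the Tor Project's code): a three-hop circuit with one layer of encryption per relay, a `peel` step showing the one thing each relay learns, and a comparison of what leaves the exit relay for a plain HTTP request versus a request wrapped in an end-to-end key that stands in for a TLS session with the destination. The cipher is a toy built on SHA-256, the relay names, keys and `bank.example` destination are constructed, and Tor's real circuit construction, cell format and key exchange are deliberately not modelled.

```python
import hashlib
import json
import secrets


# Toy stream cipher built from SHA-256 so the example runs on the standard
# library alone. It stands in for Tor's real per-hop encryption and is NOT a
# secure cipher; only the layering it demonstrates matters here.
def _keystream(key, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes it


# A three-hop circuit. Keys are constructed per run; in Tor each hop's key
# comes from a handshake with the client, and no relay holds another's key.
PATH = ["guard", "middle", "exit"]
RELAY_KEYS = {hop: secrets.token_bytes(16) for hop in PATH}


def build_onion(path, keys, destination, app_data):
    """Wrap app_data for the exit first, then add one layer per earlier hop."""
    inner = json.dumps({"next": destination, "data": app_data.hex()}).encode()
    blob = toy_encrypt(keys[path[-1]], inner)
    for hop, next_hop in zip(reversed(path[:-1]), reversed(path[1:])):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = toy_encrypt(keys[hop], layer)
    return blob


def peel(hop, keys, blob):
    """What relay `hop` learns by removing its layer: the next address and an inner blob."""
    layer = json.loads(toy_decrypt(keys[hop], blob))
    return layer["next"], bytes.fromhex(layer["data"])


def traverse(path, keys, onion):
    """Walk the circuit and record what each relay can see.

    Returns (views, leaving): views maps each hop to the only address it
    learned; leaving is the byte string that exits toward the destination.
    """
    views, blob = {}, onion
    for hop in path:
        next_hop, blob = peel(hop, keys, blob)
        views[hop] = next_hop
    return views, blob


def simulate(request, end_to_end_key=None):
    """Send `request` through the circuit.

    With end_to_end_key=None the request is plain HTTP, so whatever leaves the
    exit is the request itself. With a key (standing in for a TLS session the
    client shares only with the destination) the exit sees ciphertext.
    """
    app_data = request if end_to_end_key is None else toy_encrypt(end_to_end_key, request)
    onion = build_onion(PATH, RELAY_KEYS, "bank.example", app_data)
    return traverse(PATH, RELAY_KEYS, onion)


if __name__ == "__main__":
    # Constructed request; the cookie value is a placeholder, not a real credential.
    request = b"GET /account HTTP/1.1\r\nHost: bank.example\r\nCookie: session=PLACEHOLDER\r\n\r\n"
    for label, key in (("HTTP over Tor", None), ("HTTPS over Tor", secrets.token_bytes(16))):
        views, leaving = simulate(request, key)
        print(label)
        for hop in PATH:
            print(f"  {hop:6} learns next hop = {views[hop]}")
        print("  bytes leaving the exit:", leaving[:40], "...")
```

The guard learns only "middle" and the middle relay only "exit"; the exit learns the destination and, for plain HTTP, the full request including any session cookie or login form, which is the post's point that Tor's anonymity ends where the circuit does. With the end-to-end key the exit still learns the destination but only ever holds ciphertext, which is the benefit a tool like HTTPS-Everywhere buys over Tor, and no more than that.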
Run or Run Away
In their tweet, the EFF recommends that people run their own Tor relays. This will make the mixer network larger and makes tracking network traffic more difficult. However, what does it do for privacy and to your network traffic?
What my client meant to say…
Perhaps the EFF meant to tell people to use Tor and misspoke when they said to run a Tor relay… In that case, there are still two issues: speed and security. With regards to speed, Tor is really slow on its good days.
But then there is that pesky exit-node issue. Without Tor, I can connect to my bank from my home. I can be fairly confident that nobody is intercepting or hijacking the connections, and it is as safe as HTTPS (without client-certs) allows. But with Tor, I cannot trust the exit nodes. HTTPS will not notify me if the initial connection is hijacked, and the exit node has a great opportunity to hijack it.
Moreover, Tor nodes are run by volunteers all over the Internet. I have no idea who they are, what networks my login credentials are passing over, or who might be watching. As far as I know, there is no way to identify all of the networks that my packets touch. While I do use Tor for anonymous network access, I would never trust it in its current state for anything that requires identifiable information.
For more specific paranoia, consider this: If I connect directly from my home to my bank, I can use traceroute and identify that my packets never leave this country. Yes, corporations that run the networks may see my traffic, but I don’t have to worry about foreign governments. In contrast, if I use Tor and it randomly selects an exit node in Taiwan, then governments in Taiwan, China, Europe, and every other country can spy on my connection as the packets leave a distant Tor exit node and connect to my local bank. With Tor, there are a lot more options for people to watch my online activities and hijack the connection. Without Tor, I only have to worry about my local networks.
I typically trust the EFF’s judgment. Their legal advice and concerns about privacy, security, and technology are usually spot-on. And when the EFF speaks, people should listen.
However, as with anyone else, their suggestions are not always 100% reliable. Forcing people to use HTTPS on an HTTP-only service breaks access to the service. Releasing an HTTPS-Everywhere rule without testing it first seems like a really bad idea, and not patching it when told that the rule does not work seems willfully ignorant. And while I agree that we need a more secure version of the Internet, Tor is not the solution. Advising people to run a Tor node without identifying the impact and risks seems like a huge mistake to me.
Perhaps I am just over-reacting. But it seems to me that the EFF just gave out some very bad advice.