NPI's Cascadia Advocate

Offering commentary and analysis from Washington, Oregon, and Idaho, The Cascadia Advocate is the Northwest Progressive Institute's unconventional perspective on world, national, and local politics.

Wednesday, April 22nd, 2015

Browse with confidence: NPI’s core network now encrypting all visits by default

It seems like hardly a week goes by these days when we don’t hear about yet another data breach or newly-discovered exploit in widely used software. Bad neighborhoods have existed on the Internet for a long time, but danger now seems to present itself at every turn. There’s malware lurking all over the place, email accounts are constantly being hijacked to send spam, and websites are being broken into to steal information or cause damage to a firm’s reputation.

Sadly, many of these incidents are happening because people aren’t taking basic steps to stay safe. Technologies like HTTPS (and supporting TLS features such as SNI) exist to encrypt data and user sessions, but they aren’t as widely used as they ought to be.

NPI has always been a security and privacy conscious organization, and we have repeatedly spoken out here in support of good cybersecurity hygiene.

But we know that speaking out isn’t enough. Real leadership means setting a good example for others to follow. We have to walk our talk.

And today, we’re doing just that.

With so many grim developments on the cybersecurity front lately, it’s our pleasure to be the bearers of some good news for a change.

Over the past year, we’ve invested in some important improvements to our web infrastructure, with the last pieces going into place this week. Thanks to these improvements, which are made possible due to the generosity of our loyal supporters, we are now able to encrypt — by default! — all visits to our core network (nwprogressive.org), which includes the Cascadia Advocate and In Brief.

What does this mean? It means that when you type in nwprogressive.org or navigate here from a link or bookmark, your browser will communicate with our server over an encrypted connection.

How can we guarantee this? Because we’re no longer giving anybody the option of connecting to nwprogressive.org insecurely.

Try typing the address for this blog right now, and our server will redirect you. It’ll require you to connect over a secure port, and you’ll see the prefix change to HTTPS if you didn’t put it in. The idea here is to make sure that data sent by our web server to your computer gets scrambled as it travels across the Internet using Transport Layer Security (TLS). Likewise, if you fill out a form on our site and send us data, the contents will be encrypted while in transit to our server.

We have actually been using HTTPS to manage NPI’s websites for quite a long time, but now HTTPS is the default on the frontend as well as the backend.

You can tell that the connection is secure because a padlock icon will appear in your address bar. Additionally, because we have invested in an extended validation certificate, the padlock icon should be green, and part or all of your address bar may also appear green. If you’re using a desktop browser, you’ll see NPI’s name.

For example, in Mozilla Firefox on a Mac:

Screenshot of address bar in Firefox with Cascadia Advocate loaded

If you click on the green portion of the address bar with NPI’s name in it, a tooltip pops up verifying that you’re accessing NPI’s website over a secure connection, and the certificate is trusted.

Depending on what browser and operating system you have, the address bar will look different. The green background might stretch across the entire width of the bar, or it might only appear behind the text that says Northwest Progressive Institute. Regardless, some part of the bar will turn a shade of green, as you can see from the following compilation of browser address bars:

Examples of address bars with green fields

Not many organizations go to the trouble of investing in extended validation certificates. They can be pretty expensive (though we secured ours at a very good price) and a bit of a bother to set up.

But EV certificates have one critically important advantage over regular secure certificates: their green EV indicator can’t be spoofed in two of the most widely used browsers in the world, Firefox and Chromium (which Google Chrome is based on).

Coincidentally, Chromium/Chrome and Firefox also happen to be the browsers of choice for the vast majority of people visiting NPI’s network of websites. That much we know from consulting our server logs and site statistics.

So, most of you reading this benefit from our investment in an EV certificate.

Certificate spoofing can certainly be malicious (with an intent to cause harm) but sometimes it is done by institutions we trust — like our employers or our schools — that want to spy on us. Researcher Steve Gibson explains:

Any corporation, educational institution, or other Internet connectivity provider who wishes to monitor every Internet action of its employees, students or users—every private user ID & password of every social networking or banking site they visit, their medical records, all “secure” email… EVERYTHING — simply arranges to add one additional “Pseudo Certificate Authority” to their users’ browsers or computers.

It’s that simple.

By “pseudo certificate authority”, Steve means a fake entity invented by the corporation or institution that wishes to spy on its users, as opposed to a real certificate authority like Symantec’s Thawte, Comodo Group, Trustwave, GeoTrust, or the newly-formed, free software community-backed Let’s Encrypt.

Consider Steve’s hypothetical:

For example, suppose that “Bendover Industries” installs a commercially available “SSL Proxy” (also known as an HTTPS or TLS Proxy). Then, as part of prepping computers for use inside their network, Bendover’s IT department simply adds one additional “trusted” Certificate Authority to each computer. That’s all it takes.

Now, whenever anyone inside Bendover’s network makes a “secure” connection to any remote public web site—their bank, Google Mail, Facebook, anything—that connection is intercepted by Bendover’s SSL Proxy appliance before it leaves the building.

On-the-fly, the SSL Proxy Appliance creates a fraudulent “spoofed” web server certificate in order to impersonate the intended remote web site, and it signs that fraudulent certificate itself using the signature of the also-fraudulent Certificate Authority that was previously planted inside the user’s browser or computer.

If this sounds villainous, well, that’s because it is. Do note that the technique Steve is describing can only be practically and readily implemented on computers that an institution controls. A personally-owned computer that an institution’s IT department doesn’t have access to can’t be tricked out with a pseudo-CA.

The consequences of this spoofing are pretty serious:

Instead of connecting to the remote web server, the browser is “securely” connected only to the local Proxy Appliance which is decrypting, inspecting, and logging all of the material sent from the browser. It inspects all content to determine whether it abides by whatever arbitrary policies the local network is enforcing. Its users have NO privacy and NO security. Or perhaps it just silently logs & records everything for possible future need. Either way, it has obtained full access to everything the user enters into their web browser.

While SSL/TLS interception cannot be prevented when a user doesn’t have control over the computer he or she is using, it can almost always be detected. The institution running the pseudo-CA doesn’t know the real server’s private key, so its proxy has to substitute a key pair of its own, and the spoofed certificate it presents therefore has a different fingerprint from the genuine one.

In the course of his research into certificate spoofing, Steve discovered, as I mentioned earlier, that EV certificates cannot be spoofed in Firefox or Chromium/Chrome, owing to the way that those browsers are made:

Since both Mozilla’s Firefox and Google’s Chrome/Chromium browser projects are fully open source, we were able to inspect the way EV certificates are validated.

They maintain their own private internal lists of trusted EV certificate authorities and will ONLY display the green EV coloration when the server’s certificate has been signed by a chain of certificates terminating in one of those known root authorities. This means that they cannot fall prey to EV spoofing the way Internet Explorer was designed to.

The EV handling within Opera and Safari is unknown. They are closed source browsers, and they do not appear to publish any formal statements about their handling of EV certificates. (If anyone does have any definitive information about Opera or Safari, please drop us a line.)

If the above is Greek to you, don’t fret.

Here’s the takeaway that you need to know: If you’re connecting to NPI’s website in an open source browser like Firefox or Chromium and your browser address bar doesn’t partially turn green, it means the connection is not fully secure.

The absence of the green field might occasionally be due to the presence of mixed content. That’s when a page you’re accessing over HTTPS loads embedded content like images or scripts over a regular ol’ HTTP connection that isn’t secure.

We haven’t scoured every single page and post on nwprogressive.org yet to remove all of the hardcoded HTTP prefixes that may exist. But we’ve corrected enough that you should see the green field most of the time.
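The hardcoded-prefix hunt described above can be automated. The following is an added example, not NPI’s own tooling: it walks a page’s HTML and reports every sub-resource (image, script, stylesheet, frame, media) that a browser would fetch over plain http://, which is exactly what makes a page count as mixed content. The sample HTML and its URLs are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Attributes whose http:// value a browser fetches as a sub-resource of the page.
# Plain <a href> links are navigations, not mixed content, so they are not listed.
# <link href> is flagged conservatively, even for rel values a browser never fetches.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
}


class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every sub-resource loaded over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in RESOURCE_ATTRS.get(tag, ()):
                continue
            if name == "srcset":  # comma-separated candidates: "url 1x, url 2x"
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for url in candidates:
                if url.lower().startswith("http://"):
                    self.findings.append((tag, name, url))


def find_mixed_content(html):
    """Return the list of http:// sub-resources referenced by an HTML document."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two hardcoded http:// resources and one harmless link.
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="https://nwprogressive.org/style.css"></head>
<body>
<img src="http://nwprogressive.org/images/logo.png" alt="logo">
<img srcset="https://cdn.example.test/a.png 1x, http://cdn.example.test/a@2x.png 2x">
<script src="https://nwprogressive.org/app.js"></script>
<a href="http://nwprogressive.org/about/">About</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> loads {url}")
```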

If you never see it, it’s quite possible that your secure browsing is being intercepted. To know for sure, you’d want to compare certificate fingerprints (if you know how… if you don’t, you could ask a tech-savvy friend, or contact us for assistance).
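For readers who want to do the fingerprint comparison themselves, and to confirm the plain-HTTP redirect described earlier in the post, here is an added example (not NPI’s own code) using only Python’s standard library. It assumes the host nwprogressive.org from this post; the pinned fingerprint is a placeholder you replace with the value you recorded on a network you trust, and the network-facing functions are only called when the script is run directly.

```python
import hashlib
import http.client
import socket
import ssl

REDIRECT_CODES = {301, 302, 307, 308}

def is_https_redirect(status, location):
    """True if a plain-HTTP response sends the client to an https:// URL."""
    return status in REDIRECT_CODES and (location or "").lower().startswith("https://")

def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, colon-separated as browsers show it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprints_match(seen, expected):
    """Compare two fingerprints, ignoring colons, spaces and letter case."""
    def normalise(fp):
        return fp.replace(":", "").replace(" ", "").lower()
    return normalise(seen) == normalise(expected)

def fetch_server_cert_der(host, port=443):
    """Return the leaf certificate the TLS peer presents for host (SNI is sent)."""
    # Default verification passes even behind an interception proxy, because its
    # pseudo-CA sits in the local trust store; only the fingerprint check reveals it.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def plain_http_is_redirected(host):
    """Request http://host/ and report whether the server forces HTTPS."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    return is_https_redirect(resp.status, resp.getheader("Location"))

if __name__ == "__main__":
    HOST = "nwprogressive.org"
    # Placeholder: paste the fingerprint you recorded on a network you trust.
    PINNED = "PLACEHOLDER_FINGERPRINT_RECORDED_ON_A_TRUSTED_NETWORK"
    print("HTTP -> HTTPS redirect:", plain_http_is_redirected(HOST))
    seen = cert_fingerprint(fetch_server_cert_der(HOST))
    print("Fingerprint seen now:", seen)
    print("Matches pinned copy:", fingerprints_match(seen, PINNED))
```

A mismatch against a fingerprint recorded elsewhere means something between you and the server is presenting a different certificate, which is the interception case the post describes (a legitimate certificate renewal also changes the fingerprint, so re-record it from a trusted network before concluding anything).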

When an institution lacks the power to sniff or intercept Internet traffic, it sometimes blocks use of HTTPS altogether, which is really unfortunate.

The Bellevue School District does this, for example. I know they do it because I’ve logged onto their guest Wi-Fi network before and discovered that it’s not possible to securely connect to any website. It doesn’t matter what it is.

Because this domain now only accepts traffic over HTTPS, it’s not going to load at all on a public Wi-Fi network where HTTPS is blocked. That’s a consequence we are willing to live with. None of us should be using an Internet service provider or Wi-Fi network where HTTPS has been blocked anyway.

Projects not hosted at nwprogressive.org are not yet set to require visitors to use HTTPS, but will be soon. Permanent Defense will be next — it already has its CA-issued certificate. After that, we’ll move on to Pacific NW Portal.

Making websites secure is hard work, so it may be a few months before we’re done. But the effort has been and will be well worth it.

If you have any questions or comments about the security upgrades we’ve made here, please don’t hesitate to get in touch or leave a comment here. In either case, your message to us will be transmitted over an encrypted connection!


2 Comments

  1. Wow, I had no idea about certificate spoofing. Kudos to NPI for caring so much about the security and privacy of your visitors! Not enough webmasters do.

    # by Aaron Terry :: April 24th, 2015 at 3:25 AM
  2. You’ve certainly set a good example for others. Thank you for doing this.

    # by Shanice Mack :: May 14th, 2015 at 8:49 PM