Pages: 1
  Print  
Author Topic: https (Browser security)  (Read 3435 times)
Offline (Female) IsmAvatar
Posted on: May 03, 2013, 05:26:28 PM

LateralGM Developer
LGM Developer
Location: Pennsylvania/USA
Joined: Apr 2008
Posts: 886

View Profile Email
Basically, the announcement is that I've renewed our self-signed certificate and enabled SSL on this site, meaning that you can now use https for security while browsing and logging into the enigma website, forums, etc.

However, that's hardly in english, so I'm going to dumb it down into something you guys can actually understand and read, and in the process I'm going to show my ignorance of the technologies and probably explain something slightly incorrectly. Feel free to correct me, but I think I will get the gist of it, so...

Http is a great way to send and receive plain text, and maybe even some binary data like images and files. But it's not exactly secure. If you log in over http, the following happens:
You generate some packets with your username and password, and send them in the general direction of the server. This information is pretty much plain text. Along the route, it will go through your network, to your router. Then, your router sends it off to your ISP, and it bounces around the internet before it gets to the server ISP, the server's router, and then the server. At any point along that line, a number of computers can easily "sniff" those packets and see what's in them. Anybody on your network can (connected to your router). Your router can, but they're never set up to, because it's useless information for them to keep storing packets. Your ISP can. After that, it bounces around the internet, where not many people really care about it. Then it gets to our server's ISP, router, and server, where nobody's going to sniff it because we pay good money for that server, so it's going to be secure.

There is encryption, and there's a fairly standard way of doing that, and that's called HTTPS, courtesy of SSL. When you use https, your packets are encrypted at your computer. People can still sniff it, but they can't see what's inside. Eventually it gets to the server, and the server knows how to decrypt the packet because it more or less told your computer how to encrypt it (also, the server sends you back encrypted data, which only you can decrypt, so that's nice. Makes loading a page use a tiny bit more cpu, but hey, encryption ftw).
This is done through the magic of certificates and signing and keys and other stuff I won't bore you with. But the certificate is important to explain because it is "self signed". When the server is telling you how to encrypt it, you want to make sure you have the right server, and that our server isn't just someone pretending to be our server.

We provide a certificate, and your browser needs to trust it, because nobody else can provide our exact certificate, but they can provide their own certificate and pretend like its ours. To prevent this from happening, we can ask some other company will sign our certificate - preferably a company that is known to do good signing. Your browser has a list of a bunch of well-known ones already written in. Which means that if our certificate is signed by a company that your browser knows, it will automatically trust our certificate - there's virtually no chance that you're being phished.

However, we haven't asked some other company to sign our certificate (yet), because it costs money, and some of them (like digicert, probably the best-known one) cost hundreds of dollars. We're not paying that. So we've self-signed our certificate until we can find a cheap signer (we're looking into it and we'll make a decision very soon).

So, if you want to use our website/forums securely, you need to navigate your browser to https://enigma-dev.org at which point your browser should hopefully yell at you and say "This certificate is self-signed! Are you sure you trust this website?!" and you need to decide if you trust it's us, or if you think it's a phisher. Since we just set this up, it's unlikely that anybody phished it that quickly, so I'd say it's fairly safe to trust it. In firefox, this is done by "I understand the risks - Add an exception".

The alternative is to continue sending your password to the server as plaintext. If someone's going to phish, it'll be even easier to steal your password that way, rather than all the hastle of setting up a certificate and stuff like that. So frankly, there's no reason not to trust our certificate - even if it is phishing, because what's the difference?

At any rate, NOTE, if we get our certificate signed by someone else, we'll probably need to replace our certificate. Your browser will automatically recognize that one, so you won't need to take any steps, but the old certificate won't be valid. So you could just wait until then, rather than taking the extra steps to trust our self-signed (possibly temporary) certificate - and we'd understand. It's your choice. Our self-signed certificate is provided for those who want that extra layer of security, especially in their own network (even in the meantime).

I've mainly done this for myself, since I'm on a network with a bunch of people who are network programmers and use packet sniffers on a daily basis.

Anyways, there you go. Now you can use our website through https.
Please make sure you see the Lock icon next to the URL (in firefox at least. Or whatever it is on other browsers) before submitting your password.

Enjoy
-IsmAvatar
Logged
Offline (Male) Josh @ Dreamland
Reply #1 Posted on: May 03, 2013, 05:40:53 PM

Prince of all Goldfish
Developer
Location: Pittsburgh, PA, USA
Joined: Feb 2008
Posts: 2955

View Profile Email
Let me clarify a few points

  • Once your password makes it to our server, it is safe, but it is not stored. Our server only handles your password long enough to screw it up. The server screws it up in two, highly methodical ways, so that two different passwords will not look the same after being screwed up. The screwed up password is what we store on our server. It would take a lot of processing power to get the original password back from the screwed up version, but it only takes a little processing power to do the screwing up. Hence, your password can be checked, but not retrieved.
  • Our server doesn't necessarily tell your computer how to encrypt your data, it just tells it to encrypt it using a special number. The number is special because it was generated as a pair with another number. You can encrypt a message using the number we give you, but you can't decrypt it. No one can except the server. So, other people could send messages to the server pretending to be you, but since only you know your password, they would not succeed. However, if someone pretended to be ENIGMA's server, and they gave you a bogus number, your computer would encrypt your password with their number, and they'd be the only ones who could decrypt it. Then they'd have your password. That's why self-signing is bad. Adding a third party to verify a certificate is valid allows you to ensure that you have the correct number, with which it is safe to encrypt your password.

Thus, self-signed certificates aren't perfect, but they're still better than nothing, because now the hacker actually has to do more than monitor packets going through his server or access point. He'd have to intercept ENIGMA's certificate and replace it with his own, bogus one, and get your computer to use it instead of the real one. So, by all means, use https for logging in. Just do so with awareness of why Firefox is bitching that the connection is not trusted.

All of this, of course, raises profound questions as to why the fuck we don't just distribute a public key to everyone, have them sign their password with it, then just decrypt the bitch before hashing it. If there is a good answer to that question, then by God, I don't know it.
« Last Edit: May 03, 2013, 05:46:39 PM by Josh @ Dreamland » Logged
"That is the single most cryptic piece of code I have ever seen." -Master PobbleWobble
"I disapprove of what you say, but I will defend to the death your right to say it." -Evelyn Beatrice Hall, Friends of Voltaire
Offline (Unknown gender) Sabriath
Reply #2 Posted on: May 06, 2013, 01:49:29 AM
Member
Joined: Nov 2011
Posts: 3

View Profile
Quote
All of this, of course, raises profound questions as to why the fuck we don't just distribute a public key to everyone, have them sign their password with it, then just decrypt the bitch before hashing it. If there is a good answer to that question, then by God, I don't know it.

The MITM (man in the middle) scenario allows for the password to be hacked upon creation.

Although most of what has been said is somewhat accurate, the reason why a 3rd party signature is better than self-signing is to cause less chance of MITM.  Think of a RAID setup for your hdd...say you had 3 drives striped with no parity (no security), and one of those drive fails, you just lost all of your data.  However, if you parity a drive, and a drive fails, it can be restored.  An MITM may occur between a client and host, but less likely between a client and 2 simultaneous hosts.

When it comes to the cloud, nothing is 100% "safe"....but if third-party signature was 99%, then self-signing would be around 70%.  Quite honestly, you don't NEED to pay some third-party site for a cert, if you have windows server, it comes with the ability to create certificates, all you have to do is host it on another IP address from the server, and have the site point to it (iirc).

*shrugs*
Logged
Offline (Female) IsmAvatar
Reply #3 Posted on: May 06, 2013, 07:59:07 AM

LateralGM Developer
LGM Developer
Location: Pennsylvania/USA
Joined: Apr 2008
Posts: 886

View Profile Email
However, so could a MITM. As such, browsers have a list of trusted signers, and if you're not on that list, it raises a warning anyways.
Logged
Offline (Male) Josh @ Dreamland
Reply #4 Posted on: May 08, 2013, 09:19:29 PM

Prince of all Goldfish
Developer
Location: Pittsburgh, PA, USA
Joined: Feb 2008
Posts: 2955

View Profile Email
I was speaking of an alternative to a self-signed SSL certificate, rather than an end-all, fix-all policy. I'm looking for cheap alternatives that won't make Firefox bitch.
Logged
"That is the single most cryptic piece of code I have ever seen." -Master PobbleWobble
"I disapprove of what you say, but I will defend to the death your right to say it." -Evelyn Beatrice Hall, Friends of Voltaire
Pages: 1
  Print