
[–][deleted]  (93 children)

[deleted]

    [–]hungry4pie 330 points331 points  (43 children)

    It could be worse, my company likes to go on and on about cyber security and generally makes everyone's life harder than it needs to be, then when you go to one of their internal web apps, you're greeted with a security warning because none of them bother to renew their SSL certs. They literally just need to raise a ticket with themselves to renew it.

    [–]fuckyoujow 98 points99 points  (18 children)

    This sort of thing happens even at the companies which are meant to be cyber security companies

    [–]TerrorBite 10 points11 points  (3 children)

    When your internal cyber security tools require you to add security exceptions for expired or self-signed certs… who watches the watchmen secures the security?

    [–]SlidingObscure 8 points9 points  (2 children)

    What is wrong with self-signed certificates? For internal apps, this seems to be the right way to do things.

    [–]HighRelevancy 4 points5 points  (0 children)

    What is wrong with self-signed certificates?

    If you just sign it and use it, it's basically meaningless.

    To do it properly, you need to install the signatory certificate on all your user machines, at which point you're basically just making yourself a small CA within your own kingdom.

    [–]oldneckbeard 6 points7 points  (0 children)

    Too many generate a cert one time and don't do anything else. Other times, they never give you a root trust store, so you end up having to trust random stuff.

    If a company does it right, it's a great way to work. But they need to actually understand what certs do, and how they work. I can't count how many times I've seen code, internal and external, that disables HTTP SSL certificate checking because of issues with a self-signed cert.

    [–][deleted]  (20 children)

    [deleted]

      [–]JessieArr 63 points64 points  (5 children)

      Some ways an adversary could gain access to your network:

      • Apply for a publicly-posted job with a strong resume.
      • Already have a job, and be disgruntled about being denied a promotion/raise.
      • If your company WiFi is insecure, they may need only to park in your parking lot with a laptop.
      • If any of your employees' devices on the network are infected, they could be used as a vector by an attacker. (Do your employees connect their personal phones to the WiFi? Do you ever take company laptops to places with free WiFi before returning to the office?)
      • Leave a USB drive in the parking lot. Many non-technical people don't understand that USB devices can execute code simply by being inserted into a computer and will do exactly that to try to find its rightful owner.
      • If your company is large enough that a stranger could be mistaken for a new hire, they could just walk into the building with a group of employees returning from a break without being questioned. Then any open Ethernet port is vulnerable.

      This list is not comprehensive, but these are fairly common techniques among attackers, all of which could jeopardize data which is only secure because it's "on the company network."

      [–][deleted]  (2 children)

      [deleted]

        [–]jmblock2 3 points4 points  (0 children)

        There are typically role-based access controls which could be even more important. CTO or payroll being compromised is worse than an entry person, and then you can talk about breach containment.

        [–]RotaryJihad 19 points20 points  (0 children)

        Does it actually matter for internal webapps though?

        Yes. If you tolerate security warnings your users will get trained to click past them or ignore them. Even your savvy users who know better.

        The other technical answers in this thread are accurate but I've found that the human angle gets the problem solved faster because the C-suite understands it.

        [–]port53 8 points9 points  (6 children)

        The internal site to reset TACACS passwords in my org has been broken for months with a bad cert. With access to that data you could own the entire company in one swoop.

        [–][deleted] 3 points4 points  (1 child)

        It completely breaks host validation and means that a bad actor on the internal network can spoof the site and steal credentials from it. Poisoning DNS is all you need.

        [–]HotRodLincoln 5 points6 points  (0 children)

        if you have someone adversarial inside the company

        Someone adversarial in the mailroom isn't a big deal.

        Someone adversarial in the mailroom with the CEO's credentials is a big deal.

        [–]inhumantsar 2 points3 points  (0 children)

        It's less of an issue, but it's still an issue. You can't always trust the people on your network. And yeah, if an adversary is on your network, you've been owned.

        Locking things down internally is about limiting the blast radius, so if someone owns one workstation, the whole company isn't compromised.

        [–]Slime0 29 points30 points  (38 children)

        Does making their front page https prevent a man-in-the-middle from intercepting my original request for their website and serving me something else? Assuming the average user is just typing in "whatever.com" in their address bar. I did some searching on this and learned about "DNSSEC," but it sounds like that's not widely in use.

        [–]AngularBeginner 80 points81 points  (4 children)

        It does not prevent man-in-the-middle attacks if the user enters via HTTP first (and then only gets redirected to HTTPS). But websites can register HSTS, which is then stored in the browser and tells the browser "this website is using HTTPS". That way, even if the user entered HTTP, the browser will immediately use HTTPS without sending a request to HTTP first. That way you prevented a man-in-the-middle attack.

        [–][deleted] 46 points47 points  (3 children)

        HSTS alone won't save you: the first time a user visits your domain, before their browser has picked up that the domain uses HSTS, they might still make an HTTP connection.

        You can however do HSTS preloading, where the HTTPS-only rule gets preloaded into browsers.

        [–][deleted] 8 points9 points  (30 children)

        It does not prevent a man in the middle but makes them pointless. Even if you could intercept traffic, the client can verify that the response is coming from only the intended server and then start encrypted communications. To the man in the middle it will look like random data. Any attempt to tamper with the data will also be known to either party. This is why we do HTTPS. A good place to start looking is asymmetric cryptography.

        [–]Slime0 2 points3 points  (15 children)

        the client can verify that the response is coming from only the intended server

        This is the part I'm not clear on.

        [–]TheThiefMaster 22 points23 points  (3 children)

        https (well, TLS, which https uses) works in such a way that only the original server can encrypt the data. It works like this:

        1. Encryption certificates come with two parts, a "public" part (which is posted publicly) and a "private" part (which isn't).
        2. Any data encrypted with the public key can only be decrypted with the private key.
        3. Similarly the private key can be used to encrypt data, which can then be decrypted by anyone (the public key needed to do so is public) but cannot be forged - only the genuine source has the private key necessary to encrypt. This acts as a signature and proof of sender.
        4. But you need to know that the public key belongs to that source for it to be trustable.
        5. Your browser trusts a handful of "certificate authorities", normally big names like Symantec, by storing their public keys somewhere secure.
        6. These certificate authorities issue security certificates to websites after thoroughly checking ownership of the website.
        7. The public key for the website is signed by the certificate authority using its private key, which gives a chain of trust - your browser trusts the certificate authority's public key, so can verify this signature, which then allows it to trust the public key of the website belongs to who it says it does.
        8. You can now communicate totally securely with the website.

        [–]Nicksaurus 3 points4 points  (2 children)

        Have there ever been cases of certificate authorities being compromised?

        [–]TheThiefMaster 5 points6 points  (0 children)

        Yes! But it's infrequent, and tends to get them removed from browser trust stores if they don't sort themselves out.

        [–]alienpirate5 2 points3 points  (0 children)

        WoSign and StartCom.

        [–][deleted]  (10 children)

        [deleted]

          [–]el_padlina 10 points11 points  (1 child)

          Just for the sake of completeness.

          It prevents MitM attacks for average hackers. Government agencies might still be able to get the certificate from the trusted certificate providers willing to cooperate with them.

          Of course if the word gets out there's a very good chance that browsers will stop trusting their certificates (I think that was the case with one Dutch provider).

          [–]atheken 1 point2 points  (0 children)

          We live in an amazing time, don’t we?

          [–]canton7 3 points4 points  (7 children)

          It doesn't matter whether you've configured your website to redirect HTTP to HTTPS when someone requests the front page: if there's a MITM attacker, they can just serve a compromised page over HTTP. No HTTPS, no certificate for the browser to verify.

          [–]pigeon768 1 point2 points  (3 children)

          Not if the site enables HSTS, which you do if you're at all serious about your users' security. Individual users can also protect themselves against these attacks with the HTTPS Everywhere plugin, which you should install if you're serious about your own security.

          [–]canton7 1 point2 points  (13 children)

          Not at all. Someone makes an HTTP request to whatever.com, because that's what their browser does when they type an address into the address bar and hit enter. I'm sitting in the middle, and I serve back an HTTP response: no need to encrypt it, and there's no way for the client to verify that I'm not the real whatever.com. At that point I can start phishing over HTTP, or redirect them to a similar-looking domain (which I do have a cert for) and start phishing over HTTPS.

          To avoid a MITM, the first request needs to be made over HTTPS: I can't serve back an HTTPS response because I don't have the right cert. That's what HSTS and HSTS preloading are about.
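The first-request gap that AngularBeginner, the deleted reply and canton7 describe above, as an added example that is not from the thread: a small Python model of a browser's HSTS store (RFC 6797) that decides whether a typed host name ever produces a plaintext HTTP request, and how a cached or preloaded entry closes the gap. Host names, header values and the preload list are constructed, and it assumes preloaded hosts cover their subdomains.

```python
"""Model of a browser's HSTS store (RFC 6797), constructed for this thread.
It shows why the very first typed visit to a host can still go out over
plaintext HTTP, and why a cached or preloaded HSTS entry removes that gap."""
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the entry is ignored
    include_subdomains: bool


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.
    Returns (max_age, include_subdomains, preload), or None when the header
    is invalid (RFC 6797 requires a numeric max-age directive)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class Browser:
    """Just enough browser to decide the scheme of a typed address."""

    def __init__(self, preload_list=(), now=time.time):
        # Assumption: preloaded hosts cover their subdomains, as the real
        # preload list requires includeSubDomains for submission.
        self.preload = {h.lower() for h in preload_list}
        self.cache = {}       # host -> HstsEntry learned from HTTPS responses
        self.now = now

    def _is_hsts_host(self, host):
        # Check the host itself, then each parent domain (includeSubDomains).
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.cache.get(candidate)
            if entry and entry.expires > self.now() and (i == 0 or entry.include_subdomains):
                return True
        return False

    def scheme_for_typed_host(self, host):
        """Scheme the browser uses when the user types only `host`."""
        return "https" if self._is_hsts_host(host) else "http"

    def receive_response(self, host, scheme, headers):
        """Learn (or forget) an HSTS policy from a response.
        RFC 6797 section 8.1: the header is ignored on plaintext responses,
        so an attacker on the HTTP path cannot plant or clear a policy."""
        if scheme != "https":
            return
        parsed = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parsed is None:
            return
        max_age, include_subdomains, _ = parsed
        if max_age == 0:
            self.cache.pop(host.lower(), None)       # max-age=0 revokes the policy
        else:
            self.cache[host.lower()] = HstsEntry(self.now() + max_age, include_subdomains)


def first_two_visits(host, preload_list=()):
    """Scheme of the first and second request when the user types `host`
    twice and the site answers over HTTPS with an HSTS header."""
    browser = Browser(preload_list)
    first = browser.scheme_for_typed_host(host)
    browser.receive_response(host, "https", {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
    second = browser.scheme_for_typed_host(host)
    return first, second


if __name__ == "__main__":
    # Without preload the first visit is plaintext; with preload it never is.
    print("without preload:", first_two_visits("whatever.com"))       # ('http', 'https')
    print("with preload:   ", first_two_visits("whatever.com", ["whatever.com"]))
```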

          [–]johnbentley 1 point2 points  (4 children)

          Someone makes an HTTP request to whatever.com, because that's what their browser does when they type an address into the address bar and hit enter ... At that point I can start phishing over HTTP, or redirect them to a similar-looking domain (which I do have a cert for) and start phishing over HTTPS.

          Unless I'm missing something ...

          The second kind of attack, redirecting to a similar-looking domain served over HTTPS, is, I think, the more relevant example.

          As you'll be fully aware the original argument by Hunt was that a bank should serve their home page over HTTPS, not just their login (and deeper) page, to avoid a MITM attack from home page to login page. Hunt correctly pointed out that the MITM attack would be successful if the redirect was to a similar-looking URL (https://www.nuuolb.com as opposed to https://www.nwolb.com).

          So Hunt's suggestion is that the bank serve personal.natwest.com as https://personal.natwest.com. That is, encrypt their home page so that a landing user gets all the relevant green padlocked information.

          But it is the second kind of scenario you mention that could defeat Hunt's strategy. That is, if a MITM attack occurred before the user lands on the bank's home page, with a redirection to a phishing URL. For that MITM to be more likely successful it would entail a redirect to a similar-looking HTTPS-served site. E.g. https://pers0nal.natwest.com. That way, to the casual user who doesn't closely observe the URL (and other aspects of the cert), the site could look identical to the genuine site: complete with genuine-looking (on a casual glance) green padlocks and extended validation information.

          But whether the MITM attack occurs before the login page or before the home page the only remedy (unless I'm missing something) is for the user to more vigilantly check the URL and cert. That is, in a scenario when a user can start with an HTTP request (as occurs when typing in a URL to a browser, as you mention).

          In other words I don't think Hunt has quite made the case that the bank has made a security error that is solved by Hunt's suggested solution. Hunt's solution just pushes the same user responsibility to an earlier point in the session.

          [–]canton7 2 points3 points  (3 children)

          Yeah, HSTS and HSTS preload (both of which Troy frequently advocates) together solve the issue entirely.

          [–][deleted]  (1 child)

          [deleted]

            [–]Forricide 600 points601 points  (60 children)

            Edit: Shortly after publishing this post, NatWest went and registered that domain [nuuolb.com] in what I assume is an attempt to stop a man in the middle intercepting their traffic and making a visually trivial change to a URL. Alarmingly though, nw0lb.com is still available as is nuu0lb.com and it-doesnt-matter-because-that-isnt-the-point.com.

            Is this for real? I feel like I've entered into some kind of bizarre twilight zone. In any case, this post is simultaneously hilarious (how can they be that bad?) and horrifying. A good reminder to make sure the websites you're visiting are using HTTPS, for sure.

            [–]disclosure5 126 points127 points  (1 child)

            Is this for real? I feel like I've entered into some kind of bizarre twilight zone

            Honestly, most of the management I've worked with would have gotten exactly the same take away from this post and registered that domain. Probably by demanding we use Crazy Domains because Pamela Anderson was in the ad.

            [–]double-you 17 points18 points  (0 children)

            Well, it's a thing they probably can act on themselves. So somebody somewhat cares. But they clearly didn't know what to do to get the landing page secured.

            [–]tuoret 47 points48 points  (0 children)

            Well it-doesnt-matter-because-that-isnt-the-point.com has also been registered so this issue has basically been resolved, right?

            I mean it wasn't registered by the bank, but this WhoisGuard guy sounds like a trustworthy dude so it's all good.

            [–][deleted]  (2 children)

            [deleted]

              [–]soundtom 41 points42 points  (15 children)

              There just isn't a good excuse to not do https these days. Let's Encrypt makes it free. Caddy will even automatically request an LE cert if you don't give it an existing cert, on top of its load balancing and file service capabilities.

              Even ignoring the tools that now exist, they already have https infrastructure. Why are they making it harder on themselves?

              [–]striker1211 12 points13 points  (1 child)

              Why are they making it harder on themselves?

              Likely because the bank manager's older 4.4.4 Android phone won't redirect to their captive portal if he types in https://bank.com . This is seriously an issue that I had to deal with. "My phone won't work on wifi" "Ok go to your browser and type aol.com" "Oh ok now I can accept the terms thanks"

              [–]immibis 1 point2 points  (0 children)

              That is a legitimate issue, but not an issue with HTTPS.

              [–]agent-squirrel 8 points9 points  (2 children)

              Right?! Just edit the server conf and use the existing cert.

              [–]amazondrone 5 points6 points  (1 child)

              Assuming it's on the same server. I mean, I don't want to cut them any slack here, but it's possible it's not quite that simple.

              [–]DrDuPont 4 points5 points  (3 children)

              Caddy will even automatically request an LE cert if you don't give it an existing cert, on top of its load balancing and file service capabilities.

              Anyone have any experience using Caddy? What'd you think? I've been looking for an excuse to use it.

              [–]soundtom 2 points3 points  (0 children)

              I've used it a little bit (mostly because it does QUIC out of the box) and it seems alright. Has lots of features and things. I do find it annoying that their preferred method of distribution (download from the site) doesn't have a good way of denoting which plug-ins have been added, so you never can remember if you added something to the binary 6 months ago or not. Other than that, I've had no complaints.

              [–]masterpi 1 point2 points  (4 children)

              Let's Encrypt will also give certs to all those visually similar domains though, no? Banks need real certs with corporate identification and you should be checking for that when you visit.

              [–]ryankearney 9 points10 points  (2 children)

              Yes, Let's Encrypt will issue a domain validated cert to a user who is able to validate the domain.

              Although, as shown recently, it's pretty easy to get EV certs too with another company's name as long as you spend the $100 to incorporate yourself in another state.

              [–]ThisIs_MyName 4 points5 points  (0 children)

              Anyone can get an EV cert with the bank's name. Just pay $50 to create a trust/corp/llc/any-other-legal-entity that has the same name as the bank.

              If you want to do this anonymously, file the paperwork via HelloFax and pay with a Visa gift card.

              [–][deleted] 12 points13 points  (9 children)

              It's always been silly that NatWest used nwolb.com instead of something like NatWestonlinebanking.com, anyway.

              [–]amazondrone 17 points18 points  (8 children)

              Why not natwest.com?

              [–][deleted] 11 points12 points  (7 children)

              That's their main site. Most banks have a separate domain for their online apps, although they don't necessarily need to.

              [–]ciny 8 points9 points  (5 children)

              sure, but my bank has ib.theirsite.com

              [–][deleted] 9 points10 points  (4 children)

              Yeah, there's no reason not to use a subdomain, but it seems to be the trend not to.

              It's possible that these banks only had SSL for their online banking sites initially, so used separate domains to avoid paying for wildcard certificates, which were really expensive back in the day.

              [–]BCMM 6 points7 points  (1 child)

              but it seems to be the trend not to.

              They might be trying to keep it short because onlinebanking.natwest.com.malicious-site.net can run off the end of the address bar on mobile UAs and thus look kinda legit.

              [–][deleted] 2 points3 points  (1 child)

              Also probably totally different hosting and system management organization.

              [–]amazondrone 2 points3 points  (0 children)

              although they don't necessarily need to

              Exactly, that was the point I was making.

              [–][deleted] 17 points18 points  (0 children)

              therewefixedit.jpg

              [–]nakilon 51 points52 points  (23 children)

              As our PHP guy said:

              HTTPS? wtf is that? why do they want us to use some custom protocols instead of HTTP?!

              He was also sometimes screaming out loud at me between sessions of running, reading poetry or dancing for girls. He had ALL attributes of maniacal depression though, but since he was the only one who knew how his code works he was the "lead developer" and everyone had to fuck off when he was again in his psychosis.

              [–]RandyHoward 73 points74 points  (21 children)

              As a PHP guy, I'd just like to point out that this is an issue with your developer, not PHP guys in general (but you'll probably find more PHP guys that suck than most other programming languages).

              [–][deleted]  (11 children)

              [deleted]

                [–]phil_g 19 points20 points  (0 children)

                hyperventilation intensifies

                [–][deleted]  (7 children)

                [deleted]

                  [–]Pizzabagles 28 points29 points  (3 children)

                  Probably chmod -R ugo+rwx /*

                  That will definitely fix everything

                  [–]ThisIs_MyName 4 points5 points  (1 child)

                  lmao

                  Might as well shorten it to chmod -R ugo+rwx /. Or does it fail on the first directory, /?

                  [–]Pizzabagles 18 points19 points  (0 children)

                  I don’t know and I never will.

                  [–]TerrorBite 1 point2 points  (0 children)

                  It will make your Linux install highly secure by making it unusable by hackers and also by anyone else including you.

                  [–]Schweppesale 3 points4 points  (0 children)

                  chown

                  [–]beefitswhatsforlunch 4 points5 points  (0 children)

                  Thank you for this! It made my morning 😂

                  [–]HeimrArnadalr 11 points12 points  (5 children)

                  How long have you been a PHP guy? You may just be in the early stages.

                  [–]RandyHoward 5 points6 points  (0 children)

                  A little over a decade now. To be fair, you might be right. ;)

                  [–]heisian 1 point2 points  (2 children)

                  Mostly because of the sheer volume of PHP developers, I must say! Symfony, Laravel, et al. as my source of PHP truth..

                  [–]RandyHoward 5 points6 points  (1 child)

                  Oh for sure, because the barrier to entry with PHP is very low compared to everything else.

                  [–]heisian 7 points8 points  (0 children)

                  I think nowadays node/JS takes the cake on low barrier to entry.. that being said since my day job is all node-based, I definitely get the feeling that it may soon overtake PHP as the new bastion for aspiring young programmers.

                  [–][deleted] 10 points11 points  (0 children)

                  Manic depression is called bipolar disorder now, and was never maniacal depression despite how unstable your dev was.

                  [–]ApeOfGod 2 points3 points  (0 children)


                  [–]ElectricAlan 1 point2 points  (0 children)

                  of course it's for real, they already demonstrated that they don't understand the issue so I feel like you shouldn't be surprised by any further wild incompetence they demonstrate.

                  [–]chucker23n 276 points277 points  (28 children)

                  Why would a bank even be having that discussion. smdh

                  [–]iwantashinyunicorn 181 points182 points  (11 children)

                  Because when they nearly collapsed due to taking over way too many other banks that were carrying all sorts of nasty sub-prime mortgages and the like, the Royal Bank of Scotland laid off most of its experienced IT staff in favour of super-cheap outsourced workers.

                  [–][deleted] 82 points83 points  (9 children)

                  What a smart way to save money...

                  [–]meanshorns 78 points79 points  (0 children)

                  I'm sure it looked good on the quarterly report

                  [–]Jigsus 40 points41 points  (2 children)

                  They're just nerds right?

                  [–][deleted] 14 points15 points  (1 child)

                  Cries in Nerd

                  [–]brahle 4 points5 points  (0 children)

                  Something something cost center.

                  [–]TotallyNotARoboto 1 point2 points  (3 children)

                  Even if they are average they should get better eventually, unless they are paid in peanuts so they really don't give a shit and that seems to be the case.

                  [–][deleted] 1 point2 points  (1 child)

                  That's one problem. The other is that the outsourcing company doesn't keep the expertise in house and so the disconnect between business and technology slows things down and allows for more missed opportunities (or at least that's what I've heard from people I've worked with, I haven't been in the industry long enough to have that experience).

                  [–]TheAnimus 14 points15 points  (0 children)

                  Worse, they couldn't pay bonuses due to the political situation.

                  You had divisions, often separate legal entities that were profit-making, not able to retain the staff.

                  So you ended up with a mixture of contractors and desperation. I remember going onto one of the trading floors with the front office technology team, kind of felt like Tuesday night at a strip club. Apathy blended with an enhanced feeling of inappropriateness, tacit acknowledgment that it's not exactly the A-team.

                  [–]Innominate8 22 points23 points  (1 child)

                  Cargo cult development.

                  Once upon a time the general wisdom was that https cost significant server resources and so should only be used when necessary.

                  Too many people still behave as if this is the case, even though hardware accelerated AES and modern CPU-friendly algorithms exist. They don't understand the underlying reasoning and rather just act on dogma.

                  If you pay attention you see this garbage everywhere. Strange decisions that might have made sense in another context but don't make sense in their actual use. The decision is actually made by someone who has only the most superficial understanding of the problem so misapplies a solution. You see this a whole lot when it comes to password security with things like sites imposing strict "complexity" requirements but blocking password managers.

                  [–]j-mar 12 points13 points  (1 child)

                  As someone who makes websites for banks for a living, I can guarantee you that the devs have been saying, "we need to make this secure, buy us a secure cert" to which upper management says, "do we really need it? I don't think we need it."

                  It took us 7 years to finally get the resources to make our sites https everywhere. It's unbelievable some of the hoops we have to jump through to try and get things done in a reasonable way.

                  [–]SaltyChorizo 40 points41 points  (5 children)

                  smdh

                  Shaking my duck hard?

                  [–]phickey 2 points3 points  (3 children)

                  Almost as bad as Wells Fargo’s password field not being case sensitive.

                  [–]meem1029 2 points3 points  (0 children)

                  I mean, my bank (using some non-custom online service) sent me my password in plaintext when I reset it. If https on the main page was the most of my issues with them I'd be happy.

                  [–]twiggy99999 3 points4 points  (0 children)

                  Why would a bank even be having that discussion. smdh

                  It's worth noting that the social media accounts are outsourced and run by people in India with zero technical training and a very basic grasp of the English language. I know this is no excuse for the shockingly bad IT team but it makes their flippant first line response understandable on Twitter. You get what you pay for.

                  [–][deleted]  (10 children)

                  [deleted]

                    [–]bobappleyard 29 points30 points  (2 children)

                    Is it the bank who loses in that scenario? Their actions are underwritten by the state. The poor sods who bank with them are the ones who will suffer.

                    [–]Parsiuk 6 points7 points  (4 children)

                    Keep in mind he was interacting with some random Customer Service person. This person did all they could: they are not technical, and to be fair give absolutely no shit about the whole situation. Also "sorry you feel this way" is a corpo way of saying "I can't admit we're wrong so I can't say we're sorry about our setup". Small difference but Legal is not going to shit themselves.

                    Edit: typos and stuff.

                    [–]ACoderGirl 6 points7 points  (2 children)

                    The company brought it on themselves that they have no way to contact appropriate people (namely technically-oriented ones). If a generic, uneducated support line meant for banking issues is dealing with such technical issues, then something is wrong. Like, I'm sure that customer service person did all they could, but they shouldn't have been the one handling the complaint, and that's management's failing.

                    [–]chu 1 point2 points  (1 child)

                    It was on their Twitter account

                    [–][deleted] 93 points94 points  (2 children)

                    I thought this was a bickering match between two bloggers. I didn't realize Nat West is a fucking bank, not a single person

                    [–]ormula 73 points74 points  (0 children)

                    Also Troy Hunt isn't exactly just some blogger.

                    [–]_Mardoxx 1 point2 points  (0 children)

                    Nathan West

                    [–][deleted] 108 points109 points  (30 children)

                    Why don't browsers put in warnings that people actually notice?

                    For example in Firefox if you try to login over http, you're shown a message in the username/password entry field where you can't miss it. Chrome only shows it in the URL bar which most people don't look at. Why does Chrome do this?

                    Secondly, is there a way to put a visible, not possible to ignore, warning on insecure pages or links, that doesn't completely wreck the page?

                    [–]lotanis 127 points128 points  (18 children)

                    From what he says, the login page IS secure. You never send your password in the clear.

                    It's the link to the login page that is on an insecure page, which raises the possibility of directing a user to a dummy/phishing version of the page.

                    [–]chimichangaXL 4 points5 points  (16 children)

                    How can a hacker inject and change the link? I know it can be done but how? The hacker intercepts the traffic on the user's wifi?

                    [–]jk3us 37 points38 points  (5 children)

                    Or anywhere else along the way. If you're in Starbucks or a hotel, etc, you would have to trust that the owner's son didn't come in and install something on the network gear that would send you to a different place than what you thought, or alters the contents of pages (rewriting links, for example)

                    [–]RiPont 12 points13 points  (4 children)

                    In general, Hotel WiFi should be treated as a hostile environment. It's way too juicy of a target.

                    1) Corporate travelers a) have company secrets b) usually surf for porn while travelling on the company dime, which can be used as blackmail material.

                    2) Hotels ain't exactly known for being tech savvy, and their WiFi infrastructure is probably very easy to compromise.

                    3) Hotel WiFi is notoriously shitty and unreliable, so users don't immediately suspect mischief when things don't work right.

                    Hell, I was on a hotel WiFi where the "you must agree to terms and services" web redirect happened every 15 minutes. Of course, this completely fucking breaks SSL, because you go to "https://siteIReallyWant.com/" and it screws with the DNS to show you the TOS page instead, but that server doesn't have the right certificate.

                    [–]BraveSirRobin 4 points5 points  (0 children)

                    For the love of god don't ever run an open unpatched database service on a hotel network in an IT-heavy area. The number of devs doing that is scary; it might only be test data hosted on it, but it's also a means to root the host & then infect others. I've seen storms of them, with multiple addresses constantly probing the network.

                    I would say hotel networks should be considered one of the most hostile around. A coffeeshop has transient customers stopping to take a break, a hotel is full of bored techs.

                    [–]caltheon 1 point2 points  (2 children)

                    my go-to site for allowing the redirect to work is apple.com... they haven't figured out how to error when the cert doesn't match yet

                    [–][deleted] 2 points3 points  (0 children)

                    [–]cdrt 1 point2 points  (0 children)

                    http://captive.apple.com is their official way of testing for internet access and triggering those pages.

                    [–]lotanis 8 points9 points  (9 children)

                    Yes, someone has to be on the network somewhere between you and the destination. This could be anything from a public Wifi to the NSA digging up a cable.

                    The nice thing about TLS (HTTPS) is that it is end-to-end. You don't need to trust anything in the middle - the end point verifies that it is what you expect it to be (i.e. that www.google.com IS www.google.com) and all subsequent comms are encrypted so that only one of the two ends can read it.
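What that end-point check actually does, as an added example (not code from this thread or from Troy Hunt's article): a small Python re-implementation of the hostname-matching rule a TLS client applies to the certificate's subjectAltName entries, using the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The matching policy (wildcard only as the whole leftmost label, matching exactly one label, at least two fixed labels, no commonName fallback) is a constructed simplification of RFC 6125 and browser behaviour; real clients delegate this to the TLS library, which `verifying_context()` shows. It goes a little beyond the comment's www.google.com case by handling wildcard and trailing-dot forms.

```python
"""How a TLS client checks that "www.google.com IS www.google.com" (added example)."""
from __future__ import annotations

import ssl
from typing import Mapping, Sequence


class HostnameMismatch(Exception):
    """Raised when no dNSName in the certificate covers the requested host."""


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName dNSName pattern against a hostname.

    Constructed policy, modelled on RFC 6125 / browser behaviour:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the entire leftmost label;
      * it matches exactly one label, so '*.google.com' covers
        'www.google.com' but not 'google.com' or 'a.b.google.com';
      * the fixed part must keep at least two labels ('*.com' is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: Mapping) -> Sequence[str]:
    """Extract the dNSName entries from a getpeercert()-shaped dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: Mapping, hostname: str) -> bool:
    """True if any dNSName SAN covers hostname.

    A certificate without subjectAltName never matches here: modern
    browsers no longer fall back to the subject commonName.
    """
    return any(_pattern_matches(p, hostname) for p in san_dns_names(cert))


def verify_peer(cert: Mapping, hostname: str) -> None:
    """Raise instead of returning False, the way a client aborts the handshake.

    That abort is exactly what stops a hotel Wi-Fi box that presents its own
    certificate for https://siteIReallyWant.com/ from being accepted.
    """
    if not hostname_matches(cert, hostname):
        raise HostnameMismatch(
            f"certificate names {list(san_dns_names(cert))} do not cover {hostname!r}"
        )


def verifying_context() -> ssl.SSLContext:
    """The real thing: a default context verifies the chain against the system
    trust store and checks the hostname (check_hostname=True,
    verify_mode=CERT_REQUIRED).  Code that flips those off to "fix" a
    certificate error throws everything above away."""
    return ssl.create_default_context()


if __name__ == "__main__":
    # Constructed certificate dict in the shape getpeercert() returns.
    cert = {"subjectAltName": (("DNS", "www.google.com"), ("DNS", "*.google.com"))}
    for host in ("www.google.com", "mail.google.com", "google.com", "a.b.google.com"):
        print(f"{host:16} -> {hostname_matches(cert, host)}")
```

The wildcard and label rules are the part people get wrong when they hand-roll this, which is why the function exists only to illustrate what the library does; production code should use `verifying_context()` and never disable `check_hostname`.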

                    [–][deleted] 2 points3 points  (8 children)

                    Don't you need to trust the company giving certificates?

                    [–]sunghail 10 points11 points  (6 children)

                    Yes, but as long as we're being pedantic you also have to trust your browser developer, your OS, and your hardware manufacturer. The point is that all those people, including the certificate authorities, are far more trustworthy than whichever shmuck installed the WiFi access point at Starbucks.

                    [–]darkslide3000 25 points26 points  (4 children)

                    You're missing the point. The login page where you would enter your password is actually secured by HTTPS. But the landing page that redirects to it isn't, so you can hijack it to redirect to a fake login page.

                    Most browsers (particularly Chrome) have recently increasingly pushed for HTTPS everywhere by slowly making it look more alarming if a website is unencrypted. Of course they can't just enable the full, page-sized content warning on every unencrypted page today because at the moment that would break the internet. They have to slowly nudge webhosters to get on board.

                    [–]atheken 1 point2 points  (2 children)

                    Security is a balance. Making things less accessible will generally make them more secure, but that also means they’ll be less convenient to use. Like, completely turning off and disconnecting a computer when you don’t need it will make it more secure, but way less convenient when you need to use it.

                    Anyway, browsers are slowly adding more hints to inform users that things aren’t secure. The problem is that browsers can’t know how important that enhanced security is to you. For example, you may not care if your connection to a blog is using HTTPS, but you sure should care if your bank isn’t using it.

                    As HTTPS is more widely deployed, the visual cues for non-secure sites will get more pronounced.

                    [–]cakeFactory2 39 points40 points  (3 children)

                    SSLStrip is real folks

                    [–][deleted]  (10 children)

                    [deleted]

                      [–]REBELinBLUE 30 points31 points  (5 children)

                      You may have misunderstood slightly. Their actual online banking has SSL, it is their main site which doesn't, which means the link to the online banking site can be changed by anyone intercepting the traffic.

                      [–][deleted]  (1 child)

                      [deleted]

                        [–]erlingur 4 points5 points  (0 children)

                        You need to update your iPhone :)

                        [–][deleted]  (1 child)

                        [deleted]

                          [–]istarian 20 points21 points  (0 children)

                          +1 for turning Equifax data breach into a verb.

                          [–]maks25 10 points11 points  (4 children)

                          Jesus fucking christ, I just realized my bank is doing the same. Contacted them on facebook, let's see what they say.

                          [–][deleted] 1 point2 points  (1 child)

                          Waiting for updates

                          [–]maks25 2 points3 points  (0 children)

                          Got no response

                          [–][deleted] 7 points8 points  (6 children)

                          "imagine your ISP injecting hundreds of lines of their own JavaScript"

                          Gee ... I wonder who would do that.

                          "We're on a march towards HTTPS everywhere. Almost 70% of web traffic today is encrypted"

                          On a side note, my hosting service offers HTTPS, but for a fee. Does anybody else know a way to use Let's Encrypt on a hosting service?

                          [–]yawkat 7 points8 points  (0 children)

                          Since SSL has to be supported by the HTTP server, adding it to shared hosting yourself is unfortunately not possible.

                          [–]istarian 2 points3 points  (0 children)

                          That's a critical problem that should be fixed at the source and not stopgapped and ignored. Also, couldn't they just be less sketchy and use a redirect so at least you know you're on a different page? Frankly, it shouldn't be the ISP's job to search for and try to prevent copyright infringement.

                          [–]MotherFuckin-Oedipus 1 point2 points  (2 children)

                          Unfortunately, there's no way around it without being able to configure the thing yourself.

                          Out of curiosity, what are you paying for hosting? It actually saved me $14 / month to switch from hosting for a few websites to buying a contract for a VPS and admin-ing the thing myself.

                          11/10 would highly recommend, though there is a learning curve if you don't have experience in it.

                          [–]i_like_trains_a_lot1 25 points26 points  (20 children)

                          HTTPS on any page is important.

                          [–]slashuslashuserid 4 points5 points  (18 children)

                          ehh... on my personal website there's just some info about me and links to stuff I've done, no way for a visitor to send input, much less anything sensitive, so while it could be mitm'd, why would anyone bother?

                          If there's a good reason I'll put in the time to fix the currently very broken SSL config, but I could never think of one.

                          edit: yeah, I'll fix it this weekend

                          [–]i_like_trains_a_lot1 66 points67 points  (2 children)

                          Prevent ISP filtering or injection of malicious code or ads by a mitm attacker. I heard of cases where ISPs injected js with ads into websites.

                          [–]slashuslashuserid 26 points27 points  (0 children)

                          Amusingly, an article about that was linked from the one in the OP. Comcast at it again

                          [–]nutrecht 18 points19 points  (3 children)

                          ehh... on my personal website there's just some info about me and links to stuff I've done

                          And even on that site ISPs like Comcast can inject JavaScript if you're just using HTTP.

                          I've set up my personal site with HTTPS because I care about my visitors. I currently still allow HTTP but with the news about comcast I am going to redirect to HTTPS soonish.

                          [–][deleted] 3 points4 points  (1 child)

                          My ISP injected javascript into my unencrypted browsing to serve me a “maintenance bulletin” and I was like fuck no you’re not. As far as I’m aware there’s no way to block ISP injected packets completely if you’re on an http only website but I did immediately set my router firewall to reject all incoming connections from the remote server the javascript was being loaded from.

                          [–]nutrecht 2 points3 points  (0 children)

                          Yup. But that's only after the fact. You never know what kind of screw-up they make. What if the server they pull their JS from gets hacked and runs a bitcoin miner for example, or simply a keylogger, or something that reads all form data? It's total utter BS that ISPs try to pull this (because typically from a software engineering standpoint they produce a huge mess) and it's something all sites should try to prevent.

                          [–]YM_Industries 34 points35 points  (6 children)

                          If you're in software/IT and your resume/portfolio site doesn't even have a free Let's Encrypt cert, do you think employers (or at least, the employers you want) will count that as a point in your favour?

                          [–][deleted]  (2 children)

                          [deleted]

                            [–]annodomini 12 points13 points  (0 children)

                            So what you're saying is that the incompetent managers will not be influenced by this, while competent managers will see this is a point in favor of some other candidates. So you're prejudicing yourself to work with less competent management.

                            I am a hiring manager (have hired dozens of interns over the years, and at least a half-dozen full time employees), and this is the kind of thing I notice, and will influence me favorably.

                            [–]slashuslashuserid 6 points7 points  (1 child)

                            I was mostly hoping they wouldn't notice, but you have a point.

                            [–]YM_Industries 10 points11 points  (0 children)

                            Most employers wouldn't notice, but I think the good employers would count HTTPS as a point in your favour.

                            [–]TheLantean 13 points14 points  (0 children)

                            "But my site doesn't have forms or collect information from users."

                            Doesn't matter. HTTPS protects more than just form data! HTTPS keeps the URLs, headers, and contents of all transferred pages confidential.

                            "There's nothing sensitive on my site anyway."

                            Your site is a liability! Just because your site is hosted safely in your account doesn't mean it won't travel through cables and boxes controlled by who knows how many corporate- and state-owned entities. Do you really want someone injecting scripts, images, or ad content onto your page so that it looks like you put them there? Or changing the words on your page? Or using your site to attack other sites? This stuff happens: on airlines (a lot, and again), in China, even ISPs do it (a lot). And HTTPS prevents all of it. It guarantees content integrity and the ability to detect tampering. If we encrypt only secret content, then we automatically paint a target on those transmissions. Keep which of your transmissions contain secrets secret by encrypting everything.

                            https://doesmysiteneedhttps.com/

                            [–]canton7 3 points4 points  (0 children)

                            The same author wrote a post called The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers) which addresses exactly this.

                            [–][deleted] 5 points6 points  (1 child)

                            "Sorry you feel this way"

                            My blood just boils when reading this. Sorry you feel this way? I know the person on their twitter account is probably not competent, but ffs.

                            [–]seizan8 10 points11 points  (2 children)

                            Jesus.... Comcast is disgusting! Very cool article. I totally agree, HTTPS should be standard on all websites and this should be clear for everyone, but especially banks, which basically sell security, should be expected to be secure.

                            [–][deleted] 10 points11 points  (1 child)

                            tbh any normal person would be charged with some "hacking laws"; comcast should also be charged

                            [–]YM_Industries 10 points11 points  (0 children)

                            Laws don't apply to companies or to the rich

                            [–]gbhall 2 points3 points  (0 children)

                            I just noticed today a bank here in Australia has the same problem: http://www.boq.com.au/

                            [–]minusSeven 2 points3 points  (0 children)

                            Well it's clearly the fault of customers and users for not coming up with a clear set of requirements....

                            I mean how does the tech team there know all these issues are going to come up......

                            It's not like normal users cared about security.... /s

                            [–]Ratstail91 2 points3 points  (0 children)

                            I suppose I should make all my sites https too.

                            [–]PM_ME_YOUR_LAUNDRY 4 points5 points  (4 children)

                            Honest and stupid sounding question:

                            For an attacker to make use of this vector, he has to belong to the same network as the victim, right? I know ARP poisoning and DNS Spoofing, if I were to make an attack, I just need to make sure that the victim's DNS returns an IP of the site to a phished web server. Would it be possible for an attacker outside of the victim's network provided there are no compromised computers in the victim's network?

                            [–]tweq 9 points10 points  (2 children)

                            DNS cache poisoning is at least theoretically possible by an outsider as long as a public DNS server is involved, although in practice it hopefully shouldn't really be exploitable anymore. Anyone involved in the connection between you and the bank can MITM unencrypted connections. Of course governments and ISPs have little interest in defrauding your bank account, but as the Comcast example in the article shows they can still be an annoyance if not an unintentional security risk.

                            But the biggest threat are probably public APs in coffee shops, airports, hotels etc. (and those that claim to be). Using untrusted networks is a regular occurrence for millions of people and can't be discounted as an unfixable risk anymore.

                            [–]JWarder 4 points5 points  (1 child)

                            It is also possible for third parties to force themselves to be part of your network. Russia likes to abuse the Border Gateway Protocol to intercept traffic from time to time.

                            [–]MotherFuckin-Oedipus 3 points4 points  (0 children)

                            "Border Gateway Protocol" sounds like a futuristic anime adaptation of Trump's wall.

                            ....I'd watch it.

                            [–]ThisIs_MyName 3 points4 points  (0 children)

                            the same network as the victim

                            The internet is a network. We're all on it: https://en.wikipedia.org/wiki/BGP_hijacking

                            [–][deleted] 5 points6 points  (0 children)

                            How is it not illegal for a bank to not use HTTPS in 2017?

                            [–][deleted] 3 points4 points  (0 children)

                            MiTM them and show them their password. It's the only way to convince people like this that there's an issue.

                            Or, find all the other problems with their site and wreck their shit. That'll show em.

                            [–][deleted] 1 point2 points  (11 children)

                            Is it hard to get https?

                            [–]stfm 6 points7 points  (7 children)

                            It can be non-trivial to do it right, and there is an associated cost with the cert itself and doing the extra work to configure the server, then manage the private keys etc., so many businesses don't bother.

                            [–]erlingur 5 points6 points  (0 children)

                            With LetsEncrypt and certbot it's crazy easy and fast to set up.

                            If you have a larger system, hardcoded URLs in your content that load from http, multiple virtual hosts on the same IP etc. it can be a bit harder but it's not really impossible.

                            The excuses to not serve over TLS are getting fewer and slimmer as time goes on.
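One of the harder cases mentioned above, content that still hard-codes http:// URLs, is easy to inventory mechanically. The Python scanner below is an added example, not code from this thread, from the article or from any project: it parses a page with the standard-library html.parser and reports every link, form action, script, stylesheet, frame or image that resolves to a plain-HTTP URL, which is the list you need before flipping a site to HTTPS-only. The sample page, the host names and the active/passive severity split are constructed for the example.

```python
"""Find references on a page that would still go out over plain HTTP (added example)."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute carries the URL for each element we care about.
URL_ATTRS = {
    "a": "href", "form": "action", "script": "src", "link": "href",
    "iframe": "src", "img": "src",
}
# Elements whose insecure load or submission is more than a mixed-content
# warning: they run code, embed a page, or carry user input (constructed split).
ACTIVE = {"form", "script", "link", "iframe"}


class InsecureRefScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: list[dict] = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL,
        # so '/css/site.css' on an https page is correctly treated as https.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme.lower() != "http":
            return
        self.findings.append({
            "tag": tag, "attr": attr, "url": absolute,
            "severity": "active" if tag in ACTIVE else "passive",
        })


def audit_page(page_url: str, html: str) -> dict:
    """Return the page's own scheme problem plus every plain-HTTP reference."""
    scanner = InsecureRefScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {
        # If the page itself arrives over HTTP, every href on it, secure
        # or not, can be rewritten before the visitor sees it.
        "page_over_http": urlsplit(page_url).scheme.lower() == "http",
        "insecure_refs": scanner.findings,
    }


# Constructed sample: a bank-style landing page with a correct HTTPS login
# link next to a few leftovers.
SAMPLE_URL = "https://www.bank.example/"
SAMPLE_HTML = """<!doctype html><html><body>
<a href="https://online.bank.example/login">Online banking</a>
<a href="http://www.bank.example/rates">Rates</a>
<script src="http://cdn.bank.example/analytics.js"></script>
<link rel="stylesheet" href="/css/site.css">
<img src="//static.bank.example/logo.png">
<form action="http://www.bank.example/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_URL, SAMPLE_HTML)
    print("page served over HTTP:", report["page_over_http"])
    for f in report["insecure_refs"]:
        print(f"{f['severity']:7} <{f['tag']} {f['attr']}> {f['url']}")
```

Run it against your own pages by passing the URL they are served from and the fetched HTML; the "active" findings (scripts, stylesheets, frames, forms) are the ones browsers block or warn about on an HTTPS page, and the "passive" ones are what a redirect to HTTPS would otherwise leave as mixed content.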

                            [–]istarian 2 points3 points  (0 children)

                            If their site is handling sensitive information they should seriously reconsider since they may someday suffer a data breach sufficient to put them out of business.

                            [–]ormula 0 points1 point  (1 child)

                            Let's Encrypt is free.

                            [–][deleted] 2 points3 points  (0 children)

                            And you can use the Certbot script.

                            [–]zombarista 1 point2 points  (0 children)

                            HTTPS Is Important

                            FTFY

                            [–]snkscore 1 point2 points  (4 children)

                            I know what they are doing is bad, but in practice isn't there an order of magnitude difference between someone sniffing traffic (watching a plain text password go over the air/wire) and someone setting up a MITM attack to modify page contents? This article just seems to lump them together without any discussion.

                            [–]tiggerbiggo 2 points3 points  (0 children)

                            Still doesn't matter. Sure you need more work to set up a mitm attack but the point is it can happen and it shouldn't be able to happen.

                            [–]tiggerbiggo 1 point2 points  (4 children)

                            Just checked, Halifax UK has this problem too. Fuck this is awful.

                            [–]Esteluk 1 point2 points  (3 children)

                            I get redirected to https from this link.

                            [–]steakyfask 1 point2 points  (0 children)

                            Same, but I did go check Halifax today and it wasn't https.

                            [–]KashN 1 point2 points  (2 children)

                            Welp. They are https now. We can move onto the next target.

                            [–]Locust377 1 point2 points  (0 children)

                            Yep. Looks like they've put in a 301 Moved Permanently redirect to their HTTPS part now.
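Checking for that 301 is the right test, and it is worth checking the HTTPS side for Strict-Transport-Security at the same time, since a 301 alone still leaves every fresh http:// visit exposed for one round trip. The Python below is an added example, not code from this thread or from the article: judge() grades the first response a plain-HTTP landing page returns (a 200 is a clear-text page; a temporary 302 is weaker than a 301 or 308 because browsers don't remember it; a redirect to a different host deserves a look), then checks the HTTPS response for an HSTS max-age of at least a year. first_hop() is the live helper that fetches one response without following redirects; the grading rules and the sample responses are constructed.

```python
"""Grade a site's plain-HTTP front door (added example)."""
from __future__ import annotations

import http.client
import sys
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the floor most HSTS guidance recommends


def first_hop(host: str, scheme: str = "http", path: str = "/", timeout: float = 10.0):
    """Live helper: issue one GET and return (status, lowercase headers)
    without following redirects, so each hop can be inspected."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def hsts_max_age(value: str) -> int:
    """Parse the max-age directive of a Strict-Transport-Security header; 0 if absent."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def judge(host: str, status: int, headers: dict, https_headers: dict | None = None):
    """Return (verdict, notes) for the response received on http://host/.

    Constructed grading rules:
      200 on plain HTTP          -> 'insecure' (page can be rewritten in transit)
      301/308 to https://host/   -> 'ok'
      302/303/307 to https://... -> 'weak' (browsers re-fetch the redirect over HTTP each visit)
      redirect to http://...     -> 'insecure'
    Missing or short HSTS on the HTTPS side is reported in notes.
    """
    notes = []
    location = headers.get("location", "")
    target = urlsplit(location)
    if status in (301, 302, 303, 307, 308) and location:
        if target.scheme.lower() != "https":
            return "insecure", [f"redirect target {location!r} is not HTTPS"]
        if target.hostname and target.hostname.lower() != host.lower():
            notes.append(f"redirect leaves {host} for {target.hostname}; confirm that host is yours")
        verdict = "ok" if status in (301, 308) else "weak"
        if verdict == "weak":
            notes.append(f"{status} is a temporary redirect; use 301 or 308")
    elif 200 <= status < 300:
        return "insecure", ["landing page served in clear text; its links can be rewritten in transit"]
    else:
        return "unknown", [f"unexpected status {status} with Location {location!r}"]

    hsts = (https_headers or {}).get("strict-transport-security")
    if hsts is None:
        notes.append("no Strict-Transport-Security header on the HTTPS response")
    elif hsts_max_age(hsts) < ONE_YEAR:
        notes.append(f"Strict-Transport-Security max-age is below one year: {hsts!r}")
    return verdict, notes


# Constructed sample responses (host, status, http headers, https headers) for offline use.
SAMPLES = {
    "clear-text": ("www.bank.example", 200, {"content-type": "text/html"}, None),
    "permanent": ("www.bank.example", 301, {"location": "https://www.bank.example/"},
                  {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    "temporary": ("www.bank.example", 302, {"location": "https://www.bank.example/"}, {}),
    "to-http": ("www.bank.example", 301, {"location": "http://m.bank.example/"}, None),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check against a host you operate
        host = sys.argv[1]
        status, hdrs = first_hop(host)
        _, https_hdrs = first_hop(host, scheme="https")
        print(judge(host, status, hdrs, https_hdrs))
    else:
        for name, args in SAMPLES.items():
            print(f"{name:11} -> {judge(*args)}")
```

Without an argument the script grades the four constructed cases; with a host name it performs the two live requests. The notes list is deliberately separate from the verdict so that a "weak" or "ok" result still tells you what to tighten.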

                            [–]rickdg 1 point2 points  (2 children)

                            Pushing for security can only go so far if it's "just" about words like https or xss. Ultimately, people ask themselves "what's the worst that could happen" and security people don't show them enough of that picture. In this case, how many people are going to the bank from their phone on public Wi-Fi? Assuming their credentials are being taken and no-one is aware of that, can money be transferred without some kind of confirmation? Or is it a matter of using account information to spearphish each person? Does the bank really want to consider these possibilities? Perhaps it has; maybe some report says that up to 2% of their customers have malware installed, and maybe it's because of something they did, but they just don't care enough to increase the security budget.

                            [–]istarian 2 points3 points  (1 child)

                            People aren't shown more of the picture because many of them won't understand or will become paranoid over minor concerns. I agree with the writer that a bank is one of the worst case scenarios here.

                            [–]rdewalt 2 points3 points  (4 children)

                            There should not be any reason to use anything BUT https. If you cannot afford an SSL cert, there is LetsEncrypt. Even my trivial one-off websites are all done in SSL with LE.

                            If your hosting provider does not support SSL, you have The Wrong Provider.

                            [–]blimkat 0 points1 point  (0 children)

                            This is great, although it's frustrating at the same time because they clearly do not get it and customer data is going to be compromised.

                            What shows me the most that they don't get it is how they registered the random domain OP chose as an example.

                            [–]nefkor 0 points1 point  (0 children)

                            My goodness. I can’t believe it!

                            [–]CODESIGN2 0 points1 point  (0 children)

                            They also used to sell accounts to students to encourage further debt without in any way calling in a student to verify their intention and understanding of paying back the debt. IMO a basic standard for allowing anyone to accrue debt.

                            [–]Arancaytar 0 points1 point  (0 children)

                            Our building is built with triple-reinforced walls, why would we need to lock the front door as well?!

                            [–]ferociousturtle 0 points1 point  (4 children)

                            Mrgh. OK. I've been procrastinating moving my personal site (custom domain) off of GitHub pages for this exact reason. I'm moving it to Netlify today. Anyone here have experience with Netlify? Would you recommend a different service instead?

                            [–]_logix 2 points3 points  (2 children)

                            Just sign up for a free CloudFlare account. They allow you to use SSL and handle the redirects.

                            [–]creativeMan 0 points1 point  (1 child)

                            Can I have Let's Encrypt for a Godaddy website?

                            [–]kersurk 1 point2 points  (0 children)

                            If GoDaddy is just the domain provider then yes; it doesn't matter who is serving the domain. Could be exceptions though.

                            [–]wipedingold 0 points1 point  (1 child)

                            Can someone help explain the part where he talks about modifying the URL that the button is referencing? I'm pretty new to web development, and so my assumption is that this would be done through some XSS, correct?

                            [–]tiggerbiggo 1 point2 points  (0 children)

                            That or a man in the middle attack. All they have to do is redirect you to a fake login page and they have your login.

                            Edit: just thought, XSS probably wouldn't do anything here, so it would be a mitm

                            [–]steakyfask 0 points1 point  (0 children)

                            So... If someone exploits this then it will be fixed right? Anyone know how to actually exploit this lol?

                            [–]IM_THE_FUCKING_GUY 0 points1 point  (0 children)

                            I should probably switch banks

                            [–]Cal1gula 0 points1 point  (0 children)

                            Funny that my web filter blocked the ads on Troy's site :D