Tag Archives: security

How websites deal with expired certificates

When life gives you lemons, make lemonade.

Unfortunately, the verification process for our SSL certificate (read more here) has been delayed and on Sunday morning our certificate expired. This will be fixed soon, but meanwhile let’s use this teachable moment to see what happens when your web browser encounters a site it thinks might be a security threat.

I tried to log in to ICS mail with several common web browsers. Here’s what I saw:

Safari

Apple’s Safari presents a very simple error message:

[Screenshot: Safari certificate warning]

Simple choices: show the certificate to see what the problem is, “Cancel” to get away from the site or “Continue” to proceed to the website. For our purposes, this is easy – click Continue to go to the site (since we know it and know it’s safe). But it really doesn’t tell you much about what the problem is.

Internet Explorer

Microsoft’s Internet Explorer is very similar to Safari with its simple message:

[Screenshot: Internet Explorer certificate warning]

So, Microsoft recommends you don’t continue, but it gives you the option to proceed. It doesn’t tell you much, although there is a “more information” link to get more details.

Chrome

Google’s Chrome browser is a little prettier, but still with only basic information:

[Screenshot: Chrome certificate warning]

Nice visuals: a red lock with an X, and the red crossed-out https in the URL bar show that there is a problem with the security. The only obvious option is to click “Back to safety” and avoid what might be a dangerous site. You have to click “Advanced” to see more details:

[Screenshot: Chrome warning after clicking “Advanced”]

Here you see that the certificate expired. There’s another warning, and a link to proceed indicating that it’s unsafe.

Firefox

Mozilla’s Firefox has a more thorough warning system. This may be off-putting to you at first, but it really gives you the most information and the clearest instructions about what the problem is. First, you get a general warning:

[Screenshot: Firefox general warning]

A warning saying there’s something wrong, with only one button, “Get me out of here!” If you click “Technical Details” (the orange triangle indicates that there is information below the heading, but it’s collapsed), you see this:

[Screenshot: Firefox warning with “Technical Details” expanded]

The technical details are that the security certificate expired. If you understand what the problem is, you can get more information if you expand “I understand the risks.”

[Screenshot: Firefox warning with “I understand the risks” expanded]

Here, Firefox gives you the chance to “Add Exception” if you know what’s going on. This tells Firefox to trust the site despite the problem. When you click here, you get more information and a chance to allow Firefox to take you into the site:

[Screenshot: Firefox “Add Exception” dialog]

Again, here it shows you the problem with the security certificate and lets you confirm that you know what you’re doing.

What to do?

So when you see these kinds of error messages, what should you do? You need to follow the saying that I use all the time:

Think before you click!

Don’t just blindly click on buttons. Don’t panic. Think to yourself, “what is this website? Do I know it? Can I trust it? What exactly is the problem? Do I understand what it is?” Read the information the web browser gives you and try to understand it.

The world is not a simple place. When you go to a shop, do you pull your wallet out? Do you give the merchant your credit card? It all depends. Is this a place you can trust or not? What information gives you the idea you can trust it? Have you been there before? Does it look like a legitimate business? What makes it look that way? Do the people there seem trustworthy?

Similarly, the internet is not a simple place. If you proceed blindly, without thinking and paying attention, you may get ripped off.

In the present case, you know the ICS website. You trust the school. You might hesitate because you don’t know why our security certificate has expired. Maybe criminals have taken over the site, trying to get your information. Perhaps you should check it out and ask someone. (If you’ve read this far, I hope that you realize that this is a problem we’re aware of and are working on it!)

Note: if you add an exception or proceed to this site, it DOES NOT mean that your information is sent in the clear. The site is still using the secure HTTPS protocol to connect, which encrypts your data. The only problem is that the security certificate has expired. Consider a driving license: if yours expires, do you stop being able to drive a car? No, but it’s not verified. This is a problem for us at ICS, but it is not an indication of compromised security.

I apologize to everyone for the inconvenience, but I’m almost glad that we’ve had this type of “teachable moment.” I hope that you pay a little attention to the warning messages you get from your computer and web browser and act a little more thoughtfully on the internet.
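An added example, not part of the original post: a small Python check that a site operator could schedule so a certificate is flagged for renewal before it expires, and that turns the verification error a browser would hit into a plain-language cause. The function names, the 30-day threshold and the sample date are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL verification error codes mapped to plain-language causes.
VERIFY_CAUSES = {
    9: "certificate is not valid yet",
    10: "certificate has expired",
    18: "self-signed certificate, not verified by a recognized authority",
    19: "self-signed certificate in the chain",
    20: "issuer is not a recognized authority",
    62: "certificate does not match the site name",
}


def expiry_status(not_after, now=None, warn_days=30):
    """Classify a certificate's notAfter field, e.g. 'Mar 15 12:00:00 2015 GMT'.

    warn_days is an assumed renewal lead time, not a standard value.
    """
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    seconds_left = (expires - now).total_seconds()
    if seconds_left < 0:
        return "EXPIRED"
    if seconds_left <= warn_days * 86400:
        return "RENEW SOON"
    return "OK"


def explain_verify_error(code):
    """Translate a verification error code into the cause a user should read."""
    return VERIFY_CAUSES.get(code, "verification failed (code %d)" % code)


def check_host(host, port=443, timeout=5):
    """Connect the way a browser does: chain, dates and hostname are all verified."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return expiry_status(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as err:
        return "REJECTED: " + explain_verify_error(err.verify_code)


if __name__ == "__main__":
    sample = "Mar 15 12:00:00 2015 GMT"  # constructed expiry date
    for day in (datetime(2015, 1, 1, tzinfo=timezone.utc),
                datetime(2015, 3, 1, tzinfo=timezone.utc),
                datetime(2015, 3, 16, tzinfo=timezone.utc)):
        print(day.date(), expiry_status(sample, now=day))
```

`check_host` needs network access; `expiry_status` and `explain_verify_error` work offline on values you already have.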

Securing our website

Security has become a part of all our everyday lives. Our cars get inspected on arrival at work. Our ID is checked and we are signed in and out. Metal detectors are installed in hotels and shopping centers. Schools are no different, and security at ICS is kept high to protect our students.

We can bemoan the necessity of such measures, or we can accept them and appreciate them for what they are: efforts to protect us and keep us safe. In an ideal world, we wouldn’t need security measures. In the real world, such measures are necessary.

What’s true in the real world is true in the online world. Criminals and terrorists operate online as they do offline, and individuals and website managers need to take precautions to keep their information, accounts and websites secure.

This week, I am renewing the security certificate for the ICS website and related services. This certificate means that when users log in to our mail, elearning or eportfolio services they can be reassured that their account information, passwords, etc. are being protected. It’s part of the background security that all websites must operate. And it’s important for everyone to know how it works.

HTTPS: website security

When you load a typical website, it uses a communication protocol to send the webpage information to your browser and receive any information your browser sends. That communication is HTTP – “hypertext transfer protocol.” There are plenty of details about how that communication works (and it’s really great!), but the most important thing to understand is that it is an open communication, not encrypted or secure in any way. Any information can be intercepted and read by anyone who cares to try. Think of it like sending a postcard in the mail: your message is written in the open and able to be seen by anyone.

In order to protect passwords and other information (online purchasing, for example), a secure method was created – HTTPS.  You can see this in the URL of your web browser when you go to a website login screen. Not only will you see “https” in front of the URL, you’ll also see a lock icon:

[Screenshot: “https” and the lock icon in the URL bar]

This lock icon (and some sites pay for a green “bar of trust”) shows that https is working. It also is a hidden menu. Click on it, and you should see a message similar to the one below:

[Screenshot: security certificate details shown after clicking the lock icon]

This shows that the website is using a security certificate to encrypt the communication. This encryption is tight and prevents criminals from intercepting the information that you enter into the website.

Verifying a security certificate

There’s an additional layer of security that you can see in the screenshot above: verification. At ICS, we used to use our own security certificates to encrypt information. That is something that we can do and it does encrypt and protect the information that is sent over https.

However, anybody can create a certificate, including criminals, so if the certificate is not verified by an independent, recognized authority, web browsers will show an error warning that the website might be insecure. It’s not saying that the site is dangerous, just that it could be. Think of it as someone coming to your door claiming to be from the water company who wants to read your water meter. That person might be a criminal, or might really be someone from the water company. Until they can show some verification that they are who they say they are, you probably won’t trust them.

Therefore, ICS now uses security certificates that are verified by StartCom, one of the recognized security certificate authorities. As part of that, we have to renew our security certificates every few years and verify that we are a legitimate school running legitimate websites.

In order to get a verified security certificate, there are various steps that we have to follow:

  1. I have to verify my own personal identity by providing copies of my passport and national ID card.
  2. We have to verify that the school is a legitimate organization by providing copies of our license from the Ministry of Education.
  3. We have to verify that Jim Laney is our Head of School by providing copies of his identification and verification of his position by the Board of Governors.
  4. We have to verify that I am entitled to act on behalf of the school by providing a letter of authorization from Jim.

Whew! It’s a bit of a hassle getting all that documentation together. We also have to verify our physical presence through the mail. It’s not easy …but it’s not supposed to be. If it was too easy, criminals could easily set up fake websites and steal your information. Instead, you can be reassured whenever you log in to our systems that we have been verified to be trustworthy.

What does this mean for you as a web user?

The main thing any web user should know is that HTTPS is set up to protect your information. Whenever you log in to a website or provide information such as credit card details or bank information, you should look for HTTPS. It’s also worth checking a security certificate for sites that you use – banks, shopping sites, etc. – to make sure their certificate is verified. As a real world analogy, would you put your money in a bank that didn’t have security guards? Would you go shopping in a store or mall that didn’t have any kind of security to protect your money, credit cards, or your purchase?

Like in the offline world, online security systems are a necessary fact of life. It’s worth understanding what they are and why they are necessary. Recognize the signs of security systems online (lock, https) and make sure they’re there when you are sending secure information. It’s like the car check in the morning: let it reassure you that people are working to keep you protected.

Pa55w0rds

by Geralt (Pixabay) – license CC0 (public domain)

Passwords are a problem.

Websites require them. They’re hard to remember. They get stolen. You have to change them. They’ve got all those weird characters in them.

Unfortunately, passwords are with us for the foreseeable future. Managing your passwords is an important skill for students and adults alike. With security breaches like the recent Dropbox and Snapchat and iCloud password thefts, keeping strong passwords that can be changed and remembered is an important thing for everyone to do.

Various experts will offer various recommendations on how to keep your passwords straight. There are various computer- and web-based password storage systems that will keep strong passwords for you – all you have to do is remember the one password for your password manager and it will give you the rest.

There are, however, two simple ways to manage your passwords easily:

Passphrases

Password Strength from XKCD (licensed CC-BY-NC)

One of the strongest and easiest ways to manage passwords is not to use a password at all, but to use a passphrase – a series of words.

This is a very easy way to get a secure and unique code to get into a website, and studies have shown that it is easy to remember and very hard to crack. It’s been popularized by the webcomic XKCD (created by Randall Munroe, an ex-NASA scientist) and has been championed by many security experts. It has been studied recently by researchers at Carnegie-Mellon University and shown to be a very secure method.

Unfortunately, however, there are a couple of problems with it. First of all is the problem of finding several really random words. If the words are not random, it will be easy to crack – either through guesswork or through “social engineering” (if a criminal knows enough about you, he/she can figure out the passphrase). There are systems that can be used to make the words random, but they can be cumbersome and complicated.

The other, and perhaps more difficult, problem with using passphrases is that many systems (bank and credit card sites, particularly) won’t allow them. They will set a limit as to how long the password/phrase can be and require various cases, non-alphabetic characters, etc. It may be possible to build a passphrase using those, but it makes it harder to remember.

Therefore, passphrases are a good system that might eventually supplant passwords and may be used with systems that do not require non-alphabetic characters, but they probably can’t be used widely. I’d recommend you use passphrases when you can, but if it’s going to be confusing for you to have different systems you might want to use option #2.

Cryptic Sentences

This is a method that I have used and championed for years. It’s not my own idea – credit goes to Bruce Schneier, who is an expert on computer security. He wrote about this method years ago and still recommends it. It’s a reasonably simple way to get cryptic passwords that are not too hard to remember.

Start with a sentence that you can remember. Ideally it would be unique to you, like “I broke my arm when I was 7 years old.” You then use the first letter of each word and make slight changes as you wish and as the password system requires. So “I broke my arm when I was 7 years old” becomes IbmawIw7yo or IbmARMwIw7yo!! or something like that.

This is a very easy method for creating cryptic passwords that are easy to remember. Try it!
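An added example, not part of the original post, covering both methods above: words for a passphrase are picked with the operating system's secure random generator, the strength of a random passphrase is estimated in bits, and the first-letter step of the cryptic-sentence method is shown on the post's own sentence. The sample word list is constructed and far too short for real use; the 7,776-word list size and the function names are assumptions, and the bit estimate holds only when every word is chosen at random.

```python
import math
import secrets

# Constructed sample list for illustration only. A real list should hold
# thousands of words (7,776 is the size assumed in the estimates below).
SAMPLE_WORDS = [
    "anchor", "biscuit", "candle", "donkey", "ember", "fossil", "gravel", "hammock",
    "igloo", "jigsaw", "kettle", "lantern", "meadow", "nutmeg", "orchid", "pebble",
]


def make_passphrase(words, count=4, sep=" "):
    """Pick `count` words with a cryptographically secure random source.

    Letting software choose avoids words an attacker could guess from
    knowing something about you.
    """
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, picks):
    """Bits of entropy when each of `picks` items is drawn uniformly from `choices`."""
    return picks * math.log2(choices)


def words_needed(list_size, target_bits):
    """Smallest number of random words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def first_letters(sentence):
    """First character of each word: the starting point of a cryptic-sentence password."""
    return "".join(word[0] for word in sentence.split())


if __name__ == "__main__":
    print("passphrase from sample list:", make_passphrase(SAMPLE_WORDS))
    print("4 words from 16:    %.1f bits" % entropy_bits(len(SAMPLE_WORDS), 4))
    print("4 words from 7,776: %.1f bits" % entropy_bits(7776, 4))
    print("words needed for 64 bits:", words_needed(7776, 64))
    print(first_letters("I broke my arm when I was 7 years old"))
```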

Managing your passwords

Once you’ve created your passwords, you need to manage them. Here are some basic tips:

Keep them different!

If you use the same password for different sites, then once a criminal has the password he/she can get into other systems. It is hard to break into bank systems. It’s easier to break into Facebook or The Daily Mail. Criminals target soft targets and then use what they’ve got to try to get into other systems. Make sure you use a different password for each system!

You can use some variation of the same password for different sites, but make sure that it’s not easy to guess. Having “passwordGoogle” and “passwordApple” and “passwordBank” means that once one password is compromised, the others are wide open. If instead you use something like “passwordEL” and “passwordEL” and “passwordKN” (not using “password” but something stronger!)  it will be harder to guess. (But don’t just use the last two letters, make up your own system.)

Change them

Security experts recommend you change passwords regularly. The mean ones say you should change them every month or every quarter. That might be a little extreme, but I would recommend you change them occasionally – every year is a reasonable amount. Definitely, you should change your passwords whenever you hear there is some security problem. Don’t put your head in the sand and hope that it won’t affect you!

Remember them

If you need to write them down, don’t put them on a sticky note next to your computer! Write them on a slip of paper and keep them in your wallet or someplace else secure. Ideally, don’t write the password itself down, but some memory jogger. (If my password is “thislittlepiggywenttomarket” my memory jogger might be “swine goes to store.”)

At the end of the day, managing your passwords is a chore and a hassle. However, it is also a necessary process – just like keeping your house keys protected and making sure to change your locks if there’s a chance someone has a copy.

Internet security: Heartbleed

The web has been roiled by the “Heartbleed” bug. This problem – it’s not a virus or malware, but something not working right in software (hence a “bug”) – is causing problems for all kinds of websites …and the people who use them.

What is Heartbleed?

Heartbleed is a defect in OpenSSL, one of the software systems which handle secure connections (SSL = “Secure Sockets Layer”) between a web browser and a web server. This software means that when you go to a website that needs private or secure information (a password, your bank account or credit card number, etc.), the communication between your computer and the website is secure so that nobody can intercept that private information. (You can tell a site is secure by the https:// prefix to the site’s address (URL) – if you’re loading a webpage with http:// then the connection is not secure.)

The defect in the software allows information to bleed out to anyone or any computer which communicates with that server. The information might include private or sensitive information such as passwords or account numbers. It might not. The problem is, there’s no way of knowing if any private information has leaked out.

If you want to understand exactly how the Heartbleed bug works, check out this XKCD cartoon. It’s a simple but effective demonstration of what happens. Notice that the data being processed by the server is constantly changing, so whenever the request for information from the server happens, the data that’s retrieved changes. Does it include your password? Maybe…
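An added example, not part of the original post and not OpenSSL's code: a Python model of the heartbeat exchange the cartoon describes, with the unpatched behaviour next to the length check that fixed it. The message layout (1-byte type, 2-byte claimed length, payload, 16 bytes of padding) follows RFC 6520; the function names and the "memory" contents are constructed for illustration.

```python
import struct

PADDING = 16  # RFC 6520: at least 16 padding bytes follow the payload

# Constructed stand-in for whatever else the server process holds in memory.
OTHER_MEMORY = b"user=alice&password=constructed-secret"


def build_request(payload, claimed_len):
    """Constructed test message: type 1 (request), claimed length, payload, padding."""
    return struct.pack("!BH", 1, claimed_len) + payload + bytes(PADDING)


def respond_unpatched(record, memory=OTHER_MEMORY):
    """Pre-fix behaviour: echo as many bytes as the request claims to contain.

    `memory` models the unrelated data that sits after the request, so the
    reply changes with whatever the server was handling at that moment.
    """
    _, claimed = struct.unpack("!BH", record[:3])
    adjacent = record[3:] + memory
    return adjacent[:claimed]


def respond_patched(record):
    """Fixed behaviour: drop any request whose claimed length does not fit
    inside the bytes that were actually received."""
    if len(record) < 1 + 2 + PADDING:
        return None
    _, claimed = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed + PADDING > len(record):
        return None  # silently discarded, nothing is echoed
    return record[3:3 + claimed]


if __name__ == "__main__":
    honest = build_request(b"HAT", 3)
    oversized = build_request(b"HAT", 50)
    print("honest, unpatched:   ", respond_unpatched(honest))
    print("honest, patched:     ", respond_patched(honest))
    print("oversized, unpatched:", respond_unpatched(oversized))
    print("oversized, patched:  ", respond_patched(oversized))
```

The patched handler still answers honest requests, which is why sites had to update the software rather than switch the feature's users off, and why a password typed before the update may already have been in a reply.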

Do I have to worry about it?

The simple answer is yes. OpenSSL is widely used throughout the internet. Most notably, it is used by Google, Facebook, and Yahoo! – and all of these sites were vulnerable. (This article from BBC News includes a list of some of the most popular sites that were vulnerable. Many other sites were also affected… this list is not exhaustive!)

It is not sufficient to simply hope things will blow over. This defect in the OpenSSL software affected the infrastructure of the internet – it affected many systems throughout the web …including sites and services that you may use without being aware of it. You might not have a problem resulting from it, but then again you might. If someone has been able to steal your password, you could wind up being the victim of identity theft or other financial scams. (Read this account by someone whose GMail password was stolen – not related to Heartbleed – and what happened. Friends were conned, mail was lost, and it was a horrible nightmare.)

What can I do to keep my information secure?

The main thing to do is to change your passwords. The important thing is to change your passwords after the OpenSSL software has been updated and new security certificates have been issued. If you do it before this, any criminal exploiting the Heartbleed bug might get your new password.

Ideally, services you use should alert you to the fact that they have patched their systems. (And a proper fix means updating the software and issuing new security certificates, not just updating the software.) Here’s a message I received from Moodle saying their system has been patched (and they did issue new certificates):

[Screenshot: message from Moodle]

If you don’t get a message from a site, you can check it using a service like this one. Enter the URL (address) for the site and it will check if the system is using the version of OpenSSL that is affected by the Heartbleed bug.

Once you know a system is protected, you should change your password. Any passwords you use should meet these criteria:

  • Your password should be strong. You shouldn’t use an easily recognizable word or sequence of numbers. (“password” and “12345” are two of the most commonly used passwords …they are highly insecure!!)
    • Ideally, a password should be a random collection of letters, numbers and other characters …such as: kjP87mi%lkj. Unfortunately, such a thing is hard to remember.
    • There are various ways to create memorable hard passwords – here’s one:
      • Make a phrase you can remember, such as “My favorite food is pizza.”
      • Change the case of some of the words, and add in some numbers (you can substitute some numbers for letters) and other characters. If you have a password such as “my FAVORITE!! f00d 15 Pizza?” it will be hard to break.
      • Alternatively, use the first letter of each word (including some numbers and other characters, too) – so you might get a password like “mFf1p”
      • If you can make your phrase more nonsensical or in a different language than English, it will be harder to break. (So, “elephant 74 PURPLE Michael stop!sign” or “BETAM**amesegenalaho!!” would be strong.)
  • Your password should be unique.
    • Don’t use the same password for other sites.
    • You can use variations of your password (“my FAVORITE!! f00d 15 Spaghetti?”) for other sites, but if you repeat a password it really weakens it.
  • Ideally, you should change your password every so often. (It may be a good idea to change your password to sites that had been vulnerable and then patched – such as Google, Yahoo, Facebook – again in a few weeks, after they’ve issued new security certificates.)

There are services that can manage passwords for you if you find this confusing. Some recommended ones include LastPass and the open source KeePass.

Where can I get more information?

Here are some articles I found helpful in understanding this problem and identifying how to deal with it: