Wednesday, March 30, 2011

Signs of Broken Authentication (Part 4)

So today's post is the last of the series of “Six Signs of Broken Authentication”.

So let's review. Thus far, we have covered the following red flags:
  1. Restricting the maximum length of a password.
  2. Restricting the set of characters you are allowed to use in your password.
  3. Mapping all your password characters to digits 0 through 9 so you may enter it via an ordinary telephone keypad.
  4. No password lockout.
Today, we will be covering the last two warning signs of broken authentication:
  1. Missing or inappropriate use of SSL/TLS
  2. Password reset via poorly implemented “security questions”

Red Flag #5: Missing or Inappropriate use of SSL/TLS

You go to a web site and you notice that that login page is not using https (i.e., HTTP over “Secure Socket Layer” (SSL) or “Transport Layer Security” (TLS)). Or for those of who've been trained to look to see if the little lock is showing, you notice that it is conspicuously absent.

Of course, there are the obvious signs and—depending on which browser you are using, your particular browser configurations, and which browser plug-ins you may be using—the not so obvious signs that things are awry.

Let's start with the more visible ones and then we will follow up with the less obvious ones.

Note: In the rest of this ensuing discussion I will be using the term “SSL” to refer to both SSLv3 and TLSv1 unless otherwise specified. Also note that this list is not complete, but is intended to cover the most common and egregious issues. Post a reply to this blog to provide your feedback if your favorite one is missing.

The Web Site's Login Form Is Not Using SSL/TLS At All

Setting up an SSL site when the only thing that needs protecting is users' passwords seems like such a waste of time to many IT teams. And sure, there's always the argument to be made that if the rest of the site isn't using SSL at all, is there really that much to be gained? (But, that's probably not the right question to be asking to begin with; the more appropriate question is “what is your threat model?”. Only after answering that can you answer whether the rest of your site should be using SSL/TLS or not.)
One might think this is an uncommon practice and that major sites would never make such a faus pax, but until rather recently, the general login pages for Facebook did not default to use SSL.
Now this practice might be OK in the world predating open Wi-Fi hotspots, but nowadays it is trivial for someone to snoop the ether for user name / password combinations not transported over SSL. That combined with the fact that the average netizen (certainly not you astute folks reading this blog! :) has a tendency to reuse a small handful of passwords makes capturing someone password a potentially valuable exercise to those ready to exploit such things.
So while Gene Spafford's advice of “Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench” may have been appropriate advice when LANs were over traditional Ethernet, with the advent of open Wi-Fi hotspots such advice is outdated at best.

The Web Site's Login Form Uses SSL, But the Form Is Displayed Using http

Today, it seems to be in vogue for web sites to have a link to the login form directly off their main page. This seems to be especially popular with telecommunications companies and their residential “My Account” portals; witness Qwest, Verizon, and AT&T.
Now, while these sites do post the login requests to their respective servers using https, the fact that the login forms are displayed on an non-https page is somewhat disturbing.
The issue is that a man-in-the-middle (MITM) attacker can mirror the main site, but alter the login page so that the authentication is redirected to a rogue site used to capture your password. (Depending on their sophistication, some may pass through your password to the actual intended site, while others may simply return a “login failed” indication.) Often this attack occurs using a technique known as “pharming”, whereby an attacker—usually placed conveniently near an open Wi-Fi—hijacks DNS requests to a web site. If it is one they have set up a mirrored rogue site for, the DNS request returns something with a similar name. The attacker may also attempt to obfuscate the URL by various means in hope that their social engineering attack won't be noticed.
What you, as users, can do to make things safer: Most of these sites will redirect you to a more bare bones, all SSL, login form if you simply click on their “Submit” or “Login” buttons from the main (non-SSL) containing page. For example, if you were to click on the “Sign In” button from Qwest's main page, you will be redirected to, which of course is using SSL. From there, you can verify the certificate, in particular that it belongs to whom you think it should, to make sure this is the site that you intended to visit.

The Web Site's Login Form Uses SSL, But the Form Is Using Components Not Using SSL

This is similar to, but in general not quite as bad, as the above case. Here there is some component of the login page that is not using SSL whereas the rest of the page is. Generally, this is caused by the site using vanilla http to load an image, some JavaScript, or a cascading style sheet. Also, generally most modern browsers will provide some sort of warning for this (although many people have disabled this warning because they see it so often).
In theory, such a thing can still be exploited by a MITM attack, although the difficulty of this varies greatly depending on what the pages are that are loading over vanilla http, whether that page is cached in a proxy somewhere, and many other variables. This attack is usually much more difficult than simple DNS hijacking. If a proxy cache is involved and the specific page is cacheable, then sometimes a proxy cache-poisoning approach will work for an attacker. (This can be accomplished in many different different ways, such as HTTP response splitting, HTTP request smuggling, DNS cache poisoning, etc. The details are beyond the scope of this blog post.)
Generally, if you see this warning in your browser, you can either choose to heed the warning or take your chances. If you decide to take your chances, you might at least wish to explore why the warning is being issued. From Firefox, you can do this by right-clicking on a page and selecting 'View Page Info'. From the 'Page Info' dialog box, select 'Media'. In the top section, right click and choose 'Select All', followed by right click 'Copy'. Then paste the copied addresses into a text editor and search through them. But caution: unless you understand HTTP, HTML, and web application security, you are are better off just reporting this situation to the web master. There be dragons in these waters, so tread carefully.

The Web Site's Login Form Uses GET Rather Than POST

The default action for HTML forms is to make an HTTP POST, but occasionally a web developer will use an HTTP GET for the HTML form's “action”. While both work, a GET will pass the form parameters as query parameters. HTTP web servers generally log all GET requests including any query parameters are part of the requested URL. In such cases, your user name and password likely will end up in someone's log files. Furthermore, by default these parameters will also go into your browser's history, so if you are using a web browser from a kiosk (probably a bad idea in in the first place) your user name and password ends up there as well.

The Web Site Uses a Dubious Certificate

[Note: This subsection could probably be called “Why Certificates and Public Key Infrastructure Do Not Work”, but that's a topic for another day. If interested, Google what CS professor and cryptographer Peter Gutmann has written about the subject.]
When a web site is configured to use SSL, the web server will be configured to use an X.509 server-side certificate. Often these certificates are not correctly configured. Generally, these misconfigurations will cause a warning in your browser. (I will not attempt to describe the wording warnings here because they vary greatly depending on which browser you are using and even with browser version. However, the browser developers put these warnings there for a reason and you should generally heed them when they advise you to “run away”, the law of “dancing pigs” not withstanding.)
Here are some of the more common certificate-related problems.
  1. Self-signed Certificate or Certificate Not Signed by Trusted CA
    Your web browser has several dozen “trusted” (by the vendor of your browser, not necessarily by you) certificates issued by various Certificate Authorities (CAs). An SSL server certificate issued by one of these trusted CAs will be trusted by your browser because it was properly signed by a trusted CA. But occasionally, in an attempt to save money (or because of general cluelessness of the IT staff administering the web site) a web site will use a self-signed (i.e., self-issued) certificate instead of one signed by a trusted CA. (A variant of this is that they will sign a certificate by one of their internal CAs that your browser does not trust.) In either case, your browser should issue a warning if you have not disabled this specific warning. (If it doesn't, it's time to switch to a different browser.)
    The problem here is that for self-signed certificates, anyone can create one, so unless you can trust this specific self-signed certificate (for example, by verifying beforehand and out-of-band that this specific certificate's fingerprint from a trustworthy source), a MITM attack is again possible. (Not trivial mind you, but certainly possible.) If you must use such a site, you are strongly advised to choose a unique password for it. And if that site happens to be your bank..., well, then I'd advise you to find a new bank, at least until their IT staff gets it fixed.
  2. Certificate's CN Does Not Match Host Name of Web Site for Login Page
    Earlier, I mentioned Eugene Spafford's quote about how using encryption on the Internet overkill. This never meant that SSL was useless. Indeed, in pre-open Wi-Fi times, arguably the most important purpose of SSL was the server-side authentication that your browser performed as it made an SSL connection. This server-side authentication consists of validating that the digital signature on the SSL server-side certificate is valid and was signed by one of your browser's trusted CAs as well as ensuring that the host name on the SSL server certificate matches the host name that your browser believes that it is trying to connect to. To do this, your browser compares the host name portion of the URL it is visiting to the 'CN' (Common Name) on the SSL server-side certificate. If there is a mismatch, your browser will issue a warning.
    This server-side authentication is important in preventing simple phishing attacks. Without this check, an attacker could redirect your browser to a rogue site that (say) looks like your bank's site and get you to authenticate to their site instead, thereby handing over your bank account to them. So, as users, don't get into the habit of just accepting mismatched host names on certificates or you will be setting up yourself for future phishing attacks.
  3. Site Is Using A Revoked Certificate
    Either a CA or the owner a certificate may “revoke” a certificate because they believe that the private key associated with the public key on the certificate has been compromised. So chances are, if you encounter a revoked certificate on a web site, you are dealing with a rogue web site set up to mimic the real web site's appearance. Stay away and notify those running the site that you were originally intending to visit as it is possible (though unlikely) that the site's legitimate owner has accidentally put the revoked certificate back up.
  4. Certificate Supports No Revocation Checking
    Your browser relies on hints on the SSL server certificate or the signed CA's root certificate for details whether or not a certificate has been revoked. Your browser does this by examining these certificates for certain optional extensions which instruct it how and where to check for revoked certificates. (The details are again beyond this particular blog post.) Furthermore, depending on your browser and its version, this revocation checking may or may not be automatically enabled in your browser. If it isn't enabled, your browser generally won't be able to detect revoked certificates with the exception of those revoked certificates built into the browser itself. (Check your browser's documentation for details of how to enable revocation checking for your specific browser version.)
    However, occasionally, a browser will use a cheap(er) CA and that CA might not support revocation checking. (I suspect most CAs do; perhaps even all, if they support X.509v3 certificates at all. But it certainly is a possibility. I'll leave that as an exercise for the users of all the browsers to check if all your browser's built-in CAs support revocation checking. If any of the CAs have issued version 1 X.509 root certificates, these probably do not support revocation checking because they do not support certificate extensions.) Also, I cannot speak as to which, if any, browsers would issue a warning for such CAs. If you know, please post a comment to educate us.
Finally, you will notice that I did not include “Expired Certificate” in this list of dubious certificates. I would describe that as a “pink” flag, not a red flag. The primary reason for CAs expiring certificates to begin with is to ensure a continued revenue stream. Yes, there are some valid arguments for expiring certificates, but assuming that one takes reasonable precautions to protect the associated private keys and one is using a reasonably sized public/private key size ( 1024-bits for RSA; sorry NIST!), an expiration period of 3 to 5 years should be very reasonable. But as I don't really want to get into the politics of CAs, I am not going to belabor this point. If a certificate has been expired for several years, it probably is a red flag, indicating that the IT staff is either oblivious or apathetic (as this almost always generates a huge warning in almost every browser available). Of course it might also indicate that the site is as popular as a skunk sniffing contest and no one other than the IT staff actually visit their site. ;-)

Red Flag #6: Password Reset via Poorly Implemented “Security Questions”

So is that is? Anything else? Of course. I've saved the best (or would that be the worst) for last? The last authentication red flag on my list of authentication e-v-i-l-s is sites that allow you to reset your passwords based your answer to the ubiquitous “security question”.

You know the ones... They ask you to chose a “security” question such as:
  • What is your favorite sports team?
  • Who is your favorite author?
  • What was the name of the school you attended in first grade?
  • What was your first car?
  • Where is your favorite vacation spot?

etc., and then to provide your answer that they check when you need your password reset.

Depending on whose figures you quote, one hears of help desk assisted password resets running between $50 to $150 per call. Also one hears figures that between 20-40% of all help desk calls are to reset passwords. So given such costs, it is not surprising that companies have decided to automate their password resets. Unfortunately, since most companies don't have a second form of authentication that they support for all of their customers, their self-help mechanism for resetting passwords is often demoted to using “security” questions. Since any more, this practice includes almost every web site authenticating users with a password, one can't use this criteria alone to classify poor security practice. So instead, we will try provide insight on how to recognize the bad from the worse.

We will take a three pronged approach in discussing this topic:
  1. How to recognize bad practice from the worst practice (aimed at both users and developers)
  2. Offer suggestions of how users can make the best of a bad practice
  3. Offer suggestions of how developers can better implement password resets

Recognizing Bad Practice

First, as noted in Good Security Questions,

... there really are NO GOOD security questions; only fair or bad questions. 'Good' gives the impression that these questions are acceptable and protect the user. The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.”

So, from an external perspective, how do we recognize the fair questions from the bad questions? distinguishes four criteria. That site states that a “good” (relatively speaking) security question is one whose answer will have these four characteristics:
  1. cannot be easily guessed or researched (safe),
  2. doesn't change over time (stable),
  3. is memorable,
  4. is definitive or simple.
While some sites are getting better at formulating canned questions, few meet all four of these above characteristics. Most web sites still only have questions that lead their audience to very predictable one or two word answers. On the plus side though, more and more sites now are now allowing their users to pose your their own questions (such as “What is my password?” ;-) and answers.

The password reset process typically works by a user starting out by clicking on a “Forgot Password” link. Upon clicking on this the link, the user will be prompted for their user name. Once this is done, most sites prompt you to answer these security question(s) correctly (sometimes you will need to answer multiple questions correctly). After you provide the correct answer(s) to the posed question(s), the web site will send you an email to your email address that you used to register with that web site. That email message will typically contain either a temporary password that you can use at the main login screen or a special link—often only valid for a short amount of time, such as a few hours—and that link allows you to reset your forgotten password. The better designed systems will send you a special link to your email address on record that will allow you to answer your security question(s), and only then—if you answer them correctly—will allow you to proceed immediately to reset your password. This has the advantage of not allowing an adversary to see your specific questions first in order to research them.

However, a few of the sites still allow you to reset your password directly just by answering your security question directly—no email or SMS text, etc. side-channel is involved. A few others have the poor practice of displaying the email address that the new temporary password is being sent do. If their site does the latter, that opens up possible social engineering exploits to their help desk—such as an attacker claiming that they no longer use that email address and could the help desk personnel please change it to this other email address that they now use. Then all the attacker need to is to guess the answer(s) to your security question(s) correctly.

Advice For Users

Fortunately, many ordinary citizens are getting smarter with this, and when posed with some canned question such as “What was the name of the school you attended in first grade?” will answer “spaghetti”. (In truth [seriously], “spaghetti” seems to be a favorite answer of these questions, so you may want to start trying something else, like perhaps “linguine”. :)

Unfortunately, many people don't understand how answer these questions realistically can work against them. For when faced with answering the security question “What was your first car?”, they might answer “1969 Plymouth Satellite” (or in my case, that would be “1909 Ford Model T”...JK; actually it was a “Paleolithic Era Flintstones Mobile”) . But seriously, which is easier for an attacker to do? To guess your 8 character password (assuming that your password isn't “password” :) or to guess the answer to your security question? Generally, it's the latter. It's not to hard for me to write a small program that will guess all reasonable permutations of year, make, and model of cars or all the sports teams or whatever your security question happens to be. After all, how many possible “favorite sports teams” are there? Maybe thousands at the most. Developers could go a long way to help out here by not permitting unlimited attempts at guessing the answer to these security questions, but they seldom do. So it's up to you—as users—to chose some technique to use to defeat this avenue of compromising your web site user account. Pick some standard technique that you remember. For example, maybe add a common preamble to the all your security answers, like “xyzzy-” or “plugh:” or “meh/” or whatever you want. Or you can always answer all such security questions by some common (but secret) pass phrase, such as “I think that all politicians should serve a term in office and then a term in jail.”, etc. But because there is no common recognized “best practice” for password resets, it is going to be a long time until the development community catches up. But then again, “best practice” for a “poor practice” is an oxymoron. As noted from earlier, there are no “good” security questions, only fair or bad questions. So it is up to you, as users, to protect yourself until something better comes along.

Lastly, if you, as users, are able to define your own security question / answer, that can provide a higher level of security than stock questions, assuming that you give your question some thought beforehand. I often advise friends to select a question that might be somewhat embarrassing to them if it were discovered. (Although, use with caution; as users, you can never assume that the developers are actually encrypting the questions and answers.) So, for example, a question like “What was the nick name that bullies used to taunt me with in grade school?” or “What is the name of the girl that I had a secret crush on in ninth grade?” might be appropriate, whereas a question such as “How much money have I embezzled from my last employer?”, not so good. Common sense should prevail here.

Advice For Developers

There is no consensus for what constitutes “best practice” for password resets using security questions / answers. Most likely, this is in part, because most security experts recognize that passwords are a weak form of authentication themselves and these password reset techniques are even weaker. But that said, from a pragmatic perspective—for the moment at least—we need to play the cards we are dealt.
There is evidence that the security industry is starting to pay attention to this issue. For instance, FishNet Security's Dave Ferguson published a white paper on this in 2010 as well as participating in a recent OWASP Podcast on the subject. Based on Ferguson's, OWASP has started on a “Forgot Password Cheat Sheet” (which still needs a lot of work, but its an extraordinary start by Dave Ferguson and Jim Manico). [NOTE: The OWASP “cheat sheet” page is also a bit misnamed as it assumes that the only mechanism to reset passwords is via security questions / answers; if a site were using multi-factor authentication, it probably would be better to involve those other authentication factors in the process, but admittedly, outside the banking / finance industry and the military, multi-factor authentication is a rare practice.]
At the risk of repeating a lot of what is already spelled out in the OWASP Forgot Password Cheat Sheet, here is what I would advise. (I hope to get these comments folded into the cheat sheet in the not too distant future.)
Step 1) Gather Identity Data
Not much to disagree with here except for the obvious don't be collecting social security numbers unless it is something that your site actually has legitimate need for. The same goes for collecting only the last 4 digits of the SSN.
Step 2) Selecting Initial Security Questions / Answers
The appropriate time to require that a user choose security the time the user initial registers with your site. Ideally, allow them to select their own security question. If this is not possible or desirable for some reason, then all them to select from a large set of well thought out security questions. It is a good idea to require that the answer to any security question be longer than some minimal length (say, 8 to 10 characters), otherwise brute force attempts become likely. Finally, regarding the storage of the security questions / answers, questions should be encrypted (especially if they are chosen by the user) and any security questions should be hashed.
Step 3) Send a Time-Limited Token Over a Side-Channel
This is follows the step to verify security questions in the OWASP cheat sheet, but I think it is better that it precedes this verification so as to not even allow the possibility of answering the security questions until one has received this out-of-band token. A random 8 character token is sufficient for SMS, but using something like ESAPI's CryptoToken is better if generating an emailed link. Making this step precede the verification of the security questions increases the difficulty of a potential attacker researching the answers ahead of time (unless there are only a small set of possible questions). In addition, the token usage should ideally be restricted to a particular time duration after which it was created, say two hours or so.
Step 4) Require User Return the Token
The user must return the token sent to her over a side-channel. So they must reply to the SMS text message or click on the link sent to their email address on record. Furthermore, they must do so within the required amount of time, otherwise the token becomes invalid.
Step 5) Redirect the User to a Secure Page to Verify Security Question(s)
If the token is valid, take the user to a page (using SSL/TLS) where they can answer the questions. Do not allow the user to select which question they desire to answer (assuming that there are multiple question / answer pairs; ideally, make them correctly answer them all). Developers should also take precautions to limit the effectiveness of guessing. For example, using CAPTCHAs to reduce the success rate of automated attacks and allowing only (say) 5 consecutive failed attempts before temporarily locking out the account from further attempts to answer the security question. (A temporary lockout of a few minutes should be sufficient.) Finally, if the account is locked out because of N consecutive failed attempts, note it in a security audit log as well as notifying the user via email or an SMS text message.
Step 6) Allow User to Change Password
Once the user has correctly answered all required security questions (one or more, based on risk of potential lost of compromised password), allow the user to change the password. Then (optionally) redirect the user to the login page and require they re-login with their newly selected password. (Requiring that they re-enter their password again will reinforce their password in their mind. Of course, one must weigh this benefit against the inconvenience of the user experience.)


Well, that's enough ranting for this topic of warning signs of poorly implemented authentication practice. Tell me what are your thoughts on this. Have you seen any additional authentication red flags that I've forgotten? If so, let me know.


No comments:

Post a Comment