'Secure' in Chrome Browser Does Not Mean 'Safe'

[Dan N]

I am using Wordfence security service for a long time now and I was never disappointed.
Their expertise seams genuinely and highly professional but this time I want to mention about an article they shared publicly on their website.

This thread is also a "take that! and inform yourself better" for some, who believe that using a SSL certificate make the site/service bulletproof .
Wordfence posted two articles about HTTPS, the first one is talking about how the encrypted connection is decrypted in order to become "readable" (so SSL becomes useless) and the second article which makes me a bit confused is also posted on their website

This morning we are publishing a public service post showing how malicious phishing sites are getting valid SSL certificates from certificate authorities. In Chrome, this means that a phishing site is labeled as 'Secure'.

We also show that even if a certificate authority realizes they issued a certificate to a malicious site, when they revoke that certificate, Chrome still shows the site as 'Secure'. The fact that the certificate is revoked is buried deep in Chrome developer tools where most people won't find it.

We think this is something every online user should know about and we explain how to protect yourself and your friends and family against the large number of phishing sites that are now installing free valid SSL certificates and are shown as 'Secure' by Chrome.

You can find the full post on our blog....

Is SSL (HTTPS) useful and secure? - Yes , only when direct visitor-website connection is established
Is SSL certificate delivering a HTTPS connection bulletproof? - Nope if a 3rd party service/function must decrypt the connection in order to read data... The next logic question is... Can be exploit with malicious intent? Yup.

 

[Dan N]

Another security reply.
Check if your home router is vulnerable
https://www.wordfence.com/blog/2017/04/check-your-router/

 

[Guy]

Can an anonymous proxy or a VPN patch it?

 

[Reckly]

I'm not sure if it's okay for me to discuss such things while I'm dying of the flu, but i think it's important.

Is SSL (HTTPS) useful and secure? - Yes

Yes and no. The problem is - SSL is not secure. It is outdated technology. There is a thing called TLS. It's much better than SSL (since TLS v1.1). But both SSL and TLS sites have "HTTPS" thing and chrome gives them the green 'secure' label. Correct me if i'm wrong. So I would recommend to check what certificate is being used by the site you're interested in. For example, Chaturbate main page has TLS v1.2 certificate.

And there is a table stolen from russian wiki page about SSL.

 

[Puffin]

I'm not sure if it's okay for me to discuss such things while I'm dying of the flu, but i think it's important.

Yes and no. The problem is - SSL is not secure. It is outdated technology. There is a thing called TLS. It's much better than SSL (since TLS v1.1). But both SSL and TLS sites have "HTTPS" thing and chrome gives them the green 'secure' label. Correct me if i'm wrong. So I would recommend to check what certificate is being used by the site you're interested in. For example, Chaturbate main page has TLS v1.2 certificate.

And there is a table stolen from russian wiki page about SSL.

Agreed.

Any website can be checked using this ssl labs tool
https://www.ssllabs.com/ssltest/index.html

CB, MFC, Ambercutie all acccepting TLS v1.2

 

[weirdbr]

For example, Chaturbate main page has TLS v1.2 certificate.

I think you mean 'TLS v1.2 standard' - the certificate characteristics are completely independent of the standard being used.

Can an anonymous proxy or a VPN patch it?

Nope. And this issue affects even VPNs.

This is a issue that so far has not had a good technical solution/proposal - all clients of encrypted content must rely on the certificate chain and in this case, the folks at the top/middle of the chain (Certificate Authorities) are failing on their job and letting the wrong people get valid certificates for hostnames that they don't own.

The biggest thing that can be done (until a technical solution is devised) is what browser vendors are doing: they track certificate validity and try to identify certificates that are either invalid or badly issued. Once they get that data, they go back to the companies issuing those invalid certificates and try to work with them to fix this mess - first by doing the required audits (done by external auditing companies) to identify how those certificates were issued incorrectly, then to fix the processes that allowed it to happen.

Usually the CAs do what is needed, but sometimes they don't (see for example the Symantec case). In this case, browser developers have a powerful hammer: they can lower the trust level of the CA, meaning that any connection protected by a certificate issued by that CA will show as anything other than "secure". Once enough browser vendors do that, the certificates from that CA become worthless and the CA either goes broke or has to quickly fix their issues to have the trust level re-upped.

Now, in the mean time what some browsers/apps have been doing is called certificate pinning: Chrome for example has a built-in list of which certificates it should expect to see being used by any real Google domains, so if you ever try to access a server that claims to be google.com and has a 'valid' certificate but it is not the one Chrome expects, you will get a gigantic warning telling you something fishy is going on.

Now, back to the VPN case - the vast majority of VPNs use certificates (sometimes together with usernames/passwords/2-step auth) in the same way a browser does, so all it would take for a third party to intercept your traffic is to get a certificate claiming to be your VPN provider and voila - they can see all you are accessing.

 

[Dan N]

Well, I'm no expert but I do use a VPS and deliver content via HTTP and when "requested" via HTTPS ... the website from my signature.
Some collaborators (I never use "clients") asked if it is secure for them to use our service with HTTP. For their own comfort the service has a valid certificate installed and yes we can deliver a "secure" connection via HTTPS --- which from what I've read and informed myself is not bulletproof . The Wordfence security plugin (we use that on our WP platform) has some pretty interesting answers related to online security and I wanted to share some of their expertise with ACF forum and its members.

 

[JerryBoBerry]

Another security reply.
Check if your home router is vulnerable

Can an anonymous proxy or a VPN patch it?

One thing that should be pointed out, that article is referring to certain models of modem routers that are provided by the ISP to their customers. And most of them affected are routers used by German and Irish ISP customers for Deutsche Telekom and Eircom. If you bought your own router, they would not have access to it in any way to use that port or leave it open. So it wouldn't apply in that case.

 

[weirdbr]

If you bought your own router, they would not have access to it in any way to use that port or leave it open. So it wouldn't apply in that case.

Sure, that specific flaw wouldn't apply, but the sad reality is that the majority of routers sold to end users are full of flaws - some exploitable only locally, some exploitable remotely... It's gotten to a point that someone is currently running a botnet called 'bricker', which exploits flaws on consumer-grade routers and IoT devices and tries to damage them to ensure no one can use them for attacks - maybe as a 'good samaritan' trying to protect the internet at large or just someone being an ass trying to cause as much damage as possible.