The dangers of HTTPS

Discussion in 'privacy general' started by Paranoid2000, May 6, 2004.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Most of us may associate the HTTPS protocol (encrypted web traffic) with security and safety - entrusting it with passwords, credit card numbers and other sensitive information. However, this protocol is being used in links by some advertisers and this has some concerning side-effects.

    If anyone relies on an external filter or firewall to control web content (cookies, Java/VBScript, ActiveX, etc) then this filter will not do any filtering on HTTPS traffic (since all it sees is the encrypted data). So a site can, by using an HTTPS link, plant cookies or run code regardless of what restrictions you have set.

    The only exception to this that I know of is Proxomitron when the OpenSSL files libeay32.dll and SSLeay32.dll have been installed (available from the "SSL Addons Section" of the Proxomitron Files page) and the Config/HTTP/Use SSLeay-OpenSSL box has been checked. Note that this will cause your browser to issue a certificate warning whenever you visit an encrypted website since it will see Proxomitron's certificate rather than the website's (see the Proxomitron readme for more details). Without these OpenSSL files, Proxomitron can do no filtering on HTTPS traffic.

    Browser-based controls on active content should work as normal (since the browser sees the decrypted traffic). However most browsers do not provide the same level of control as a purpose-built filter.

    Opera users can set their browser to prompt whenever an SSL connection is started - this will provide warning of any links to third party sites. To do this, in File/Preferences/Security/Authorities... check the "Warn before sending data to sites certified by this authority" box for each certificate authority (40 plus). Once this is done, Opera will prompt whenever a secure connection is started, giving you the chance to abort it. I do not know of an equivalent setting for Internet Explorer or Firefox/Mozilla - if anyone does, please post the details.

    Real-Life Examples
    Doubleclick have used this technique on secure parts of other websites. Since these typically deal with processing actual orders, it does provide them (in conjunction with other information) with an excellent record of online users' purchase history.

    However the most widespread user appears to be Paypal. Every site that requests donations via Paypal has an HTTPS link to Paypal's website for their icon. Furthermore, Paypal's home page includes a web-bug triggering another HTTPS connection to Omniture (102.112.2O7.net - note the last O, not a zero) which can include extra information as parameters to the URL like hardware details (like screen resolution) and the account number that you are making a payment to (I have queried this with Paypal but received no proper explanation).

    These connections can be blocked by creating the appropriate entries in your Hosts file (see elsewhere on this site for details on this), but this does assume that you know which domains to block. Non-Opera users can use HTTP monitoring software like Charles (shareware) or the free HTTPLog plugin for Outpost firewall to keep track of URLs visited in order to identify suspicious ones.
     
  2. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I just downloaded the DLLs for Proxomitron, but I'm not sure where to put them on XP Home. Where do they go?
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Copy them into the Proxomitron folder and then check the "Use SSLeay/..." box in Config/HTTP for Proxomitron.
     
  4. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Thank you Paranoid2000, I'll do both now :)
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    It worked, I ticked the box with the DLLs installed. I haven't checked yet, but there was an extra DLL, msvcr70.dll, and I put that there too. What's that for?
     
  6. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I'm sorry, it's a Microsoft DLL, I didn't realise. Thanks again, Paranoid
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Excellent info. Thanks.

    Nick
     
  8. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Do any well-known, shared HOSTS files include these domains? Like the MVPS hosts? Or hpguru's hosts file?
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Doubleclick will usually be included in hosts file blocklists (though they do add new servers and domains so keeping the list updated is a good idea). However I doubt you'll find a list including Paypal given the number of people who have legitimate use for it. This would be better handled on a connection-by-connection basis - either by using Opera with the configuration changes suggested above or by running Proxomitron with the OpenSSL DLLs (this should cause all browsers to popup warnings on every HTTPS connection due to Proxomitron's certificate not matching the domain requested).
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Just to update this thread - I recently had the *ahem* pleasure of purchasing something from CompUSA's website. Not only does every stage of the ordering process get reported to 2 other websites (data.coremetrics.com and tracking.rangeonlinemedia.com - these can be blocked if you have followed the steps listed above) via HTTPS but personal details are included in the URL itself when an order is confirmed - notably the item(s) purchased, order number, email address used and the price paid.

    The only good thing here is that CompUSA's Privacy Policy page mentions this (right at the bottom!) and offers an Opt Out.
     
    Last edited: Oct 19, 2004
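    The monitoring approach suggested in the first post (watch the URLs your browser requests and pick out the suspicious ones) and the CompUSA case above (order details carried as URL parameters to a third-party tracker) can be turned into a simple check. The script below is an added example, not code from the thread or from Proxomitron/Charles/HTTPLog; it reads constructed proxy-log lines of the form "referer request-url", flags HTTPS requests whose registrable domain differs from the referring page's, lists the query parameters they carry, and emits Hosts-file lines for the flagged hosts. The host names are hypothetical and the domain comparison uses a crude last-two-labels rule rather than the Public Suffix List.

```python
"""Flag third-party HTTPS requests and the data they carry in the URL."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (hypothetical hosts, modelled on the order-confirmation
# case above; not real captured traffic). One "referer request_url" per line.
SAMPLE_LOG = """\
https://shop.example.com/checkout https://shop.example.com/confirm?order=123
https://shop.example.com/confirm?order=123 https://data.tracker-example.net/t?order=123&email=jane%40example.org&price=49.99
https://shop.example.com/confirm?order=123 https://static.shop.example.com/logo.png
https://shop.example.com/confirm?order=123 http://ads.other-example.com/pixel.gif?sid=7
"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.net style hosts; a real
    tool would consult the Public Suffix List (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def third_party_https(log_text: str) -> list:
    """Return one finding per HTTPS request to a site other than the referer's.
    Plain HTTP is skipped: an external filter can already see that traffic."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        referer, url = line.split(maxsplit=1)
        req = urlsplit(url)
        ref_host = urlsplit(referer).hostname or ""
        if req.scheme != "https":
            continue
        if registrable_domain(req.hostname or "") == registrable_domain(ref_host):
            continue  # same site (including its own subdomains)
        findings.append({
            "host": req.hostname,
            "from": ref_host,
            # Decoded query parameters: this is where leaked order details show up.
            "params": dict(parse_qsl(req.query)),
        })
    return findings


def hosts_file_entries(findings: list) -> list:
    """Hosts-file lines that would block the flagged hosts (sorted, de-duplicated)."""
    return sorted({f"127.0.0.1 {f['host']}" for f in findings})


if __name__ == "__main__":
    for f in third_party_https(SAMPLE_LOG):
        print(f"{f['from']} -> {f['host']} params={f['params']}")
    print("\n".join(hosts_file_entries(third_party_https(SAMPLE_LOG))))
```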
  11. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Thanks for the excellent information Paranoid2k... this is quite troubling indeed. I did not realize that my order details were being shuttled off to some evil marketing companies... I used to trust that little http://netez.com/2xExplorer/buttons/secure.gif

    can't trust anything anymore.... :'(
     
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I think those are just the .dlls you need for the HTTPS protocol. You can probably find out more below.
    http://www.openssl.org/
     
  13. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Yeah, I was thinking that just before you posted and searched my HD (hence the thread I started in software and services, very, very fast HD searcher). I only have the .dlls with Proxo, so there must be other .dlls which do the same thing o_O, maybe some MS dlls. I'm going to try and find out. Someone will probably know though, I hope.
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    ZA may have its own implementation of SSH (e.g. for its VPN feature) which uses this file. Or it may be something completely different which just happens to have the same filename. However, this sort of question should be addressed to Checkpoint and has little bearing on the issue raised in this thread.
     
  15. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Or maybe ZA wants to address the very problem you raised in this thread? That is, that firewalls do not check content of HTTPS traffic. Maybe ZA is trying to remedy this problem and has the DLL tool needed to check HTTPS content--as Proxomitron does.

    The test could be made: go onto a site where Proxomitron reveals that cookies are sent through HTTPS and see if ZA (or the best of ZA: ZA Pro) can catch the cookies.

    But the redirection issue is even more interesting. If, when I transact with my bank online, it wants to communicate an information to a contractor with whom it has an agreement, that's one thing. I may not like it, but my bank may think this is a critical managerial issue for itself. End of story. However, beside this scenario, just about anything else sounds like trouble to me.

    Thanks for raising my awareness about HTTPS.
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    To check HTTPS content, ZoneAlarm would have to include a proxy server (updating browser settings accordingly to use it) so that the browser connected to it, setting up an encrypted connection. The ZA proxy would then set up a separate encrypted connection to the website in question. This is how Proxomitron works and is the only way to view HTTPS traffic (unless a weakness is found in SSL encryption, allowing it to be easily cracked).
    I see no reason why online banking would be any different here. Ultimately banks are businesses and if they can boost their margins by passing on data (especially in a fashion which would not be noticed by the vast majority of Internet users) then they are going to consider it at some point.

    The main deterrent is likely to be legal requirements - but if the actual data sent lacks personal identifiers (it could subsequently be matched against personal data held elsewhere to restore them) and the transfer is done by the browser itself rather than the website, then this may avoid legal sanction in some cases.
     
  17. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Paranoid2000,

    Thanks for additional information about the double connection to the site in order to sniff content.
     
  18. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Spanner,

    Thanks. It's a commercial Web proxy debugger. $50. A bit spicy. But it's good to have the option of getting such a product, especially since the proxomitron.info site was misbehaving today, and I could not download from it.
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I did mention Charles as an option in my initial post but did not actually test it out - what was your view of it? However I have been using another program which does a similar job, Privoxy, which is free and runs as a proxy server. Its main role is as a web filter (based on JunkBuster) but it also shows URLs visited in its main window so can be used as a monitor.

    Configuration is by editing a text file so it is a little harder to use - but it can be used to SOCKSify web browser traffic which is necessary for using the Tor anonymising proxy.
     
  20. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Thanks. Information is noted.
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    In my original post, I mentioned that visiting the Paypal website would trigger a connection to Omniture also (102.112.2O7.net) - this no longer seems to be the case.
     
  22. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Hey Paranoid, I found this setting in IE that forces it to warn you when entering "secure" sites. Is this the equivalent of what you were talking about in your first post? Alternatively, can you tell me if it addresses the issue of contacting third party sites as this seems to be the topic of this thread?
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I believe that setting will only alert you if a webpage includes both plain and encrypted content, not about connections to other sites. However this should be easy to test out yourself (I don't use IE myself so cannot confirm this).
     
  24. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Plain and encrypted content? What kind of site has such a setup? Actually I remember doing my taxes on Taxactonline a couple of years back and IE informed me that there were secure and non-secure items on the page and asked me if I wanted to display the non-secure items; they turned out to be ads. Next time I logged on I chose not to display them, of course. The setting I'm talking about in my last post makes IE tell you when you're about to enter an HTTPS site as a first party, not third. I don't know however if it addresses the issue you're discussing in this topic.
     
  25. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Hey Paranoid, you there? I'd really like a response to my last post, please.
     