web application security lab

The Internet’s Original Sin

This is a mostly non-technical post where I wanted to talk about the concept of application original sin. Every application has original sin, meaning it was conceived. Any application had to start somewhere. It started with a single line of code, to be precise. Or maybe it started before that, with touching a file in a directory. That user had to have file permissions to write the file, the file itself took test data, wrote into test databases, and so on. On and on the application development went until it was complete with its very first version. But that’s very rarely where it stops. Often you can find an application living well into future years, being molded and expanded upon. But all the while it stemmed from that original sin, making it very hard to change beyond what it was originally intended to do.

Last night Jeremiah and I spent a good long while on the phone talking about cross site request forgeries. The short of it is that we are all pretty screwed. The internet is so incredibly flawed that there is essentially no hope at the moment. But what would it take to fix it? The first thing that popped into my head was Wordpress and how they created nonces for certain tasks. Sure, that’s nice and all, but the number of websites that are vulnerable only because they run Wordpress is pretty small. Any open source package has a higher chance of fixing these flaws (if anyone ever got around to fixing them all and releasing a new package). But even that is pretty unlikely.

Then you start thinking about all the other applications that are completely proprietary. Each one of them would need to be modified, not just to stop CSRF, but also XSS since XSS can often read nonces. Ouch! Given that a huge percentage suffer from both of those attacks, I don’t see this happening anytime in the near future. So what do we do? Are we really and truly that screwed?
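The nonce defense and its limitation described above, as an added example that is not from the original post or from Wordpress: a minimal Python model of a per-session anti-CSRF token check. The session store, the bank-transfer form, the handler names and the three request scenarios are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory state for the demo: session id -> session record,
# and a log of transfers the application actually carried out.
SESSIONS = {}
TRANSFERS = []


def new_session(user):
    """Log a user in and mint a per-session anti-CSRF token.

    The token is random, stored server-side with the session, and never
    sent in a cookie: the browser attaches cookies to cross-site requests
    automatically, but it will not attach this value unless the page that
    built the request knew it.
    """
    sid = secrets.token_hex(16)
    token = secrets.token_hex(32)
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token


def render_transfer_form(sid):
    """Return the HTML the site would serve for this session.

    The token is embedded in the document so a legitimate form submission
    can echo it back. This is also the limitation the post points out:
    anything that can read the document, such as script injected through an
    XSS bug on the same origin, can read the token too, so the nonce only
    holds up while the site is free of XSS.
    """
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '<input name="to"><input name="amount"><input type="submit">'
        "</form>"
    )


def handle_transfer(cookie_sid, form):
    """Server-side handler for POST /transfer (hypothetical endpoint).

    cookie_sid models the session cookie the browser attached; form is the
    submitted body. The cookie alone proves only that the user is logged
    in, not that the user meant to send this request, so the token check is
    what distinguishes a real submission from one forged by another site.
    """
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 no session"
    submitted = form.get("csrf", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return "403 csrf token missing or invalid"
    TRANSFERS.append((session["user"], form["to"], int(form["amount"])))
    return "200 transfer done"


def demo():
    """Exercise the handler with a real submission and two forged ones."""
    victim_sid, victim_token = new_session("alice")
    _, attacker_token = new_session("mallory")
    results = {}
    # 1. Alice submits the form the site rendered for her: token round-trips.
    results["legit"] = handle_transfer(
        victim_sid, {"csrf": victim_token, "to": "bob", "amount": "10"}
    )
    # 2. Cross-site forgery: Alice's browser sends her cookie, but the
    #    other site had no way to learn her token, so none is present.
    results["forged_no_token"] = handle_transfer(
        victim_sid, {"to": "mallory", "amount": "1000"}
    )
    # 3. Forgery using a token from the attacker's own session: the token is
    #    bound to the session the cookie names, so it is rejected as well.
    results["forged_wrong_token"] = handle_transfer(
        victim_sid, {"csrf": attacker_token, "to": "mallory", "amount": "1000"}
    )
    # 4. The caveat: the token is readable from the page itself.
    results["token_in_page"] = victim_token in render_transfer_form(victim_sid)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    print("transfers performed:", TRANSFERS)
```

Only the first request reaches the transfer log; the fourth result is what makes XSS on the same origin a bypass of this defense.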

Mozilla contacted Jeremiah, Billy Hoffman and me to look at the new cross domain XMLHttpRequest standard they are thinking about building into Firefox. Creating it introduces only one small new hole, though one that I think would make most security people wince. Why’s that? Because it’s already so broken! Adding another function that allows you to break security in another way doesn’t change your actual attack surface area by much. Sure, there will be downstream dumb things created with the applications that are built off the technology itself, but it’s not like this is mind blowingly bad security - at least it’s not much worse than how browsers currently function. Not to pick on Firefox in particular, because every major browser company is at fault here (that I’m aware of).

I got this message from a friend today, “seriously seriously? I’ve got to surf around with Javascript AND CSS turned off?” He didn’t even mention Java, VBScript, Flash, ActiveX and a host of other things. I’m afraid that due to cross site request forgeries it’s far worse than that even. Every image, every included style, every iframe and frame, everything that’s embedded in any way, can cause CSRF. It’s the “holy crap that’s bad” vulnerability that affects nearly every site out there. The only trick is getting the right person to perform the action, and that’s really not as hard as it may sound. Not to mention the insane amount of information leakage found on the internet. I’ll have to write a paper on this topic sometime. It’s ridiculous how much information you can get from a single hit to a webpage, it really is.

Ultimately, the point here is what I think we all feared. The Internet just was never designed to be secure. It’s suffering from its original sin - it was conceived and built with ease of use in mind, not security. And due to new technologies being built on top of it all the time, we can’t even retrofit at the pace that the technology is evolving. When the experts in the field are telling browser companies, “It’s so messed up anyway, there’s no sense in worrying about creating equally insecure functions at this point,” you know you’ve got problems.

25 Responses to “The Internet’s Original Sin”

  1. Bubbles Says:

    Interesting read… I never thought of it that way before

  2. MikeA Says:

    An excellent, excellent post. I’ve been singing this for years now. The web was designed to share phone lists and geeky physics documents, and in no way had *any* security in mind. All of the security things we think of now (HTTP auth, cookies, SSL, etc), are bolt-ons.

    The two things that give it up for me is that it’s a request-response clear text protocol (nothing wrong with that, but there’s no ability to have repudiation or state in there) and that code and data are mixed (always a bad idea)

    I would have to agree that at this time we are hosed. I think it can be pulled back to some level though - it *is* possible to write secure web apps, but it takes *effort*, which I dont think many people are that interested in doing. Not just because it’s hard (and there’s not that many people out there who really understand the issues, so that limits things), but also because it’s loss-leader in that it costs with little benefit (unlike functionality, users dont see security until it gets in the way) other than in rare circumstances(based on attacks vs volume, users, use cases, etc) , and then it’s often too late.

    It’s a risk vs reward thing, and seems to me at the moment that a lot of companies are just accepting the risk, or are downplaying it a lot (if they even appreciate it at all).

  3. Rui Quintino Says:

    Same feeling here. Even today I was showing a friend of mine the devastating security implications of tabbed browsing (and I’m really guilty here, it’s not uncommon for me to have 30-40 tabs open…. actually 20-30 are currently pointing to your & grossman materials which is kind of “risky” ;) ).

    Http and current browser security models (cross domain posts & gets) were not intended for security in all this new scenarios: mashups, tabbed browsing, gadgets, etc.

    I really don’t see how to fix the model until we have something like content restrictions. I won’t oppose cs xmlhttp, as long as it is explicitly allowed by the destination resource. It’s not easy… as it could have several implications, bandwidth and so on, but I really don’t see any other way.

    Simple cross domain xmlhttp will defeat every csrf defense based on nonces like seen on sammy… it’s not even thinkable.

    In a way the model we have today is a great example of how not to defense in depth… all ends up in 1 or 2 restrictions which can be bypassed even on tiny tiny minor mistakes.

  4. Awesome AnDrEw Says:

    I have to say that I believe CSRFs to be the single most awesome security flaw available as often there’s no real evidence anything odd is going on (unless you’re sniffing packets and see the outgoing requests). I’ve actually thought a lot about what you wrote recently, because I realized how simple it’d be to target a specific, and key user such as an administrator.

  5. Mauricio Says:

    I somewhat agree with you, but at the same time, I somewhat disagree.

    Would you say that safes (yes, those big ol’ metal things in banks) 100 years ago were built without security in mind?

    The fact that that series of tubes is so incredibly insecure at this point is because the technology, or should I say, the understanding of how they were built is more wide-spread now. Think of the old style locks for example. Very few, and I mean VERY FEW, knew the mechanism of how they worked. Eventually that knowledge became widespread, and it forced the lock manufacturers to develop something more advanced.

    The recent broadcasting of the “bump key” is a perfect example. This key is nothing new. It has been around for a while. Fortunate for us, and unfortunate for lock manufacturers, this knowledge is now widespread. Next step, build something better.

    So now Mozilla has taken the step to actually request assistance in building a better browser. That’s a pretty good indication that maybe future versions of their browser will not be so insecure.

    Evolution.. Make something idiot proof, someone will make a better idiot.

    -Mauricio

  6. Jungsonn Says:

    I rather think about how to fix it, that’s the hardest part.

    But obviously, 2007 is definitely the year of total browser compromise. And there are many unseen or unthought ways, waiting to be discovered. I’m really impressed by the finds.

    But I still hold on to my initial standpoint;
    It can be a risk, but it must be viewed in context. Otherwise you’re just a prisoner who falls in love with its chains. I don’t see a major threat, the biggest security threat to mankind ever performed is Windows itself. It should be banned into eternity.

    So far for the sharkiness. ;)

  7. Spider Says:

    Yeah. It’s bad. So what are anyone’s best practices to deal with it? Can I browse the net with lynx? What about mosaic 2.0? Amaya sometimes renders a page readable, odds are it will probably crash due to its own stupidity before it could do anything harmful to me.

    What about simply talking directly to webservers in raw HTTP? If I can derive some set of rules about how to interact with the response from the webserver and what parts are safe to look at, can’t a “secure browser” be built? Granted, it won’t be “standards compliant” and most of the pages ( anything with any script ) won’t work. But it would be a step in the right direction. The internet wasn’t designed with security in mind, but maybe that’s not such a fatal flaw. Security should be where it’s needed, and not where it’s not. HTML, CSS, JavaScript etc might be fatally flawed but I think you’re too pessimistic in your outlook ( although that *is* a great trait for security researchers).

    Where you see hacks and add ons with SSL, cookies, etc, I see adaptability and resiliency.

    But until this new Secure Web 4.0 comes out, I think I’ll limit my exposure as much as possible. Hello lynx.

  8. RSnake Says:

    @MikeA - You’re exactly right, bolt on security only works if you do that. So while you might feel safe because your own site has bolted on that security, think of how many sites out there either don’t know how or just can’t get it done because of escalated priorities that take precedence. It’s a never ending battle. Which is good for our professional careers as security folks, but bad from a user’s perspective. The internet is a tough place to be right now.

    @Rui - Yes, mashups are a whole other level of bad-ness I haven’t even bothered to mess with. It reminds me a lot of single sign-on where you are trusting all your security on the lowest common denominator of trusted parties in the consortium. I don’t trust the concept of your browser doing more than one thing at one time, that’s why I actually do use burp proxy very frequently when I’m visiting suspicious sites. I like to see what my browser thinks I want to have happen to me before it really does. Scary stuff.

    @Awesome Andrew - Even worse than that, once you clear your cache all the evidence is gone. So you may have hacked into some machine totally unbeknown to you, however, in the logs it’s clear your IP address was at fault. Talk about an easy way to frame someone!

    @Mauricio - I think the major difference here is that safes really were designed with security in mind. With safes, you still have to have either some equipment or fore-knowledge of the combination mechanisms and even then in many cases you still need some assistance with the technology (special equipment) to break into them. In the same way you still see people using MD5 even though it’s been found to be fairly weak and super easily cracked using rainbow tables. Unlike the Internet where all you need is the browser everyone uses and a vague understanding of how the internet works. I would dare say most people who read this site have never manually telneted to port 80, nor do they need to. It’s just not required to exploit things. Script kiddies have it pretty nice right now.

    While I do agree that some movements have been made in recent history to tighten things down, there are more holes being found each day than patches being released by FAR. Especially if you look at the last 12 months. It’s just a war the browser companies aren’t winning at the moment. And worse yet, as new technology is being built it gets easier and easier. But I do agree, both browser companies have been very forthcoming with new changes, and asking for assistance. Unfortunately the things that will help them the most are also things consumers would hate. Security is only part of the battle. A higher priority is market share, of course, and if your browser is unusable, it’ll make it hard to gain more market share. Simple economics override basic security every time. That’s why I never have considered myself a security purist.

    @Jungsonn - I think your point is well received, however, I think we have proven many times that the context is a more of a given than something elusive (XSS can lead to many nasty things, not just an alert box, CSRF can do more than request an image from a remote site, etc…). The attack vectors are only an ends to those means. I have started to correct the press when I talk to them by stating that XSS and CSRF are not attacks, they are gateways to the attack. I’m assuming people have an idea of how to use any of the tools and vectors mentioned on this site to their advantage. But if that’s not clear, I can try to drag out the examples into more detail.

    But a few times you’ve mentioned I couldn’t steal _your_ credit card number. I would caution anyone reading this board not to use themselves as examples. We are anything but average internet users. If that’s not obvious, look at the statistics of the users who have your particular operating system and browser configuration. If you know more than ten people who have that configuration, I’d be very surprised - making you a statistical oddity and also statistically irrelevant. Hacking webapps is largely based on stats - it’s more of an art than a science in a lot of ways. That’s why I don’t use some obscure browser to test these exploits - I only use what is statistically relevant.

    Also, yes, Windows has had a lot of holes, but it is also by far the most usable operating system in terms of applications written for it and ease of use (sorry, Mac, you need about 100,000 more apps to come close to Windows). If you wrote that many tools on top of any operating system and had to support all the stupid things that every user wants, it would turn any operating system into Swiss cheese. So yes, Windows does have a lot of security holes, but line for line, I haven’t found Linux or BSD to be terribly better.

    Besides, the browsers are the great equalizers anyway. Firefox works on Linux basically the same as Windows. Who cares what OS you’re running if I can force your browser to transfer money from your bank on your behalf? People think too one dimensionally these days. Stealing information and credentials is ridiculously easy and it’s only getting easier.

  9. RSnake Says:

    @spider - I’m actually working on an exploit for wget… lynx is still safe for now. :) But I would hardly call myself pessimistic. It’s a reality. All of these attacks have happened. None of them are theoretical only, except maybe the anti-DNS pinning stuff, but even that is getting some press. Most of the attacks I talk about either have already happened or only haven’t happened because no one knew about them until I published them. Give it time, every one of these attacks will see the light of day over the next 2-3 years, mark my words.

    Unfortunately no one is going to use lynx. And by no-one I think it’s wise to acknowledge that the one user who does is the exception that proves the rule. Everything in statistics. I don’t care about one user, I just care about one user who can do what I need done for me as an attacker. If that happens to be the one user who is dumb enough to type their password into a text box, that’s fine. Whatever it takes to make a buck or to perform the exploit necessary. Everyone has gotten used to using the Internet now and they aren’t willing to go back (even security experts).

    One of the questions on Jeremiah’s tests was actually asked by me originally - “What operating system are you using to type this survey?” A huge percentage of security people said Microsoft despite how many of those same people would claim that they disliked MS. They have gotten used to it. They are unwilling to go to a crippled platform for day to day tasks. I include myself in that list by the way (even though I was using FreeBSD as I typed it funny enough).

    Anyway, my point is, people who claim that they want a secure browser only say that while other security people are listening. Most people want a usability first, security second (even most security people). Look at the web itself for proof.

  10. Jungsonn Says:

    Yah, the whole architecture of most exploits, viruses, trojans, 99,99% limits to windows platforms. It’s just that bad, and then I’m not even talking about the daily woes of the webdeveloper who tried to make things look the same as they do in FF. *sigh* -a big one- :)

    But, for real. I really like to have an open discussion of the real threat. I’m not trying to bust balls here, I only want to look at it from a broader viewpoint. We care about security, but let me tell you that many people I know don’t care about it. They don’t even know the risks. And to be honest, the risks are HUGE. Stealing info, Reconfiguring Routers, Stealing CC info and all because of JavaScript mostly. -I leave the trojans and other Microsoft stuff out of the picture here- but even with that:

    You boot up windows, and you’re in danger.

    I know what you’re trying to say about the browser independence, but the people who use Firefox mostly have a security awareness. The people who just don’t know how even HTML works have MSIE and do banking business. Well, can you blame them? Yes I think I can. But guess what; most are insured against these things and get their money back or have a 50$ risk on their CC.

    Still, I really do believe that most CC rips are done in restaurants and bars, where they just clone your card. It’s that simple, no hacking, just copying the strip and go to an ATM to withdraw money.

    It’s not that I think it’s trivial, 4 real. That’s not the case. There are excellent finds by many. But I really tend to see it in perspective with real world exploiting and a real risk or threat, which often does not occur as many times as we think it does. :)

  11. Spider Says:

    @Rsnake

    No, I believe the threat is real and attacks are ongoing, I just think that things can be improved. I don’t think the internet is inherently flawed. I understand the numbers game is the important one, especially approaching the situation as a developer. The application is as safe as the stupidest user’s behavior. I was just using lynx et al. as an example of a browser that still provides some utility without risking anything. Of course, usability is a major factor as well and often can overrule some security concerns. There is a trade off. Your work is evidence of the imbalance between the two factors. The current “web 2.0” makes too many trade offs in favor of usability ( ie ajax) at the expense of security.

  12. Awesome AnDrEw Says:

    I agree that both XSS and CSRF are simply a gateway for greater attacks even when they are perfectly capable of performing functions themselves. Logically it’s better for malicious users to combine them with trojans, spyware, or any other form of malware in order to really reap the fruits of their labor. Who’d simply want a cookie when they could have keystrokes recorded, leaving everything under the sun potentially exposed.
    I tried to point this out to an online buddy who runs (he’s one of four administrators, and one of a couple of supposed PHP coders) a popular Neopets clone. The owner of the site “allegedly” knew about several exploits I had found in their system, but did not (and still has not) fix them, and as a programmer (a really lazy one) I tried to impress upon him that in order to run a site, let alone a business, these are the types of things they need to analyze, and correct. At the same time I was trying to convince him I could have fired off some program using the holes his site got hit with SQL

  13. Awesome AnDrEw Says:

    injections leading to the exposure of thousands of plaintext passwords belonging to all their players (some with paid accounts). Sorry this was broken up, but the Wii has a character limit on its trial browser (though the full Opera browser will debut this month).

  14. Michael Says:

    Listen all, there’s reason to be optimistic. Not optimistic because it will get better, DNS is hackable after how many years? Optimistic that these security holes just don’t matter.

    Oh, they matter in a microcosmic way, if it’s my Dad’s PII that gets stolen, then I’ll be really unhappy. However, they don’t matter in a macrocosmic way. The Internet keeps chugging along, growing so fast no one can keep up with it. Growing so fast that all the phishing, DNS hijack, XSS, targeted trojans, massive DDOS and 10×6 botnets in the world don’t make the damn thing even hiccup.

    Probably all of us reading this blog make money because we are hackers. We should say a little prayer for K&R, Cerf, Lachman, Joy and all the rest for creating a system so open, so powerful and so simple that the whole world can run on it. Thank god, they were not worried about security — our lives would be a lot less fun.

    I feel lucky that I get to stand on their shoulders and help make it bigger and better.

  15. MikeA Says:

    @Rsnake, RE reply comment *way* above :)

    I know that you look at it from a user standpoint, across the entire internet, but a lot of us don’t/can’t. Certainly an admirable view, but a bit like solving world hunger. If we try and focus on *all* sites, *all* users, it becomes an intractable problem. Let’s start with what can be done, and go from there.

    I would feel safe if my site was bolted down. Also, from a professional standpoint, I’m quite happy giving clients info on how to avoid the current attacks and what the best practices are. You only fix/address what affects *you* and, I know that this is going to sound bad, but screw the rest. The mom & pop store selling hand-dripped candles is never going to get it, or do anything about it, so write them off as a loss. Not a big loss though - sorry guys, sucks to be in your position. Survival of the fittest and all that. The rest should be able to design/architect/develop a site that is *adequately* secure (can’t be 100% sure right) to a level they are prepared to live with no matter how bad the rest of the environment is. Yep, one site can attack another, visiting a “bad” site can make your browser do strange things, but hasn’t that always been the case? (TCP attacks, BHO’s, etc). What is the “attacks vs normal traffic” ratio? That would be interesting stats to know/find out, as if it’s in the 1:1,000,000 range what does that tell me about the level of risk that’s out there I’m facing (one way to quantify the “we’re all screwed” premise) and perhaps we can adjust tactics accordingly

    The web is still in its infancy (especially where security is involved), but we’ll catch up sooner or later, or it will just die - a Mad Max landscape of littered wasteland, with some small pockets of civilisation :)

    I don’t like to float the words “silver bullet” out there, (thanks Fred) and I’ll have to share the “Jack and the Beanstalk” analogy/story with everyone at some point, but frameworks (ASP, J2EE, etc) look to me to be the major thing that makes the difference (obviously you can still screw up royally in everything, but a good framework makes it easy to do the “right” thing, and harder to do the “wrong”). This one glimmer of hope may turn things around one day.

  16. packetwerks Says:

    I’m a security person so I jump up and down about all these things and shake my head on a daily basis. The internet and just about everything on it is “broken” from a security perspective, so I’m with you there.

    However, is it that bad in the grand scheme? I think that the vast majority of Internet users have never experienced any significant bad outcomes (loss) as a result of a computer security problem. Sure there is a small fraction who are totally ruined but compared to the total number of users, it’s small. There aren’t a lot of airplane crashes but when they do go down, oh man teh suck. Yet we all still fly.

    The world has a lot of “bad outcomes” war, plague, financial ruin, natural disasters, global warming, etc. These are all the outcome of the realization of a risk. Some people have had their credit cards stolen, identity used for fraud, money wired away, MySpace hacked, eBay hacked, etc. These are all losses for someone. But they compare low on the list of all the bad things that could happen to us.

    Let me pull some stats out of my ass. I think that the percentage of internet users who have had a significant and permanent (devastating) loss as a result of a security vulnerability is very small.

    With all the vulnerabilities out there the Internet still grows, more commerce is done online, more people have broadband, more web sites feature invasive rich content, and more users cozy up to the Internet. More or less, users and businesses accept the risks. I’ve never heard any internet user (customer, family member, business, etc.) ever say “This just isn’t worth it! I’m off!” It sucks but everyone still uses it because it is worth it.

    Our job as security people is helping users balance the risk. We try to make it suck less so more can get done.

    I think that there will come a day where we reach Internet security critical mass. That is when these 3 things happen:

    1. The value of the assets connected to the internet increases to the point where the damage from the loss of the asset will exceed people’s threshold for pain.

    2. The number of people who profit from the bad outcomes increases to the point where everything and everyone is threatened, the majority of the time

    3. The pervasiveness of the vulnerabilities increases to a point where everything can be exploited, all the time, with little effort

    But as us security folks do what it is that we do, we help to defer that day by suppressing each of these. We help push the growth trend up and to the right.

    I’m not disagreeing with your post RSnake, just adding another take on the situation. We’re all in this big economy together, progressively rolling forward on this road covered in poo.

  17. Chris Snyder Says:

    The real problem is our assumption that a general purpose web browser is the proper tool for handling sensitive information, like banking transactions, HR files, CC orders, and database or system administration.

    If we were all using the web as Sir Tim imagined it, we wouldn’t really care about XSS and CSRF. Oh, it might be annoying to have DELETE requests sent on your behalf, but those resources would all be backed up on a proxy somewhere, ready to be restored. Who would bother? Like defacing Wikipedia, it’s only fun in a few high-profile cases.

    I guess that’s what you mean by original sin? But the original sin (conceiving of the web and browser as being privacy-free and stateless) is pretty minor, as compared to the sins of an industry that built itself up by ignoring those design limitations and forging ahead anyway.

    Thanks for post, very thought-provoking.

  18. Henaro Says:

    Porn isn’t a sin?

  19. Jungsonn Says:

    I really like to point you guys to this video about CC skimming in bars/restaurants and see how simple it actually is.

    http://www.youtube.com/watch?v=sexUus0igWs

    Much easier than hacking VISA’s database and get away with it.

  20. packetwerks Says:

    Yeah but strapping a CC skimmer to your leg and physically putting yourself at the scene of the crime (In this case, your job) has a MUCH higher risk to reward ratio for the attacker. Much easier to remain unemployed, socially awkward, and sit in your mom’s basement in your underwear hacking shopadmins.

    Hacking VISA’s db??? Why try to rob the federal reserve bank when you can knock over a local bank? Just go own some small web merchant that is big enough to have a custom cart but small enough not to understand security.

    I still think using plastic on and off line is worth the risk. I don’t worry about it. And now I don’t carry around cash that can be robbed from me.

  21. Chris_B Says:

    Nice post, but consider this: as you say the net wasn’t designed with security in mind; given this, isn’t it more correct to say that current usage of the net is problematic rather than the net is “broken”? A dog eating its own feces isn’t broken, but its owner may understandably want to try and train the dog not to do that, so in that respect working with the browser makers is sensible.

  22. webdevguy Says:

    Is there no hope? What is a developer to do in order to create a secure website? (I expect that there are shades of “secure.”) There is so much (endless) information on how to break into sites, etc., but where can a developer go to get good information on how to build in security to a new site?

  23. Sicurezza, ICT ed altro » Blog Archive » Was the Internet born insecure…? Says:

    […] the theme, a very familiar one, is taken up by an interesting post, cited by Wired. I agree with the content of the post, which seems to me the classic moment […]

  24. RSnake Says:

    webdevguy - there is hope for singular websites, sure, in fact the steps to secure most websites are clear and easy. But as far as the internet at large? It’s tough to say right now. One of the best places to get the information you need is actually the forums: http://sla.ckers.org/forum/ Everyone in there is really helpful and knowledgeable.

  25. vacuum cleaners Says:

    A lot of people on this thread have a lot to say about whether or not we’re truly screwed and I think the basic idea is that we were never screwed to begin with. I think it’s important to think about the fact that you are looking at this from the perspective of a web coder and programmer. Think about what you’d see in the future and potential of the internet and everything we all set out to do everyday if you didn’t know anything about it. We have security problems, sure, but no one cares. What people care about is being able to connect with people all over the country in just a few minutes or even instantly! Security issues or not, isn’t what we do supposed to be about connecting people to the people and things they love the most? Ultimately, I think we’re never screwed. Things started poorly, true. Some of the most successful ventures in the world started poorly or with little belief and security. If you were back in the 70s and saw a picture of a certain group of hippies and were asked to join their company without knowing much about it would you do it? If you answered yes, congrats, you’re a millionaire. If you answered no, shame on you, you passed on Microsoft.