- http://www.heise.de/security/meldung/Fatales-Sicherheitsleck-bei-Kabel-Deutschland-Vodafone-bedrohte-Millionen-Kabel-Kunden-3054052.html
- http://www.heise.de/newsticker/meldung/AVM-Router-Fritzbox-Luecke-erlaubt-Telefonate-auf-fremde-Kosten-3065588.html
- http://www.heise.de/newsticker/meldung/Anschlussmissbrauch-durch-schwerwiegende-Luecke-bei-o2-3066225.html
Category: Discussion
Web Encryption Starts Moving
HTTPS, X.509, SSL, TLS, STARTTLS, SNI, OpenSSL, DNSSEC: Web encryption is (still) painful. It is not that web encryption has one single problem; rather, there is not a single thing that has been solved properly. But maybe we are currently reaching the state where enough wrappers are covering the horror of the past. At least, as long as nobody is looking beneath the shell again.
Doing web encryption is still almost a synonym for using OpenSSL, at least on the server side. This also holds for the task of managing keys and certificates. There are Python, PHP and even PostgreSQL wrappers for certain OpenSSL tasks, but in practice those tools turn out to be quite incomplete and clumsy. To ensure a decent SSL setup, one has to rely on services like SSL Labs. Maybe as a consequence, (Open)SSL integration in software is bad. For me, Apache2’s mod_ssl is a good bad example. If your configuration contains a certificate which is not valid for a configured key, the complete web server will crash on a graceful reload. Now, Let’s Encrypt provides a Python client which also serves as a wrapper around the mod_ssl configuration.
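A pre-reload check for the certificate/key mismatch described above, added here as an example and not taken from the original post or from Apache: it compares the public key inside each certificate with the one derived from its private key, which works for RSA and EC keys alike. The function names, the `make_sample` helper and all file paths are assumptions.

```shell
#!/bin/sh
# Added example: refuse a reload when a certificate does not belong to its key.
# Intended use (paths are placeholders):
#   preflight /path/to/site.crt /path/to/site.key && apachectl graceful

# Public key (PEM) embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key. "-passin pass:" makes an
# encrypted key fail here instead of prompting on the terminal.
key_pubkey() { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# cert_matches_key CERT KEY
# Returns 0 on match, 1 on mismatch, 2 if either file is missing or unparsable.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# preflight CERT KEY [CERT KEY ...]
# Checks every pair, reports each problem on stderr, returns 0 only if all match.
preflight() {
    bad=0
    while [ "$#" -ge 2 ]; do
        rc=0
        cert_matches_key "$1" "$2" || rc=$?
        case $rc in
            0) ;;
            1) echo "MISMATCH: $1 was not issued for $2" >&2; bad=1 ;;
            *) echo "UNREADABLE: $1 or $2" >&2; bad=1 ;;
        esac
        shift 2
    done
    return "$bad"
}

# make_sample DIR: constructed test material only. Writes a throwaway
# self-signed certificate a.crt with its key a.key, and an unrelated key b.key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/a.key" -out "$1/a.crt" >/dev/null 2>&1 &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/b.key" >/dev/null 2>&1
}
```

Running `preflight` from the deployment or renewal hook, before the reload is issued, turns the mismatch into a failed deploy step while the old configuration keeps serving.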
MySQL’s SSL support is a nightmare. Our MySQL SSL auth setup just stopped working overnight with little chance to debug anything. This was one of many reasons to transform our setup to PostgreSQL. PostgreSQL provides a fine-grained and transparent (Open)SSL feature set with reasonable error messages, giving a decent example of how SSL can work. However, if the server is working, the client is there to play up. For example, Roundcube webmail is stripping all the advanced options from database connections. If you configure SSL security measures for your database connection, those will be ignored silently.
Last but not least, certificate issuance is broken, obviously. Let’s Encrypt is doing many things right and the ecosystem may improve. Transparent logs and observation of certificate issuance are also a big step. However, the next building blocks for web encryption, like DNSSEC, are currently setting even higher hurdles for system administrators. While hackers never tire of promoting encryption for everyone, the tools are just not there. Proper encryption has a history of complicated and time-consuming solutions, reserving it for organizations and companies with the manpower to work around this pile of shards and to keep up with the evolution of encryption methods. Hopefully, the new momentum in web encryption, especially around Let’s Encrypt, will make a wider adoption feasible, some day.