[NLnet] 'Dutch students produce improved security mechanism for the web'

Press list for NLnet foundation nl.press at open.nlnet.nl
Wed Feb 9 10:14:18 CET 2011


'Dutch students produce improved security mechanism for the web'


                                     Amsterdam (NL), February 9th 2011

Two student researchers doing an internship at NLnet Foundation have
produced a working, inexpensive solution to protect internet users
against certain forms of identity theft in the browser. Web site
operators traditionally rely on often expensive and awkward browser
certificates to protect the communication with their users against
abuse, but over the last five years the technical community at large has
become increasingly aware that this system is still wide open to abuse.

The solution presented by Danny Groenewegen and Pieter Lange from the
University of Amsterdam is to use the possibilities offered by the
recently upgraded domain name system of the internet (DNS) to let the
browser of the end user automatically verify certificates through an
independent and secure channel. This validation through the so-called
'trust chain' of DNSSEC not only provides more security for users - at
no cost to them - but also gives web site owners more freedom to deploy
the cryptography of their choice. In addition to the security benefits,
the new method significantly lowers the operational cost of deployment
for web site owners, because anyone can now set up a completely secure
website instantly in an automated way, rather than through the current,
more complex method in which they depend on external parties.

"Once a not entirely trustworthy certificate authority is included in
browsers, it can silently generate valid certificates for any domain on
the planet. It is like a bank handing out money from your bank account
as soon as a piece of paper with your bank account number and a human
signature on it says it is okay - without checking who signed it," says
Michiel Leenaars, director of Strategy at NLnet foundation. A rogue
certificate is not visible without additional manual steps, and a
website identifying itself with a rogue certificate even produces the
same reassuring 'padlock' that users are taught to trust. The system
proposed and built by the students from the University of Amsterdam
recognises these rogue certificates based on their unique fingerprint
published in DNS, and is able to shield the user from impersonators -
so-called man-in-the-middle attacks.
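As an added illustration of the check described in the two paragraphs above (not code from the students' plugin or from NLnet): a Python model of the decision a DNSSEC-aware browser add-on makes when it compares the certificate a server presents with the fingerprint the site owner published in DNS. The record text format "<hash-alg> <hex-digest>", the DnsAnswer model and the sample certificate bytes are assumptions; the proposals debated in the IETF define their own record layouts.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
LEGIT_CERT_DER = b"constructed DER: www.example.org, certificate deployed by the site owner"
ROGUE_CERT_DER = b"constructed DER: www.example.org, certificate from a rogue CA"


@dataclass
class DnsAnswer:
    """Minimal model of a resolver reply: the records plus the DNSSEC 'AD' flag."""
    records: list        # assumed record text: "<hash-alg> <hex-digest>"
    authenticated: bool  # True only if a validating resolver set the AD bit


def fingerprint(cert_der: bytes, alg: str = "sha256") -> str:
    """Hex digest of the DER certificate: the value the site owner publishes in DNS."""
    return hashlib.new(alg, cert_der).hexdigest()


def parse_record(record: str):
    """Parse "<alg> <hex>" into (alg, hex); return None for anything malformed."""
    parts = record.lower().split()
    if len(parts) != 2 or parts[0] not in hashlib.algorithms_available:
        return None
    try:
        int(parts[1], 16)
    except ValueError:
        return None
    return parts[0], parts[1]


def verify_certificate(cert_der: bytes, answer: DnsAnswer) -> str:
    """Compare the certificate the server presented with what DNSSEC-signed DNS says.

    Returns "match", "mismatch" (the fingerprint differs from what the owner
    published, i.e. a likely rogue certificate) or "unverified" (no usable
    DNSSEC-validated data, so this check adds no protection either way).
    """
    if not answer.authenticated:
        return "unverified"  # unsigned DNS answers could themselves be forged
    parsed = [p for p in map(parse_record, answer.records) if p]
    if not parsed:
        return "unverified"  # nothing usable published for this name
    for alg, expected in parsed:
        if fingerprint(cert_der, alg) == expected:
            return "match"
    return "mismatch"
```

A certificate issued by any trusted CA for the same name still yields "mismatch" unless the owner published its fingerprint, which is what makes the rogue certificate visible.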

In the recent hijack of social network Facebook in Tunisia in January
2011, it became obvious that when the Tunisian government sought to gain
access to user accounts from citizens it could use the certificates of
its own certificate authority (Certification.tn) to intercept seemingly
protected traffic. A number of other governments - including the Dutch,
Japanese and Taiwanese government - as well as private companies and
security researchers have successfully registered their own CA and these
are now part of the large set of trusted certificate authorities in
various modern browsers. "Access to an actual Certificate Authority is
not even required to create a rogue certificate, as another option is to
modify valid certificates issued by Certificate Authorities that still
use outdated cryptographic technologies", says prof. Cees de Laat of the
University of Amsterdam, "sometimes such use of weak cryptography is
intentional, as the name of one such Certificate Authority ("MD5
collisions inc.") points out". In security terms a hash collision is the
situation where two different certificates share the same fingerprint,
so a forged certificate can pass for a genuine one.

Although the current amount of lost data and identity theft through this
type of attack is unknown, a recent global survey by the Electronic
Frontier Foundation of the entire publicly reachable web (also sponsored
by NLnet foundation) found many worrying examples of abuse of SSL
certificates out in the wild. With a rogue certificate it becomes
possible to perform a successful man-in-the-middle attack, which
includes software running on your local computer as well as criminals
intercepting sensitive internet applications such as banking and
e-government.

Over the last couple of months a working group in the Internet
Engineering Task Force has been debating various technical issues and
policies to standardise the way in which these certificates are put in
the DNS, based on a number of different proposals from the technical
community including DNS security researcher Dan Kaminsky. By creating a
configurable, user-friendly open source plugin for the popular Firefox 4
browser that is able to parse the different available candidate options,
the students from the University of Amsterdam are the first to offer an
end-user ready solution. Although the students insist on calling it a
proof of concept, it does offer usable real-world protection. "Given the
fact that you can offer immediate relief for people in difficult
political situations, we urge web site owners to start offering the
enhanced security as soon as possible, so that users have a choice", say
Lange and Groenewegen, "Once you set up DNSSEC, which is a best practice
anyway, it only takes minutes. It really is a no-brainer."

The plugin can be downloaded for Linux, Mac OS X and Microsoft Windows
for free at: https://os3sec.org

A five-minute description for webmasters of how to protect users of
their website can be found here:

https://os3sec.org/technicalbackground.html

The EFF HTTPS Observatory: http://www.eff.org/observatory

Tax-deductible donations for the further development of the plugin and
related open source development can be made to the DNSSEC fund at NLnet
foundation. NLnet is open to grant proposals to other DNSSEC related
projects, as well as other projects that improve the internet. More
information on submission dates and conditions here: http://nlnet.nl

Please contact Michiel Leenaars at m.leenaars [at] nlnet.nl.

-----------

Not for publication:

More information:

Michiel Leenaars
Director of Strategy
NLnet Foundation
Science Park 140
1098 XG Amsterdam
The Netherlands

Phone: +31 (0)20 8884251
Cell phone: +31 (0)6 27050947
m.leenaars [at] nlnet.nl

*** About NLnet Foundation

NLnet Foundation is a widely respected private charity fund supporting
open standards and open source worldwide, and has over the years
actively contributed to (internet) standards, open source projects and
subsidiary or enabling activities such as the development of GPLv3.
NLnet foundation is an independent organisation whose means came
initially from the interest on a very substantial capital of its own,
formed in 1997 by the sale of the first Dutch Internet Service Provider.
Its private capital ensures an absolutely independent position. The articles
of association for the NLnet foundation state: "to promote the exchange
of electronic information and all that is related or beneficial to that
purpose". NLnet believes in open standards and open source. At the
moment, dozens of projects and organizations are supported financially.
Amongst them: research laboratory NLnet Labs, the Free Software
Foundation, KSplice, TOR, SPEAR, NAT64 and the Internet Society.

                                            More info: http://nlnet.nl
                                       For logos: http://nlnet.nl/logo

*** About System and Network Engineering at the University of Amsterdam

The University of Amsterdam is ranked among the top 15 universities in
Europe and the top 50 world-wide, and its founding dates back to 1632.
System and Network Engineering is the only academic Master in The
Netherlands specifically designed for students with the need for
specialized and in-depth knowledge of IT systems and networks. The
Master programme is unique because of the focus on Open Standards, Open
Software and Open Security. It has an internationally renowned teaching
staff, with extensive experience in both the research and working field.
It has a highly motivated, trained and international student population,
selected by a fairly strict admission procedure. The Master's programme
in System and Network Engineering has been accredited by the
Accreditation Organisation of the Netherlands and Flanders (NVAO). This
means that upon successful completion of the programme, students will
receive a legally accredited Master's degree in System and Network
Engineering and the title of Master of Science (MSc).

The System and Network Engineering (SNE) Research group at the
University of Amsterdam researches cross-domain interaction between Grid
resource providers, optical and hybrid networking, resource descriptions
using semantic web and programmable networks for the Future Internet and
high performance data processing. In collaboration with SURFnet and
SARA, UvA has access to high-speed optical test bed installations in the
optical photonic backbone of SURFnet in the Netherlands and
internationally in the Global Lambda Integrated Facility (GLIF). SARA
and UvA collaborate in the creation, maintenance and utilization of a
state-of-the-art Lambda Grid experimentation laboratory, which is very
well connected to NetherLight. UvA is a founding member and key
contributor to CineGrid, GLIF and OGF.

                    More info: http://www.science.uva.nl/research/sne
                                                   https://www.os3.nl