Perpetual IT

Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing.

Using an HTTPS site means that your browser and the site establish an encrypted connection which can’t be snooped on by ISPs, rogue Wi-Fi access points, or anyone else trying to monitor the content of that traffic with bad intent.

It’s not universal yet, but with search engines such as Google downgrading sites that stick with HTTP, and popular browsers marking them as ‘not secure’, unencrypted web connections are surely heading for extinction.

There are some HTTPS security caveats worth mentioning, but before getting to them we’ll start with the news that that Mozilla’s Firefox will, from May’s version 76, offer the option to browse in an HTTPS-only mode.

It won’t be the default for now, only an option that can be turned on, but if the past is any guide it will eventually become something that has to be turned off in future releases.

This presumably is how the industry plans to force the final few percent of HTTP sites offline, making it hard for users to browse to them in the first place.

That said, according to the brief description offered, when a user visits a site not offering HTTPS, they’ll be given the option to continue if they choose to. That will probably also disappear in time because it’s an obvious point of failure should users get used to overriding the setting for the sake of convenience.

Given the decline of plain HTTP, you might be wondering why any of this is necessary. The short answer is to block the browser from reaching the small number of sites that cling to HTTP, closing the small but still plausible security risk they pose in some circumstances.

Another objection is that users could just type HTTPS into their address bar for themselves. While true, there are going to be times (clicking on malicious HTTP links for instance) it would be easy to overlook. HTTPS shouldn’t be something users have to remember to pay attention to.

What about mixed content?

This is where a site uses HTTPS at domain level but fills its pages with things like images, JavaScript, audio, and video that are fetched via HTTP. This creates new man-in-the-middle security risks that undo good work done by HTTPS.

It’s an ancient problem – browsers have been throwing up warnings about mixed content for years (in Firefox it’s currently a gray padlock with a diagonal red line through it) with Internet Explorer’s baffling notifications dating back as far as version 3.0.2 in 1997.

Firefox 76’s answer is to attempt to upgrade mixed content to HTTPS or simply block them from loading at all. On sites that still have this issue, that could cause gaps that would normally be filled by such content, which at least makes it easy for website owners to see the problem.

The caveats…

Of course, users can already do the above in Firefox, including controlling mixed content, by installing the HTTPS Everywhere plugin. Integrating it into Firefox just turns this function into something that is updated and maintained as part of the browser rather than as a separate feature, which follows the path taken by many once-optional browser security and privacy functions.

It also needs to be reiterated that while making HTTPS connections the default is a good thing, it is not a magic forcefield against bad actors.

There are still misconceptions around this point, including in official advice where you’d least expect it. For example, security blogger Brian Krebs recently discovered the following message buried on the website of the US Census Bureau:

The HTTPS:// ensures that you are connecting to the official website and that any information you provide is encrypted and secure.

The bit about information being encrypted is true but HTTPS does not ensure that you’re connecting to the official website.

As a recent Naked Security article explained, HTTPS is also very popular with crooks running fake websites. Just because a site uses HTTPS does not mean it is a good site.

TLS 1.0 and 1.1 reprieved…

The minor irony in Mozilla’s enthusiasm for HTTPS security is that after announcing earlier this month that Firefox 74 had finally abandoned support for the TLS 1.0 and 1.1, older versions of the protocol which underpins HTTPS, the company later decided to reinstate support. The company explained at the time:

We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.

Even privacy and security can be limited by real-world events.

Latest Naked Security podcast

One of the most popular Dark Web hosting services, Daniel’s Hosting (DH), has been slaughtered. Again.

Daniel Wizen, the German software developer who runs DH, said that this time, the provider of free hosting services is kaput… at least for the foreseeable future… which he also said, more or less, last time, in September 2018, when hackers rubbed 6,500 sites off the Dark Web in one fell swoop.

Wizen acknowledged the attack in a post on the hosting provider’s portal, saying that the recent attack happened last Tuesday – 10 March – during the small hours. At least, that’s when all databases associated with hosting Dark Web sites were deleted.

DarkOwl – a darknet intelligence, tools, and cybersecurity outfit that keeps an eye on DH and other Dark Web goings-on and which analyzed the September 2018 breach – spotted Wizen’s post and shared it on Twitter on 10 March. That’s the same day that Wizen says his hosting database got knocked out.

As Wizen tells it, he found that a new database had been created that had user permissions. He can’t do much with that, though: without his hosting database, he can’t figure out who they are and how they got full permissions on the platform.

According to ZDNet, the attack took down 7,600 sites. Wizen says he’s not entirely sure when it happened, nor who did it. If anybody has ideas about what vulnerability might have led to the attack, or ideas for future versions or feature requests, he’s invited them to share input on his open source project.

Wizen also invited supporters to chip in to help out his efforts: invitations that suggest that he’ll likely resurrect the hosting provider at some point. At this point, he’s fed up, he says. He gives freely of his time, which adds on to his full-time job. It’s time-consuming, he said, particularly given the work it takes to “keep the server clean from illegal and scammy sites.”

I spend 10 times more time on deleting accounts than I can find time to continue development. At this time I do not plan on continuing the hosting project, but this doesn’t have to be the end.

How clean are the servers at Daniel’s Hosting? When DarkOwl analyzed the demolished sites at the time of the 2018 attack, its analysts found that out of 6,500 sites, the world lost the following – not all of which are what you’d call “I’d eat from that plate” clean:

• 657 of the hidden services had the title “Site Hosted by Daniel’s Hosting Service” and little else (but may have been used for something other than serving web content).
• 457 of the hidden services contain content related to hacking and/or malware development.
• 304 were classified as forums.
• 148 were chatrooms.
• 136 included drug-specific keywords.
• 109 contained content related to counterfeiting.
• 54 specifically mentioned carding information.
• Over 20 referred to weapons and explosives.

DarkOwl says stay tuned: it’s now preparing an analysis of what the Dark Web lost from last week’s attack on DH.

Of course, not all sites on the Dark Web are devoted to illegal activity. Some are there for the privacy-minded, and/or for those living in areas of tight government censorship and repression.

According to ZDNet, by design, the hosting service doesn’t keep backups. Wizen thinks that the attack only affected the backend database account, not the accounts of users who had been hosting sites on his platform. Still, he said, users should “treat all data as leaked” and change their passwords if they reuse them on other sites. Which, of course, underscores the fact that none of us should be reusing passwords, be we political dissidents or whether we’re up to more unsavory activity (though we have a tough time feeling sympathy for the latter if their credentials get hacked).

Better safe than sorry, Wizen says – particularly given that he hasn’t had much time to figure out what, exactly, happened:

[As] I am currently very busy with my day-to-day life and other projects, I decided to not spend too much time investigating.

Latest Naked Security podcast

The FBI on Tuesday shut down Deer.io, a Russia-based platform catering to cybercrooks that offered turnkey online storefront design and hosting and a place where they could sell and advertise their wares, including ripped-off credentials, hacked servers, hacking services, gamer accounts and more.

Earlier this month, the bureau nabbed the guy they think was running the show: 28-year-old Kirill Victorovich Firsov, whom the FBI arrested on 7 March 2020 in New York City. He’s been federally charged with unauthorized solicitation of access devices, which carries a maximum penalty of 10 years in prison, though maximum sentences are rarely handed out.

Deer.io was a top market for stolen accounts: a place where crooks could buy and sell credentials for hacked accounts siphoned off of malware-infected computers, PII, and financial and corporate data.

The unsealed indictment claims that Deer.io started up around October 2013 and claims to host over 24,000 active shops. Up until the FBI jammed a stick in its spokes, the platform was doing brisk business, with sales exceeding $17 million, selling hacked accounts for video streaming services like Netflix and Hulu and social media platforms such as Facebook, Twitter and Vkontakte (the Russian equivalent of Facebook). It was also selling phony social media accounts, which are popular for crooks running online dating scams.

Court documents claim that Firsov is a Russian hacker and allegedly the administrator of Deer.io. He not only managed the platform, the indictment alleges; he also advertised it on other forums that catered to hackers.

A federal complaint says that the criminally inclined could order a variety of things on Deer.io virtual stores, which offered hacked and/or compromised financial and corporate data from US and international victims and PII such as usernames, passwords, taxpayer IDs, dates of birth and victims’ addresses. It was as easy as ordering from Amazon: you could get to the Deer.io platform with a web browser, and from there you could get to storefronts running under the Deer.io domain.

Visitors could search for hacked accounts from specific companies or PII from specific countries. Users could also navigate through the platform, scanning stores advertising an array of hacked accounts or cybercriminal services for sale, the Department of Justice (DOJ) says.

Purchases were also conducted using cryptocurrency, such as Bitcoin, or through Russian-based money transfer systems. The Deer.io platform removed any friction involved in setting up shop: it gave shop owners an easy-to-use interface that enabled automated purchase and delivery of criminal goods and services.

After a client purchased access, the site held their hand to guide the newly minted shopkeeper through an automated set-up to upload their products and services and to configure cryptocurrency wallets to collect payments for purchases. All that, for bargain basement prices: the DOJ says that as of 2019, cybercriminals could buy a storefront directly from the Deer.io website for 800 Rubles per month (the DOJ says that was about USD $12.50, though at current rates, it’s even cheaper: it’s down to about USD $10 or £8.50). The monthly fee was payable by Bitcoin or a variety of online payment methods such as WebMoney, a Russian version of PayPal.

The FBI’s investigation included a Deer.io shopping spree. Earlier this month, agents made these buys:

• About 1,100 gamer accounts, including usernames and passwords, for under $20 in Bitcoin. Those accounts often have linked payment methods that hackers can use to make purchases on the real owners’ dime.
• About 999 individual PII accounts for about $170 in Bitcoin.
• On the same day, it bought another 2,650 accounts for about $522 in Bitcoin. That bought them names, dates of birth and US Social Security numbers: all the data you need to do identity theft and pull off financial fraud.

These purchases confirmed that Deer.io shops were selling the real deal: it was all authentic information, as opposed to fake data.

Firsov is scheduled to make a 16 April appearance before the Southern District of California Court, which issued the order to seize Deer.io.

Latest Naked Security podcast

In this episode, Greg looks at why the WhatsApp Martinelli hoax has come back in a big way, Duck decompiles some coronavirus-themed Android malware, and Anna tells you what ZoomBombing is and why you really, really need to get the security settings right on your Zoom meetings.

Join host Anna Brading with Sophos experts Paul Ducklin and Greg Iddon.

Listen now!