Philip Ramsey Headlines

Wednesday, January 4, 2012

NetFirms login page is broken

NetFirms is a web hosting service that operates in both Canada (www.netforms.ca) and the United States (www.netfirms.com). Last year NetFirms was bought out by The Endurance International Group, Inc. Since the transition from NetFirms' old OpenBSD servers to The Endurance International Group's Debian Linux servers, I have noticed that the login page for their Control Panel has broken encryption.

I reported my concerns regarding the broken encryption via their feedback form twice but never even got an acknowledgement that they had received the complaint. The security issues were never addressed. The second contact even provided instructions on how to fix the situation. I have to admit it took me quite a while to find what I thought was causing the encryption to break.

To explain why the encryption is broken requires a bit of background on Secure Socket Layer (SSL), Transport Layer Security (TLS), certificates and how they work together to create an encrypted server. SSL and TLS are protocols for encrypting data before it is sent between a server and a client and back. For either SSL or TLS to be encrypted and decrypted by both the server and the client, as well as to provide proof that the data was not changed while being transmitted, a certificate of authenticity needs to be added to the encryption on the server side before any data is sent. Any unencrypted data or object that is added to the transmission provides a backdoor to the encrypted server. Here is where it gets complicated: when an object such as an image or CSS file that is included on the encrypted page resides on an unencrypted server, it is sent without being encrypted. Because the file resides on an unencrypted third-party server (the server may belong to the same company but is on a different, publicly accessible network), it provides a path to the data on the encrypted server after it has decrypted the received data. In other words, the unencrypted CSS or image file causes the encrypted data to be accessible via the third-party server after it has been received and decrypted by the secured server, and it is visible in clear text.

There is one file that is breaking the security of the page. The page the encrypted data is being sent to is unencrypted: input type="hidden" name="destination" value="http://www2.netfirms.com/controlpanel". Now how stupid is that? In fact, once a person has logged in, nothing is encrypted. What this means is that any hacker is able to intercept the modifications being made to the account, including updating site(s), and add their own code or make other changes to the account. Now imagine if your bank's or investment broker's site were like that: you log in using a half-ass login page with broken encryption and enter an unencrypted area to do your banking. Anyone would be able to see your bank account balances, transfer funds, create a new payee for paying bills, etc. Ok, so NetFirms is not a bank. But they host web sites. Cyber-terrorists and cyber-criminals are now targeting web sites as a means of recruiting computers into botnet zombie networks.

Imagine you are a NetFirms client and you have a very popular site attracting thousands of visitors every day. One day, while you are updating your site, a cyber-criminal intercepts the transmission between your computer and NetFirms' servers to include a Trojan, a keystroke logger and a backdoor in your updates. All visitors using Windows will become infected. (Linux users will be affected until they shut down the computer.) Because this will be easily discovered, the cyber-criminals will prefer to attack the database server. Or they may create a new domain, at your expense, that they use to lure people to. What I have been seeing is cyber-criminals going after blogging platforms like WordPress and Joomla. NetFirms supports WordPress, Joomla and Drupal.

As you may guess, I am looking for a web hosting service that takes security seriously. If you have any suggestions, leave a comment below.

UPDATE: Earlier this month (January), after discussions with NetFirms on Twitter regarding the broken encryption of their login page, which included screen captures of the login page in SeaMonkey and Firefox and instructions on how to fix the encryption issue, the issue was fixed within minutes of me threatening to take my complaint onto Facebook. Apparently, NetFirms was not worried that Twitter has over three hundred million users. But they were more concerned about Facebook's almost one billion users being alerted to the broken encryption.

It turns out that there were CSS and/or JavaScript files on the encrypted server that were referencing files on standard (unencrypted) servers. This required the NetFirms IT guys to go through all their CSS and JavaScript files on the encrypted server to find and rectify the error. I hope they will encrypt the client area.

What I do not understand is why they encrypt just the login when the client area is unprotected. By this, I mean the cost of encrypting one page and a million pages is the same: it only takes one Certificate of Authenticity (CA) and an https server. Why not maximize client security and experience by placing the client area on the same server as the login page? Just ensure all image, CSS and JavaScript files, and all the files they reference, are on encrypted servers also.
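The three mistakes described above (a CSS or script file pulled from an unencrypted server, a stylesheet that itself references http:// files, and a hidden "destination" field that sends the user to an unencrypted page after login) can all be found by reading the login page's HTML before it goes live. The scanner below is an added example, written for this post and not NetFirms' or anyone else's code; the page it scans is a constructed sample with placeholder hosts (example.test), and the list of redirect-style field names it looks for is an assumption, not a standard. It resolves every reference against the page's https:// URL, so scheme-relative (//host/path) and site-relative (/path) links are correctly treated as encrypted and only genuine http:// references are reported.

```python
from html.parser import HTMLParser
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample: an HTTPS login page containing the kinds of references
# the post describes. Host names are placeholders, not real servers.
SAMPLE_PAGE_URL = "https://login.example.test/controlpanel/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/css/site.css">
<script src="//cdn.example.test/app.js"></script>
<style>body { background: url(http://static.example.test/img/bg.png); }</style>
</head><body>
<img src="/images/logo.png">
<form method="post" action="https://login.example.test/controlpanel/auth">
  <input type="hidden" name="destination" value="http://www2.example.test/controlpanel">
  <input type="text" name="user"><input type="password" name="pass">
</form>
</body></html>
"""

# (tag, attribute) pairs whose URL the browser fetches or submits to
FETCH_ATTRS = {
    ("link", "href"), ("script", "src"), ("img", "src"),
    ("iframe", "src"), ("form", "action"),
}
# Assumed names of hidden fields that decide where the user lands after login
REDIRECT_FIELD_NAMES = {"destination", "redirect", "return", "next"}
# url(...) and @import references inside inline <style> blocks
CSS_URL_RE = re.compile(
    r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I)


def is_plain_http(url, base):
    """True if the reference resolves (relative to the page) to a cleartext http:// URL."""
    return urlsplit(urljoin(base, url)).scheme == "http"


class MixedContentScanner(HTMLParser):
    """Collects (kind, location, url) findings for every unencrypted reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for t, a in FETCH_ATTRS:
            if tag == t and attrs.get(a) and is_plain_http(attrs[a], self.base):
                kind = "form-action" if tag == "form" else "subresource"
                self.findings.append((kind, f"<{tag} {a}>", attrs[a]))
        if tag == "input" and (attrs.get("type") or "").lower() == "hidden":
            name = (attrs.get("name") or "").lower()
            value = attrs.get("value") or ""
            if name in REDIRECT_FIELD_NAMES and is_plain_http(value, self.base):
                self.findings.append(("post-login-redirect", f"<input name={name}>", value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Text inside <style> is CSS; check its url() and @import references too
        if self._in_style:
            for m in CSS_URL_RE.finditer(data):
                ref = m.group(1) or m.group(2)
                if ref and is_plain_http(ref, self.base):
                    self.findings.append(("css-reference", "url()/@import", ref))


def scan_page(html, page_url):
    """Return the list of unencrypted references found in an HTTPS page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, where, url in scan_page(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:20} {where:22} {url}")
```

On the sample page the scanner reports the http:// stylesheet, the http:// background image inside the inline CSS, and the hidden destination field, while the scheme-relative script and the site-relative logo pass. External stylesheets and scripts are fetched files rather than inline text, so a real audit would also run the CSS check over each .css file the page links to, which is exactly the trawl through CSS and JavaScript files described in the update.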

I know that I threatened to take my business to GreenHost It. The reality is that it can be time consuming to move a database-powered site from one hosting service to another. But it is even more time consuming to rebuild one's website reputation once the site has been compromised and used for harmful purposes. By not encrypting the client area, it is possible to use a man-in-the-middle attack to gain access to a client's account and wreak havoc with the site. So I challenge NetFirms to encrypt the client area before either (a) my site is compromised or (b) my plan comes up for renewal in July. When I leave, I will be taking my clients with me.

1 comment:

  1. Was this ever resolved? I've recently had my email on Netflix compromised?