NetFirms is a web hosting service that operates in both Canada (www.netforms.ca) and the United States (www.netfirms.com). Last year NetFirms was bought out by The Endurance International Group, Inc. Since the transition from NetFirms' old OpenBSD servers to The Endurance International Group's Debian Linux servers, I have noticed that the login page for their Control Panel has broken encryption.
I reported my concerns regarding the broken encryption via their feedback form twice but never got even an acknowledgement that they had received the complaint. The security issues were never addressed. The second contact even provided instructions on how to fix the situation. I have to admit it took me quite a while to find what I thought was causing the encryption to break.
To explain why the encryption is broken requires a bit of background on Secure Sockets Layer (SSL), Transport Layer Security (TLS), certificates and how they work together to serve a page securely. SSL and TLS are protocols that encrypt data in transit between a client and a server and detect any change made to it on the way. Before any application data is sent, the server presents its certificate; the client checks that it was issued by a trusted Certificate Authority for the host name it asked for, and only then are the session keys negotiated. That is what turns a plain http:// connection into an https:// one.
Here is where it gets complicated. The certificate and the encryption protect the connection that carries the page itself, not the other files the page pulls in. When an https:// page includes an object such as an image, CSS file or script from a plain http:// URL, that object is fetched over a separate, unprotected connection, even if the server it lives on belongs to the same company. It arrives unencrypted and unauthenticated, so anyone on the network path can read or replace it. A replaced stylesheet or script runs inside the secured page with the same access as the page's own code: it can read what the user types into the login form and send it elsewhere. A replaced image cannot run code, but it still tells an eavesdropper which secure page is being viewed. In other words, one unencrypted CSS, JavaScript or image file undermines the protection of the whole page. Browsers treat this as mixed content, warn about or block it, and stop showing the page as fully secure.
There is one more thing in the page that breaks its security. The hidden field that tells the server where to send the browser once the login succeeds points at an unencrypted page: input type="hidden" name="destination" value="http://www2.netfirms.com/controlpanel". The credentials are posted over https, but the session that follows is handed straight back to plain http.
Now how stupid is that? In fact, once a person has logged in, nothing is encrypted. What this means is that anyone able to intercept the traffic can see and alter the modifications being made to the account, including updates to the site(s), and add their own code or make other changes to the account. Now imagine if your bank's or investment broker's site were like that: you log in using a half-assed login page with broken encryption and then enter an unencrypted area to do your banking. Anyone on the path would be able to see your account balances, transfer funds, create a new payee for paying bills, etc. Ok, so NetFirms is not a bank. But they host web sites, and cyber-terrorists and cyber-criminals now target web sites as a means of recruiting visitors' computers into botnets (zombie networks).
Imagine you are a NetFirms client with a very popular site attracting thousands of visitors every day. One day, while you are updating your site, a cyber-criminal intercepts the transmission between your computer and NetFirms' servers and slips a Trojan, a keystroke logger and a backdoor into your updates. All visitors using Windows become infected. (Linux users would be affected only until they shut down the computer.) Because this would be discovered quickly, the cyber-criminals might prefer to attack the database server instead, or create a new domain, at your expense, that they use to lure people to. What I have been seeing is that cyber-criminals are going after blogging platforms like WordPress and Joomla. NetFirms supports WordPress, Joomla and Drupal.
As you may guess, I am looking for a web hosting service that takes
security seriously. If you have any suggestions, leave a comment below.
UPDATE: Earlier this month (January), after discussions with NetFirms on Twitter regarding the broken encryption of their login page, which included screen captures of the login page in SeaMonkey and Firefox and instructions on how to fix the encryption issue, the issue was fixed within minutes of my threatening to take my complaint to Facebook. Apparently NetFirms was not worried that Twitter has over three hundred million users, but they were more concerned about Facebook's almost one billion users being alerted to the broken encryption.
It turns out that there were CSS and/or JavaScript files on the encrypted server that were referencing files on ordinary http:// servers. This required the NetFirms IT staff to go through all the CSS and JavaScript files on the encrypted server to find and rectify the errors. I hope they will encrypt the client area.
What I do not understand is why they encrypt just the login page when the client area is unprotected. The cost of encrypting one page and a million pages is the same: it only takes one server certificate (issued by a Certificate Authority, CA) and an https server. Why not maximize client security and experience by placing the client area on the same server as the login page? Just ensure that all image, CSS and JavaScript files, and all the files they reference in turn, are loaded over https as well, and that the session cookie set at login is marked Secure so the browser never sends it over plain http.
I know that I threatened to take my business to GreenHost It. The reality is that it can be time consuming to move a database-powered site from one hosting service to another. But it is even more time consuming to rebuild one's website reputation once the site has been compromised and used for harmful purposes. By not encrypting the client area, it is possible to use a man-in-the-middle attack to gain access to a client's account and wreak havoc with the site. So I challenge NetFirms to encrypt the client area before either (a) my site is compromised or (b) my plan comes up for renewal in July. When I leave, I will be taking my clients with me.
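The check described above, and the mixed-content problem explained earlier in the post, can be automated: scan an https page and its stylesheets for anything the browser would fetch from, or be handed off to, a plain http:// URL. The following Python script is an added example written for this post; it is not code from the original post or from NetFirms. The page, the stylesheet and the example-host.test host names in it are constructed stand-ins, not NetFirms' real files, and the hidden-field heuristic (any hidden input carrying an absolute http:// URL) is an assumption based on the destination field quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for an https login page (hypothetical host names, not NetFirms').
# It deliberately mixes secure and insecure references so every branch below is exercised.
PAGE_URL = "https://www.example-host.test/login"
PAGE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example-host.test/cp.css">
<script src="https://static.example-host.test/cp.js"></script>
<style>body { background: url(http://static.example-host.test/bg.png); }</style>
</head><body>
<form method="post" action="/login">
  <input type="hidden" name="destination" value="http://www2.example-host.test/controlpanel">
  <input type="password" name="password">
</form>
<img src="//static.example-host.test/logo.png">
<img src="/images/local.png">
</body></html>
"""

# Constructed stand-in for a stylesheet served over https that itself pulls from http.
STYLESHEET = "@import url(http://fonts.example-host.test/f.css); .a { background: url('/ok.png') }"

# url(...) references and quoted @import targets inside CSS
CSS_REF_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I)

# (tag -> attribute) whose value the browser fetches, or posts the form to
FETCHED_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src", "form": "action"}


def insecure_url(ref, base):
    """Resolve ref against the page URL; return the absolute URL if it would travel over plain http.
    Relative and scheme-relative (//host/path) refs inherit https from the page and are not flagged."""
    absolute = urljoin(base, ref.strip())
    return absolute if urlparse(absolute).scheme == "http" else None


def css_insecure_refs(css, base):
    """Return every url()/@import target in css that would be fetched over http."""
    found = []
    for match in CSS_REF_RE.finditer(css):
        ref = match.group(1) or match.group(2)
        bad = insecure_url(ref, base)
        if bad:
            found.append(bad)
    return found


class MixedContentFinder(HTMLParser):
    """Collect (where, url) pairs for everything an https page would fetch or hand off over http."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.findings = []
        self._style = None  # buffer for the body of an open <style> element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCHED_ATTRS.get(tag)
        if attr and attrs.get(attr):
            bad = insecure_url(attrs[attr], self.base)
            if bad:
                self.findings.append((f"{tag}[{attr}]", bad))
        # Heuristic (assumption): a hidden field carrying an absolute http:// URL is a
        # post-login redirect target, i.e. the session after login is not encrypted.
        if tag == "input" and (attrs.get("type") or "").lower() == "hidden":
            bad = insecure_url(attrs.get("value") or "", self.base)
            if bad:
                self.findings.append((f"input[hidden {attrs.get('name') or '?'}]", bad))
        if tag == "style":
            self._style = []

    def handle_data(self, data):
        if self._style is not None:
            self._style.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style is not None:
            for bad in css_insecure_refs("".join(self._style), self.base):
                self.findings.append(("style url()", bad))
            self._style = None


def scan_page(html, page_url):
    """Parse an HTML document fetched from page_url and return its insecure references."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for where, url in scan_page(PAGE_HTML, PAGE_URL):
        print(f"{where}: {url}")
    for url in css_insecure_refs(STYLESHEET, PAGE_URL):
        print(f"css: {url}")
```

Run against the constructed page it reports the http:// stylesheet, the http:// background image inside the inline style block and the http:// destination field, while leaving the https:// script and the scheme-relative and relative images alone; run against the constructed stylesheet it reports the http:// @import. External stylesheets found by the first pass would be fetched and fed to css_insecure_refs in the same way, which is the step NetFirms had to do by hand.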
Was this ever resolved? I've recently had my email on Netflix compromised?