Yes, You Should Probably Have A TLS Certificate
This entry was posted in General Security, WordPress Security on September 18, 2018 by Mikey Veenstra
Last week’s article covering the decision to distrust Symantec-issued TLS certificates generated a great response from our readers. One common question we received, and one that pops up just about any time SSL/TLS comes up, is how to determine when a site does and does not need such a certificate. Spoiler: Your site should probably have a TLS certificate.
A subject of some discussion in the web community surrounds the use of TLS certificates and the implementation of HTTPS that these certificates allow. While their use is critical on sites where sensitive data from visitors may be involved, like payment data or other personally identifiable information (PII), the debate concerns the use of HTTPS in cases where users aren’t providing sensitive input. In today’s post, we’ll take a practical look at the difference between HTTP and HTTPS traffic, and discuss the benefits of being issued a certificate regardless of the way users interact with your site.
What’s TLS? Is It Different From SSL?
Before we really dig in, let’s clear up some terminology for anyone who might be unfamiliar.
HTTPS (short for Hypertext Transfer Protocol Secure) allows for the secure transmission of data, especially in the case of traffic to and from websites on the internet. The security afforded by HTTPS comes from the implementation of two concepts, encryption and authentication. Encryption is a well-known concept, referring to the use of cryptography to communicate data in a way that only the intended recipient can read. Authentication can mean different things based on context, but in terms of HTTPS it means verification is performed to ensure the server you’re connecting to is the one the domain’s owner intended you to reach. The authentication portion of the transaction relies on a number of trusted sources, called Certificate Authorities (CA for short). When a certificate is requested for a domain name, the issuing CA is responsible for validating the requestor’s ownership of that domain. The combination of validation and encryption provides the site’s visitors with assurance that their traffic is privately reaching its intended destination, not being intercepted midway and inspected or altered.
TLS, or Transport Layer Security, is the open standard used across the internet to facilitate HTTPS communications. It’s the successor to SSL, or Secure Sockets Layer, although the name “SSL” has notoriously picked up common usage as an interchangeable term for TLS despite it being a deprecated technology. In general when someone brings up SSL certificates, outside of the off chance they’re literally referring to the older standard, they’re probably talking about TLS. It’s a seemingly minor distinction, but it’s one we hope will gain stronger adoption in the future.
I Shouldn’t Use TLS Unless I Really Need To, Right?
There’s no shortage of conflicting advice across the web regarding when to implement TLS and when to leave a site insecure, so it’s no surprise that a lot of strong opinions develop on both sides of the issue. Outside of cut-and-dry cases like PCI compliance, where payment transactions need to be secure to avoid a policy violation, you’ll find plenty of arguments suggesting cases where the use of TLS is unnecessary or even harmful to a website. Common arguments against the wide use of TLS tend to fall into two general categories: implementation and performance.
Concerns about implementation difficulties with TLS, like the cost of purchasing a certificate, difficulty in setting up proper HTTPS redirects, and compatibility in general are common, but are entirely manageable. In fact, TLS has never been more accessible. Let’s Encrypt, a free certificate issuer which launched in early 2016, has issued just under two-thirds of the active TLS certificates on the internet at the time of this writing. Following the flood of free certificates into the marketplace, many popular web hosting companies have begun allowing Let’s Encrypt certificates to be installed on their hosted sites, or are at least including their own certificates for free with their hosting. After all, site owners are more security-conscious now than ever, and many will happily leave a host if TLS is a cost-prohibitive endeavor.
Other pain points in the implementation of HTTPS, like compatibility with a site’s existing application stack, are no different than the pain points you’d see following other security best practices. Put simply, avoiding the use of HTTPS because your site will break is the same as avoiding security updates because your site will break. It’s understandable that you might delay it for a period of time so you can fix the underlying issue, but you still need to fix that issue.
The other arguments against widespread TLS are those of performance concerns. There’s certainly overhead in play, considering the initial key exchange and the processing necessary to encrypt and decrypt traffic on the fly. However, the efficiency of any system is going to depend heavily on implementation. In the case of most sites, the differences in performance are going to be negligible. For the rest, there’s a wealth of information available on how to fine-tune an environment to perform optimally under TLS. As a starting point, I recommend visiting Is TLS Fast Yet? to learn more about the particulars of this overhead and how best to mitigate it.
My Site Doesn’t Take Payments, So Why Bother?
Each debate ultimately hinges on whether the site owner sees value in HTTPS in the first place. A lot of the uncertainty in this regard can be traced to unfamiliarity with the data stored in HTTP requests, as well as the route that these requests travel to reach their destination. To illustrate this, let’s take a look at the contents of a typical WordPress login request.
The request contains a number of interesting pieces of information:
- The full URL of the destination, including domain and file path
- User-Agent details, which describe my browser and operating system
- My referer, which reveals the page I visited prior to this one
- Any cookies my browser has stored for this site
- The POST body, which contains the username and password I’m attempting to log in with
The implications of this request falling into the wrong hands should be immediately recognizable in the fact that my username and password are plainly visible. Anyone intercepting this traffic can now establish administrative access to my site.
Contrast this with the same request submitted via HTTPS. In an HTTPS request, the only notable information left unencrypted is the destination hostname, to allow the request to get where it needs to go. As far as any third party is concerned, I’m sending this request instead:
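The post’s screenshots of the two requests are not reproduced on this page. As an added example (not code from the original post), the script below builds a constructed wp-login.php POST with placeholder host and credentials, parses it, and returns what an on-path observer reads in each case: every field from the list above over HTTP, and only the hostname (leaked through the TLS Server Name Indication extension) plus an approximate payload size over HTTPS.

```python
"""Added example (not from the Wordfence post): compare what an on-path
observer can read from one WordPress login request sent over HTTP and over
HTTPS. The request, host, and credentials below are constructed placeholders."""

from urllib.parse import parse_qs

# Constructed sample: a wp-login.php POST as it travels in cleartext over HTTP.
SAMPLE_HTTP_REQUEST = (
    "POST /wp-login.php HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0\r\n"
    "Referer: http://example.com/wp-login.php\r\n"
    "Cookie: wordpress_test_cookie=WP+Cookie+check\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "log=admin&pwd=hunter2&wp-submit=Log+In"
)


def parse_http_request(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request (request line, headers, body).

    Header names are lower-cased because HTTP header names are
    case-insensitive. Raises ValueError if Content-Length disagrees
    with the body actually present.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body_len = len(body.encode())
    declared = int(headers.get("content-length", body_len))
    if declared != body_len:
        raise ValueError(f"Content-Length {declared} != body length {body_len}")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "wire_bytes": len(raw.encode())}


def observer_view_http(req: dict) -> dict:
    """Fields an on-path observer (ISP, network admin, anyone sniffing) reads
    directly from a cleartext HTTP request: the list given in the post."""
    h = req["headers"]
    form = {}
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(req["body"])
    return {
        "url": f"http://{h.get('host', '')}{req['target']}",
        "user_agent": h.get("user-agent"),
        "referer": h.get("referer"),
        "cookies": h.get("cookie"),
        "username": form.get("log", [None])[0],   # WordPress login form field
        "password": form.get("pwd", [None])[0],   # WordPress password form field
    }


def observer_view_https(req: dict) -> dict:
    """What the same observer gets once the request rides inside TLS.

    The server name still appears in the clear in the TLS ClientHello's
    Server Name Indication (SNI) extension so the server can pick the right
    certificate; path, headers and body sit inside encrypted TLS records,
    so only their approximate size is observable.
    """
    return {
        "sni_hostname": req["headers"].get("host"),
        "encrypted_payload_bytes_approx": req["wire_bytes"],
    }


def exposed_fields(view: dict) -> list:
    """Names of the fields the observer actually obtained (non-empty only)."""
    return sorted(k for k, v in view.items() if v)


if __name__ == "__main__":
    req = parse_http_request(SAMPLE_HTTP_REQUEST)
    print("Over HTTP the observer sees:", observer_view_http(req))
    print("Over HTTPS the observer sees:", observer_view_https(req))
```

Run it as a script to print both views side by side; the HTTPS view deliberately has no key for path, cookies or credentials because none of those are recoverable from the encrypted records.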
Outside of examples as obvious as login security, the thing to keep in mind above all is the value of privacy. If a site’s owner hasn’t installed a TLS certificate, even though the site is purely informational and takes no user input, any traffic to that site can be inspected by the user’s ISP, or even the administrator of the network they’re connected to. This is notably problematic in certain cases, like when someone might be researching private medical or legal matters, but at the end of the day the content of a site is irrelevant. Granted, my hat probably contains a bit more tinfoil than most, but there’s no denying this is an era where browsing habits are tracked wherever possible. Real examples exist of ISPs injecting advertising into unencrypted traffic, and the world has a nonzero number of governments happy to inspect whatever traffic they can get their hands on. Using HTTPS by default shows your site’s users that their privacy is important to you, regardless of whether your site contains anything you might consider private.
The internet at large is rapidly adopting improved security standards, and the majority of web traffic is now being delivered via HTTPS. It’s more important than ever to make sure you’re providing your users with the assurance that their traffic is private, especially with HTTP pages being flagged as “Not Secure” by popular browsers. Secure-by-default is a great mindset to have, and while many of your users may never notice, the ones who do will appreciate it.
Interested in learning more about secure networking as it pertains to WordPress? Check out our in-depth lesson, Networking For WordPress Administrators. It’s totally free, you don’t even need to give us an email address for it. Just be sure to share the wealth and help spread the knowledge with your peers, either by sharing this post or giving them the breakdown yourself. As always, thanks for reading!
STOLEN APPLE IDS USED IN STRING OF DIGITAL PAYMENT THEFTS IN CHINA, SAYS REPORT
Popular Chinese e-transaction giants Alipay and Tencent Holdings are warning users that hackers used hijacked Apple IDs to steal cash from customers’ accounts, according to a Bloomberg report Wednesday. It’s unclear how much the hackers stole.
Alipay said in a blog post that it’s working with Apple to figure out how the hackers got in. The company warned that customers may be vulnerable to theft if they’ve linked their Apple IDs to Alipay accounts, WeChat Pay or credit cards. Alipay suggested users lower their transaction limits to prevent large amounts of money from being stolen.
When reached for comment, Apple didn’t directly address the stolen Apple IDs.
“We encourage customers to create a strong password and turn on two-factor authentication to protect their accounts,” an Apple spokesperson said in an emailed statement.
Tencent, which developed the popular chat app WeChat, reportedly said it’s also contacted Apple. It advised users to safeguard their Apple ID. WeChat has more than a billion users worldwide and can be used to pay for basically everything in China.
Alipay operates under Ant Financial, which is controlled by Jack Ma, the billionaire co-founder of e-commerce giant Alibaba.
Alipay and Tencent Holdings didn’t immediately respond to requests for comment.
RUSSIA GRU CLAIMS: UK POINTS FINGER AT KREMLIN’S MILITARY INTELLIGENCE
The UK government has accused Russia’s military intelligence service of being behind four high-profile cyber-attacks.
The National Cyber Security Centre says targets included firms in Russia and Ukraine; the US Democratic Party; and a small TV network in the UK.
A Russian foreign ministry spokeswoman described the accusation as a “rich fantasy of our colleagues from Britain”.
World Anti-Doping Agency computers are also said to have been attacked.
Files later emerged showing how British cyclists Sir Bradley Wiggins and Chris Froome had used banned substances for legitimate medical reasons.
At the time, some of the attacks were linked to Russia – but this is the first time the UK has singled out the GRU, the Russian military intelligence service.
British police think the men who carried out the Salisbury poisoning in March worked for the same group.
Speaking on behalf of the Russian foreign ministry, Maria Zakharova said the UK’s accusations were “mixed in one perfume bottle”, adding: “Maybe a Nina Ricci bottle: GRU, WADA, Kremlin hackers – it’s a diabolical perfume.”
But Defence Minister Gavin Williamson condemned Russia as a “pariah state”, and said Moscow’s “reckless and indiscriminate” attacks had left it isolated in the international community.
The NCSC said it has assessed “with high confidence” that the GRU was “almost certainly responsible” for the cyber-attacks.
Foreign Secretary Jeremy Hunt said the GRU had waged a campaign of “indiscriminate and reckless” cyber strikes that served “no legitimate national security interest”.
Cyber security consultant Andrew Tsonchev said individuals can get “caught up” in the attacks.
He said: “The more obvious and urgent effect that people need to be aware of is that the services they use – the essential services – are at risk and are actively being targeted for sabotage.”
What is the GRU accused of?
The NCSC says hackers from the GRU, operating under a dozen different names – including Fancy Bear – targeted:
- The systems database of the Montreal-based World Anti-Doping Agency (Wada), using phishing to gain passwords. Athletes’ data was later published
- The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia
- Ukraine’s Kyiv metro and Odessa airport, Russia’s central bank, and two privately-owned Russian media outlets – Fontanka.ru and news agency Interfax – in October 2017. They used ransomware to encrypt the contents of a computer and demand payment
- An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen
Former UK diplomat Lord Ricketts said it was likely the Russians targeted Wada “to distract from the very serious allegations about Russian athletes”, and targeted the Ukraine as they were trying to “destabilise” the region.
But he added other attacks seemed random and might have been part of a “pilot project” to “see what they can do at a point where they wanted to use” cyber warfare.
What has the UK government said?
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens,” said Foreign Secretary Jeremy Hunt.
“This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.
“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”
Lord Ricketts believes rather than the UK participating in an offensive cyber counterattack, the government should continue targeting “dodgy Russian money” with economic sanctions.
By Gordon Corera, BBC security correspondent
Today’s statement is part of a drive by Britain to keep the pressure on the Russian state and specifically on Russia’s military intelligence outfit – the GRU.
Some of these cyber-attacks had been previously attributed by private sector researchers to Russia. Britain had also attributed other cyber-attacks to Russia.
But for the first time British intelligence has singled out the GRU – and not just the Russian state – as specifically responsible for a series of events which hit a wide range of targets.
The statement also collates the range of names that have been publicly linked to the GRU by different security researchers.
Some are well known, like Fancy Bear, and others less well known. The British statement puts them all together in one place and confirms that in the view of British intelligence they all belong to the GRU.
Do other countries carry out cyber attacks?
Russia is not the only state to have been accused of cyber-attacks.
- The UK blamed the Wannacry ransomware incident on North Korean actors in December 2017, as did the US, Australia, Canada, New Zealand, Denmark and Japan
- In March this year, Britain blamed a campaign targeting universities around the world, including in the UK, on the Mabna Institute based in Iran
- China-based groups linked to the state were accused of hacking UK think tanks last year by a US cyber-security company which investigated
- In April, the UK said it had conducted a “major offensive cyber-campaign” against the Islamic State group.
What is the GRU?
The GRU, also known as the Main Intelligence Directorate, is the intelligence arm of the Russian military.
It is different from the former KGB (now known as the SVR and FSB) in that it conducts undercover military operations and collects intelligence around the globe.
In recent years the GRU has been accused of undercover involvement in the conflict in Ukraine, which saw the Russian annexation of Crimea in 2014.
It is believed that the two men accused of poisoning Russian ex-spy Sergei Skripal and his daughter Yulia, named as Alexander Petrov and Ruslan Boshirov, were GRU agents.
GOOGLE TESTED THIS SECURITY APP WITH ACTIVISTS IN VENEZUELA. NOW YOU CAN USE IT TOO
When Jigsaw tested this privacy app with a few dozen political activists in Venezuela, the company wanted to keep the trial small.
Within weeks, thousands of people around the world were using Intra, a security app used to stop government regimes from censoring the internet and manipulating traffic.
On Wednesday, Jigsaw, a tech incubator owned by Google’s parent company, Alphabet, announced it’s releasing this app to the world.
The app takes on DNS (Domain Name System) manipulation, one of the most common techniques used for political manipulation and spreading malware. Intra creates an encrypted connection between your phone and the DNS server, which makes it much harder for governments and hackers to intercept that traffic.
“DNS manipulation represents one of the most common forms of censorship in the world,” said Justin Henck, a product manager at Jigsaw. “That’s true for people at risk as well as those who are just trying to live out their lives and understand what’s going on.”
Think of DNS servers like a phone book — something that matches up a domain name that you type in with the website’s IP address, where it’s actually hosted.
When connections aren’t secure, attackers can intercept DNS traffic, directing people to pages infected with malware instead, or completely block out online resources. Venezuela’s government has been known to block access to social media applications and news websites through DNS manipulation, according to a study from the Open Observatory of Network Interference.
The practice is widespread, as researchers have found governments in more than 60 countries, including Iran, China and Turkey, using DNS manipulation to censor parts of the internet.
Intra was released on the Play Store on Wednesday morning for free, and Jigsaw had been testing its security features among a small group of activists in Venezuela since the beginning of the summer, Henck said.
They wanted to keep its public beta limited, but the app spread through word of mouth in Venezuela, to the point where activists from around the world started using it.
“People found it useful as a tool they could use to get the access that they needed,” Henck said.
Intra automatically points your device to Google’s public DNS server, but you can switch it to other servers, like Cloudflare’s 126.96.36.199, through the settings. There’s not much you need to do to get your encrypted connection — the app really has only one button, which you tap to turn it on.
This encrypted connection to DNS servers comes by default in the upcoming version of Android Pie, but Jigsaw’s developers realized that the millions of people who don’t have the latest update wouldn’t have that same protection. That matters when about 80 percent of Android users aren’t on the latest version of the mobile operating system.
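To make the contrast concrete, here is an added example (not Jigsaw’s or Intra’s code) of the same DNS question encoded once as a cleartext query on UDP port 53 and once inside a DNS-over-HTTPS GET request as specified by RFC 8484, which is one encrypted-DNS transport. The resolver URL is an assumed example endpoint, and the article does not describe Intra’s own implementation; the point shown is what an on-path party can read in each case.

```python
"""Added example (not Jigsaw's or Intra's code): the same DNS question sent
in cleartext on UDP port 53 and wrapped in a DNS-over-HTTPS (RFC 8484) GET
request. The resolver URL used below is an assumed example endpoint."""

import base64
import struct
from urllib.parse import urlsplit

TYPE_A = 1
CLASS_IN = 1


def build_dns_query(name: str, txid: int = 0, qtype: int = TYPE_A) -> bytes:
    """Encode a standard recursive query in RFC 1035 wire format.

    RFC 8484 recommends transaction ID 0 for DoH GET requests so identical
    questions produce identical, cacheable URLs.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def parse_query_name(msg: bytes) -> str:
    """Read the question name back out of a query, exactly as a passive
    observer of cleartext DNS would (the question starts at offset 12)."""
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Build the RFC 8484 GET form: the raw message, base64url-encoded with
    padding stripped, carried in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_doh_param(param: str) -> bytes:
    """Inverse of doh_get_url's encoding: restore padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def observer_view(transport: str, query: bytes, resolver_url: str) -> dict:
    """What an on-path party learns per transport.

    'udp53': the question is readable and the answer carries no integrity
    protection, so it can be replaced in transit (the DNS manipulation the
    article describes).
    'doh': only a TLS connection to the resolver's hostname is visible; the
    question and answer travel inside the encrypted HTTPS exchange.
    """
    if transport == "udp53":
        return {"question_name": parse_query_name(query), "answer_protected": False}
    if transport == "doh":
        return {"question_name": None, "answer_protected": True,
                "tls_server": urlsplit(resolver_url).hostname}
    raise ValueError(f"unknown transport {transport!r}")


if __name__ == "__main__":
    q = build_dns_query("example.com")
    resolver = "https://dns.google/dns-query"  # assumed example endpoint
    for transport in ("udp53", "doh"):
        print(transport, observer_view(transport, q, resolver))
    print(doh_get_url(resolver, q))
```

Note that the resolver’s hostname and IP address remain visible to the network even over DoH, so the protection is against reading or altering the individual questions and answers, not against noticing that encrypted DNS is in use.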
“There were millions of users that we realized we weren’t going to help just by adding features to Android 9,” said Ben Schwartz, the lead engineer on Intra.
The app should be compatible with 99 percent of Android phones, he said. When Jigsaw’s engineers tested it with Venezuelan activists, the majority of people were using devices from 2011 and 2012, he added.
“It’s been really valuable to be able to reach all those users,” he said.