Cross-Browser Fingerprinting, Operation Kingphish and More.
Friday is here and the week is winding down. Sometimes staying abreast of cyber security-happenings can feel almost impossible. Before this week is over, we wanted to take a moment to highlight our favorite stories and the best articles that were published this week:
Understanding Chrome’s Security UX
Over the past year, Chrome has been making regular changes to its security UX and UI. That’s all the buttons, messages, and interactions that have to do with security features. The bulk of the changes are focused around HTTPS, as it’s one of the most common secure protocols you interact with in the browser.
This week, Chris Palmer, an engineer working on Chrome, shared a detailed rundown of Chrome’s current security UX. It is a great post for those interested in an in-depth explanation around some of Chrome’s recent changes, for instance the recent move of the certificate details button into Developer Tools.
This post by Eric Lawrence, another engineer on the Chrome team, is a great companion piece which shows examples of all the current states of Chrome’s “Security Chip,” which shows the status of the HTTPS connection.
HTTPS Interception Harming Security
A recent study conducted by a veritable supergroup of members from the SSL community has found that HTTPS interception – the practice of decrypting HTTPS connections so that their contents can be inspected – is significantly more common than previously thought. Previous studies estimated interception took place in less than 1% of HTTPS connections. This new research found evidence of up to a 10% rate of interception.
They also found that products performing interception (network middleboxes and anti-virus software) had inferior SSL/TLS capabilities, which often resulted in weakening users’ protections. We summarized their key findings earlier this week.
New Cross-Browser Fingerprinting Method Enables More Pervasive Tracking
A pair of researchers from Lehigh University in Pennsylvania have developed a new cross-browser fingerprinting method.
Cross-browser fingerprinting is the act of uniquely identifying you via your web browser by comparing a large set of features and settings. Usually the combination of operating system, fonts, extensions, and other features creates a unique profile known as a “fingerprint.”
Browser fingerprinting can be used to track your activity across websites. It is a method regularly used to target you with tailored advertising.
People who wanted to preserve some anonymity could split up their activity by browser. For instance, keep all personal browsing to Chrome and all work-related browsing to Firefox.
What sets this new cross-browser fingerprinting method apart is that it identifies your computer, not your browser, which defeats this compartmentalization.
Ticketbleed Vulnerability (Only) Affects F5 Devices
Last week an engineer at Cloudflare discovered a new HTTPS vulnerability affecting devices made by F5. The vulnerability has been named Ticketbleed, and it has been compared to the infamous Heartbleed bug because of similarities in how they work (and their similar names).
But while Heartbleed gave most of the internet a good reason to be scared, Ticketbleed only affects a few thousand websites. We talked about why Ticketbleed is not the next Heartbleed.
Operation Kingphish Targets Qatar Journalists and Activists
A complex phishing campaign against activists in Qatar has been uncovered. The attacker, who is unknown but may be a state-sponsored actor, targeted around 30 people.
In the campaign, named Operation Kingphish, the unknown assailant attempted to “steal credentials and spy on the activity of dozens of journalists, human rights defenders, trade unions and labour rights activists, many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal.”
The phishing campaign used techniques similar to those of the attack that compromised John Podesta’s email account during the 2016 US Presidential Race.
Claudio Guarnieri, a Technologist at Amnesty International, gave a full rundown of the phishing campaign, complete with screenshots and details. If you are looking for a quicker read, Motherboard’s Joseph Cox wrote an excellent summary.
The Cloudflare TLS 1.3 Stack Is Audited
The information security community loves audits, especially when they deal with cryptography.
That’s because one of the most difficult challenges in building secure systems is ensuring your code is working properly. Bugs and unexpected behaviors can cripple whatever security goals you have, and independent audits help ensure that any mistakes you may have made are found.
The SSL/TLS community is very familiar with the problems that bad code can cause. This week’s Ticketbleed bug is the latest example.
As a bit of good news, Cloudflare announced that their TLS 1.3 implementation has been audited by the NCC Group, a well-known company that provides auditing and consulting to cyber-security companies.
The Cloudflare TLS 1.3 implementation is built on top of the Go standard library “crypto/tls”. Go is a newer programming language created by Google that has been well-received as a safer alternative to C.
TLS 1.3 will be a significant milestone for the industry and represents the first new protocol version in nearly a decade. It involves significant changes from TLS 1.2 and will require widespread deployment of new cryptographic methods. Combine that with Cloudflare’s scale, and the relative youth of Go, and you can see why it would be important to make sure everything is working smoothly.
NCC Group’s Cryptography Services gave Cloudflare’s implementation a good review, writing “[our] team found a small number of issues during the review—all of which were promptly fixed—and was pleased with the quality of the code.”
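To make the TLS 1.3 version-negotiation point concrete, here is a small added example in Go using the standard library crypto/tls that the post mentions (it is not Cloudflare’s code or anything from the audit). It runs a server whose version floor is configurable against a client whose ceiling is configurable over loopback TCP, and returns the negotiated version; the server certificate is a throwaway self-signed P-256 certificate constructed at runtime, and the hostname `example.test` is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// must panics on setup errors (key generation, listening) that a sane environment never produces.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Handshake runs a crypto/tls server with version floor serverMin against a client with version
// ceiling clientMax over loopback TCP; it returns the negotiated version, or the error both sides
// see when no common version exists. The server presents a throwaway self-signed cert (constructed).
func Handshake(serverMin, clientMax uint16) (uint16, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool() // the client trusts exactly this one throwaway cert
	pool.AddCert(must(x509.ParseCertificate(der)))
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}, MinVersion: serverMin}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	errc := make(chan error, 1) // outcome of the server-side handshake
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		errc <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "example.test", MaxVersion: clientMax})
	if err != nil {
		<-errc // the server side fails too; collect it so the goroutine exits
		return 0, err
	}
	defer cli.Close()
	if err := <-errc; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}
```

With `tls.VersionTLS13` on both sides the handshake completes on 1.3; with the server floor at 1.3 and the client ceiling at 1.2 (`tls.VersionTLS12`) the server rejects the ClientHello rather than silently downgrading.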