
OpenSSL.org hacked? - moeffju
http://www.openssl.org/
======
zaroth
I tend not to click on links advertising pages that are hacked. You know, not
that many zero days on Chrome, but still seems like a risky click, as they
say.

~~~
sillysaurus2

      $ curl www.openssl.org
      TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _

~~~
devdoomari
but what if they set-up the server side so that the server returns different
results depending on the browser/OS?

~~~
dangrossman

        $ curl -A "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36" www.openssl.org

~~~
bengarvey
But what if they return a joke, so funny, that it kills whoever reads it?

~~~
mrjaeger
Then they should split on spaces and only read one word at a time

~~~
HCIdivision17
This is a proven method, but care must be taken to make sure no individual
gets more than on word to translate at a time.

[https://en.m.wikipedia.org/wiki/The_funniest_joke_in_the_wor...](https://en.m.wikipedia.org/wiki/The_funniest_joke_in_the_world)

------
midas007
Yet another example of why to both sign release artifacts AND verify them is
important.

Also, if you're running the public website for a security lib or core FOSS
package, expect more attacks by kiddies trying to build rep... so very
conservative tech choices (mostly static website served from a read-only fs)
and defensive practices are de rigueur.

~~~
peterwwillis
What's the use in a static website or a read-only FS when you can overwrite
what's in RAM, or just attack routing or DNS? Security is a little more
complex.

~~~
orclev
The point is to minimize attack surfaces. If you're serving static content
that's one less path for an attacker to potentially exploit. With only static
files exploits are limited to those contained in the web server or the OS
network code. With a read only filesystem certain classes of privilege
escalation are eliminated.

Attacks on routing or DNS are more difficult to deal with, but at least it
isn't your server being compromised, and if you're using HTTPS properly then
the certificate should show as invalid at least.

So yeah, security is complex, but his advice was spot on. The fact that you
seem to call it into question says that you don't know much about security.

~~~
peterwwillis
Are you kidding me?! At the very least suggest Grsec, SELinux, containers! Who
gives a shit about "certain classes" of privilege escalation? Are you securing
your webserver against 5th graders or actual hackers?

If you want to minimize your attack surface, what he suggested is quite
possibly the least effective possible thing anyone could do. I point out just
a few of the more important issues to consider first, and you tell ME I don't
know about security? I don't know what kind of systems you secure, but mine
don't rely on 'mount -o ro,remount /' as a defense strategy.

~~~
midas007
You're missing the bigger point: enumerating every possible defense is beyond
the scope of a comment AND does not exclude any technique by omission. If
you'd like to raise technologies in a civil manner, please. Just don't start
getting defensive and name calling. [1]

[1]
[http://ycombinator.com/newsguidelines.html](http://ycombinator.com/newsguidelines.html)

------
grogenaut
I said this in a lower thread but I figured it's better up here.

Why is there not a standard for links of this type in browsers. Eg <a
href="url" sigurl="url to sig" sigalgo="algo to calculate
signature">OpenSSL</a>

That's a simple way to go but I really think it's as generally insecure as
reading a signature form a url that is advertised by a website. It's also why
I rarely bother.

But if browsers were good about this then it could be done in a much better
way which is to sign the application with a real peer verifiable signing
method. Such as the SSL cert that covers the site behind the open source
project .

now this only works for projects that have SSL certs. Another method would be
to have a clearing house that can do 1-1 with github et al and a re cert, like
a oss cert organization. A final good way would be to use the beauty of git
and use the source checksums and a repeatable build process (which is fricking
hard) and come up with a way to give a signature for oss applications based on
a git commit and check that back to the public git repository.

really I think knwon public keys for oss projects and branches would be the
real answer. And the security gating for newbs would be like windows and linux
which check the public signature of the application before they run them from
the web and make the end user feel safe instead of doing nothing.

Browsers have a good share in this responsibility as well. Standard domain
security should work well here as well. Better than what we have.

I leave this to more entreprenurial minds to make this work and I'd love some
real telegraph style sinkers to point out the flaws. This is must me talking
after a belated xmas dinner. but I think I'm kind of on course.

~~~
jessaustin
Yeah the public key used for signing has to be communicated via a different
channel, otherwise we're spinning our wheels. I think DNSSEC is headed in the
right direction, but hasn't arrived yet.

But that's if we're talking websites in general. For the specific use here,
installing "trusted" software packages, far better solutions already exist and
already protected the users of OpenSSL.

------
gtklocker
What is a good reason for openssl.org not to utilize HSTS[1]?

    
    
      $ curl -I https://www.openssl.org/
      HTTP/1.1 200 OK
      Date: Sun, 29 Dec 2013 03:57:54 GMT
      Server: Apache/2.2.22 (Ubuntu)
      Accept-Ranges: bytes
      Vary: Accept-Encoding
      Content-Length: 15686
      Content-Type: text/html
    

[1]:
[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)

~~~
peterwwillis
Because it doesn't need it. Technically no website needs it. Only people who
don't know how to type "https" need it.

~~~
gtklocker
Point is, I should not be able to access a plaintext version of a website
hosting such cryptographically crucial software/information.

It's obvious why it can be a grand target for Man in the Middle, defacement
and worst of all integrity attacks. Apart from preventing many of the latter,
implementing HSTS could have really mitigated the problem. Anyone who had
already visited the site wouldn't see the defaced page. Furthermore, they
could get added to an STS preloaded list[1], making the attack invisible to
anyone using a modern browser.

If you are interested, the Wikipedia page[2] does a fair job at explaining
more about why HSTS is needed.

[1]:
[https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...](https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json)

[2]:
[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security...](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Applicability)

~~~
peterwwillis
Or maybe they should have plaintext access, because then they can get the
software if they don't have an SSL-enabled HTTP client, and they can compare
the digital signature of the sources later via 3rd parties.

But this is all crap, really. OpenSSL is a library distributed across tens of
thousands of independent providers all over the internet. Nobody needs to get
it from the main site, and even if they do, there's a multitude of ways to
tell if it's the real deal or not. If you know what OpenSSL is, you can type
in "https" and be totally secure without HSTS. Even if you needed HSTS (which
you don't), who's going to the OpenSSL.org website time after time that HSTS
would even be useful?

People make way too big a deal over half-baked countermeasures that don't
apply to every case. You find me the person who's downloading vanilla OpenSSL
libraries from the main site over multiple visits and is at risk of a client-
side MITM and _not_ verifying their sources, and i'll show you someone who's
going to get owned even without a MITM.

~~~
dionyziz
You seem to have completely missed the fact that HSTS can be combined with an
STS preloaded list, to which the previous comment author also gave you a
reference to read. HSTS is TOFU (trust-on-first-use) by default, but the TOFU
portion can be upgraded to a full PKI-based authentication mechanism just fine
using preloaded lists, which doesn't require any previous visits whatsoever.

Furthermore, it's just embarrassing to see such attacks on these high-profile
sites. If they can't defend their site (even for users who don't type
"[https://"](https://")), who is to say their library is secure? These kinds
of attacks threaten the confidence we have on our fundamental cryptographic
building blocks and should be avoided.

~~~
peterwwillis
In reverse:

1\. These attacks don't bear at all on cryptographic building blocks, because
any script kiddie can brute force a login or fuzz an input, etc. Has nothing
to do with crypto _at all_. Has nothing to do with their code _at all_.
Completely different systems with completely different attacks with incredibly
different requirements... it's worlds apart. There is nothing about defacing a
website or even MITM that could ever be compared to breaking a crypto library.

2\. HSTS is quite a bit different from the PKI of TLS. That said, what you are
basically saying is "HSTS is the same thing as HTTPS when you add the URL to
the browser's STS whitelist". (Which could be avoided altogether if you just
type "https")

So what your argument _really_ boils down to is: a crypto library is worthless
because we _really need_ to use HSTS because OpenSSL.org users are too stupid
to type "https".

Not only is this inaccurate and nonsensical, it's just a crappy security
model. Now I have to manage HSTS exactly the same way TLS certs are managed
and basically reproduce one protocol into a pseudo-protocol and juggle both,
keeping things like RFC 6797 in mind. Suddenly the complexity's gone up
enormously over time, only to prevent MITM on the client, and we don't even
consider whether or not the content was compromised before the connection of
the client to the server.

Even if the server is hacked, you still have absolutely no guarantee if the
content was modified, because you're not verifying the content once you
download it. But sure. Let's freak out about the possibility of a one-sided
MITM to the client over HTTP (which every idiot knows is not secure _by
design_ ), because that's clearly the most important or likely attack to be
worried about right now.

------
HCIdivision17
For when the page is fixed, it currently says:

TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _

~~~
hobs
Yeah I dont see it at this point, so fairly fast turnaround.

~~~
grogenaut
I've wondered this for quite a while but why isn't there a standard for
browsers like <a href="bigassfile" checksumhref="checksumhrefforbigassfile"
checksumalgo="shashamd19">Download with check</a> I mean no one ever checks
them anyways so it's not like they're useful. The second step would to be to
provide a reputable repo of software version -> checksum lookups so I didn't
have to trust a given server for that. This is me thinking and drinking and
I'd love comments.

~~~
erichurkman
You run right back into if you don't already trust the signer of the checksum,
you can't trust the checksum, either.

The next logical step is some kind of third party authority, and then you
right right into the Certificate Authority problem set, including code signing
licenses like Apple and Windows use.

Some F/OSS systems are starting to use similar systems, like the newer Python
package distribution systems.

~~~
grogenaut
Yes I agree. See my more fully fleshed out statement parallel. But checksums
are currently pointless from a secuirty standpoint.

------
Aaronn
Posted on Twitter an hour ago:
[https://twitter.com/Turkguvenligi/status/417099879463129089](https://twitter.com/Turkguvenligi/status/417099879463129089)

"openssl.org/ owned ;)
[http://zone-h.org/mirror/id/21425720](http://zone-h.org/mirror/id/21425720)
…"

------
davvid
Does anyone have any details about how this was done? Was it a compromised
admin account, a local root exploit, social engineering, etc? I'm eagerly
awaiting the post-mortem.

~~~
lucb1e
No, and this is what makes it non-news. Especially since it links to the
hacked webpage. Neither really Hacker nor News...

~~~
mackwic
Hopefully, hacker has a meaning far more open than "security guys" or
"security guys that know how to break things".

Sorry to prefer build things and creating value than destroy it.

I wonder why so many security guys are so condescending and contemptuous...

------
rhgraysonii
Forgive me for the ignorance but why is this significant if at all? Honestly
curious, not being facetious.

~~~
0x0
If they can replace the front page html, they could probably also replace the
source code distribution with a backdoored/trojaned tarball. Or someone else
might already have done so, since who knows how long ago, using the same
exploit.

~~~
userbinator
But would they also be able to replace the public key of the authors in all
the _other_ places it appears on the Internet?

~~~
dionyziz
That. That's why the authors PGP-sign their sources. Furthermore, some of us
maintain GPG trust paths, so replacing it on every other place on the Internet
would still be futile.

~~~
dmix
There is also benefits of using decentralized distribution channels like
bittorrent. So a single source can't be compromised.

------
louwrentius
The fact that the OpenSSL maintainers haven't communicated about this issue
yet make me feel very uncomfortable.

~~~
ams6110
Currently posted:

29-Dec-2013: Web site defacement. Investigation in progress, more details to
follow.

------
srl
Other pages are still up (although I haven't checked that they're unmodified)
- it does appear the attacker didn't bother to bring anything but the front
page down.

~~~
phaed
They did that on purpose, their intent seems to be to bring awareness rather
than destruction.

~~~
stusmall
An email works too :)

~~~
phaed
Awareness with a side order of boasting.

------
s3yfullah
Zone-H Mirror >
[http://www.zone-h.org/mirror/id/21425720](http://www.zone-h.org/mirror/id/21425720)

------
jscheel
Their security certificate still appears valid.

------
kenrick
Who is in the favicon?

~~~
dangrossman
Nobody; it's the text "OpenSSL" squished into 16x16.

~~~
kenrick
ok

------
wzy
they're back...

------
almosnow
Is this the site that offered you free SSL certs?

~~~
borplk
No

~~~
almosnow
Oh sorry, 'apt-get' has spoiled me (somehow I've never knew what was the
official home of openssl).

Not cool at all, and apparently the guys running the site haven't took notice
yet.

