
Certificate Transparency: Hacking web applications before they are installed - Tomte
https://www.golem.de/news/certificate-transparency-hacking-web-applications-before-they-are-installed-1707-129172.html
======
ge0rg
Unauthenticated installers have been a dumb idea from day 1. This finally
looks like the right opportunity to get rid of them.

I'm sure that having an additional step to verify your read/write access to
the installation directory (e.g. by means of a token file) isn't too big a
hurdle for users, and it will properly close off this attack surface.

~~~
tyingq
Many of them could remain mostly as-is in the case where the database is
local, as they already ask for the database name and password, and don't move
forward until it's right.

So just adding the extra step when a remote database is specified might
suffice, and preserve the easy install for most users.

~~~
hannob
That was my initial idea I proposed as a fix. However, I am not really
comfortable with it and came to the conclusion I don't think it's a good fix.

Ultimately that makes a pretty bold assumption: That if you have database
credentials on a host this allows you to control other people's webapps in
some situations. That's not reasonable. I could just be another customer at a
webhoster and I don't think it's reasonable to assume that customers are
allowed to hack each other.

I think a real additional authentication step for all installations is the
right solution.

~~~
tyingq
Sure. Shared hosting usually uses remote databases, though I suppose you could
install a DB locally and fire it up. That assumes you land on the same
physical host as your victim, which isn't likely at all but the smallest
hosts. And, shared hosting is pretty risky anyway :). But I do get your
reasoning.

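The token-file check that ge0rg and hannob discuss above, as an added example (not code from the article, the ctgrab repo, or any commenter): the installer mints a one-time token, the administrator proves write access to the install directory by creating a file containing it, and the installer refuses to proceed until that file checks out. The file name `.install-token`, the 15-minute validity window and the `run_demo` helper are assumptions for this example.

```python
import hmac
import stat
import secrets
import tempfile
import time
from pathlib import Path

# Assumed file name and validity window; both are choices for this example.
TOKEN_FILE = ".install-token"
TOKEN_MAX_AGE = 15 * 60  # seconds


def new_install_token():
    """Installer start: mint a one-time token, store it server-side (here:
    returned to the caller) and show it to the admin, who must create
    TOKEN_FILE in the install directory out of band (SFTP, shell, panel)."""
    return secrets.token_urlsafe(32)


def verify_install_token(install_dir, expected):
    """Return True only if install_dir/TOKEN_FILE is a regular (non-symlink)
    file, was written recently, and holds exactly the expected token."""
    path = Path(install_dir) / TOKEN_FILE
    try:
        st = path.lstat()  # lstat: a symlink planted elsewhere must not count
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or time.time() - st.st_mtime > TOKEN_MAX_AGE:
        return False
    found = path.read_bytes().strip()
    # Constant-time compare: a wrong token leaks nothing about the right one.
    return hmac.compare_digest(found, expected.encode())


def run_demo():
    """Exercise the flow in a scratch directory standing in for the webroot.
    Returns (before_file, after_correct_file, after_wrong_file)."""
    with tempfile.TemporaryDirectory() as webroot:
        token = new_install_token()
        before = verify_install_token(webroot, token)  # no file yet: refuse
        (Path(webroot) / TOKEN_FILE).write_text(token + "\n")
        after = verify_install_token(webroot, token)  # admin proved access
        wrong = verify_install_token(webroot, "A" * len(token))  # guess fails
        return before, after, wrong


if __name__ == "__main__":
    print(run_demo())  # (False, True, False)
```

Until `verify_install_token` returns True the installer should render nothing but the "create this file" instruction, so a stranger who merely found the fresh install through a CT log has no form to submit.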
------
tyingq
That is pretty clever. I hadn't thought about the certificate transparency
feed as a real-time notification of vulnerable installers.

Combined with the popularity of WordPress, the author is right. It's fairly
trivial to use the installer as an arbitrary RCE engine, and then put it back
into its original state when you're done installing a back door. Also fairly
easy to automate and start building a collection of compromised servers.

I'm interested to see if this results in changes to installers for popular web
software or not.

------
mholt
CT is not only valuable to PKI's integrity, but also valuable for any site
owners, as certificate logs can raise early warnings against phishing or
malware sites that go the extra mile to look secure, before they even go
online.

We should all be using CT logs, and if you own a website, you should be
monitoring your domains. Facebook has a nice little tool to notify you when
new certificates are logged:
[https://developers.facebook.com/tools/ct/](https://developers.facebook.com/tools/ct/)

~~~
PappaPatat
I agree with the value of monitoring the CT logs since it provides a lot of
useful information, but since I do not use any FB account (needed for the link
above), I prefer [https://sslmate.com/](https://sslmate.com/) which will warn
you (email or API) when new certificates (for "your" domain) have been logged
to CT.

------
pasbesoin
I'm on Ubuntu 16.04 LTS. I recently had to install something that has Mono as
a dependency, and imagine my surprise and consternation when said Mono
installation, from the 16.0 repositories, sucked down 160+ certificates into
its own store, including the now long-discredited WoSign root certificates.

One reason I stay away from installing very many apps on my phone, is that I
have little confidence in how security is, or isn't, being handled on a case-
by-case basis. And the size of the organization behind the app gives little
indication of what to expect. Whether pointy-haired-boss management or
outsourcing, their apps are often equally or worse crap WRT security.

I guess now I'll have to read this article more thoroughly, and ponder
whether/how my turning to the browser instead of apps is a problem of itself.

------
tokenizerrr
The linked github repo doesn't have any code.
[https://github.com/hannob/ctgrab](https://github.com/hannob/ctgrab)

~~~
PappaPatat
You were too early, there is now.

------
ToFab123
Easy solution is to run with IP restrictions until website fully configured
and secured

