filed in Security Stuff on Jun.25, 2012
This weekend, the Conservative MP for Corby and her business partner Luke Bozier launched a new social site called Menshn.
The biggest problem I have with the launch was the blatant untruths about security that went with it, which put its users at unnecessary risk. Here’s a quick summary.
Many people pointed out that passwords were being sent over unencrypted links (HTTP rather than HTTPS), yet this is what Louise and Luke were telling their users.
These blatant untruths worry me deeply. It’s not that they were misleading people about the security of their site (that’s small beer in many respects), it’s that politicians and politicos find it so very easy to mislead (lie to?) the public when they have been made aware of the truth. If they can mislead people about something so obvious, what else are they actively misleading us about every single day?
When the public are misled in such a manner, what hope is there for informed political debate? Who is holding politicians to account? Sure, there’s an argument that they trusted their advisers, but I’m aware of at least 3 people who contacted them to articulate the password issues with Menshn. Selecting which advice to listen to and then spinning that version of the “truth” to the general public is not new (http://www.guardian.co.uk/science/2012/feb/29/scientific-advisers-ignored-lords-report), but it is getting tired. How much longer will the public put up with being fed lie after lie (whether it’s intentional or not)?
What’s that? They’re not lying? Prove it?
Well, generally, proving security is a dangerous game that can land you in court, prison and, if you’re really unlucky, wearing an orange boiler suit; however, you can monitor your own traffic on your own computer.
I downloaded a program called Fiddler2, which I use for testing my own code. Fiddler2 looks at the network traffic between your browser and the web server you’re talking to. It’s incredibly useful for debugging your own site(s); it’s also useful for seeing how other sites protect your data.
Here’s a screenshot of the login process on Menshn as it stood on Friday (and up until about midnight Sunday 24th June). Notice that it’s running over HTTP?
What’s the problem with that? Well, in order for your computer to request and obtain a web page from Menshn.com, a network connection must be established which passes over a number of links (other computers, network equipment etc). ANY of those intermediate hops can see ALL of the HTTP network traffic passing through them. The following picture shows what any of those computers/devices could have seen in relation to my account.
It may look like gibberish, but the black bars are covering the email I registered with, the password I used and the alias I signed up with on Menshn.
Despite what Louise and Luke may try to tell you, this means that if you logged in prior to around midnight Sunday (24th June) your password was transmitted to menshn.com in clear text. As a number of friends put it, this is like shouting your password to a friend on the other side of a crowded room (it doesn’t necessarily mean anyone intercepted your password though, just to be fair).
What’s the problem with that? It’s only a problem if your computer has been hacked, right? WRONG!
If one of those connections is malicious, or if any part of the connection is rerouted by whatever means (and there are many), your password (well, anything in clear text) is at risk. Here’s an interesting news article regarding an issue where Internet traffic was rerouted via China for a short period of time: http://www.washingtontimes.com/news/2010/nov/15/internet-traffic-was-routed-via-chinese-servers/.
It’s not just the passwords that the bad guys are after either
Something called the session cookie is also at risk, but you don’t need to take my word on that. World leading security expert Bruce Schneier explains the issue in beautifully simplistic terms in his blog in relation to a tool called Firesheep that was used to demonstrate issues in Facebook before they were addressed.
“Firesheep is a new Firefox plugin that makes it easy for you to hijack other people’s social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses wincap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection.”
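As an added illustration (not from the original post, and nothing to do with Menshn’s own code), the following Python script parses a captured login request of the kind Fiddler2 displays and reports which form fields and cookies a passive observer on the path could read because the request went over plain HTTP rather than HTTPS. The request text, host name and values are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: a login POST as a proxy such as Fiddler2 would show it,
# sent over plain HTTP. Host and values are made up for this example.
SAMPLE_REQUEST = (
    "POST http://example.test/login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: sessionid=abc123def456; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=alice%40example.test&password=hunter2&alias=alice"
)

# Field and cookie names that usually carry credentials or session identity.
SECRET_FIELDS = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)
SESSION_COOKIES = re.compile(r"sess|sid|auth|token", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def cleartext_exposures(raw):
    """Return credential fields and session cookies that travelled in clear
    text. With an https:// target the payload is encrypted in transit, so
    nothing is reported; anything else is treated as plain HTTP."""
    _method, target, headers, body = parse_request(raw)
    if target.lower().startswith("https://"):
        return []
    exposed = []
    for field in parse_qs(body):           # form fields, in submission order
        if SECRET_FIELDS.search(field):
            exposed.append("form:" + field)
    for cookie in headers.get("cookie", "").split(";"):
        name = cookie.split("=", 1)[0].strip()
        if name and SESSION_COOKIES.search(name):
            exposed.append("cookie:" + name)  # Firesheep-style hijack risk
    return exposed


if __name__ == "__main__":
    print(cleartext_exposures(SAMPLE_REQUEST))
```

The same request with an https:// target reports nothing, which is exactly the difference the switch described below makes for a passive observer.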
Has your password been obtained by hackers?
The truth is that no one will ever really know (unless someone has actually obtained passwords already and goes public – let’s hope not), so the question you have to ask yourself when you’re submitting passwords over any HTTP connection is whether you’re feeling lucky.
A question of trust in politics
The more troubling question is, if politicians and people involved in politics can mislead the public so very easily, what hope does society have when truly critical issues are discussed? (weapons of mass destruction anyone?).
I’d love to hear Louise or Luke be honest and open about the issues they had with the site. Ultimately that would restore some trust and give its users the chance to change passwords elsewhere if they used the same password for other sites. They’d also do well to consider the recent LinkedIn password issues, documented here: http://www.theregister.co.uk/2012/06/21/linkedin_class_action_suit_password_leak/
Is it Fixed?
Since around midnight Sunday (24th June), Menshn has implemented HTTPS, which is intended to protect the connection between your computer and the web server. It’s a good start, but NEVER be fooled into thinking HTTPS or the padlock means the site you are on is bulletproof. In fact, the bolder the claims of security, the more cautious I’d be.
For some balance, I do like the name Menshn. I found myself, despite my best intentions, thinking of the site every time anyone uttered the word ‘mention’. Probably means the name works well.
Should I be ranting about this? Maybe, maybe not. I’m not trolling though (let’s be clear on that). Well, it’s true that a number of other popular sites have terrible password and other security issues, however, those sites are not run by a Member of Parliament, someone who should serve the public interest. Something sits very uncomfortably with me when I see an MP blatantly mislead the public about something they have been made aware of by many people. Something that they surely wouldn’t have fixed if it wasn’t a problem. To me, TRUST is critical in politicians and it’s never been in shorter supply. That is why I put finger to keyboard.