The websec digest #5
About two weeks ago, another major data breach hit the web. The hack of AdultFriendFinder and associated sites exposed the personal information of more than 400 million users. The obtained information includes email addresses, IP addresses and passwords. The passwords were stored in a weak fashion: about 99% of them have allegedly already been recovered.
Because of a server-side vulnerability in the WordPress auto-update mechanism, an attacker could have automatically pushed code to millions of WordPress sites, thereby compromising approximately 27% of the web! Fortunately, this frightening vulnerability was resolved before disclosure, but it could have been a lot worse!
You have probably heard about Qualys’ SSL Server Test, which checks the quality of your HTTPS deployment and gives you a grade between F and A+. You might want to know that the current criteria for calculating the grade are about to change in 2017. Here’s an overview of the upcoming changes, as well as an overview of the midterm plans for the grading system.
Another piece of positive news: OWASP released the Core Rule Set 3 (CRS3) for ModSecurity, allowing you to easily install the web application firewall in front of your applications. Major changes in this version are the drastic reduction of false positives, as well as the sampling feature, allowing you to try out the rules on a small percentage of all your traffic.
To conclude, I wanted to highlight two upcoming features in Firefox. First, Firefox 50 will support cookie prefixes, a (dirty) trick to enforce cookie security properties more strictly. Second, an upcoming version of Firefox will explicitly mark forms that are about to submit credentials over HTTP as insecure. Two great developments that will hopefully lead to more secure web applications!
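To illustrate what cookie prefixes enforce, here is a small checker (added for this digest, not code from the original post or from Firefox) that applies the `__Secure-` and `__Host-` rules from the cookie prefixes specification to Set-Cookie headers; the sample headers are constructed and the `secure_origin` flag stands in for whether the response came over HTTPS.

```python
from typing import Dict, List, Tuple

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def check_cookie_prefix(header: str, secure_origin: bool = True) -> List[str]:
    """Return the prefix-rule violations; an empty list means a conforming
    browser would accept the cookie. Unprefixed cookies are never rejected."""
    name, _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    prefixed = name.startswith("__Secure-") or name.startswith("__Host-")
    if prefixed:
        # Both prefixes demand the Secure attribute and a secure origin.
        if "secure" not in attrs:
            problems.append("missing Secure attribute")
        if not secure_origin:
            problems.append("not set from a secure (https) origin")
    if name.startswith("__Host-"):
        # __Host- additionally pins the cookie to exactly this host and path.
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be exactly '/'")
    return problems

# Constructed sample headers: one conforming cookie and several that a
# browser honouring cookie prefixes would silently drop.
SAMPLES = [
    "__Host-session=abc123; Secure; Path=/; HttpOnly; SameSite=Strict",
    "__Host-session=abc123; Secure; Path=/; Domain=example.com",
    "__Secure-id=xyz; Path=/",
    "__Host-session=abc123; Secure; Path=/app",
    "sessionid=plain; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h.split(";")[0], "->", check_cookie_prefix(h) or "accepted")
```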
There are two upcoming events at our research group that I wanted to inform you about:
- On December 6 and 7, you can attend the Web Security Essentials training course, which will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today! More information and registration.
- On December 13th, we’re hosting an informal industry event on Software Defined Networking (SDN), which is an excellent opportunity to engage in interesting discussions with my colleagues or myself. More information and (free) registration.
As usual, you can find the full list of events on my speaking page.
Philippe De Ryck