Tag Archives: security

… or not migrating to Cloudflare

www.cloudflare.com

Several days ago I wrote a blogpost about my Cloudflare migration. I have done a bit more research since then and unfortunately, there are a few nasty little snags that could really hurt your website if you use Cloudflare without considering some of the nastier implications of the way in which Cloudflare and similar services work.

Main issues

There are two main issues, as described by an interesting blogpost on the blog of Sven Slootweg. Sven is the former administrator of AnonNews.org, and a security researcher. He was also suspected of being part of LulzSec, a very high profile group of hackers. I’ve read most of his posts now and I take them very seriously.

What he states is basically that

  • CloudFlare offers services that are very insecure by default [1];
  • CloudFlare has a business model that depends on them being the “Man in the Middle” with access to a lot of traffic [1];
  • CloudFlare does not mitigate DDOS attacks, unless they are quite small and only affect your webserver [1];
  • Some other minor issues, which I’ll skip. You should read the references for things like issues with Tor [2], SEO rankings [3], website impersonation [4], etcetera, to determine whether they apply to you.

The main problem with the security is that while the user may consider his or her experience to be encrypted (by SSL), the path from CloudFlare to the origin server is not. Now, consider an enduser in a country with an oppressive government who uses your CloudFlare-fronted website. CloudFlare may have a local server in that country. Suppose the user visits a page on the governments blacklist and leaves a nasty comment. Normally, SSL would encrypt all traffic and the government couldn’t intercept the traffic and look inside it. Well, not unless they were using a bit more resources than a simple scanner. But with CloudFlare the traffic between the CloudFlare local server and the webserver hosting the incriminating page, that traffic goes over the border *unencrypted*. Ouch. In some countries, your user will not survive this experience. And the user isn’t even warned: the browser tells the user that everything is fine. Even an SSL test (https://www.ssllabs.com/ssltest/analyze.html?d=www.grundsatzlich-it.nl) will say so. But it’s not. Oh, and if you have a front-end that accepts credit card information, that information will *also* travel the entire internet unencrypted. Not as dangerous as the first scenario, but probably not something you’d like to see as someone using a webstore.

Now, you can actually use the option to also encrypt the traffic between CloudFlare and your server. Let’s just say it’s not the default and requires a bit more expertise than just “point and click”. However, it’s not that difficult. That still leaves CloudFlare as the single point where a lot of web traffic goes through – entirely unencrypted. Sven Slootweg comments that:

This may not sound that bad – after all, they’re just a service provider, right? – but let’s put this in context for a moment. Currently, CloudFlare essentially controls 11% of the 10k biggest websites, over 8% of the 100k biggest websites (source), and almost 5% of sites on the entire web (source). According to their own numbers from 2012(!), they had more traffic than several of the most popular sites and services on earth combined, and almost half the traffic of Facebook. It has only grown since. And unlike every other backbone provider and mitigation provider, they can read your traffic in plaintext, TLS or not.

And finally, the DDOS issue. CloudFlare uses a method that mitigates against DDOS attacks by putting up a front page that asks you to enter a CAPTCHA. Apart from the fact it blocks bots, even backup bots, this doesn’t actually stop any big DDOS attack against something other than your web pages since it doesn’t block attacks by inspecting the packets but just relies on the CAPTCHA and stands in front of you. Dedicated DDOS mitigation works by making sure the packets never reach the real servers – CLoudFlare actually lets the packets reach their servers and relies on having “enough servers”. Given the new threat environment with DDOS attacks now going up to 600 Gbit/sec thanks to the “Internet of (apparently quite insecure) Things”, this may not be enough. Certainly, for the money you have to pay for the mitigation service it’s probably more effective to pay a dedicated DDOS protection service. Since CloudFlare is also responsible for hosting many of the DDOS-service provider websites, paying them for DDOS protection feels a bit like paying protection money to the Mafia.

The verdict

If you use CloudFlare to avoid buying a real certificate to secure your blog on “Human rights in Russia”, or run a webstore that accepts creditcard payments on your own webpages instead of using a payment processor page, you’re opening your users up to huge risks. And pleading innocent is less and less an option now that this information is out there. You can actually get better protection but CloudFlare will always be a Man in the Middle. Sven’s blog lists a number of alternatives if you can’t accept that.

However, for websites like mine, it’s not a big deal to accept less security. After all, before I migrated to CloudFlare the entire site was in cleartext. It’s slightly more secure now than it was, and thanks to this information I will make it more secure in the near future by using a better certificate.

If you move to CloudFlare like I did, you need to carefully weigh the pro’s and cons – better than I did, at least – before moving. But for a lot of blogs it may still be a very good option. If however your webshop or political blog is hosted by CloudFlare, you’d better do some checking before you post or pay. When in doubt, do not enter.

References

2016
[1] http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/
[2] https://blog.torproject.org/blog/trouble-cloudflare

2015
[3] https://salt.agency/blog/seo-rankings-cloudflare/

2014
[4] https://scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/
[5] https://scotthelme.co.uk/cloudflares-great-new-features-and-why-i-wont-use-them/

Server-test
[6] https://www.ssllabs.com/ssltest/analyze.html?d=www.grundsatzlich-it.nl

Migrating to CloudFlare

www.cloudflare.com

I recently added CloudFlare as cache in front of my website. Not only does it provide worldwide local caching of my website, it also improves security by adding in an easy manner all kinds of features you’d otherwise find hard to arrange. It’s still a hassle, but not as much as it used to be.

The standard CloudFlare plan is free. Yep. And you can’t beat the value. The following features are part of it:

  • Caching at a server that is local to your visitors, improving their browsing speeds. Pretty nice and worth the price all in and of itself.
  • Analytics in an easy dashboard. You can get this by incorporating Google Analytics on your pages, true, but here it’s already in the product. However, CloudFlare also has a nice button that allows you to add Google Analytics to all of your pages, if you really want it, without changing your website in any way.
  • Safe browsing over SSL for people visiting the CloudFlare cache, at no charge.
  • DNSSEC can be turned on, securing your DSN entries (DNS translates the name of your website into the IP-address you need to actually get there) against rogue DNS-servers that change the IP-address to their own sites, so they can intercept the traffic or just spoof your website and change pages around. Could be quite embarassing if you are a dissident or well-known political figure, or a bank.
  • A “web firewall” that tries to catch spambots and scrapers before they even reach your website. The more advanced options are paid, but the free option is pretty nice. It has, for instance, the option of asking suspect browsers to authenticate their “humanity” before allowed to access your site. This is enabled by default.
  • IPv6 to IPv4 translation. If you’re on a provider that does not provide IPv6 website hosting you should move ASAP anyway, but suppose you can’t? In that case you have the option of pretending to your rather outdated server that the request is actually an IPv4 type request. Could be useful.
  • An option called “Apps”. Apps are small features you can enable that are provided by 3rd parties. One of these for instance is “A Better Browser” which warns users of older browsers that they should upgrade. Once again, no code on your website changes and you can turn it on and off quite easily. Other apps provide analytics, more security and monitoring but almost all of these are paid options.
  • Email-address obfuscation. For the truly paranoid, you can turn all your emailadresses on the site into addresses that cannot be harvested by the scrapers they said they would stop. I don’t bother with this, but feel free.
  • Hotlink protection. This is pretty nifty if you have a site with a lot of images, and people blogging about them link directly to your site from their article. That means their pageviews count against your bandwidth. With this option you can prevent those requests from being served.

These options are all easily accessible through a set of buttons as displayed here: cloudflare-buttons

Pretty nice all by itself. But I’ll discuss the setup and two main features in more detail.

Setup

The setup is easy. Just sign up and add your website. The main thing you need to get working is the nameservers. If you cannot change the nameservers for your website, things will get really tough because that is how CloudFlare works. If you cannot change them, contact your provider. If your provider does not allow nameserver changes, move away to another that does support it. Otherwise none of the newer features of the internet will work unless your provider agrees to provide them to you. That won’t be cheap.

After you get the nameservers changed, you have to log out and wait a few hours. By then the change will have been recognized by CloudFlare, and now you can actually use its features. The two most useful features are of course caching and encryption, which I explain below in a bit more detail.

Caching

The caching features of the CloudFlare platform help you in the sense that small DDOS attacks won’t bring down your website or hurt your direct provider. Big ones will mean you have to pay up (a lot), but it’s better than your direct provider shutting down your website for a minor DDOS assault, right? They also have the option named “always online(tm)” that provides a cached copy of your website, if it is offline on your own side. Note that this only goes for the popular (cached) pages but these are the most important ones anyway. Of course, caching can be disabled (temporarily) by turning on “development mode”.

Encryption

Encrypting the website gives you the option to have browsers come in over SSL. And this is very interesting because browsers are now signalling by default that your site is untrusted if it is not protected by SSL. The CloudFlare option provides SSL for your website from visitor browser to CloudFlare, but if you don’t add something more, it will still be unencrypted between CloudFlare and your original website.

If you trust the channel between your website and CloudFlare, this is still pretty safe. For most websites it’s a major improvement because they go from no SSL at all, to SSL between visitor and cache. But if you want more it’s pretty easy. Most website hosting companies provide you with the ability to place a self-signed certificate on your website, and CloudFLare can be set to acknowledge that certificate. You could also set CloudFlare to acknowledge only certificates signed by a trusted authority, increasing the security of your channel either further, or reducing it to zero, depending on who you trusted as certificate provider. In my case, I go with the self-signed certificate.

DNSSEC is however a bit more involved. I was unable to get this working because my hosting provider does not provide me with the ability to add a “DS” record to the DNS-server. I’m still looking into it. HOWEVER… my provider has automatic DNSSEC as long as I use their nameservers… This effectively means that I am going to have to do without DNSSEC *or* CloudFlare. Given the risks involved (minor) I’m going to stick with CloudFlare for a while, but I may be returning to the provider I have. I would really like them to have this though.

Summary

All in all, I can highly recommend CloudFlare. It’s free, it’s easy and provides immediate benefits for most websites. If you’re big enough to already have most of this it may be less interesting, but for 90% of the internet this is a step forward.

Update

Update 09-okt-2016: I’ve written a new article about why you should be careful when moving to CloudFlare, as it is not quite as suitable as I thought for websites that require actual security and encryption.

Encryption is not a silver bullet

Have I been pwned?Recently, well-known security researcher Troy Hunt, responsible for the website Have I been pwned? described how someone lost 324000 records with full creditcard details, including security codes, by posting them on a public server. There were two parties suspected of the data breach, but neither could find any breach at first. So both parties stated categorically that there was no breach, all data was 100% encrypted and completely secure on their servers so the problem had to lie elsewere. And they were right, all the data was encrypted.

Now, encrypted data should be safe. And to be honest, encryption is more and more the mainstay of securing your data. Firewalls can be breached, servers and companies infiltrated, but if the data is encrypted it should remain secure even if you publish it on the internet. This is somewhat correct – barring adversaries like national intelligence services, who are very likely to be able to decrypt most schemes at the moment. It’s well known that the Dutch National Intelligence and Security Service (AIVD) is investing heavily in quantum computing research, for instance, which means that the NSA probably has one working right now. But apart from those entities, it’s still quite hard to crack decently encrypted data.

That is why in the new SQL Server edition, SQL Server 2016, it is now possible to keep the data encrypted all the time. Only the client can decrypt the data with their own keys. Barring vulnerabilities in the implementation this is a huge step forward: it is impossible for the database administrators to access data they aren’t allowed to see and the loss of a key only affects data stored for that client. Both are very important steps forward to enable clients to trust databases in the cloud. Which is one reason why Microsoft is pressing forward on this, because they will become entirely dependent on Azure in less than a decade, according to their own predictions. This means that trust in Azure will be a make-or-break issue for the company and their focus on improvements in security reflects this knowledge.

And let me be clear: this is a huge leap forward. The old situation could encrypt some data with server-side keys, but when you made a backup it was decrypted. And in several other scenarios it didn’t work if your data was encrypted. But now it works all over the database, you can set it up quite easily and even choose whether columns are encrypted in a deterministic way that gives the same result every time you encrypt the same value, which enables searching and joining, or random: every time you encrypt the value is different. The latter gives more protection from attackers who encrypt “likely values” and see if they match, which is a classic attack against password-files (see: rainbow tables / dictionary attacks).

In the picture you can see how it works by storing the keys on the client:
Always Encrypted SQL Server 2016

This means we can now store creditcard information and sensitive information in the cloud while not having to rely solely on the goodwill of the Azure database administrator.

There is unfortunately also a downside. The fact that data is now safer does not mean it is safe in all circumstances. The way “always encrypted” works has consequences for your implementation that could blow your encryption scheme right out of the water if misused. So while the temptation to store sensitive but potentially very interesting data because hey, “it’s encrypted” and thus safe, can overcome common sense and even regulations, we should still firmly ignore that temptation.

Because the case I linked in the beginning showed everyone that even if data is encrypted, it is not always safe. In the case which I quoted at the start of the article, the data was encrypted too, and it still leaked. The reason was that the encryption keys were known to the organisation involved and used to decrypt data for analysis. That decrypted textfile was then stored on a publicly accessible server. Encryption cannot mitigate that scenario if the keys are part of the webapplication and the owner of the application can also access the data. Anyone who can get to the keys, can decrypt the information. After that, the security of the data once again depends on what that person does with it – such as putting it on a public server.

This is the reason that if you want to process creditcard information, for instance, you need to be PCI compliant. This is a set of regulations drafted by the financial industry that tell you what data you can store and how. Very sensitive details such as the security code should NEVER be stored. They don’t give security regulations for the storage of the security code: storing it violates all the rules, no matter what you do. The case with Regpack shows that this is still true. What you store will eventually leak, even with encryption. Once quantum computers become available widely, all current encryption schemes are broken and that nicely encrypted data on the internet that wasn’t a problem… is suddenly readable text.

So while “always encrypted” is a step forward, you still need to be very careful about what you store and it still needs to be secure – processing encrypted data on an insecure platform means your data is just as insecure, as the data can be intercepted in memory. While solutions are in the works (Philips, IBM and others are working on homomorphic encryption schemes) this is currently not an option.

recommendations

My recommendations on this subject are as follows.

  • Do not store any data you are not allowed to store.
    If you do this anyway and lose the data, you will get fined or even shut down when this comes to light.

  • Do not store any sensitive data you do not have to store.
    Everything you store is a security risk, if you don’t store anything there are no risks. Being smart about what data to store is a big part of any security strategy.

  • If you do store sensitive data, let the owner of the data hold the key to that data if at all possible.
    After all, a file where every line is encrypted with a different key you don’t have, is a file that will be pretty hard to decrypt and certainly can’t be decrypted by accident by one of your employees.

  • If you cannot do even that, and your application does the encrypting, make sure the decryption key is locked in hardware like a smart card that is NOT reachable on any computer without physical presence.
    Violating this simple rule was what destroyed the Dutch Public Key provider Diginotar.

Some companies prioritize time-to-market and lower cost over data security. But eventually, those companies will be destroyed over that practice. The current digital environment is just too hostile to survive such practices for very long.