We were always bothered that so many of our smaller clients really couldn't justify adding SSL. We know there are some “free” ssl certs – but they still require different hosting plans and dedicated IP's.
This also would make man-in-the-middle attacks more difficult to retrieve Umbraco login data
Solution
We extended .NET API's to accommodate receiving encrypted data Added
We have added web.config setting to disable our client side encryption
in the event it doesn't work in some edge case
This would allow a
roll out with no impact on existing users until they wanted to enable
it
Future
If you like this direction, we hope to expand this to member login too – but ultimately this feature cannot succeed without buy-in from the core. We need different API's and custom building Umbraco for each release didn't make our business plan for 2016.
Hi David, thanks for the effort. We appreciate the feedback and applaud efforts to contribute! However, since this is security related we must also be careful and I'm going to try to poke some holes in this. First off: we know TLS and the use of certificates is completely secure and no extra effort is required apart from installing a certificate on the server and setting umbracoUseSsl to true in the web.config. This uses encryption that is completely "invisible" to Umbraco.
Two things here that I'd like to shoot at (disclaimer: haven't looked at your code yet):
You say TLS requires dedicated IP's, that's definitely not the case.
You talk about Man in the Middle (MitM) attacks and my first question is: does your solution account for a MitM listening to your login attempt and then just replaying it? So if they issue the same login request that they captured, wouldn't they be able to still log in? The underlying connection isn't encrypted, so they can capture the exact request and without effort try to replay it.
Speaking of replay attacks: let's assume you did somehow deal with the attack in my previous question. Now you've stopped an attacker from finding out what the user credentials are. Now, let's assume that same MitM is still listening: each subsequent request the user makes is authenticated with a cookie.. That cookie is still sent in plain text, so there's nothing stopping the attacker from reading that, saying "thank you very much" and use the backoffice as they please.
I'm not sure if there's something we can do to facilitate mitigations for attack number 3 but if we can it's probably going to be a huge effort. Whereas, we have a simple solution for this that is getting more and more popular for which no extra effort on your (the contributor) end or on our end (a connection protected with a certificate).
This is ongoing and we're already seeing Google and Firefox punishing insecure connections (even if they are on an encrypted connection and only partially insecure) in their browsers. Edge has plans to do the same thing and in the next few years, you will not be able to get a green padlock in your browser unless the site is properly secured.
With that said, I have a firm believe that in a few years from now we'll all be surfing the net over a secure connection and it seems that putting efforts in to make MitM attacks on Umbraco over an unencrypted connection would be a lot of work over little gain.
I don't want to demotivate you from future efforts to contribute and the only reason I'm being a bit aggressive in this post is because I know security is very difficult to get right. I think we need to spend our efforts (yours and ours) on areas where we can make Umbraco more secure even when it is running over en encrypted connection.
I wanted to update this thread - a lot was exchanged privately as to not expose the issue our patch was addressing.
After lots of bouncing back and forth of ideas we were able to implement something in the Umbraco Core that is going to be baked into UaaS. No Javascript and no questionable code from an audit standpoint. SSL is the only true way to protect your Umbraco website. Our patch would/could protect your password, it could not stop some other juvenile attacks.
Fix:
We have a web.config trick, that will allow you to secure your clients /Umbraco/ directory using a wildcard cert that a web development shop, or web host may have on hand.
Requires: URL Rewrite 2.0 to be installed on the server, released > 5/27/2015
The code is pretty simple inside < System.WebServer >:
Client side encryption on Umbraco login
Problem
We were always bothered that so many of our smaller clients really couldn't justify adding SSL. We know there are some “free” ssl certs – but they still require different hosting plans and dedicated IP's.
This also would make man-in-the-middle attacks more difficult to retrieve Umbraco login data
Solution
Future
If you like this direction, we hope to expand this to member login too – but ultimately this feature cannot succeed without buy-in from the core. We need different API's and custom building Umbraco for each release didn't make our business plan for 2016.
Code is Completed
Download Patch File
Hi David, thanks for the effort. We appreciate the feedback and applaud efforts to contribute! However, since this is security related we must also be careful and I'm going to try to poke some holes in this. First off: we know TLS and the use of certificates is completely secure and no extra effort is required apart from installing a certificate on the server and setting
umbracoUseSsl
to true in the web.config. This uses encryption that is completely "invisible" to Umbraco.Two things here that I'd like to shoot at (disclaimer: haven't looked at your code yet):
I'm not sure if there's something we can do to facilitate mitigations for attack number 3 but if we can it's probably going to be a huge effort. Whereas, we have a simple solution for this that is getting more and more popular for which no extra effort on your (the contributor) end or on our end (a connection protected with a certificate).
As extra reading material: Mozilla and Google are aggressively making efforts to completely deprecate the insecure HTTP protocol: https://konklone.com/post/were-deprecating-http-and-its-going-to-be-okay
This is ongoing and we're already seeing Google and Firefox punishing insecure connections (even if they are on an encrypted connection and only partially insecure) in their browsers. Edge has plans to do the same thing and in the next few years, you will not be able to get a green padlock in your browser unless the site is properly secured.
Apart from that, new protocols that make browsing much faster are only coming to HTTPS connections: https://scotthelme.co.uk/still-think-you-dont-need-https/
And as you already mentioned: free certificates are now ubiquitous - https://letsencrypt.org/2016/04/12/leaving-beta-new-sponsors.html
With that said, I have a firm believe that in a few years from now we'll all be surfing the net over a secure connection and it seems that putting efforts in to make MitM attacks on Umbraco over an unencrypted connection would be a lot of work over little gain.
I don't want to demotivate you from future efforts to contribute and the only reason I'm being a bit aggressive in this post is because I know security is very difficult to get right. I think we need to spend our efforts (yours and ours) on areas where we can make Umbraco more secure even when it is running over en encrypted connection.
Thanks! Sebastiaan.
I wanted to update this thread - a lot was exchanged privately as to not expose the issue our patch was addressing.
After lots of bouncing back and forth of ideas we were able to implement something in the Umbraco Core that is going to be baked into UaaS. No Javascript and no questionable code from an audit standpoint. SSL is the only true way to protect your Umbraco website. Our patch would/could protect your password, it could not stop some other juvenile attacks.
Fix:
We have a web.config trick, that will allow you to secure your clients /Umbraco/ directory using a wildcard cert that a web development shop, or web host may have on hand.
Requires: URL Rewrite 2.0 to be installed on the server, released > 5/27/2015
The code is pretty simple inside < System.WebServer >:
Modify this line: https://YourClientWithoutSSL.Fyin.com{REQUEST_URI}
Good luck & be secured.
David Dimmer
Fyin.com
PS Thanks Sebastiaan
is working on a reply...