The Hacker Factor Blog

The hardest parts of forensic analysis isn't the tools; it's the training. Anyone can buy rubber gloves, swabs for collecting blood samples, and plastic evidence bags. But if you are not trained to properly collect, handle, and evaluate evidence, then the tools and methods are meaningless.

The learning curve is the hardest part. To address this, I've been working on documentation and worksheets for digital image analysis and photo forensics. While there is still a steep learning curve, the investigator can review the worksheets as a checklist for common things to evaluate. The associated documentation provides details regarding the checklist items, in case the investigator needs to review how a particular system works.

An Eye For Details

While luminance gradient and error level analysis draw pretty pictures, the most important tool is basic observation. It is one thing to see the big and obvious signs of manipulation. It is something else to remember all of the fine details.

The folks at Photoshop Disasters recently posted a couple of amazingly bad shopped pictures that clearly illustrate the power of observation for detecting image modifications.

The first picture comes from an ad campaign for fingernail polish. The picture is supposed to show a model and some nail polish. The magical stars that go from her elbow to the picture frame are just artistic. However, it is the fine details that make this such an obvious disaster... Just using your eyes, what stands out as abnormal and not intentionally artistic? Give yourself a minute to look over it, then scroll down and see how many things you noticed.



If you only saw the disconnected leg, then give yourself one point. (If you didn't notice the leg, then go back and try again. As Thall commented at PsD, "That women could birth a horse or two with those hips!") Other oddities include:

• Her waist is out of proportion.
  
• There is a black triangle between her torso and floating leg. The artist forgot to cut out this area.
  
• Her left forearm (photo right) is significantly longer than her right forearm.
  
• She has two thumbs on her lower hand. (One thumb could be her foot showing through a strap in the shoe, but it is actually blended into the hand.) Oh, and don't mind the "S" on her finger; other photos show it as a tattoo or something.
  
• Her neck is showing a tendon, indicating that her head is turned. However, her head is looking straight and is not centered on the neck. Yes, they cut off her head and pasted on a different head.
  
• She is missing a clavicle (shoulder bone) -- one is there, but the other was erased.
  
• Her boobs are different sizes, and not in a natural way (unless the left one is half as long and deflated...).
  
• The shadow under her head indicates a bright light to the upper right. But the floating leg isn't casting the same shadow onto the other leg. And the shadow from the sleeve onto her straight arm has a shadow going the other direction. Inconsistent lighting means splices.
  
• Of course, all of these are issues with the woman. Over at PsD, ZaphodQB noticed that the reflection of the black polish does not meet the bottom of the black bottle.

This isn't the full list. What else do you see? No wonder their product is called "Oops!"

The Perfect Model

I'm always looking for good sample images that demonstrate specific points. Ideally, I want one picture that only demonstrates one thing, then another that demonstrates the same thing with more complexity, and finally an example that brings everything together.

From the Oops! example, we know to look for different classes of manipulation. These attributes become our checklist:

• Limbs: Are all of them accounted for? Are all connected? Are they the right proportions?
  
• Reflections: Do items line up properly?
  
• Shadows and lighting: Are they consistent?

Now we can apply this to a new set of pictures.

At Photoshop Disasters, they featured a picture from the French fashion house, Louis Vuitton. However, the web page at Fashion Gone Rogue contains many pictures from the "Louis Vuitton Fall 2010 Campaign" (also available at Fashionologie). It is an homage to digital distortions.

Starting at the top is the banner for Fashion Gone Rogue. Her upper arms are very different lengths. It is also faint (better seen with luminance gradient), but it looks like there is a strap or something going across her shoulder and down her cleavage. (This could be where the artist stopped altering the skin.)

Mirror Mirror On The Wall

The various photos from Louis Vuitton have been equally mangled. Let's use our new checklist...

The picture claims to show three women in a dressing room. Each has different color hair: red, blonde, and brunette.

Limbs
Every person has two arms? Check! Extra fingers? Nope. Legs and feet? Uh... the brunette on the right has an ankle but is missing toes.

Reflections
The right-most mirror (behind the toe-less brunette) is not reflecting anyone in the room. The blonde has her hand up in the room but her hand is down in the mirror. That same mirror also shows a light bulb in the reflection, but the bulb does not exist in the room.

The second mirror from the right shows bulbs but they don't align with the bulbs in the room.

The mirror on the far left shows red's head from the back. However, red's head is not turned to show her back to that mirror. And the mirror's reflection shows the lamp on the wrong side. The reflection does not match the room.

Lights and Shadows
When an item sits next to a illuminated light, it is made brighter. And when items are facing away from the light, they are in shadow. Complex lighting, such as floods, reflectors, and bright ambient lighting, can mitigate shadows.

However, those mirrors have a lot of bright lights. The women should have brightly lit backs. But this isn't what we're seeing. The brunette has bright reflections off her chest but not her back. The blonde has a bright clavicle but an under-lit neck. The pile of junk in the back has a brown fabric thing above the handbag; it is lying next to a light bulb and not lit up.

This isn't a comprehensive list and there are other oddities that are not in our checklist. For example, the blonde's dress seems to have a layering issue with red's chair. The dress fabric suddenly becomes semi-transparent and you can see the chair through it.

Frankly, I kind of doubt that these three women even posed together for this picture.

Some of the pictures in this series are much worse than others...


Dear Louis: While fabrics may be diaphanous, people are not. And while models may be vamps, they are not vampires. Please fix the left mirrors. You know, the ones with the time-delay reflections that show the brunette in two alternate positions and don't reflect the blonde.

Dress For Success

While I can criticize these ads for pasting in people, changing reflections, and digitally altering lighting, I have to give Vuitton one piece of credit:

Beyond expected color enhancements (applied to the entire picture) and spicing blends (expected from a composite image), I have not detected any modifications to the clothing. Well done. Unlike Ralph Lauren and Victoria's Secret, Vuitton's pictures do not appear to be a product bait-and-switch.

When I was much younger (and had hair), I was an early adopter of new technologies. I had a touch screen on my computer back when this meant affixing a semi-transparent plastic sheet to the monitor and plugging it into the joystick port. I had one of the first Apple ][c computers (with amber monitor), I remember the excitement when EGA superseded CGA graphics, and I actually bought AMI Pro when it first came out for OS/2.

Unfortunately, there are three big problems with being an early adopter. (1) New technology is usually buggy, (2) new technology lacks support, and (3) new technology will probably become outdated quickly. The plastic touch screen didn't work very well and was very hard to program. Touch screens didn't become popular until the technology matured -- two decades later. EGA was quickly replaced by VGA and SVGA. And AMI Pro was so buggy that I ended up writing my dissertation in WordPerfect. (I still think that 1992's WordPerfect 5.2 is better than today's Microsoft Word.)

Due to my past experiences, I'm rarely an early adopter of new technologies. For example, I didn't buy my first DVD player until years after DVDs came out. Shortly after DVDs came out, there was a rumor about a better technology. Just as records were replaced by CDs overnight, I didn't want to start buying DVDs when everyone was switching to HD DVDs. I waited until I was sure that DVDs were not superseded. And I'm glad I waited; BluRay beat out HD DVDs, but the slow adoption rate tells me that my DVDs won't be outdated in the near future. (I know two guys who spent a small fortunes on their betamax and laserdisc collections.)

Wireless Broadband

More and more, I'm finding myself in situations where I need network access. Hotels, for example, either have very slow access for free, or no access at all. I hate driving 10 miles to find a bookstore or coffee shop that has free WiFi, and I cannot justify spending $12 to $25 per day for a hotel's paid Internet service. Besides the outrageous prices, there are limitations regarding when the 24-hour period ends. Some hotels are 24-hours from purchase, others are noon-to-noon or midnight-to-midnight. And if you shutdown your computer, then you may forfeit your paid 24-hour service.

More than once, I've found myself in an airport or parking lot and needing Internet access. I almost missed a contract because I couldn't get Internet access during a two-hour layover -- I had to wait 5 hours before I could get online.

Because of this, I've finally decided to break down and buy one of those wireless broadband services. Oh, what a nightmare! Right now, I'm just pricing and comparing services. Some of the things I have found so far:

• Unless you go with one of the big four (Sprint, Verizon, AT&T, or T-Mobile), you will likely not have coverage outside of a limited number of metro areas. Cricket's coverage map, for example, says that they don't offer 3G over most of Silicon Valley.
  
  
• Most either want a 2-year contract (with a $200 - $400 cancellation fee) or offer a no-contract option. Currently with T-Mobile, the only difference is the cost of the device (no contract means paying full price for the device), but there is no difference in the monthly rate. Verizon has a no-contract rate that is really expensive. They want as much as $15 per day for the days you use it (that matches most hotel's $12-$25 rate, and I don't have to buy a special device for hotel Internet access and hotels usually don't have a bandwidth limit).
  
  
• They all seem to offer two to three levels of Internet access. The lowest level is usually 50MB to 250MB per month. The mid range is 3GB to 5GB per month (a DVD is 4.7GB, so you can do the math -- it's 2-3 Hulu feature films per month). A few providers offer "unlimited" bandwidth, but then you're talking $60-$80 or more per month. That's really expensive for something that I really would only use when I am not in the office.
  
  
• Every single one of them says that they support Mac and Windows. Uh, what about Linux? I have that "Early adopter means buggy code" fear...
  
  
• While nearly all wireless broadband providers support 3G networks, some provide support for newer networks. For example, Sprint is rolling out their 4G network. T-Mobile is offering "HSPA+". And WiMax isn't dead yet. To me, this sounds like DVD vs BluRay vs HD DVD all over again -- but with a two-year contract that will lock me into the loser. I really want to wait until this settles out, but I'm hitting a business necessity.

Measuring Network Usage

Each of these services charge based on bandwidth usage. However, they don't really tell you much about it. For example, is 250MB per month a lot or a little -- for checking email, surfing the web, and doing basic business tasks (not downloading videos or playing online games).

While there are many programs for measuring real-time network usage, I couldn't find a program to tell me the cumulative total usage. Command-line programs like 'netstat -i' show the total number of packets, but not the total number of bytes. 'ifconfig' and 'nload' show the current byte totals, but that's from the start of the network interface and not from when I say "start measuring now!"

Anyway, using nload, I decided to monitor my network usage. Checking email, reading the web sites I usually read (CNN, USA Today, Photoshop Disasters, Facebook, and typical Google searches), and running VNC over SSH to access my office systems.

The net result? I consumed 50MB in the first 30 minutes. That's half of the allocation of Verizon's $15 pay-by-day plan and 25% of T-Mobile's monthly 200MB allocation. Over the course of the day, I will probably use between 200MB and 750MB of bandwidth. (I'm not always surfing the web.) Any plan offering less than 1GB per month is an expensive rip-off. (Your mileage will vary based on how you use the Internet.)

Fortunately, I'm only going to need this type of service for 1-2 hours per day and not more than 10 days per month. That comes out to about 20 hours at 100MB per hour, or 2G per month. However, that's based on today's usage. I'm very likely to see overages as I approach the middle of a 2 year contract and my needs expand.

Defcon!

Defcon is coming up next month. One of the big problems with Las Vegas is that there really is no good, free Internet on the Strip. Krispy Kreme (in Excalibur) and Coffee Bean and Tea Leaf (Planet Hollywood) offer hit-and-miss free WiFi -- when it works, it works well enough, but when it is down, they rarely know how to reboot the router. All of the Starbucks (in every hotel) only offer fee-based services -- if they offer WiFi at all. The Apple Store in the Fashion Mall has free WiFi, but that isn't exactly convenient. None of these free locations are open 24-hours a day.

Nearly all hotels offer fee-based Internet in your room. Some are wireless only, others have wired but you might need to bring your own cable. (I've been in too many hotel rooms where the in-room network cable was busted.)

Defcon does offer free WiFi to attendees, but I won't go near it. It is an actively hostile network. Even if you are not worried about someone hijacking your SSH or SSL connection (with client-side certs), they can still DoS your connection and attack the server's IP address. Oh, and don't think that Tor or SSL (without client certs) will save you -- last year, I heard that the Wall of Sheep ran their own Tor node as well as used man-in-the-middle attacks on SSL.

With Defcon coming up, I'm looking for a solid, reliable, secure-enough solution for Internet access. If I go 3G, I still won't use it at the conference... but back at the hotel room should be fine. (Right?) Is 3G the way to go? Are there other options? Which providers are best and include support for Linux? Hopefully this year I will guess correctly and choose well for the duration of a two-year contract. Oh, and what do people use in other countries? I might travel in the future and BlackHat in Europe sounds fun!

A little over a week ago a US intelligence analyst was arrested for submitting classified documents to Wikileaks. I have some serious issues about this arrest. While the analyst may have thought he was doing something ethically right, he went about it by doing something legally wrong. For example, while some of his wikileaked materials probably did need to be exposed (like the mistaken killing of two journalists and the subsequent cover up), how many operations and soldiers lives were put in danger by the leak?

I can hear some people right now saying "Huh? What?" Think about it. With the exception of leaked videos, the general public do not know our full, technical capabilities. As I recently heard on an NCIS repeat: the schematics for Air Force One are a secret. Hollywood just guesses at the layout. But here is SPC Bradley Manning, showing how things are really done. This is information that the enemy can use against us. By leaking an uncensored video with audio, Manning may have done far more harm than good; he exposed a cover up, as well as processes, procedures, and technologies that the United States and its allies use against real terrorists and threats to our nation.

There were also better ways to expose a cover-up. For example, he could have anonymously contacted a congressman. This would make the information public without releasing the video. Any anti-war congressman would have been a good choice.

While Manning may have thought that he was ethically correct in releasing the video, I cannot think of anything that would make leaking "an entire repository of classified foreign policy" documents, "260,000 classified U.S. diplomatic cables", or "a classified Army document evaluating Wikileaks as a security threat" ethically correct. Manning's actions look like treason to me.

From Bad to Worse

Wikileaks is intended as a forum for anonymous whistle blowers. If you are going to do something anonymously, then do it anonymously. Don't go around telling people that you were actually behind it. And if you're going to tell someone it was you, then don't tell it to a reporter. And of all the reporters you could talk to, don't choose one who has a history of unethical behavior!

That's right: Manning chatted with Wired's Adrian Lamo. When people create lists of hackers, they always include the notorious ones: Kevin Mitnick, Jonathan James (aka c0mrade), Max Ray Butler (aka Max Vision), Kevin Poulsen (aka Dark Dante), and others -- including Adrian Lamo (aka The Homeless Hacker). Even lists that don't list the "most notorious" include Lamo. (Thanks Adam for the link.)

Is there any reason to think that Lamo would not turn in Manning? I think not. Frankly, there are few reporters that I trust (very few). Most are more interested in sensationalism than accuracy. That, along with Lamo's established ethical lapses makes me distrust him more than most reporters. Manning put his trust in a reporter with a criminal record, and the reporter exposed his source for notoriety.

Looking for the Good

Every list of "hackers" that I found online mentioned the evil ones. The lawbreakers, criminals, and socially deviant ones. However, not all hackers are evil. I've recently had conversations about identifying good hackers. (Thanks to Mike, Bill, R., and the Internet Storm Center's handlers for the great insight.)

When it comes to naming hackers, people immediately recall the bad guys. I mean, everyone has heard of Kevin Mitnick, but who can remember the name of the guy who caught him -- without consulting Wikipedia or Google? (answer: Tsutomu Shimomura; half credit if you remembered John Markoff.)

Perhaps one reason is the postage stamp mentality. The US Post Office won't put someone on a stamp until they are dead. The reason: Bad people may continue to do bad things without harming their reputation. However, a good person may screw up at the end and tarnish everything they have previously done. So someone who is an awesome, positive role model and hacker today could be tomorrow's villain.

The other problem comes from the large number of good hackers who are better known by their software than their own actions. For example, Snort is an awesome piece of software, but who can remember that Martin Roesch created it? Roesch is a good guy hacker, but his software is better known than him. The same goes for Tatu Ylonen and Bjorn Gronvall (SSHv1 and SSHv2), Giorgio Maone (NoScript), and many other people.

The real question is: What sets a notable good guy apart from the rest? If writing good code is good enough, then certainly Flash, HTML, and Photoshop could also be included. (Their developers were not intentionally evil...) But can you actually say that someone changed how we act (or react) in a positive way?

I guess what I'm really wondering...
If you had one team of evil villains (Mitnick, Lamo, Poulsen, etc.) on one side, who would you stack against them as memorable good guys on the other side? (Mitnick vs Frank Abagnale Jr. -- after Frank turned good; Poulsen vs Mudge? Lamo vs ?)

Here's my short list of good guy hackers who's influence is far more than just code.

• Jim Christy and Clifford Stoll. They cracked the Hannover Hackers and brought international awareness to hacking as cyber espionage. Before that point, nobody realized the threat and all discussions were theoretical. Jim went on to found the Pentagon's first digital forensic lab and was the director of the Defense Cyber Crime Center (DC3) -- the first and largest computer forensics lab. (It just goes to show that a $0.75 accounting error can lead to more than a few pennies.)
  
  
• Mark Rasch. He spent nine years as the head of the United States Department of Justice computer crime unit. During that time, he was responsible for investigating the Hannover Hackers, Kevin Mitnick, and Robert T. Morris. He also helped the FBI and Treasury Department develop their procedures on handling electronic evidence.
  
  
• Phil Zimmermann. Without Phil, public crypto would probably still be nothing but underground software and munitions. Phil is more than just PGP -- today's PGP was created by a slew of developers. The remarkable element is how Phil paved the way for the world to use cryptography.
  
  
• Marcus Sachs. A voice of reason, advising Presidents and helping set national policies on cyber threats. He's a hacker who's influence is more than just a piece of code. Marcus also heads the Internet Storm Center -- the ISC handlers are like the Super Friends or Justice League. (Is Swa Frantzen the Belgium equivalent of Gleek?)
  
  
• Jeff Moss (aka Dark Tangent). While not known for code or exploits, this geek has put together a world-renowned set of hacker conferences: Defcon and Black Hat. More earth shattering updates come from one week of these conferences than an entire year of Patch Tuesdays.
  
  
• Bruce Schneier. This cryptography guru continually exposes security theater, where peddlers use snake-oil and provably inaccurate beliefs to influence and set policies.

A couple of people mentioned Dan Kaminsky. Dan's a nice guy and has done oodles of good things by making vulnerabilities public -- and I am still in awe of how he handled that world-wide DNS update. However, he likes to get drunk while giving presentations at Defcon and other conferences... While Dan is fun to watch, public drunkenness doesn't exactly scream "role model".

There are plenty of other people I could add to this list. I'm curious who other people think should be listed here. Remember the requirements: good guy, computer security or computer forensics, hackers, and most of all, influence beyond their immediate field or software.

Last week was entertaining. I had the opportunity to assist in an interesting project -- part development, part forensics, and part penetration testing. Fortunately for me, I had a couple of Firefox plugins that really made the work easier. All of these plugins can be found by using the Tools -> Add-Ons menu under the Firefox web browser, or by going to https://addons.mozilla.org/en-US/firefox/.

NoScript

The NoScript plugin is an absolute must-have. As far as I am concerned, it should be part of the default Firefox installation. This plugin stops all JavaScript, Flash, and other objects from automatically starting. You can also block access to some web servers, or if you really like a site, then you can add it to a white-list of permitted, trusted sites. If there happens to be something you want to run, you can permit it on a case-by-case basis.

From a user's viewpoint, this is awesome. You don't have to worry about an unknown site sending malware to your browser. In my case, I didn't want to download videos, Java, and other stuff that would waste my CPU cycles and bandwidth.

Httpfox

When evaluating any kind of web-based service, either as a developer or as an auditor, you need to know what is being transmitted across the network. Usually I use Wireshark or Snort. The problem is, these only work well if you use HTTP and not HTTPS. With HTTPS, you cannot see the traffic inside the tunnel (without compromising the tunnel).

Fortunately, I had Httpfox. This plugin is like having Wireshark in the browser! It shows you all data that the browser sends and receives -- the URLs, request and response headers, cookies, post data, and query parameters.

This plugin is great for auditing, but does have a few minor limitations. Specifically, if any of the values are longer than the visible fields, you don't get scroll bars. You can work around this by copying values to the clipboard, but that isn't an ideal solution.

Firebug

While Httpfox shows the network traffic, Firebug shows the HTML content. And this isn't just the HTML that was sent to your browser... it is the HTML that is displayed. If the web page includes JavaScript or active CSS content that alters the web page, then Firebug will show you the rendered values.

Besides viewing the page, you can also edit the currently-displayed web page. If you are testing parameters, playing with web forms, or trying out different style sheet settings, then this is a must-have.

Finally, you can click on the little arrow icon and it enables an inspector. As you hover the mouse over various elements on the web page, Firebug displays the active HTML elements (both HTML code and style sheet values). As a web developer, you've probably had times where you wondered "Where do I define that border?" Well, the inspector quickly answers this.

Add N Edit Cookies

This plugin is an oldie but goodie. Httpfox shows you queries, but does not allow you to edit. Firebug allows you to change the active HTML, so you can edit query parameters and URLs, but you cannot alter cookies. The "Add N Edit Cookies" plugin completes the set by allowing you to view and edit cookie values. (There are two versions of it. One is for older browsers and the other is for newer browsers.)

There are a couple of other plugins for editing cookies. However, I like this one because it is simple to use.

All Together

With these four plugins, we were able to easily access our web services, debug the network traffic, view and test dynamic web content, and even validate cookie settings. With NoScript, we were able to restrict the content that the server sent to the browser and control exactly when different calls were made.

In the old days, we would need to hack the SSL tunnel and use custom scripts to manage queries. Today, we can evaluate and modify the system in real-time and with just a few plugins.

In my blog entry on random thoughts, I mentioned that Google plans to offer SSL for web searches (HTTPS instead of HTTP) and that SSL was a placebo. A couple of people asked for more information about my claim. The problem is, most criticisms about SSL don't cover everything. (And it would be egotistical for me to mention that all of these points are covered in my first book, Introduction to Network Security.)

Here's a quick summary of the problems with HTTP over SSL (aka HTTPS).

Strengths

Let me start by covering what SSL really does. Secure Socket Layer (SSL) is not a cryptographic algorithm. Instead, it is a framework. There are a wide variety of algorithms for data encryption (e.g., AES, DES, Triple-DES, Blowfish), encoding (8-bit, 256-bit, 64-byte), chaining (e.g., CBC), checksums (e.g., MD5 or SHA1), and key exchange systems (Diffie-Hellman, RSA, etc.).

These different algorithms can be combined. For example, ADH-AES256-SHA says to use an Anonymous Diffie-Hellman key exchange with 256-bit AES encryption and a SHA1 checksum. Since some combinations don't really make sense or are cryptographically weak, there are some pre-defined combinations. SSLv1 defines a set of combinations that work well, SSLv2, SSLv3, and TLS offer revisions to the "good enough" cipher sets. (And I'm not going down the weak SSL cipher options in this blog. Let the cipher punks argue the fine details.)

So what does SSL do? It provides a framework for an SSL client to negotiate ciphers with an SSL server. In effect, the client says "I support the following ciphers" and the server says "I'll choose this combination!" SSL also permits the client and server to renegotiate ciphers during the communications.

This is a huge strength for SSL; it allows clients and servers to negotiate algorithms and talk the same cryptographic language. However, like most tools, SSL can be applied incorrectly. And that's the problem with HTTP over SSL.

HTTPS

HTTPS uses certificates for authentication. Basically, there is a trusted third-party who can validate the certificate. The connection dialog looks like this:

1. The web browser connects to the server using SSL.
   
2. The server sends a server-side public certificate to the client.
   
3. The client connects to the certificate authority and says "Yo! I got this server information. Is it valid and authentic?"
   
4. The trusted third-party checks the data and sends back a yes or no.

If the challenge succeeds, then the rest of the SSL negotiation is performed (e.g., let's use RSA with AES256 and SHA1) and they start using the agreed ciphers for encoding the HTTP traffic. (The crypto is a little more significant, but this generalization gets the point across.)

There's a few problems with this system and they lead to the placebo effect.

SSL Hijacking and Client-Side Certs
After establishing the SSL connection, the network traffic is secure enough. You're not going to worry about someone taking over your session or seeing your data transfer.

However, the initial negotiation can be compromised. One example is the "man in the middle" attack (MitM). Your initial SSL connection is intercepted by a hostile system. (Rather than connecting to your bank, another server sees the request and responds before the bank can respond.) It issues the server challenge using a valid certificate. The third-party says "yes, its authentic" even though it is for a different server. Then, your browser is securely connected to the MitM and the MitM forwards all requests to the bank. In this attack, your traffic is encrypted... but the attacker is part of the encrypted path and can see everything!

Part of the server-side information is the name of the trusted third-party. Thus, the attacker can control both the server and the "trusted" party who does the authentication. Of course, why even need a third party? Some servers self-verify (I am the server AND you can trust me) -- that's bad because there is no "third-party" to trust.

Relying on the Human
The biggest problem with HTTPS comes from the web browser. Browsers don't just reject bad certificates. Instead, they prompt the user. (As if the user knows better...) Sample prompts include:

• Self-signed alert: The server is using a self-signed certificate. Accept? (Yes/No)
  
• Unknown certificate authority: The server has specified a trusted third-party server that the browser has never seen before. Accept? (Yes/No)
  
• Expired: The server's certificate has expired. Accept? (Yes/No)
  
• Failed: The server's certificate could not be validated. Accept anyway? (Yes/No)

With humans, we know what we want to do. You want to go to your bank. You want to visit that web site. You know that if you do not accept the bad/invalid/unauthenticated certificate, then your browser will block your access. So you accept it -- since that is the only way to continue. And by accepting, you are approving a no-security option.

For real security, the browser should reject the connection without prompting the user. I mean, seriously, if the server certificate is bad (invalid, unverifiable, or expired) then there is no way a human can safely say "use it anyway". An invalid certificate should generate an error, and the error should say that the server is not acceptable.

Little Locks
As if prompting the user was not bad enough, SSL connections are associated with a small picture of a lock (or key) in the web browser. This gives the impression that SSL is secure, when it really isn't. For example, one of the available ciphers is the "null" cipher -- it does not encrypt data. Even though the data is transmitted in plain text, you will still get the little lock... because the lock means "SSL" and not "secure".

There are also issues around when the lock appears. For example, "https://www.paypal.com/" links to a bunch of different servers (paypal.com, paypalobjects.com, ebaystatic.com, and paypal.112.2o7.net). However, clicking on Firefox's lock icon (bottom right corner) will only show you the details for the main web page's SSL connection and not for the connections to subsequent servers. Also, the little lock will only appear if the first/main URL uses https, even if the dependent links on the page use SSL.

Client-Side Certificates
The common HTTPS configuration only uses server-side certificates. This allows the client to authenticate the server (assuming you trust the third-party authentication server). However, this does not authenticate the client with the server.

The best security method uses server certificates to authenticate the server and server-assigned client-side certificates to authenticate the clients. Now, a MitM cannot intercept traffic because it cannot authenticate or validate the client-side certificate. This is a very secure method.

Unfortunately, (AFAIK) no online banks provide client-side certificates. This is probably because the browser's user interface makes client-side certificate installation difficult. Supporting these means a whole new level of Help Desk Hell.

Leaving the Tunnel
Assuming no MitM and a validated connection, SSL creates a secure tunnel for passing traffic between the web browser and server. This makes you safe, right? Well, yes... as long as the developers of the web site don't switch you from SSL to non-SSL. Unfortunately, this is very common. You may login to Yahoo! Mail using SSL, but pictures, ads, and text may still be sent to you from outside the SSL tunnel.

Here's a fun experiment for Firefox users: Connect to a site using SSL. View the page information (Tools -> Page Info). Does every URL used by this page begin with "https" and use the same server? Every instance of a non-SSL connection or a different server means that you could be passing information outside of the SSL tunnel.

Misunderstood Security
Between marketing, magazines, and bad online advice, regular users have learned to equate "SSL" with "Security". But seriously, where is the security in SSL? It's in the name: Secure Socket Layer. (Kind of like the confusion created by calling the web programming language "JavaScript" -- it isn't Java and isn't a script. Thank you marketing.) Remember: SSL is a framework for negotiating secure communications; it is not secure communications.

Unfortunately, regular users are under the impression that using SSL will stop their connections from being hijacked, safely transmit data, stop phishing, and prevent them from downloading viruses. The truth is, SSL without certificates can be easily hijacked, users may still transmit data in plain text, users may (and usually do) choose to bypass the available security, and SSL does nothing to block harmful sites. A server infected with a virus can easily pass the virus to browsers via HTTP or HTTPS -- but with HTTPS the virus will be transmitted more securely. (Yippee! Nobody hijacked your session that downloaded a virus!) Some phishing sites even use registered server-side certificates -- they can impersonate your bank and use SSL without a problem.

Why Bother?

These are not the only problems with SSL, but these are some of the big ones. With all of these issues, why do we even use SSL?

I refer to SSL as "better than nothing" security. It isn't ideal, does not mean you are safe, and does not stop malicious sites from sending you hostile information. (For servers, SSL also does not stop anyone from attacking your server.) However if you have no other option, then SSL is better than sending data in plain text. You may not know who received your data and may still be using a MitM, but at least other people won't be able to see your traffic. And frankly, until a better solution is developed and becomes widely adopted, SSL is the only realistic option right now.

Consider SSL to be on par with WEP security for wireless networks. WEP is easy to crack, uses a weak password, and is not the recommended solution. But, it is better than nothing.