
Are your credit card details safe? Network Solutions .com domain name purchase or renewal only allowed via obsolete SSL version 2

Today we tried to renew a .com domain name registered with Network Solutions, the company which, although it no longer holds the monopoly, is still the registrar for the majority of .com and .net domain names.

The run-up to Christmas is the busiest time of year for both "bricks and mortar" and "e-commerce" retailers. One of the standard security barriers used to protect the privacy and security of personal data and of online credit card transactions via the world wide web, although it is not infallible, is Secure Sockets Layer (SSL) or Transport Layer Security (TLS) session encryption between a web server and a web browser. This technology is not perfect, but it does offer protection against whole classes of attacks, and without its widespread use things would be even worse than they are today.

So why were we unable to complete the credit card transaction on this major e-commerce website ?

SSL is usually deployed with a Digital Certificate as part of the default system of one-way trust, in which the web browser verifies the identity of the web server. More sophisticated and expensive two-way (mutual) trust, where the web browser and the web server each check the other's certificate, is possible even on the public Internet, but in practice it is only used with pre-registered web browsers, by customers of a particular financial institution, or on the intranet systems of big companies and governments.

However, when we filled in the form on the Network Solutions website and got to the part asking for credit card details, we should have been connected to a Secure Sockets Layer protected page.

What then happened was that with Mozilla Firefox we got a pop-up dialog box saying "You cannot connect to www.networksolutions.com because SSL version 2 is disabled".

We tried Microsoft Internet Explorer, which is still used by the vast majority of people, and got no such message; the session just eventually timed out.

Was this e-commerce website under-specified for the Christmas rush, was it under a Denial of Service attack, or was there a problem with the Digital Certificate?

The unencrypted web pages were fine, and the secure web form seemed to reside on the same server.

Checking with Netcraft we could see that http://www.networksolutions.com was probably running Netscape-Enterprise/6.0 web server software on the Solaris 9 operating system when Netcraft last queried it at 22-Dec-2004 09:48:04 GMT, and had probably been doing so since 6-Aug-2004, before which Network Solutions was on the VeriSign infrastructure (the two companies merged earlier in the year).

We inspected the Digital Certificate (after switching SSL version 2 back on in the web browser), and it seemed OK:

Version: 3
Serial Number: 1F6D 649A 5DCF 20E6 E608 17AB AD23 F7CF
Signature Algorithm: sha1RSA
Issuer: OU = Secure Server Certification Authority, O = RSA Data Security, Inc., C = US
Valid from: 08 September 2004 00:00:00
Valid to: 08 September 2006 23:59:59
Subject: CN = www.networksolutions.com, OU = Registrar, O = Network Solutions, Inc., L = Herndon, S = Virginia, C = US
Public Key (the DER below decodes to a 1024-bit RSA modulus with public exponent 65537):
3081 8902 8181 00E7 35D4 780A A510 66C2 2280 F76E
20B0 A89F 320F 87F8 8D24 AF55 DB3C B6A9 78F9 2AA2
567F E4C7 93A4 AF67 D050 947B 02C1 EF96 90B4 F97B
F4F2 2ED4 2BB7 5DDC B2B6 3AB3 9110 D2E4 A889 4817
57F6 BA78 DF2C AC93 C8F3 7E12 4FA0 E253 B8C4 424F
7744 36E9 F58E 4700 2709 B556 237C 72B9 FDB3 CC00
6B31 0EE2 35A8 D8AE C470 5034 CDE4 C102 0301 0001

Basic Constraints: Subject Type = End Entity, Path Length Constraint = None
Key Usage: Digital Signature, Key Encipherment (A0)
CRL Distribution Points: [1] CRL Distribution Point, Distribution Point Name: Full Name: URL=http://crl.verisign.com/RSASecureServer.crl
Certificate Policies: [1] Certificate Policy: PolicyIdentifier=2.16.840.1.113733.1.7.23.3, [1,1] Policy Qualifier Info: Policy Qualifier Id=CPS, Qualifier: https://www.verisign.com/rp
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)
Authority Information Access: [1] Authority Info Access: Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1), Alternative Name: URL=http://ocsp.verisign.com
1.3.6.1.5.5.7.1.12 (the id-pe-logotype extension, shown as raw bytes; the ASCII column reveals an image/gif at http://logo.verisign.com/vslogo.gif):
30 5F A1 5D A0 5B 30 59 0_.].[0Y
30 57 30 55 16 09 69 6D 0W0U..im
61 67 65 2F 67 69 66 30 age/gif0
21 30 1F 30 07 06 05 2B !0.0...+
0E 03 02 1A 04 14 8F E5 ........
D3 1A 86 AC 8D 8E 6B C3 ......k.
CF 80 6A D4 48 18 2C 7B ..j.H.,{
19 2E 30 25 16 23 68 74 ..0%.#ht
74 70 3A 2F 2F 6C 6F 67 tp://log
6F 2E 76 65 72 69 73 69 o.verisi
67 6E 2E 63 6F 6D 2F 76 gn.com/v
73 6C 6F 67 6F 2E 67 69 slogo.gi
66 f

Thumbprint algorithm: sha1
Thumbprint: 7537 5442 0ED1 BA6C 7ED1 A883 0BF6 7664 976D 7526


Perhaps someone at Network Solutions should read:

iPlanet Web Server, Enterprise Edition Administrator's Guide, Chapter 5 Securing Your Web Server

"During a secure connection, the client and the server agree to use the strongest cipher they can both have for communication. You can choose ciphers from the SSL2, SSL3, and TLS protocols.

Note
Improvements to security and performance were made after SSL version 2.0; you should not use SSL 2 unless you have clients that are not capable of using SSL 3. Client certificates are not guaranteed to work with SSL 2 ciphers."

So it is probable that, instead of ticking the SSL 3 and TLS 1 checkboxes, for some reason only the checkbox for the older, weaker, obsolete SSL 2 protocol was ticked.
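The quickest way to confirm a misconfiguration like this from the outside, independently of any browser's settings, is to send the server each protocol's opening hello on a fresh connection and look at what comes back: an SSLv2-only server answers an SSLv2 CLIENT-HELLO with an SSLv2 SERVER-HELLO and gives no usable answer to an SSLv3/TLS ClientHello, which is exactly the "just times out" behaviour Internet Explorer showed above. The following probe is an added example written for this post, not code from the original article or from Network Solutions. It builds both hellos on the wire directly, because current OpenSSL and Python builds cannot emit an SSLv2 hello at all, and the sample server responses at the bottom are constructed by hand for offline testing, not captured from any real server.

```python
"""Probe which SSL/TLS protocol versions a web server will actually negotiate.

Added example for this post, not code from the original article or from
Network Solutions. It speaks the SSLv2 and SSLv3/TLS wire formats directly;
the sample responses at the bottom are constructed for offline testing.
"""
import os
import socket
import struct

# SSLv2 CIPHER-KINDs (3 bytes each): RC4-128-MD5, RC4-40-MD5, RC2-128-MD5,
# RC2-40-MD5, IDEA-128-MD5, DES-56-MD5, 3DES-168-MD5.
SSLV2_CIPHERS = bytes.fromhex("010080" "020080" "030080" "040080" "050080" "060040" "0700c0")
# A few SSLv3/TLS cipher suites (2 bytes each): RC4-MD5, RC4-SHA, 3DES-SHA, AES128-SHA, AES256-SHA.
TLS_CIPHERS = bytes.fromhex("0004" "0005" "000a" "002f" "0035")
TLS_VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def sslv2_client_hello(challenge=None):
    """SSLv2 record (2-byte header, top bit set, 15-bit length) carrying a CLIENT-HELLO."""
    challenge = challenge or os.urandom(16)
    body = (b"\x01"                                    # MSG-CLIENT-HELLO
            + b"\x00\x02"                              # CLIENT-VERSION = 2.0
            + struct.pack(">HHH", len(SSLV2_CIPHERS), 0, len(challenge))
            + SSLV2_CIPHERS                            # cipher specs, no session id,
            + challenge)                               # then the challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def tls_client_hello(version=(3, 1), client_random=None):
    """SSLv3/TLS record (type 0x16) carrying a ClientHello; version (3, 0) asks for SSLv3."""
    client_random = client_random or os.urandom(32)
    hello = (bytes(version) + client_random
             + b"\x00"                                         # empty session id
             + struct.pack(">H", len(TLS_CIPHERS)) + TLS_CIPHERS
             + b"\x01\x00")                                    # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def classify_response(data):
    """Describe the first bytes a server sent back after one of the hellos above."""
    if not data:
        return "no response (connection closed or timed out)"
    if data[0] & 0x80:                                 # SSLv2 two-byte record header
        if len(data) >= 7 and data[2] == 0x04:         # MSG-SERVER-HELLO, version at bytes 5-6
            return "SSLv2 SERVER-HELLO (server version 0x%02x%02x)" % (data[5], data[6])
        if len(data) >= 5 and data[2] == 0x00:         # MSG-ERROR with a 2-byte code
            return "SSLv2 ERROR (code 0x%02x%02x)" % (data[3], data[4])
        return "SSLv2 record with unexpected message type"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake/ServerHello
        name = TLS_VERSION_NAMES.get((data[9], data[10]), "version %d.%d" % (data[9], data[10]))
        return "ServerHello, negotiated " + name
    if data[0] == 0x15 and len(data) >= 7:             # alert: level, description
        return "alert (level %d, description %d)" % (data[5], data[6])
    return "unrecognised response: " + data[:8].hex()


def probe(host, port=443, timeout=5.0):
    """One fresh connection per hello, since a server that rejects a hello may simply hang up."""
    hellos = (("SSLv2", sslv2_client_hello()),
              ("SSLv3", tls_client_hello((3, 0))),
              ("TLS 1.0", tls_client_hello((3, 1))))
    results = {}
    for name, hello in hellos:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(hello)
                results[name] = classify_response(sock.recv(4096))
        except OSError as exc:
            results[name] = "connection error: %s" % exc
    return results


# Constructed sample responses for offline testing (not captured from any real server):
# an SSLv2-only server's SERVER-HELLO offering RC4-128-MD5, a TLS 1.0 ServerHello
# choosing AES128-SHA, and the fatal protocol_version alert a modern server sends
# when offered SSLv3.
SAMPLE_SSLV2_SERVER_HELLO = bytes.fromhex("801e" "04" "00" "01" "0002" "0000" "0003" "0010" "010080" + "00" * 16)
SAMPLE_TLS_SERVER_HELLO = bytes.fromhex("160301002a" "02000026" "0301" + "11" * 32 + "00" "002f" "00")
SAMPLE_PROTOCOL_VERSION_ALERT = bytes.fromhex("1503010002" "0246")

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: sslprobe.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for proto, verdict in probe(sys.argv[1], port).items():
        print("%-8s %s" % (proto, verdict))
```

A server configured as this post suspects would report an SSLv2 SERVER-HELLO on the first line and "no response" or an SSLv2 ERROR on the other two; a correctly configured one reports the opposite. Run against any server you administer before the busy season rather than finding out from customers' browsers.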

Given the various security holes involving remote buffer overflows and denial of service attacks in various pieces of software implementing SSL version 2, and given that the improved SSL version 3 and TLS version 1 are available in almost every web browser these days, we always switch off SSL version 2 when configuring our web browser software, on the assumption that this should cause no problems with any major e-commerce retailer taking credit card transactions in the 21st century.

Of course, we were wrong to make this assumption.

In practical terms, once an SSL version 2 session has been set up, the bulk encryption is much the same as in an SSL version 3 or TLS version 1 session, since the cipher algorithms and the software implementing them are largely the same. However, the SSL v2 handshake is not integrity-protected, so a man-in-the-middle can silently force both ends down to the weakest cipher they share (cipher-suite rollback); it uses the same key for encryption and for its MD5-based message authentication; and it has no protected close message, so an attacker can truncate a session without either side noticing. Those weaknesses are why the risks of man-in-the-middle and denial of service attacks are greater with SSL v2, and why SSL v3 and TLS 1 were developed in the first place.

Obviously, if you are one of the majority of people who, through ignorance, are happy to accept the default security settings in your web browser, which has SSL version 2 support turned on by default, then you will probably not have noticed any problem.

However, one really does expect better from a major online company that does virtually all of its business via e-commerce, and which is owned by the company that supplies most of the world's SSL server Digital Certificates. If they do not have management procedures in place to regularly and independently review the security of their front-end, customer-facing web servers, which generate almost all of their income, then what confidence can a customer have that the rest of their systems are being run to the highest professional standards?

If even these world experts can misconfigure their own e-commerce servers, then what hope is there for the UK Government, its favourite Big Consultancies and favourite Big IT Outsourcing companies to be able to make secure a project such as the National Identity Register, where the privacy and security risks are so much greater ?

TrackBack

Listed below are links to weblogs that reference Are your credit card details safe? Network Solutions .com domain name purchase or renewal only allowed via obsolete SSL version 2:

» SSL version 2 only misconfiguration at Network Solutions .com domain name registrar from e-nsecure.net blog
It seems that the former monopoly .com domain name registrar Network Solutions has misconfigured its Netscape-Enterprise/6.0 webservers to only accept the obsolete Secure Sockets Layer version 2 session encryption protocol. c.f. Spy Blog: "Are your cre... [Read More]

Comments

Strange, I had the same problem with Godaddy.com
