
I can't believe that they are outright naming vulnerable sites, that is really classless. Even if the data could be gathered by an attacker now that a vulnerability is known, you don't need to go the extra mile to provide it.

I disagree. If seeing their name on this list lights a fire under them to fix it that much faster, this is a good thing. Besides, if you are an attacker capable of exploiting this vulnerability in the wild, this is the first and easiest part of the process. Scanning the top 1M sites would take you no time at all.

Edit: what really is annoying is that the sysadmin guide is "Coming Soon!". That is the irresponsible part: "here look we broke TLS, we'll tell you how to fix it at 11!"

It is "Coming soon", but if you click on it the section of the page it links to does tell you what to do (disable export ciphers), and furthermore links to a detailed guide [1] on setting up a secure set of ciphers, which even includes an automated configuration generator [2].

To be honest, I'm not sure what more they're hoping to add there.

[1] https://wiki.mozilla.org/Security/Server_Side_TLS#Recommende...

[2] https://mozilla.github.io/server-side-tls/ssl-config-generat...

I really disagree with your perspective here, but I do concur that a fast fix is desirable for any impacted site. Notifying impacted sites ahead of public disclosure would have been a better move, and particularly ahead of public shaming and attacker targeting.

While these notifications may have gone out, there is no reference to any such thing on the page. Also: do they plan to update this list? Or are these sites to be shamed forever?

edit: and yes, the lack of a steps-to-fix is unforgivable. This feels like a race to be first rather than a race to responsibly release and resolve the issue all around.

Especially considering that the fix is beyond trivial:

  Apache: SSLCipherSuite ALL:!EXPORT
  nginx: ssl_ciphers 'ALL:!EXPORT'
(although you shouldn't use ALL, this is just an example; use https://mozilla.github.io/server-side-tls/ssl-config-generat... if you don't know what to do)
> Notifying impacted sites ahead of public disclosure would have been a better move

Notifying that many affected websites is practically the same as making it public, and could've resulted in letting attackers know about this before the public (and any affected websites that aren't on your list) knows about it and is able to fix that.

I don't understand why they didn't first contact the website owners. Isn't this exactly what the WHOIS technical contact is for?
There are too many names on that list - not to contact, but to trust. To everyone that you give secret advance notice, you're potentially handing a zero-day.
That's true. Have they contacted them now? Do these places which will only fix a problem if they're shamed into it actually know that they are on the wall of shame?

More to the point: has a widespread public vulnerability ever before been released alongside a list of everyone who is vulnerable to it? I can't recall such a thing ever happening.

The same folks providing the list this time around also made one for Heartbleed. It was posted roughly the same time as the initial disclosure, from what I recall.

http://web.archive.org/web/20140411064356/https://zmap.io/he...

So they did, I wasn't aware of that.

This sort of proves my point from another comment: they stopped updating the list shortly after it was posted, and so all of these domains are forever stuck on the shame list.

Viewing domains from the Alexa top 1M list so many times today also makes it very clear that it is total crap.

One cannot realistically expect a secret to remain with that many people.
Just food for thought (I agree with you that if you call yourself an attacker this is baby stuff enumerating over the top 1M sites): would the author publish google.com or twitter.com if google.com / twitter.com was among one of the affected sites? Would we consider google.com more important than sohu.com and with that we would less likely publish google.com without first notifying Google? You certainly can do your due diligence by notifying everyone on that list, give a one day and then publish the full closure? I don't know. But I am interested in the timeline and it looks like this CVE might have been out for a while?

Certainly there is one site ranked #27 but I doubt you will get anything out of reporting that to the site administrator. I am pretty sure that site (a Chinese portal and search service) does not have a bug bounty.

google.com was never going to be on the list, because the researchers specifically talked to Adam Langley at Google ahead of the public disclosure [1] and thus provided advance warning.

Some companies will always receive early warnings about major security vulnerabilities, and that makes sense to gather details about the vulnerability and its exploits, and to minimize the negative impact of an announcement. Other companies get to find out about it the day of the public announcement -- but they don't generally also find themselves on a wall of shame the same day.

[1] https://www.smacktls.com/ under Acknowledgements

"The idea of a branded exploit – one that is carefully curated for easy consumption – is a new one. Historically obfuscation, either real or inadvertent, has been the watchword in computer security mostly because not everyone cared about major exploits. Heartbleed, in a way, was different. It was worldwide, very dangerous, and oddly photogenic. Whereas a Java exploit or Adobe Reader problem is “invisible” to the average user, the idea of a hacker watching your passwords scroll, Matrix-like without security systems setting off alarm bells is compelling and frightening. By creating a “bugs 2.0” page for the exploit, Codenomicon inadvertently allowed the average user to understand and potentially react to the problem."

http://techcrunch.com/2014/04/09/heartbleed-the-first-consum...

EDIT: To the OP, I totally misread your point. I thought you were complaining that people were naming vulnerabilities (i.e. FreakAttack, Heartbleed, etc), whereas you said "naming the sites that had such a vulnerability". I agree with you, it's a bit tasteless. My bad! I'm leaving my comment here anyway, because I do think it's worth noting the benefits of branding a known SSL bug/exploit.

How vulnerable is accessing these sites? If I tracert to them, the few that I have tried go from the isp to high tier transit to a cloud hosting company. Doesn't seem like much in the way of attack vector beyond someone with a court order access to servers along the route.
Or anyone who runs the wifi in a coffee shop.
And so the argument between "full" and "coordinated" (or "responsible") disclosure continues.

Unfortunately, this way is a lot of the time the only way to get a company to patch. If they do patch at all, that is.

They're listing sites out of the top alexa rankings.

Anyone can do this scan themselves in minutes.

It's not a mile, it's a tiny hop and enough simpler than writing exploit code that it's negligible.

Export cipher suites have been known to be weak for years.
They have been known to be weak literally since their inception. The entire reason for export cipher suites was to create encryption that could be broken by the US government.

No one should have permitted them since the export control was lifted in 2000.

That does not change the fact that some sites did in fact continue to permit them as 'last resort' ciphersuites, to ensure total browser coverage. This did not compromise site security for users who supported actually secure ciphersuites -- until now.

Responsible disclosure should mean that impacted sites (if they have been identified) should be informed before being publicly shamed. Doesn't matter if they were doing something dumb, it wasn't a known security vulnerability before now.

I was very amused to see whitehouse.gov in the list of vulnerable sites.
