ZeroBin
HTTPS - Certificate issues on sebsauvage.net
It's very bad for such a sensitive service to use the Cloudflare service. Cloudflare (free) SSL services are basically HTTPS with MITM built-in. More information e.g. here: https://scotthelme.co.uk/cloudflares-great-new-features-and-why-i-wont-use-them/
A better way is to use your own certs. And there are CAs which offer free certificates, so you can actually use them. E.g. StartSSL, WoSign or (when it finally launches) Let's Encrypt, which also makes it much easier to configure your server.
PS: This also applies to @gboddin's mirror which also uses Cloudflare's SSL cert.
@rugk I agree but let's think a bit :
It depends on the level of privacy you want to achieve: no cleartext information ever touches the wire as long as no JavaScript is inserted by Cloudflare/Google Analytics/etc. (which I made sure to disable).
All Cloudflare sees is encrypted data since they won't get the key from the url fragment either.
They admittedly get your IP and the date at which you posted/viewed (but they don't know what you actually posted/viewed).
For the MITM part: they also have the opportunity to alter the response going to your browser, sure, but if you use a hosted service like mine or the author's one, this is actually always true, so ... no loss for you here.
Feel free to host yourself without a CDN, it's the only improvement I can see to your need.
Hope it helps gain some perspective.
I think of ZeroBin as software (which you should install on your own server and there is virtually no excuse for not doing that ;-) ) rather than a service. There are certainly some public ZeroBins out there, some of which have security issues at different levels.
Please note that @sebsauvage is only briefly active here every 2-3 years, so it is unlikely this will be changed in the foreseeable future.
@gboddin Of course the MITM part is the bad thing. Cloudflare can inject any JS and send the encryption key used to itself.
And of course the hosting provider can do the same. But you may trust your hosting provider more than Cloudflare. And obviously it's good to have not so many actors in the connection. Additionally Cloudflare just breaks the whole concept of HTTPS with their MITM certificates. If you use Flexible/Universal SSL you even end up with an unencrypted connection from the host server to Cloudflare. When using Keyless SSL Cloudflare at least uses a system to manage a fully encrypted connection, but that's another technology you have to trust and which could have weaknesses. "Full SSL (Strict)" is the only basically acceptable way to go there.
Also have a look at the article from Scott I've already linked to (it's a good read!). He also speaks about the problem of the hosting provider:
> This blog isn't hosted on hardware I own [...], it's a virtual container alongside many thousands of others hosted on DigitalOcean. They have access to all of my traffic and my private key, much like Amazon or any other cloud hosting provider would. Is bringing this 3rd party into my circle of trust any different to bringing in someone like CloudFlare? [...] Hosts need to be responsible and ensure that if they are using encryption, that at any point our data is on a public network, it is encrypted. The temptation is there for too many to act in an irresponsible way and CloudFlare seem to be supporting that behaviour.
@ulikoehler Yes as a software for self-hosting it's nice. It would just be good if the "main server" would set a good example when it comes to security. :smiley:
What's much worse is that http://sebsauvage.net/paste/ does not redirect to HTTPS, so it effectively leaves all this data unprotected. All JS encryption does not help anything if you can tamper with the JS to encrypt/decrypt it.
Besides this the website now returns a fake certificate:
Whether this connection was intercepted or it's just a misconfiguration (although this would mean @sebsauvage - or wait..., no... - Cloudflare has broken something there) - okay, no. It's obviously a traffic interception by celrec.com which seems to be near the remote Cloudflare server where this stuff gets transferred from. This started in the last minutes. Obviously some/a people/organisation(s) is/are quite interested in reading this data from http://sebsauvage.net.
FYI https://sebsauvage.net/paste/ still has this certificate problem...
@gboddin And https://paste.siwhine.net is down BTW.
Any news about the certificate issues?