Users Ignore Bad Certificates Way too Often (Blog Post #3)

If you’re anything like most users, you may be actively putting yourself at risk with your web browsing behavior. A study conducted by Berkeley and Google, presented at the 2013 USENIX Security Symposium, found that Google Chrome users click through 70.2% of all SSL warnings. Although there are occasionally legitimate reasons to bypass a security warning, if you don’t understand what the warning means, that is not a decision you should be making.

When using the web, have you ever seen a page like any of these?

[Screenshots of certificate warning pages in Microsoft Edge, Mozilla Firefox, Apple Safari and Google Chrome]

You would think that all the bright colors, bold red text, and strongly worded instructions to leave would keep users away. Some browsers won’t even let you proceed until you navigate through an “advanced” menu and state that you’re going against the browser’s recommendation, but time and again I see people ignore everything. I’ve seen everyone from pilots filling out sensitive paperwork to computer science students skip past these pages without pause, only to later admit they had no idea why the page popped up.

These pages are each browser’s response to a bad certificate. Using public-key cryptography, a website presents your browser with a certificate to prove it is not an imposter. If that certificate does not check out, the browser lets you know, as in the examples above. If you aren’t expecting to see this page, you really should not proceed. There are some common misconfigurations on your end that can cause this type of error, but you should rule those out first rather than put your safety on the line.

One common reason for this error is that your browser does not trust the authority that issued the certificate. For a certificate to be valid, a Certificate Authority (CA) must vouch for it by signing it. What if your browser doesn’t already trust that CA? Another CA can sign for it. By having higher-level CAs sign for lower-level ones, a chain of trust is established. Your browser works its way up the chain until it recognizes one of these CAs. Once it finds that trusted link, it can trust everything below it.

[Illustration: a chain of trust from the site certificate up through intermediate CAs to the root CAs, shown in purple]

Problems arise when your browser trusts none of the links in the chain. Consumer computers come with the common root certificate authorities (purple in the illustration) installed by default, but some organizations choose to run their own chain of trust. This practice is common in high-security and military organizations and at academic institutions. It is very easy, however, to install an additional root CA, so this should never be an excuse to ignore a warning. Just contact the organization in question and request their root CA certificate through a channel you already trust.

Another possible reason you might see this warning on a legitimate webpage is that your computer’s clock or calendar is set incorrectly. Certificates are only valid for a set period of time, so if your clock is wrong your browser may conclude that the certificate is not yet active or has already expired. Fixing the clock is just as easy and is no reason to bypass a warning.
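To make the chain walk from the previous paragraphs and the clock check concrete, here is a small Python model of what a browser does with a certificate chain. It is an added example for this post, not the author’s code or any browser’s: “Example Root CA”, “www.example.edu” and the HMAC-based “signatures” are constructed stand-ins, since real certificates use public-key signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key: bytes        # stands in for the subject's public key
    signature: bytes  # produced by the issuer over the fields above

def _sig(issuer_key, cert):
    # HMAC over the "to-be-signed" fields stands in for a real public-key signature.
    tbs = f"{cert.subject}|{cert.issuer}|{cert.not_before.isoformat()}|{cert.not_after.isoformat()}".encode()
    return hmac.new(issuer_key, tbs, hashlib.sha256).digest()

def issue(subject, issuer, issuer_key, not_before, not_after, key=b""):
    """The issuer vouches for the certificate by signing it."""
    unsigned = Cert(subject, issuer, not_before, not_after, key, b"")
    return replace(unsigned, signature=_sig(issuer_key, unsigned))

def verify_chain(chain, trust_store, now):
    """Walk from the site certificate (chain[0]) up to a root in trust_store; return "OK" or a reason."""
    by_subject = {c.subject: c for c in chain}
    cert = chain[0]
    for _ in range(len(chain)):  # bounded so a looping chain cannot hang the check
        if not cert.not_before <= now <= cert.not_after:  # misset clock, or genuinely out of date
            return "NOT_YET_VALID" if now < cert.not_before else "EXPIRED"
        root_key = trust_store.get(cert.issuer)
        if root_key is not None:  # reached a link the browser already trusts
            return "OK" if hmac.compare_digest(_sig(root_key, cert), cert.signature) else "BAD_SIGNATURE"
        issuer = by_subject.get(cert.issuer)
        if issuer is None:  # nothing in the chain or the trust store vouches for this link
            return "UNKNOWN_AUTHORITY"
        if not hmac.compare_digest(_sig(issuer.key, cert), cert.signature):
            return "BAD_SIGNATURE"
        cert = issuer  # climb one link
    return "UNKNOWN_AUTHORITY"

# Constructed sample: an organization's private root signs an intermediate, which signs the site cert.
ROOT_KEY, INTER_KEY = b"root-key-placeholder", b"inter-key-placeholder"  # placeholders, not real keys
INTERMEDIATE = issue("Example Intermediate CA", "Example Root CA", ROOT_KEY,
                     datetime(2023, 1, 1), datetime(2026, 1, 1), key=INTER_KEY)
LEAF = issue("www.example.edu", "Example Intermediate CA", INTER_KEY, datetime(2024, 3, 1), datetime(2024, 9, 1))
CHAIN = [LEAF, INTERMEDIATE]
TRUSTED = {"Example Root CA": ROOT_KEY}  # what a member of the organization would have installed
NOW, PAST, FUTURE = datetime(2024, 6, 1), datetime(2019, 6, 1), datetime(2030, 1, 1)  # constructed clocks
```

With the correct clock and the root installed the chain verifies; an empty trust store gives UNKNOWN_AUTHORITY, and a clock set to 2019 or 2030 turns the very same valid chain into NOT_YET_VALID or EXPIRED.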

If it is not a misconfiguration, chances are that the webpage you are trying to view is not what you think it is. You could be presented with false information by the imposter, have any data you enter siphoned off for malicious purposes, or even be exposed to a malware infection simply by opening the page. Whatever the imposter’s goal, you want no part of it, and you gain very little by visiting the fake page.

You would think that this would be common knowledge, but time and again I see my classmates put themselves at risk by bypassing warnings. The unfortunate truth is that people simply are not adequately educated on the subject. This can change, but only with your help. Tell your friends to heed warnings and practice safe browsing habits. If you like this post, share it and, more than anything, stay cyberfluent.

What is Cyberfluency? (Blog Post #2)

The term “digital native” gets passed around a lot nowadays. Originally, the term was coined by Marc Prensky to describe children born after the information revolution, primarily to highlight the learning needs of this new generation. He argued that they would view the world differently after being exposed at a young age to the wonders of the internet. In his actual writing he tries to expose many of the negative effects of on-demand culture on modern children; however, modern use of the term carries a more positive connotation, referring to how easy it appears to be for children born into the information age to use computers. Unfortunately, this is just an appearance. The common use of the term alone shows that the motivation exists, but without support this motivation goes unused.

As we talked about last week, by the time digital natives get to college they’ve lost this technical drive and are suffering for it. Marc Scott has a really excellent post on a similar subject. I won’t go too far into detail on it, since you should read it, but he basically pulls lyrics from The Offspring and says “the kids aren’t alright.” He argues that, while the drive and motivation exist, developing minds aren’t given the tools to become cyberfluent. They become Facebook-fluent, YouTube-fluent, and meme-fluent, but for all their time online they are never given the resources or direction to really understand, in a valuable way, the computers they use daily.

Cyberfluency is exactly what it sounds like: fluency in cyber security. Although the problem exists in fields other than security, I’ll be focusing on this one because of its far-reaching effect on those without a working fluency in it.

Here’s a test to see if you are cyberfluent:

Explain the following sentence:

“[Superfish has] the same root CA private-key for every computer. This means that hackers at your local cafe Wi-Fi hotspot, or the NSA eavesdropping on the internet, can use that private-key to likewise intercept all SSL connections from Superfish users,”

  • Robert Graham, as quoted by Thomas Fox-Brewster for Forbes (article)

If this had you scratching your head, you might not be fluent.

On a basic level, what this means is that affected users could visit seemingly secure lookalikes of trusted sites (banks, Facebook, etc.) only to enter their credentials right into an attacker’s site. There are more implications than just that example, but at minimum that should concern you if you have a Lenovo laptop. Sadly, I have encountered numerous classmates who, after the second and now third time this has happened, have failed to show enough concern to protect themselves.

Cyberfluency is not mastery or expertise in the field of cyber security but a simple working knowledge of the tools and services you use every day. You rely on a Certificate Authority (CA) every time you open an SSL (encrypted/HTTPS) session to Facebook. Ask your technophile kids if they know the implications of Lenovo’s shenanigans and judge for yourself whether they are cyberfluent or just natives to Facebook.

Join me every week as I explore this type of literacy, cybercrime, and the problem’s educational roots. You too can become cyberfluent, and I hope I can help get you there.

Hate the Job Market? Employers do Too. (Blog Post #1)

College students often have trouble finding rewarding employment after graduation, yet there are numerous high-paying industries with negative unemployment fighting over their peers. While recent graduates don’t have too much trouble finding employment, according to a study by CareerBuilder more than half (51%) of recent graduates end up in jobs that don’t even require a degree. If the goal of higher education is to prepare students for the working world, a 49% success rate is unacceptable. Colleges owe their students a core curriculum that prepares them for the modern world.

This low rate of degree utilization makes sense considering degree choice. The job search site Glassdoor.com shows more than 50,000 postings for Software Engineering alone, but according to MatchCollege.com, fewer than 2,000 Software Engineering degrees were issued last year. Even combined with the 20,000 Computer Science degrees issued last year, this would fill less than half of the postings, and that doesn’t include similarly in-demand programming, tech support, and systems engineering jobs.

The career most affected by this lack of employable candidates is information security. In fact, a quick Google search for “negative unemployment” quickly reveals how much of an issue it is for the computer security field.

Ironically, Americans are earning degrees more often than ever before in history, yet technical graduates are still in huge demand. Students often claim that these degrees are too difficult or that they aren’t smart enough to earn these highly valuable degrees. As a computer engineer, I can guarantee that lack of intelligence is not the problem.

Knowledge and experience are often confused with intelligence. That’s where the problem lies. If you go back to that list of popular majors, all those unwanted degrees have one thing in common — they all tie in to the skills most students already have from previous classes. Business, liberal arts, psychology, and law all rely on communication and writing skills. Even the more technical popular majors have a foundation in mandatory material; biology is mandatory for freshmen at every university I can find, and I can’t think of anyone who claims they aren’t smart enough for accounting. For every general education class that requires students to solve technical problems, there are three history classes. Students are fed an unbalanced diet of general education, and this is hurting their future prospects.

While I don’t want to downplay the importance of these liberal arts requirements, their original goal was to create well-rounded, adaptable students who can succeed in a variety of environments. It’s plain to see that in the evolving educational landscape they are doing the exact opposite. By neglecting technical general education, students lose the confidence to pursue the most in-demand majors. Students choose low-value, over-filled majors not because they lack the work ethic or intelligence but because they know nothing else.
