After slamming the NDP website, I feel I owe an explanation. Particularly about the security scare. You see, when I write for casual reading, many of the finer details are glossed over. In all the excitement, it’s easy to forget what the real problem is. It becomes worse when non-technical folks cannot appreciate what the real issue is about.
Then, the post goes viral, and the main points get paraphrased, and the message gets murkier and murkier. Techie folks who read my original post should already know exactly what is going on, and need no further clarification.
For the not so techie people, let me clear this up. First of all, the NDP website has not been hacked. Oh well, if it is, I didn’t know. I’ve never suggested that the website has been hacked. The situation, thus, is really not all that bad after all. Except that, actually, it’s not at all good either.
The crux of the matter is this. The NDP eballot microsite does not use SSL. Perhaps you might know it as that “HTTPS” bit in the website address. SSL is used to encrypt the communication from your browser to the web server. It ensures that no one in-between can eavesdrop and learn about the contents of your communication.
SSL is used, or at least it ought to be used, anywhere on the web where it is important or beneficial to hide your web surfing data from snooping people. SSL will not prevent someone from discovering that you’ve visited a certain website, but it will prevent them from knowing what you’re looking at or what you’re doing within that website.
When you use your bank’s Internet banking website, for example, it will use SSL for all communications. That’s because you don’t want anyone else to see your account, or perform transactions with your money. Yes, you need an account number and password to login, but if the communication is not encrypted, malicious users may be able to get hold of your password too. Your password is just another piece of data. (As added security, Singapore banks are mandated by MAS to implement 2FA, or two factor authentication, so it is not sufficient for a malicious user to just have your password.)
The NDP ticket balloting microsite does not use SSL. That means, potentially, some people in the right places can easily and trivially listen in on your browser communication with the website. Who are these people in what kind of right places?
To begin with, it’s all the network engineering staff who manage any piece of network equipment or network link between you and the NDP website. Your plaintext, unencrypted, there-for-all-to-see web surfing traffic has got to travel on some network link and through some network equipment. Whoever has access to them can potentially see the traffic you’re sending. These people don’t have to be physically there. It’s on the network, it can be accessed remotely.
Next, anyone who can physically access those said network links and network equipment can potentially also look at your traffic. Here, I’m not talking about network engineers like in the above, but other people like cleaners, delivery people, air-con service technicians, and so many other unrelated staff. Of course, it does take people skilled in the right networking knowledge, who know exactly what to do, to pull this off. Notice I didn’t mention IT security knowledge there, because you don’t quite need much security knowledge to carry out this security attack.
Are you thinking these are just a rare few groups of people? Not quite. Your traffic has to go through so many places. For example, in our fibre broadband, your traffic does have to go through OpenNet fibre cables, Nucleus Connect’s (or some alternative) active network layer, then the retail ISP you subscribed to for your fibre Internet service.
In fact, you could potentially be that person with privileged network access. Set up an open Wi-Fi network, and if your neighbour happens to connect to your Wi-Fi network and use it to submit his NDP ticket ballot application, you could be privy to that information. Of course, you do need to know how to do it.
I haven’t even begun to talk about more serious types of malicious attackers. The bad guys could have remotely gained privileged access to one of these networks through which your traffic traverses. The bad guys could have performed a DNS cache poisoning attack, so that your web browser accesses another website, other than the real one, which the attacker controls. A malicious attacker nearer you could carry out an ARP poisoning attack to reroute your Internet traffic. There are so many things malicious attackers can do.
The NDP website traffic also traverses Akamai, a large Content Distribution Network (CDN). Akamai helps front websites for a few purposes, mostly to increase access speeds to end-users and to take the load off the backend websites. With Akamai in the picture, they become another potential risk. Now, I’m not saying Akamai is bad. However, that the NDP website is having yet another service provider handling its plaintext unencrypted traffic cannot be a good thing.
All of the above vulnerabilities could be thwarted by using SSL. These are among the reasons why SSL is important and needs to be used.
With all due respect, Lieutenant Colonel (LTC) Jason See cannot legitimately declare that “no personal information had been compromised”. He simply would not know if it has been leaked. He could say the NDP website has not been hacked, but there is no way to guarantee that personal information has not been leaked out somewhere else.
SSL should be used anywhere that you don’t want the contents of your web surfing traffic to become public knowledge. The acid test is this. If there is some data you don’t want plastered up on the wall in a public area for any passerby to see, that means it is sufficiently personal and confidential, and if this information is sent on the web, that ought to be encrypted with SSL.
I should mention that there are also other purposes of SSL. For example, it also helps you establish the authenticity of the website and the contents that you are receiving from it. Sometimes, it is critical that you know that the information you received is legitimate.
There is little excuse not to use SSL. It’s often not used when it ought to be used for two reasons: the website folks didn’t think, or they don’t care. Or, perhaps, even both. You see, IT systems are often designed without security considerations from day one. Security is usually an afterthought, bolted on after everything else has been sorted out. Worse, sometimes security gets its deserving attention only after the system has been hacked. This is one of my pet topics, but I digress. I think the NDP website folks just didn’t consider the security aspects at all.
Although there are cost (near zero) and performance (easily mitigated with today’s technology) considerations, they are hardly good reasons to avoid using SSL these days. The bottom line is really just this: If you need it, just use it. If you don’t (when you need to) use it, it’s most likely because you forgot about it.
In the big picture, this lack-of-SSL is really a minor matter. It’s still important. Just not quite in the same league as the real security attacks. But then again, considering that an organisation charged with the responsibility to defend Singapore can overlook this little issue, one wonders how important security is in their hearts.
Many people treat the physical world and the virtual world as galaxies that are infinitely separated, and one has nothing to do with the other. The truth is that the world of physical security and the virtual world of IT security are very intertwined. You cannot have one without the other.
Incidentally, that screenshot of the “tool” I used… it’s simply part of the Chrome web browser. The same thing is there in Safari, and an equivalent in Firefox. In Chrome, you can launch this by pressing Cmd-Alt-I, then click on the Network tab. Then, go some place with your browser.
Although security was indeed one of the primary points in my original post, I think the deeper message was much broader than just about security. IT security is hot, it’s something that sells, so I guess all the attention got focused on it.
A basic trace would have shown that the traffic is constrained within Singapore. Too bad for the minuscule minority who use this function overseas.
Anybody who tries to sniff such traffic would already be in violation of the Computer Misuse Act. If the person was using privileged access, then the Official Secrets Act would come in. The Singapore environment is heavily dependent on legislation and heavy penalties in lieu of good codes.
By the way, if one is using “free” WiFi, one should be very, very concerned about traffic being sniffed since most ISP provided routers are password protected. Anybody providing such “free” services may be up to no good. If one were to use the default router passwords to access a WiFi network uninvited, they are already contravening the Computer Misuse Act.
Hey Zit Seng,
“In Chrome, you can launch this by pressing Cmd-Alt-I, then click on the Network tab. Then, go some place with your browser.”
It should be “Ctrl-Shift-I”, at least for Windows 🙂
I am also curious why plaintext unencrypted traffic to Akamai is bad if the site is in HTTP? Akamai is just used to serve static assets (img/css/js), which are of no use to anyone even if they can be sniffed.
Isn’t it about the form page, which does not use SSL?
http://eballot.ndp.org.sg/eballoting.php
yah akamai can consider as an ISP already..
The eballot form is also submitted in plaintext to Akamai servers. Yeah, they didn’t just route static assets. Everything is fronted by Akamai.
eballot.ndp.org.sg. 191 IN CNAME www.ndp.org.sg.edgesuite.net.
www.ndp.org.sg. 201 IN CNAME www.ndp.org.sg.edgesuite.net.
In the latest Internet Explorer on Windows (duh), there is similar developer tools functionality as well. F12 is the key to invoke the tool. You may want to update that factoid in as well. 🙂