Monday, February 10, 2014

FirstLook.org fails at security so far

The new venture from Glenn Greenwald and Pierre Omidyar, "FirstLook.org", has launched with their first news articles. It has technical flaws in its security.

To start with, the website violates your privacy and tracks your behavior -- even when you have DoNotTrack set in your web browser. This is sort of an unforgivable lapse for a website set up to report on the violation of privacy by the NSA. In my browser, the cookie they set contains "initial_referrer: http://t.co/241PQdNjwr", which records the fact that I came to their website by following a link from this tweet by Pierre Omidyar. (If you haven't yet gone to their site, please click on the link above so that they'll track you coming from this blogpost -- for the lulz).

Some are praising them for being the first news site served entirely over SSL, meaning that whatever you do on their site is safe from the prying eyes of the NSA. This praise is undeserved, as the SSL is not quite working yet.

The most noticeable flaw is that when you visit the homepage you get a warning: "this page contains other resources that are not secure". Sometimes this warning means you can be hacked (when the insecure resource is a script or frame that somebody on the network path could replace). In other cases it doesn't. Here it looks relatively safe, as it's just the video from the embedded Vimeo player. But no matter how safe, it's breaking the promise of an encrypted connection, and teaches users to ignore crypto warnings.
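The "active versus passive" distinction above is what decides whether a mixed-content warning is dangerous or merely embarrassing. The following scanner is an added example for this post, not code from FirstLook or from the author; it walks a page's markup, resolves every subresource URL against the page URL (so protocol-relative "//host/x" links count as https on an https page) and reports only the ones that really load over http://, split into active (script, frame, stylesheet, object) and passive (images, media). The sample page and host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose insecure load can run script or restyle the page: anyone on the
# network path can swap the response and take over the "secure" page.
ACTIVE = {"script": ("src",), "iframe": ("src",), "link": ("href",),
          "object": ("data",), "embed": ("src",)}
# Tags whose insecure load only exposes or alters media.
PASSIVE = {"img": ("src",), "video": ("src", "poster"), "audio": ("src",),
           "source": ("src",)}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for attr in table.get(tag, ()):
                value = attrs.get(attr)
                if not value:
                    continue
                # A <link> is only script-capable when it pulls a stylesheet;
                # icons and prefetch hints are treated as passive.
                rel = (attrs.get("rel") or "").lower().split()
                sev = "passive" if tag == "link" and "stylesheet" not in rel else severity
                self._record(sev, tag, value)

    def _record(self, severity, tag, value):
        # Resolve relative and protocol-relative ("//host/x") URLs against the
        # page so that only genuinely http:// loads are reported.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def scan(page_url, html):
    """Return the mixed-content findings for one page, in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not FirstLook's markup): one https script, a
# relative stylesheet, an http favicon, an http video embed and two images.
SAMPLE_URL = "https://news.example/"
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example/app.js"></script>
<link rel="stylesheet" href="/assets/site.css">
<link rel="icon" href="http://static.example/favicon.ico">
</head><body>
<iframe src="http://player.video.example/embed/123"></iframe>
<img src="//static.example/logo.png">
<img src="http://static.example/banner.png">
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_URL, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

On the sample page only the http iframe is reported as active; the favicon and the banner image are passive, and the protocol-relative logo and the relative stylesheet are not reported at all because they inherit https from the page.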

The Qualys "ssllabs.com" site has a great tool for assessing a site's SSL security. The results for FirstLook.org are a failing grade, at least in light of the adversary (the NSA). The site supports TLS_RSA_EXPORT_WITH_RC4_40_MD5, meaning the NSA can downgrade the connection into something they can crack. The site fails to support "forward security" for many browsers, meaning that anyone who later obtains the server's private key, whether by court order or by cracking it over many years, can decrypt traffic they eavesdropped earlier. They don't support browsers without SNI, meaning that those browsers will get nasty warning messages about the domain name being wrong.
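To make the ssllabs findings concrete, here is an added example (mine, not the post's or Qualys' code) that classifies a list of cipher-suite names in the IANA form ssllabs reports. It splits each name into key exchange, cipher and MAC, flags export-grade key material, RC4, single DES, MD5 and anonymous key exchange, and separates suites that give forward secrecy (ephemeral ECDHE/DHE) from those that don't. The only suite taken from the post is TLS_RSA_EXPORT_WITH_RC4_40_MD5; the rest of the "observed" list and the "hardened" list are constructed to stand in for a typical 2014 configuration and its fix.

```python
import re

# IANA cipher-suite names, e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5 splits into
# key exchange RSA_EXPORT, cipher RC4_40 and MAC MD5.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<cipher>[A-Za-z0-9_]+)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)


def weaknesses(kx, cipher, mac):
    """Reasons a suite is unfit against an adversary who records traffic and cracks it later."""
    reasons = []
    if "EXPORT" in kx:
        reasons.append("export-grade key length")   # 40/56-bit material, brute-forceable
    if cipher.startswith("RC4"):
        reasons.append("RC4")                        # biased keystream, plaintext recovery
    if cipher == "DES_CBC":
        reasons.append("single DES")
    if mac == "MD5":
        reasons.append("MD5 MAC")
    if "ANON" in kx.upper():
        reasons.append("unauthenticated key exchange")
    return reasons


def has_forward_secrecy(kx):
    # Only ephemeral (EC)DH gives each session its own key; static RSA key
    # exchange lets a later key compromise decrypt every recorded session.
    return kx.startswith(("ECDHE_", "DHE_"))


def assess(suites):
    """Bucket suites into weak / forward-secret / not forward-secret / unparsed."""
    report = {"weak": {}, "forward_secrecy": [], "no_forward_secrecy": [], "unparsed": []}
    for suite in suites:
        m = SUITE_RE.match(suite)
        if not m:
            report["unparsed"].append(suite)
            continue
        kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
        reasons = weaknesses(kx, cipher, mac)
        if reasons:
            report["weak"][suite] = reasons
        bucket = "forward_secrecy" if has_forward_secrecy(kx) else "no_forward_secrecy"
        report[bucket].append(suite)
    return report


def acceptable(report):
    """True only if nothing weak is offered and every suite provides forward secrecy."""
    return not report["weak"] and not report["no_forward_secrecy"] and not report["unparsed"]


# Constructed list: the export suite is the one the post names, the others
# are typical 2014-era offerings added for the example.
OBSERVED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]
# What a hardened server of the same era would offer instead (constructed).
HARDENED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for name, suites in (("observed", OBSERVED), ("hardened", HARDENED)):
        r = assess(suites)
        print(name, "acceptable" if acceptable(r) else "NOT acceptable")
        for suite, reasons in r["weak"].items():
            print("  weak:", suite, "-", ", ".join(reasons))
        for suite in r["no_forward_secrecy"]:
            print("  no forward secrecy:", suite)
```

Note that offering a forward-secret suite is not enough on its own: a browser that only negotiates the static-RSA suites still ends up in the "no forward secrecy" bucket, which is exactly the "for many browsers" qualification in the ssllabs result.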

The site has scalability problems. People are already reporting getting "503" error codes and the site has only been live for a few hours. One problem may be that they use Apache, which is well-known to be hard to scale (competing software like lighttpd and nginx is easier to scale). The Chrome "audit" tool also gives a poor grade, showing that many resources on the site are not cached, and thus must be re-requested on every visit. These scalability issues aren't necessarily an SSL concern, but they exacerbate problems with SSL.


I don't know if the site is just "security washing" (just giving the appearance of security) or is really committed to the idea. Assuming they are committed, and that these are transient problems, I would hope that they document their efforts. Security is a tradeoff -- there are good reasons why competing media sites don't go to this level of effort. A commitment to SSL means a guy in Yemen can't access the website, both because of his export-controlled 40-bit browser and because his satellite connection causes SSL problems. A commitment to "do not track" disrupts how the business earns money and prevents some otherwise cool features you'd get with tracking the reader. Documenting all these issues, both the good and bad, would be a great boon to security for everyone.


For your reading pleasure, here are the full HTTP request headers from one of my queries. As you can see, DNT: 1 is enabled, and the cookie is tracking me nonetheless:

GET /assets/javascripts/underscore-min.js HTTP/1.1
Host: firstlook.org
Connection: keep-alive
Cache-Control: no-cache
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
DNT: 1
Referer: https://firstlook.org/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: mp_ce2f59c033d995c677576fc3e9758d98_mixpanel=%7B%22distinct_id%22%3A%20%221441a8fb2157f0-0eb4ceedf-404c0028-3e8000-1441a8fb216a3e%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Ft.co%2F241PQdNjwr%22%2C%22%24initial_referring_domain%22%3A%20%22t.co%22%7D; __utma=238902935.1222969571.1392015029.1392015029.1392015029.1; __utmc=238902935; __utmz=238902935.1392015029.1.1.utmcsr=t.co|utmccn=(referral)|utmcmd=referral|utmcct=/241PQdNjwr; _ga=GA1.2.1222969571.1392015029
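The request above can be checked mechanically. The script below is an added example, not part of the post: it parses the captured request, splits the Cookie header, recognises the Mixpanel (mp_*_mixpanel) and Google Analytics (__utm*, _ga) cookie names by their vendors' naming conventions, decodes the URL-encoded JSON that Mixpanel stores, and reports whether analytics cookies are present on a request that carries DNT: 1. The embedded request is the one quoted in the post; the tracker-to-vendor mapping is the example's own assumption.

```python
import json
from urllib.parse import unquote

# The request reproduced in the post, one header per line as captured.
CAPTURED_REQUEST = """GET /assets/javascripts/underscore-min.js HTTP/1.1
Host: firstlook.org
Connection: keep-alive
Cache-Control: no-cache
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
DNT: 1
Referer: https://firstlook.org/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: mp_ce2f59c033d995c677576fc3e9758d98_mixpanel=%7B%22distinct_id%22%3A%20%221441a8fb2157f0-0eb4ceedf-404c0028-3e8000-1441a8fb216a3e%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Ft.co%2F241PQdNjwr%22%2C%22%24initial_referring_domain%22%3A%20%22t.co%22%7D; __utma=238902935.1222969571.1392015029.1392015029.1392015029.1; __utmc=238902935; __utmz=238902935.1392015029.1.1.utmcsr=t.co|utmccn=(referral)|utmcmd=referral|utmcct=/241PQdNjwr; _ga=GA1.2.1222969571.1392015029
"""


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line and a lowercase-keyed header dict."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookies(cookie_header):
    """Cookie header -> {name: raw_value}; values are left URL-encoded."""
    cookies = {}
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")   # split on the first '=' only
        if name:
            cookies[name] = value
    return cookies


# Cookie-name conventions of two common analytics libraries (assumed mapping
# for this example; the prefixes themselves are the vendors' documented names).
TRACKERS = {
    "mixpanel": lambda n: n.startswith("mp_") and n.endswith("_mixpanel"),
    "google_analytics": lambda n: n.startswith("__utm") or n == "_ga",
}


def audit(raw):
    """Report DNT status, tracker cookies found, and what the Mixpanel cookie remembers."""
    _, headers = parse_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    report = {
        "dnt": headers.get("dnt") == "1",
        "trackers": {},
        "distinct_id": None,
        "initial_referrer": None,
    }
    for vendor, matches in TRACKERS.items():
        names = sorted(n for n in cookies if matches(n))
        if names:
            report["trackers"][vendor] = names
    # Mixpanel stores URL-encoded JSON: a per-browser id plus where you came from.
    for name in report["trackers"].get("mixpanel", []):
        state = json.loads(unquote(cookies[name]))
        report["distinct_id"] = state.get("distinct_id")
        report["initial_referrer"] = state.get("$initial_referrer")
    # DNT asks not to be tracked; analytics cookies present anyway mean the ask was ignored.
    report["tracked_despite_dnt"] = report["dnt"] and bool(report["trackers"])
    return report


if __name__ == "__main__":
    for key, value in audit(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

Run against the captured request it reports DNT on, Mixpanel plus four Google Analytics cookies, and an initial_referrer of http://t.co/241PQdNjwr, which is the same conclusion the post draws by eye. The same function run over your own server's access logs (with the Cookie header logged) is a cheap way to verify that a DNT policy is actually honoured.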

2 comments:

Wheaties said...

did you possibly mean forward secrecy instead of forward security?

Marc Mantione said...

The site is getting an A- from ssllabs now.