Cloudflare slams AWS egress fees to convince web giant to join its discount data club

Cloudflare on Friday accused competitor Amazon Web Services of massive markups and hindering customer data portability, even as it invited the cloud services giant to join its discount data initiative known as the Bandwidth Alliance. "AWS’s bandwidth pricing is bonkers," said CEO Matthew Prince, via Twitter. "And they stand …

  1. Anonymous Coward

    Man in the middle attack

    A content delivery network, substituting a fake cert, issued by itself or partner companies, in place of the actual real certificate, is a man-in-the-middle attack.

    It was found to be a problem, Google has caught lots of countries faking its own certs, India, Egypt, even USA: Symantec was caught issuing fake Google certs:

    https://www.pcmag.com/news/google-slams-symantec-over-fake-certificates

    Is it a big problem? Do bears shit in the woods? Yes, it's a big problem! You cannot secure your banking, web instrumentation, IoT devices or anything else if any certificate authority can fake any website certificate.

    Add a Content Delivery Network (CDN) to the mix, and these fake certs can be issued PER USER and PER DEVICE, since the content delivery network controls the delivery of the website targeted at that user. On a PER USER basis the CDN can swap in the fake cert. The chance of an INDIVIDUAL USER detecting those certs as fake is nil. These per-user fake certs go undetected.

    Avoid CDNs, you're exposing your customer data.

    It's not enough to avoid CDNs: routes can be forced by returning false data to skew routing algorithms, and they can be forced by returning false DNS queries; I've seen examples of this myself recently. You need to USE CERTIFICATE PINNING too.

    If you don't believe me, here's Digicert FUDding Certificate Pinning:

    https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning

    Look at an example, how piss poor their claims are:

    "Sometimes CAs must revoke your certificates. Maybe an audit shows the certificates have previously unknown issues, like misspellings in the subject name or invalid entries in the OU fields. Industry standards say the CA has five days to revoke your certificates, but you pinned them in your client code. How can you push out updates to all your clients in five days to start using your new replacement certificates?"

    Why would a GOOD certificate authority try to stop you using a certificate verification mechanism designed to stop a ROGUE certificate authority issuing fake certs? A man-in-the-middle attack that has been done many times by ROGUE certificate authorities. My personal suspicion is that they are ROGUE, and that widespread use of pinning would throw up lots of "hold up, this site isn't supposed to have a DIGICERT certificate, something is rogue here".

    Improvements need to be made to CERT PINNING too.

    I want to be able to set all certificate authorities as untrusted, trusted, or "ask me per website", with an "always reject for this site" or "always accept for this site" for the latter.

    I want a mechanism in Firefox to report certs I am suspicious of, for investigation, and to automatically report pinned violations.

    You backdoored the internet and you undermined your security, and now you're bitching because your security is undermined.

    1. doublelayer Silver badge

      Re: Man in the middle attack

      It sounds like you should be writing an extension for Firefox. That behavior regarding certificates is more complex than a browser typically supports--you can easily remove or distrust a certificate, but providing the data on each load isn't going to get added. It should be easy enough to implement by someone willing to write the code though.

      1. Anonymous Coward

        Seems to be US government spying on banks and messaging?

        Yeh, I've been looking at it, but I'm struggling, basing it on GeckoView code, but GeckoView is an alien world to me; I tend to write in Java or C++ or C.

        I think if I can find more concrete examples of clearly false certificates and can kick up enough stink about it, then a "pin" next to the cert will magically appear in ALL browsers.

        So for example this one:

        The certificate for incapsula.com issued by GlobalSign CloudSSL CA - SHA256 - G3

        Cert id: 50:D0:13:F5:6C:2F:F9:07:8B:6B:E4:FE:6C:1B:59:9D:39:B1:33:07

        Issued: Mon, 31 May 2021 07:07:59 GMT

        It has a zillion aliases, but includes such things as online UK banks:

        uat-api.digital.evanquis.co.uk

        Which is Evanquis online banking, an online UK bank, sharing a cert with a zillion other domains! A quick visit to its website shows that bank uses a cert from DigiCert Inc, not from GlobalSign.

        Can you, for a minute imagine that a bank agreed to share a cert with tens or hundreds of other domains, such that any one of those could impersonate the bank?

        Now you might say those sites could not impersonate the banks because they lack the technical ability. BUT I do not even believe that GlobalSign has checked the identity of all those alias domains.

        *.banpais.hn = Spanish online bank, issued by DigiCert Inc not GlobalSign

        *.aah-point.com (=UK distributor of Pharmaceuticals, cert by Corporation Service Company not GlobalSign)

        www.telemessage.com (=Israeli messaging service)

        *.befgives.org = HOLDING DOMAIN!

        nestlemilo.com.vn (= Nestle site using a LetsEncrypt certificate).

        campaign.fibi.co.il = This is an Israeli bank, using a DigiCert cert, but this subdomain has a GlobalSign cert.

        *.prav-pit.ru = Nestle site for Russia, normally uses Lets Encrypt cert.

        *.dorseywright.com = NASDAQ is on here

        There are banks, there are messaging, there are big sites like Nestle, that you could plausibly see adverts from, and think those adverts are from Nestle, but this cert says others.

        There are also some weird sites:

        *.lisaboslett.com

        Lisa Boslet... psychic medium....

        at 14113 Robert Paris Ct, Chantilly, VA

        https://www.google.com/maps/@38.8791964,-77.4378311,3a,75y,40.68h,75.03t/data=!3m6!1e1!3m4!1sXHQQ1F0jzlR726j0GcOqUw!2e0!7i13312!8i6656?hl=en

        The Google street view and website picture shows "DCI", which seems to be software company in Chantilly or a government software contractor:

        https://www.indeed.com/q-DCI-Solutions-l-Chantilly,-VA-jobs.html

        A company that works for the US government at Fort Belvoir:

        new

        Software Engineer

        DCI Solutions3.0

        Fort Belvoir, VA

        $140,000 - $170,000 a year

        Work directly with the government PO team and act as part of the Gov PO/PM team to ensure best practices and methods for the best quality product.

        The utter STENCH of the clown show here. That cert should not exist. I cannot believe Nestle would be happy here. I cannot believe the banks included in this cert would be happy.

        1. Anonymous Coward

          Maybe automated

          On the surface this looks like a legitimate company offering DDNS defense. "DDNS and ransom attacks are on the rise.... we protect you using our tried and tested tech" like thing

          You run a big website for a major European operation, Bayer, Nestle, Online banks etc.

          They contacted you offering their services. Perhaps they're regularly mailing you commercials for those services? You keep the contact just in case you need it.

          You get hit with a DDNS attack. Some ransomware, perhaps a bloke in China; perhaps he wants Bitcoin as payment, or he'll DDNS your website?

          And you call the company and use their CDN services or cyber defense services.

          Your web admin changes the IP address to their requested server. They can serve your content now; they *are* you.

          But you get added to a massive shared cert, but you don't see that, because the cert is selectively served to people. Your query to your domain shows your real cert. But others are getting the impersonated cert.

          So in that example cert I showed:

          This cert, incapsula.com, issued by GlobalSign nv-sa, subject key id

          50:D0:13:F5:6C:2F:F9:07:8B:6B:E4:FE:6C:1B:59:9D:39:B1:33:07

          Issued fairly recently: Mon, 31 May 2021 07:07:59 GMT

          It lists online banks ( UK bank uat-api.digital.evanquis.co.uk Honduras Spanish language bank: banpais.hn ) Nestle sites, Monsanto (=Bayer) sites, etc.

          You can well imagine a ransomware attack against those sites, and them using this company.

          But then it shares the cert with a Paypal site selling wheels for dogs with crippled hind legs:

          https://www.huggiecart.com/

          And dead sites without even a cert:

          quasimodem.com

          It's not encrypted, so why would you be serving a certificate for that site? Can you imagine these sites getting DDNS attacked and them hiring a big security company? No, I cannot imagine it myself.

          And somehow this cert was ISSUED??? A certification authority could see nothing wrong with this cert and issued it!

          For real?

          ????? Maybe it's automated?

          Or is it an automated thing, perhaps they create a cert, and can add new domains to the cert by simply serving a special token later?

          So you give them your DNS, they login to the already issued cert, click 'add alias' or similar, it requires they serve up a key file from that domain to confirm the domain is their own.

          They control your DNS, they are impersonating your site, so they can serve up the token and add you to their magic big cert. Perhaps that's how it works GlobalCert? I don't know your control panel.

          Can they also delete aliases automatically????

          ????

          I want a pin next to the cert in the browser: "Always trust this authority for all sites", "always accept this authority, but for this site only", "never accept this authority ever for any site".

          Global Cert would be on my "never accept this authority ever for any site".

          There are like 10-20 sites I visit regularly, yet there are hundreds of authorities and millions/billions of certificates. I am happy to lose a lot of the web to secure those 10 sites from false cert attacks.

          How many of these certs are out in the wild, from content delivery networks and quasi security sites? How many of them have been created? How many websites can be impersonated by psychic domains and poodle wheelchair sites using these certs?
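The "pin next to the cert" control asked for in the first comment and again just above (trust a CA everywhere, deny it everywhere, or accept it for one site only) can be prototyped outside the browser. The following is an added example, not code from The Register or from any commenter: it applies such a per-issuer and per-site policy to a certificate in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, checks the hostname against the SAN list with RFC 6125 wildcard rules, and flags certificates whose SAN list is long enough to be the kind of shared CDN certificate the thread is discussing. The two certificates, the `.example` hostnames, the issuer names and the policy tables are constructed samples, not real CAs or real sites.

```python
"""Per-site certificate policy check modelled on the thread's "pin next to
the cert" idea. Added example, not from The Register or any commenter.
Works on the dict that ssl.SSLSocket.getpeercert() returns; the certificates,
.example names, issuer names and policy tables below are constructed."""
import socket
import ssl
from dataclasses import dataclass

# Policy a user attaches to an issuing CA (its issuer organizationName).
TRUST_ALL = "trust_all"   # "always trust this authority for all sites"
DENY_ALL = "deny_all"     # "never accept this authority for any site"
# No entry means "ask me per website"; site_pins holds the per-site answers.


@dataclass
class Verdict:
    accept: bool
    reason: str


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: a wildcard is valid only as the whole left-most label,
    matches exactly one label, and never matches the bare parent domain."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # e.g. ".bank.example"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_names(cert: dict) -> list:
    """DNS names from subjectAltName; the CN is consulted only if SAN is absent."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def issuer_org(cert: dict):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def is_widely_shared(cert: dict, threshold: int = 20) -> bool:
    """Flag certificates whose one key covers many names (the shared CDN cert case)."""
    return len(cert_names(cert)) > threshold


def evaluate(cert: dict, hostname: str, issuer_policy: dict, site_pins: dict) -> Verdict:
    """issuer_policy: {issuer org: TRUST_ALL | DENY_ALL}
    site_pins: {hostname: issuer org the user accepted for that site only}."""
    if not any(hostname_matches(n, hostname) for n in cert_names(cert)):
        return Verdict(False, f"{hostname} is not among the certificate's names")
    issuer = issuer_org(cert)
    pinned = site_pins.get(hostname)
    if pinned is not None and issuer != pinned:
        # The pin is checked before any global trust: a CA trusted for the
        # rest of the web still cannot stand in for this site's expected CA.
        return Verdict(False, f"pinned issuer {pinned!r} for {hostname}, got {issuer!r}")
    policy = issuer_policy.get(issuer)
    if policy == DENY_ALL:
        return Verdict(False, f"issuer {issuer!r} is denied for every site")
    if policy == TRUST_ALL or pinned == issuer:
        return Verdict(True, f"issuer {issuer!r} accepted for {hostname}")
    return Verdict(False, f"no policy for issuer {issuer!r}: ask the user")


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live lookup with the standard library (never called at import time)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout (not real sites).
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("organizationName", "Example Bank CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}
# A CDN-style certificate carrying many unrelated names, one of them a
# wildcard that also covers the bank's hostname.
CDN_CERT = {
    "subject": ((("commonName", "cdn.example.net"),),),
    "issuer": ((("organizationName", "Example CDN CA"),),),
    "subjectAltName": tuple(("DNS", n) for n in
        ["cdn.example.net", "*.bank.example", "*.shop.example", "psychic.example"]
        + [f"customer{i}.example" for i in range(25)]),
}
ISSUER_POLICY = {"Example Bank CA": TRUST_ALL, "Example CDN CA": DENY_ALL}
SITE_PINS = {"www.bank.example": "Example Bank CA"}

if __name__ == "__main__":
    for cert, host in [(BANK_CERT, "www.bank.example"), (CDN_CERT, "www.bank.example"),
                       (CDN_CERT, "cdn.example.net")]:
        verdict = evaluate(cert, host, ISSUER_POLICY, SITE_PINS)
        print(host, "(widely shared)" if is_widely_shared(cert) else "", verdict)
```

Run as a script it shows the three outcomes: the bank's own certificate is accepted, the CDN certificate is refused for `www.bank.example` because the site pin expects a different issuer even though the wildcard SAN matches, and it is refused for its own hostname because the issuer is on the deny list. To inspect a real server, pass the result of `fetch_peer_cert(host)` to `evaluate` with your own policy tables; note that the standard library already rejects certificates that fail chain validation before `getpeercert()` returns, so this layer only adds the per-site and per-issuer decisions on top of that.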

    2. Anonymous Coward

      Re: Man in the middle attack

      This won't happen because it's how the security services intercept data.

    3. teknopaul Silver badge

      Re: Man in the middle attack

      "Avoid CDNs, you're exposing your customer data."

      Exposing data is what CDNs are for, Shirley?

  2. Plest Bronze badge
    Facepalm

    Bears/woods

    Shocking news just in, "Cloud providers, who make money for per/GB storage, charge almost nothing to take in data but charge shed loads to let you take your data out!".

    My "bleedin' obvious" alarm is off the chart! Seriously, why you moaning now? All the providers have done this for years. I remember signing up for Glacier back around 2012 and that was stated clear as daylight in Amazon's docs, "Put your data in for almost nothing, storage will cost almost nothing, taking it out is where we will charge you and here is how much per GB.".

    1. Robert Grant Silver badge

      Re: Bears/woods

      They're pretending it's news to shame AWS into having a special arrangement with them.

    2. Anonymous Coward

      Re: Bears/woods

      Indeed.

      I think Glacier is more or less fair in the way it is priced. Sure, getting your data back wholesale is expensive and could be cheaper but how often will you need to do a full restore from Glacier?

      The important thing to remember with Glacier pricing is that Amazon knows you're probably carrying cybersecurity insurance so ultimately it's not the business using the service that will pay for the restore, it's the insurance company.

      I've been drafted in at firms during disaster recovery where this has been the case.

      The same applies for data recovery from disks that have been "wiped" by malware. The cost is almost always chalked up to an insurance claim.

      My advice to firms out there that think recovery is expensive is to get insurance to cover the cost. It's relatively cheap compared to the actual costs of recovery. The only gotcha is they will insist on you bringing your IT security up to a standard that they will accept. E.g. MFA on everything, no local admin rights or accounts anywhere, 3-2-1 backups, regular user training and testing, you get the gist.

      If you want the premium to be even cheaper change as many servers as you can to Linux. I did that for one client and it alone halved the premium. Which was a nice surprise because the actual reason to swap to Linux for a lot of servers was licensing costs, specifically escaping CALs and SQL licensing. They were a pretty big firm with dozens of servers and thousands of users.

      The only MS tech they have left is clientside OS and Office365. They still have centralised domain authentication and all that good stuff, it's just not on Windows servers.

      They saved about £50k-£100k in licensing per year maybe more because we only did rough calcs on it before it became very unappealing to the client.

  3. This post has been deleted by a moderator

    1. teknopaul Silver badge

      Re: I hold no candle for AWS

      [citation needed]

  4. Henry Wertz 1 Gold badge

    Huge markup

    It's true though, AWS must make huge money on the bandwidth charges, they charge whatever costs for the cloud services and full retail on the bandwidth as well. Of course, this is just Cloudflare wanting to get you a discount on AWS, but make it up by you paying them for egress charges instead essentially.

    1. Nick Stallman

      Re: Huge markup

      Cloudflare doesn't bother to charge for bandwidth - that's how cheap bandwidth has gotten these days.

      I serve around 35TB through Cloudflare each month. AWS costs thousands for that, and our dedicated server provider just hundreds.

  5. elsergiovolador Silver badge

    AWS

    Most, even big projects, could run on a handful of modern servers. It used to bother me that some clients were spending tens of thousands per month on something that wasn't mission critical and could run on a dedicated server with redundancy for under a grand.

    Their argument was most often that this way they save money on devops and don't have to care about "infrastructure". Fair enough, but it's the same thing that is happening with other areas of economy, like people are now too scared to repair their own things and so on.

    Every bit must now be taken care of by one or another big corporation and people are told they wouldn't be able to do it themselves.

    And they believe that.

    It's funny that a company completely does not question why they have to spend so much - well, if they have doubts, a big corporation's sales team can take them for a lunch and sweet-talk them into buying even more products they don't really need, or promise "deals" that turn out to be even more expensive.

    Then when an employee feels they are underpaid, there are always millions of reasons why they shouldn't be paid more.

  6. Anonymous Coward

    Mainframe 2.0

    Cloud is of course Mainframe 2.0. Once you're signed up, they have you by the b**s

  7. Joseba4242

    Why just AWS

    This does deserve serious attention but why single out AWS?

    Using the 80x cost from the blog, we get a 98.8% profit margin for AWS. If they did offer the 27% discount quoted, that would still be 98.3%. An improvement, yes, but still atrociously high, so really they should call them out together.

    Add to that that GCP starts at a 22% higher cost, so a 27% discount on it is just a tiny amount less than AWS.
