Secure Transactions

Tim ignored_mailbox at yahoo.com.au
Sun Aug 31 08:24:22 UTC 2014


On Sat, 2014-08-30 at 20:18 -0700, Tod Merley wrote:
> What sort of security issues are indicated by redirection?

Wasn't me that suggested there were any.  It was you who said you
thought they were.

But anyway...  If you browse to your bank's domain name, they may bump
you to another address of a particular page in their service.  As you
log in, the same thing will happen.  And as you browse through their
site, you may find that a link points to one page, yet you end up at
another address.  That's just how their site works.  They never thought
to start at just <http://bank.example.com/>, but set their system up to
start from <http://bank.example.com/cgi/blargle-floogle>, and shove you
over into that other address as a redirect.  And should they re-organise
some other part inside their site, instead of rewriting all the pages
with the new addresses, they'll set up redirects for the server to
translate the old addresses into the new ones.

Some also make handy shortcuts for their customers, as a convenience to
them, so they can have a string of simple addresses to tell people to
use (such as bank.example.com/loans and bank.example.com/savings) that
lead to much more difficult to type addresses.

This is all normal stuff.

On the other hand, if a hacker has got into the site, and managed to
slip in a redirection that moves you away from the site's own pages, and
onto the hacker's ones, that's a security issue.  And if a hacker has
hacked a bank, I'd abort trying to use it completely.  That's something
the real service has to fix up, it's not something that you could step
around to keep on doing your banking.

Web forums are probably more of a likely redirection issue for casual
abuse.  Where someone has managed to craft a post to the forum that's
included some JavaScript that the forum hasn't stripped out and thrown
away, and suddenly the site is sending out code that a hacker wants,
instead.  So, your PC help site suddenly has fake "scan your computer
for viruses" and other crap attached to it.

I don't have forums, or guest books, or anything that outsiders can
publish to my website, but I'm forever seeing things in the logs that
are malicious.  They're trying to find CGI/PHP/etc scripts (that I don't
have), so that they can abuse the script to do something nasty.  And I
find search queries that have nothing to do with my site, and referrers
back to gambling or adult sites (they're just hoping that links to them
might get published somewhere on the site, automatically).

> What would they be doing (or not doing) in the programming from their
> end which would cause this?

Without seeing what they're doing, who could know?  But I'm more
inclined to believe in programming errors for login failure, than other
things.

I see the same thing when I log in to Fedora.  I've typed the password
perfectly, but sometimes I'm bounced back to the login page as if I've
mistyped it.
> 
> Could problems with DNS or other parts of the IP stack be involved?

If you've already connected to the site, then you've got working DNS
answers cached.  Your browser is going to keep connecting to the same IP
for the same domain name, for as long as the data is cached.  Even with
ridiculously short time-out periods, of a few seconds, most browsers
will use what they found out, the first time, until they're closed down
again.

> Why would closing the browser and shutting off the machine and finding
> a more secure internet connection not help?

Why do you think rebooting is going to help?  It's not Windows, and the
rest of the outside world isn't going to know whether a three minute
break in trying to reconnect to a site is due to you reading a page for
a long time, or you've rebooted.
> 
> Is it possible for someone to hijack an internet connection in a way
> which would allow them to see my responses to the bank/storesite but
> would not allow them to receive and re-transmit to me the "my picture
> and text" page?

Read up about "man-in-the-middle attacks."  I'd only be trying to
explain the same thing, and someone's bound to be able to explain them
better than I can.

> Since I am planning on using the browser (and install) only to do the
> occasional internet transaction how is flushing cache and cookies
> likely to help?

If a browsing problem has occurred because you've cached a bad result,
then flushing the cache means that your browser doesn't re-show you the
bad result, but downloads fresh data.  Usually, hitting the refresh
button overcomes such a problem; sometimes holding down Shift while
reloading the page forces a cache flush and re-download of that
particular page, even if caching time periods suggest your browser
should simply redraw what it already had.

If the server is keeping tabs on your progress with a site using
cookies, and something has gone wrong, then dumping the cookies may be a
simple way to wipe the slate clean, and have another go.


-- 
tim at localhost ~]$ uname -rsvp

Linux 3.15.10-200.fc20.i686 #1 SMP Thu Aug 14 16:12:39 UTC 2014 i686

All mail to my mailbox is automatically deleted, there is no point trying
to privately email me, I will only read messages posted to the public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.

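An added example, not part of Tim's message above: the distinction he draws
between a site's own redirects (bumping you to a deep start page, or from a
short address like bank.example.com/loans) and a redirect that moves you off
the site can be checked mechanically once the chain of Location headers has
been recorded. The script below was written for this page; the sample chains,
the host names (bank.example.com, online.bank.example.com, the look-alike
attacker.invalid host) and the hop limit are constructed assumptions, not real
bank responses. It resolves each Location against the URL that was actually
requested (the bank's "/cgi/blargle-floogle" style redirect is relative) and
flags any hop that leaves the trusted host or one of its subdomains, downgrades
https to http, loops, or runs past the hop limit.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample chains (assumptions for this example, not real server
# responses).  Each hop is (URL that was requested, HTTP status, Location
# header value or None for a final response).
NORMAL_CHAIN = [
    ("http://bank.example.com/", 301, "https://bank.example.com/"),
    ("https://bank.example.com/", 302, "/cgi/blargle-floogle"),  # relative Location
    ("https://bank.example.com/cgi/blargle-floogle", 200, None),
]
SHORTCUT_CHAIN = [
    ("https://bank.example.com/loans", 302,
     "https://online.bank.example.com/cgi/products?cat=loans&ui=3"),
    ("https://online.bank.example.com/cgi/products?cat=loans&ui=3", 200, None),
]
HIJACKED_CHAIN = [
    ("https://bank.example.com/login", 302,
     "http://bank.example.com.attacker.invalid/login"),  # look-alike host, https -> http
    ("http://bank.example.com.attacker.invalid/login", 200, None),
]
LOOP_CHAIN = [
    ("https://bank.example.com/login", 302, "/session"),
    ("https://bank.example.com/session", 302, "/login"),
    ("https://bank.example.com/login", 302, "/session"),
]


def same_site(host, trusted_host):
    """True if host is trusted_host or a subdomain of it, compared label-wise.

    A plain endswith() would accept 'bank.example.com.attacker.invalid' as a
    match for 'bank.example.com'; requiring the leading dot makes it a miss.
    """
    host = (host or "").lower().rstrip(".")
    trusted_host = trusted_host.lower().rstrip(".")
    return host == trusted_host or host.endswith("." + trusted_host)


def audit_chain(hops, trusted_host, max_redirects=5):
    """Walk a recorded redirect chain and return a list of findings.

    An empty list means every hop stayed on trusted_host (or a subdomain),
    never downgraded https to http, did not loop, and did not exceed
    max_redirects.
    """
    findings = []
    seen = set()
    redirects = 0
    for i, (requested, status, location) in enumerate(hops):
        if requested in seen:
            findings.append(f"hop {i}: redirect loop back to {requested}")
            break
        seen.add(requested)
        if status not in REDIRECT_STATUSES:
            continue  # final response, nothing to resolve
        redirects += 1
        if location is None:
            findings.append(f"hop {i}: {status} without a Location header")
            continue
        src = urlsplit(requested)
        # Location may be relative; resolve it against the URL that was requested.
        target = urlsplit(urljoin(requested, location))
        if not same_site(target.hostname, trusted_host):
            findings.append(f"hop {i}: leaves {trusted_host} for {target.hostname}")
        if src.scheme == "https" and target.scheme == "http":
            findings.append(f"hop {i}: downgrades https to http")
        # The next recorded request should be exactly where Location pointed.
        if i + 1 < len(hops) and hops[i + 1][0] != urlunsplit(target):
            findings.append(f"hop {i}: next request {hops[i + 1][0]} "
                            f"does not match Location {urlunsplit(target)}")
    if redirects > max_redirects:
        findings.append(f"{redirects} redirects exceeds limit of {max_redirects}")
    return findings


if __name__ == "__main__":
    for name, chain in [("normal", NORMAL_CHAIN), ("shortcut", SHORTCUT_CHAIN),
                        ("hijacked", HIJACKED_CHAIN), ("loop", LOOP_CHAIN)]:
        print(name, audit_chain(chain, "bank.example.com") or "ok")
```

The normal and shortcut chains come back clean; the hijacked one produces two
findings (off-site host, https downgraded to http), which is exactly the case
the message says to abort on rather than work around. The label-wise host
comparison matters: the look-alike host ends with the bank's name as a string
but is not a subdomain of it.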


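A second added example, again not from the original message: the log entries
Tim describes (probes for CGI/PHP scripts that the site does not have, and
referrers pointing back to gambling or adult sites or carrying unrelated search
queries) can be pulled out of a standard combined-format access log. The
script below was written for this page; the log lines, the IP addresses (from
the documentation ranges), the host names, the site's own host
(www.example.org) and the list of "script-looking" extensions are constructed
assumptions. It counts 404s for script paths per client address, tallies
external referrer hosts, and extracts any search terms from referrer URLs so an
administrator can see what the unrelated queries were.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Heuristic (an assumption for this example): on a site that serves no
# server-side scripts, requests for script-looking names that 404 are probes.
SCRIPT_PROBE_RE = re.compile(r'\.(php|cgi|asp|aspx|jsp|pl)(\?|$)|^/cgi-bin/', re.I)

# Query parameters that search engines commonly use for the search string.
SEARCH_PARAMS = ("q", "p", "query", "search")

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2014:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Aug/2014:08:01:13 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://www.example.org/" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2014:08:02:40 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [31/Aug/2014:08:02:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [31/Aug/2014:08:02:42 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.9 - - [31/Aug/2014:08:05:03 +0000] "GET / HTTP/1.1" 200 5120 "http://casino-bonus.example.net/" "Mozilla/5.0"
192.0.2.10 - - [31/Aug/2014:08:05:04 +0000] "GET / HTTP/1.1" 200 5120 "http://casino-bonus.example.net/" "Mozilla/5.0"
192.0.2.11 - - [31/Aug/2014:08:06:30 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://search.example.com/?q=cheap+pills" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, own_host):
    """Summarise probes and referrer noise in log_text for a site at own_host."""
    probes = Counter()              # client address -> number of script-path 404s
    external_referrers = Counter()  # referrer host (not our own) -> hits
    search_terms = []               # search strings found in referrer URLs
    own_host = own_host.lower()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "404" and SCRIPT_PROBE_RE.search(rec["path"]):
            probes[rec["ip"]] += 1
        ref = rec["referer"]
        if ref and ref != "-":
            parts = urlsplit(ref)
            host = (parts.hostname or "").lower()
            if host and host != own_host:
                external_referrers[host] += 1
                qs = parse_qs(parts.query)
                for key in SEARCH_PARAMS:
                    search_terms.extend(qs.get(key, []))
    return {
        "script_probes": probes,
        "external_referrers": external_referrers,
        "search_terms": search_terms,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, "www.example.org")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, one address accounts for all three script probes, the gambling
host shows up as a referrer from two different addresses (the pattern of
referrer spam hoping to be published in a public log or stats page), and the
one search referrer carries a query that has nothing to do with the site.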