Index
2014-07-30 09:25Joe Yoder : [NF] Clarification on web security
2014-07-30 09:39Stephen Russell : Re: [NF] Clarification on web security
2014-07-30 09:47Jean Laeremans : Re: [NF] Clarification on web security
2014-07-30 10:15Dave Crozier : RE: [NF] Clarification on web security
2014-07-30 10:27Ted Roche : Re: [NF] Clarification on web security
2014-07-30 10:40Ken Dibble : Re: [NF] Clarification on web security
2014-07-30 10:54Ted Roche : Re: [NF] Clarification on web security
2014-07-30 11:23Ken Dibble : Re: [NF] Clarification on web security
2014-07-30 13:59Joe Yoder : Re: [NF] Clarification on web security
2014-07-30 14:08Ted Roche : Re: [NF] Clarification on web security
Back to top
[NF] Clarification on web security

Author: Joe Yoder

Posted: 2014-07-30 09:25:34   Link

I have a client who does business with a food supply company with an

extensive web site (gfs.com). Food orders are placed on the vendor website

using Chrome running on Windows Server 2003 via remote desktop session.

My client has been getting warning messages that, since they are running

XP, their access will be cut off soon as Microsoft has dropped support for

XP. I contacted the vendors sales rep and explained that Microsoft is

continuing support for Server 2003 until 2015 and that by that time my

client will have migrated to Server 2008. She was satisfied that this will

be satisfactory.

When the client got yet another warning message and I learned that the

vendor's support people believe that that RDP browser connections will not

be allowed in the future I decided that I had better try to clear things

up. The support people could not tell me what criteria is used to

determine whether or not to accept a connection. They believe their system

relies on their SSL certificate for that purpose. I contacted the

certificate vendor, Network Solutions, to try to determine the criteria

used to determine whether or not to allow connection to a browser.

The time I spent with Network Solutions support resulted in the conclusion

that the SSL certificate only assures a browser based client that the site

is safe for encrypted data transfers. There is no service available to

verify that the browser wishing to connect is running on an approved

operating system.

I am guessing the people I talked to at the food vendor's support

department don't actually write code and are simply misinformed about how

things work.

Any suggestions on how to resolve this?

Thanks in advance,

Joe

--- StripMime Report -- processed MIME parts ---

multipart/alternative

text/plain (text body -- kept)

text/html

---

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/CABQeDnW5koMGN5kyKEBVyyVOos3YK2Fz8OQ_n5R8zRqR4hBSkw@mail.gmail.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Joe Yoder
Back to top
Re: [NF] Clarification on web security

Author: Stephen Russell

Posted: 2014-07-30 09:39:16   Link

On Wed, Jul 30, 2014 at 9:25 AM, Joe Yoder <joe@wheypower.com> wrote:

> I have a client who does business with a food supply company with an

> extensive web site (gfs.com). Food orders are placed on the vendor website

> using Chrome running on Windows Server 2003 via remote desktop session.

>

> My client has been getting warning messages that, since they are running

> XP, their access will be cut off soon as Microsoft has dropped support for

> XP. I contacted the vendors sales rep and explained that Microsoft is

> continuing support for Server 2003 until 2015 and that by that time my

> client will have migrated to Server 2008. She was satisfied that this will

> be satisfactory.---------------

>

--------------------

You have to ask the question, is the business with this vendor more

valuable that a new server ? Just a guess but did you have a value on

Server operation per year and if you do is that amount that high?

I would skip server 2008 altogether and consider 2012. Sure it is a lot

more secure that what you are running today and it looks a lot different at

times as well.

We just upgraded to 2012 servers both hard iron for data as well as 50 in

virtual virtual. We have all ERP Apache apps running in their own virtual

server, and each app will have a Test as well as a Prod server. All are

in Server 2012.

--

Stephen Russell

Sr. Analyst

Ring Container Technology

Oakland TN

901.246-0159 cell

--- StripMime Report -- processed MIME parts ---

multipart/alternative

text/plain (text body -- kept)

text/html

---

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/CAJidMYJKV2aG4mvCVYA12q6k1KnOnASU-qAdb4GGpv8AomeQgg@mail.gmail.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Stephen Russell
Back to top
Re: [NF] Clarification on web security

Author: Jean Laeremans

Posted: 2014-07-30 09:47:31   Link

I would skip MS full stop.

©2014 Jean Laeremans
Back to top
RE: [NF] Clarification on web security

Author: Dave Crozier

Posted: 2014-07-30 10:15:56   Link

+1 on Server 2012

Dave

-----Original Message-----

From: ProFox [mailto:profox-bounces@leafe.com] On Behalf Of Stephen Russell

Sent: 30 July 2014 15:39

To: ProFox Email List

Subject: Re: [NF] Clarification on web security

On Wed, Jul 30, 2014 at 9:25 AM, Joe Yoder <joe@wheypower.com> wrote:

> I have a client who does business with a food supply company with an

> extensive web site (gfs.com). Food orders are placed on the vendor

> website using Chrome running on Windows Server 2003 via remote desktop session.

>

> My client has been getting warning messages that, since they are

> running XP, their access will be cut off soon as Microsoft has dropped

> support for XP. I contacted the vendors sales rep and explained that

> Microsoft is continuing support for Server 2003 until 2015 and that by

> that time my client will have migrated to Server 2008. She was

> satisfied that this will be satisfactory.---------------

>

--------------------

You have to ask the question, is the business with this vendor more

valuable that a new server ? Just a guess but did you have a value on

Server operation per year and if you do is that amount that high?

I would skip server 2008 altogether and consider 2012. Sure it is a lot more secure that what you are running today and it looks a lot different at times as well.

We just upgraded to 2012 servers both hard iron for data as well as 50 in virtual virtual. We have all ERP Apache apps running in their own virtual

server, and each app will have a Test as well as a Prod server. All are

in Server 2012.

--

Stephen Russell

Sr. Analyst

Ring Container Technology

Oakland TN

901.246-0159 cell

--- StripMime Report -- processed MIME parts --- multipart/alternative

text/plain (text body -- kept)

text/html

---

[excessive quoting removed by server]

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/18725B8CD2D5D247873A2BAF401D4AB22A5497CB@EX2010-A-FPL.FPL.LOCAL

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Dave Crozier
Back to top
Re: [NF] Clarification on web security

Author: Ted Roche

Posted: 2014-07-30 10:27:27   Link

On Wed, Jul 30, 2014 at 10:25 AM, Joe Yoder <joe@wheypower.com> wrote:

>

> My client has been getting warning messages that, since they are running

> XP, their access will be cut off soon as Microsoft has dropped support for

> XP. I contacted the vendors sales rep and explained that Microsoft is

> continuing support for Server 2003 until 2015 and that by that time my

> client will have migrated to Server 2008. She was satisfied that this will

> be satisfactory.

>

Windows XP is no longer supported NOW:

http://www.microsoft.com/windows/en-us/xp/end-of-xp-support.aspx

Your client needs to update their workstations to a better operating

system. ALL operating systems are better than Windows XP.

Right now, they are in danger of a "Zero Day" attack that can compromise

their Windows XP machines, and once a foothold in their network is

established, potentially contaminate every machine on that network, and

every network that network connects to.

As for SSL, (https in the browser, sometimes a little padlock) all that

does is ensure that an encrypted connection exists between the two

endpoints of the client application (browser) and the destination (web

application). This simply ensures that anyone who can see that network

stream of data ("a man in the middle") cannot read the data. However, if

the browser endpoint is compromised, all the data going over that

connection could be read, monitored, stolen or altered.

Replace your Windows XP workstations with anything: iPads, X-Boxes,

iPhones, Android phones/tablets, Linux machines, even updated Windows

machines -- and the problem gets kicked down the road, until the next round

of updates.

Microsoft Server 2003 is also on its way out and ought to be replaced, too:

http://support.microsoft.com/lifecycle/search/default.aspx?alpha=windows+server+2003&Filter=FilterNO

Why not Server 2012? Then, you're only two years out of date. Or, again,

any other OS: OSX or Linux.

--

Ted Roche

Ted Roche & Associates, LLC

http://www.tedroche.com

--- StripMime Report -- processed MIME parts ---

multipart/alternative

text/plain (text body -- kept)

text/html

---

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/CACW6n4vvmyV9UCY2F11hgPNHVvtFvhqrYyfRD4KdG3ZGiEpqmQ@mail.gmail.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Ted Roche
Back to top
Re: [NF] Clarification on web security

Author: Ken Dibble

Posted: 2014-07-30 10:40:40   Link

>Your client needs to update their workstations to a better operating

>system. ALL operating systems are better than Windows XP.

>

>Right now, they are in danger of a "Zero Day" attack that can compromise

>their Windows XP machines, and once a foothold in their network is

>established, potentially contaminate every machine on that network, and

>every network that network connects to.

With all due respect, FUD.

This claim has been made for over a year. Something like 30% of OSes were

still XP a year or so ago, and supposedly the day after MS stopped

"support" the world was going to come to an end with a massive zero-day

attack. So far, no fire to go with all the smoke.

There was one issue discovered with *IE* on Windows XP, not the OS itself,

and MS issued a patch even though XP is no longer "supported". If that

happens again, I bet they do it again.

Again, the older your OS is, the less likely it is an actual target for

real, not theoretical, malware that is actually in circulation today.

>As for SSL, (https in the browser, sometimes a little padlock) all that

>does is ensure that an encrypted connection exists between the two

>endpoints of the client application (browser) and the destination (web

>application). This simply ensures that anyone who can see that network

>stream of data ("a man in the middle") cannot read the data. However, if

>the browser endpoint is compromised, all the data going over that

>connection could be read, monitored, stolen or altered.

SSL certificates are a form of blackmail. You pay in order to get somebody

to issue an opinion that your encryption is good. That does not mean your

encryption is not good if you don't pay to get the certificate.

Ken Dibble

www.stic-cil.org

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/5.2.1.1.1.20140730113504.01efbb30@POP-Server.stny.rr.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Ken Dibble
Back to top
Re: [NF] Clarification on web security

Author: Ted Roche

Posted: 2014-07-30 10:54:40   Link

On Wed, Jul 30, 2014 at 11:40 AM, Ken Dibble <krdibble@stny.rr.com> wrote:

>

> Again, the older your OS is, the less likely it is an actual target for

> real, not theoretical, malware that is actually in circulation today.

And, with all due respect in return, we continue to disagree on this point.

WinXP is a marvelous target for bad guys. Little old ladies (and guys,

until recently, my dad among them), have Windows XP machines hooked up to

the internet, often poorly, often out-of-date with updates, hanging off

half-decent internet connections cable and DSL, running 24 hours a day.

These are _perfect_ machines to harvest and take over in

command-and-control botnets to churn out spam and participate in DDOS

attacks. These happen, every day , and botnets of millions of compromised

machines (feel free to search the web for this info yourself) are running

everyday.

And offices are filled with clueless clerks who love to play games or visit

sketch sites on their breaks and lots of small- and medium-sized businesses

host botnets, too.

While the bad guys have control of your machine, it's pretty trivial to

pick off your credit card info, tax return and compromising selfies, too.

This is happening today, every day. Even if you refuse to believe it.

> SSL certificates are a form of blackmail. You pay in order to get somebody

> to issue an opinion that your encryption is good. That does not mean your

> encryption is not good if you don't pay to get the certificate.

>

You can always self-sign certificates, and establish your own web of trust.

We do for many of our applications.

--

Ted Roche

Ted Roche & Associates, LLC

http://www.tedroche.com

--- StripMime Report -- processed MIME parts ---

multipart/alternative

text/plain (text body -- kept)

text/html

---

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/CACW6n4uzOTAHDoCYZN9YAkCn8jogQHVriNfqipnJ5h0XGNmKUw@mail.gmail.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Ted Roche
Back to top
Re: [NF] Clarification on web security

Author: Ken Dibble

Posted: 2014-07-30 11:23:00   Link

>This is happening today, every day. Even if you refuse to believe it.

All of which is equally applicable to every other Windows OS, and is a

greater threat because there are more of them in use today, in toto, than

there are of XP. People don't patch Vista or Win 7 or Win 8 either. They

don't patch IE on those OSes, and idiots keep writing new web-based

software that won't work on more secure browsers. They don't keep their

anti-malware software up to date on those new OSes either. Nothing has

magically changed about this going from Win XP to a newer OS.

MS OS security is not "improving" as a whole; they just continue to fix

what they can identify as broken as a result of demo or real attacks. Every

day somebody figures out a new way to attack a new OS, and then that has to

be fixed. The newer the OS, the more people are trying to attack it.

Relatively fewer people are figuring out new attacks for old OSes. How many

people do you think are working on new ways to attack Windows 2000 today?

How many people will be working on new ways to attack Windows XP in 2

years, as compared to today?

Anything can be hacked; any security can be broken (just ask the NSA);

nothing is safe. That is true today, and it will be true five, ten, and

twenty years from now, for Windows and any other OS. The fact that some OS

designs are harder to crack than others is irrelevant. If the motivation to

crack it is high enough, it will be cracked. There is no magic design "fix"

that entirely removes the danger. It can't be done.

Today the bad guys aren't script kiddies goofing around to impress their

friends. They are organized criminals, rogue governments, and terrorist

organizations. They are principally looking to steal money, and

secondarily, to develop options to damage or destroy critical IT

infrastructure. Malware development costs them money, and they play the

percentages. If a "hack" doesn't offer those opportunities in a big way,

they don't spend time on it.

Older OSes are safer from current malware development than newer OSes,

because the motivation to break newer OSes is much greater, because it is

more remunerative in those two ways, than the motivation to attack older

OSes. This isn't rocket science; it's common sense.

And the extent to which people do not keep their OS, browser, and

anti-malware software up to date does not vary between OSes. So this source

of problems is constant; it is not greater for XP than for 8.1. And there

is more Vista, 7, and 8.1 combined running today than XP. Again, common sense.

Last time we had this discussion, I cited overwhelming evidence from the

web that Android phones are the biggest target for current malware. I don't

remember what the percentage was then, but as of January of this year, it

was 99%:

http://www.v3.co.uk/v3-uk/news/2323418/android-and-java-top-security-targets-for-malware-and-hacks

Java applications are also strong targets according to this article, but

that's not OS-dependent.

Ken Dibble

www.stic-cil.org

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/5.2.1.1.1.20140730120127.01f06498@POP-Server.stny.rr.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Ken Dibble
Back to top
Re: [NF] Clarification on web security

Author: Joe Yoder

Posted: 2014-07-30 13:59:41   Link

I should have been more specific about my question. I am not challenging

the assumption that one needs to eliminate XP. My client is a small

non-profit who relies on donated machines when they are available. The

plan at this point is to use Terminal Services Sessions with Wyse thin

clients and do all processing on the server. This allows me to maintain

one OS and permits swapping Wyse terminals between users at will. The

point at which this scheme breaks down is when a vendor insists that they

will only accept connections from a browser runnng on Windows 7 or Windows

8. It is my impression that Windows 7 is a subset of Server 2008 and

Windows 8 is a subset of Server 2012. I suspect that web programmers need

to keep this in mind when they write code to accept or reject a connection

based on browser and OS combination.

What I set out to do was find who or what controls what browser and

operating system configurations are accepted for connection by the GFS.com

site. The GFS technical people seem to have an inflated understanding of

the role of the SSL certificate. Ultimately I need to help them correct

that understanding. I suspect that inspection of their site code by

someone who knows web programming would reveal what their criteria is. I

have done very little with web programming. Can someone point me to a good

starting point for this issue?

Thanks,

Joe

On Wed, Jul 30, 2014 at 12:23 PM, Ken Dibble <krdibble@stny.rr.com> wrote:

>

> This is happening today, every day. Even if you refuse to believe it.

>>

>

> All of which is equally applicable to every other Windows OS, and is a

> greater threat because there are more of them in use today, in toto, than

> there are of XP. People don't patch Vista or Win 7 or Win 8 either. They

> don't patch IE on those OSes, and idiots keep writing new web-based

> software that won't work on more secure browsers. They don't keep their

> anti-malware software up to date on those new OSes either. Nothing has

> magically changed about this going from Win XP to a newer OS.

>

> MS OS security is not "improving" as a whole; they just continue to fix

> what they can identify as broken as a result of demo or real attacks. Every

> day somebody figures out a new way to attack a new OS, and then that has to

> be fixed. The newer the OS, the more people are trying to attack it.

> Relatively fewer people are figuring out new attacks for old OSes. How many

> people do you think are working on new ways to attack Windows 2000 today?

> How many people will be working on new ways to attack Windows XP in 2

> years, as compared to today?

>

> Anything can be hacked; any security can be broken (just ask the NSA);

> nothing is safe. That is true today, and it will be true five, ten, and

> twenty years from now, for Windows and any other OS. The fact that some OS

> designs are harder to crack than others is irrelevant. If the motivation to

> crack it is high enough, it will be cracked. There is no magic design "fix"

> that entirely removes the danger. It can't be done.

>

> Today the bad guys aren't script kiddies goofing around to impress their

> friends. They are organized criminals, rogue governments, and terrorist

> organizations. They are principally looking to steal money, and

> secondarily, to develop options to damage or destroy critical IT

> infrastructure. Malware development costs them money, and they play the

> percentages. If a "hack" doesn't offer those opportunities in a big way,

> they don't spend time on it.

>

> Older OSes are safer from current malware development than newer OSes,

> because the motivation to break newer OSes is much greater, because it is

> more remunerative in those two ways, than the motivation to attack older

> OSes. This isn't rocket science; it's common sense.

>

> And the extent to which people do not keep their OS, browser, and

> anti-malware software up to date does not vary between OSes. So this source

> of problems is constant; it is not greater for XP than for 8.1. And there

> is more Vista, 7, and 8.1 combined running today than XP. Again, common

> sense.

>

> Last time we had this discussion, I cited overwhelming evidence from the

> web that Android phones are the biggest target for current malware. I don't

> remember what the percentage was then, but as of January of this year, it

> was 99%:

>

> http://www.v3.co.uk/v3-uk/news/2323418/android-and-java-

> top-security-targets-for-malware-and-hacks

>

> Java applications are also strong targets according to this article, but

> that's not OS-dependent.

>

>

> Ken Dibble

> www.stic-cil.org

>

[excessive quoting removed by server]

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/CABQeDnWnh7c6Ty6wpBJ0Uz3vKveE7RuWXfTe-zjKzR=kaqmJGA@mail.gmail.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Joe Yoder
Back to top
Re: [NF] Clarification on web security

Author: Ted Roche

Posted: 2014-07-30 14:08:10   Link

Well, Joe, that's a totally different question.

The way a web application determines information about which browser is

making a request is querying something called the "user agent." The user

agent setting for a browser can easily be changed using a plugin. A quick

web search should get you up-to-date info on this.

Good luck!

On Wed, Jul 30, 2014 at 2:59 PM, Joe Yoder <joe@wheypower.com> wrote:

> have done very little with web programming. Can someone point me to a good

> starting point for this issue?

>

>

--

Ted Roche

Ted Roche & Associates, LLC

http://www.tedroche.com

--- StripMime Report -- processed MIME parts ---

multipart/alternative

text/plain (text body -- kept)

text/html

---

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/CACW6n4si3YWiPYn4f5dPO-dZGN9EYWHWPuZzcpkkydhDdnEouQ@mail.gmail.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Ted Roche