Yet More Security Reasons to Give Microsoft a Miss

In the wake of Microsoft's dire financial results, it might seem a little unsporting to draw attention to more of the company's problems. But its continuing stranglehold on companies and governments around the world means that such measures are...


In the wake of Microsoft's dire financial results, it might seem a little unsporting to draw attention to more of the company's problems. But its continuing stranglehold on companies and governments around the world means that such measures are justified, not least because people are suffering as result – millions of them.

That's not just my hyperbole, but a simple statement of the facts, as this extraordinary story about TheNextWeb%28The+Next+Web+All+Stories%29>South Korea demonstrates:

Korea's reliance on Microsoft's Internet Explorer browser and ActiveX software is being blamed for enabling a spate of hacks that have compromised more than 100 million user records from the country over the past five years.

Operator KT suffered a breach that endangered the records of nearly 9 million customers last year, while online games firm Nexon had more than 13 million user records compromised in 2011. The largest breach in recent times came from SK, the firm behind Facebook-forerunner Cyworld, which is estimated to have had 35 million records nabbed in 2011.

Experts are pointing the finger at the reliance on the Microsoft-made software for these attacks and others in recent years.

Yes, that's the same ActiveX technology that was introduced 17 years ago, and was almost immediately recognised as a huge security risk by experts at the time. Despite that, South Korea not only went on to adopt it for government and commercial transactions, it made it obligatory, forcing everyone in that country to use Internet Explorer.

The results of the government-mandated monoculture are now plain for everyone to see, and South Korea is finally moving to a more resilient approach, but along the way that blind trust in Microsoft products has caused untold damage to large numbers of people.

ActiveX's problems were widely known. But the other story concerning Microsoft and security has only just appeared on the tech radar, even though the underlying issues were well understood two decades ago.

Recent revelations about massive spying by NSA (and GCHQ), and the routine storage of our online communications, have highlighted the importance of encrypted connections across the Internet using SSL. It turns out that there is a technology readily available, called Perfect Forward Secrecy (PFS), that can make it much harder to spy on such connections:

When PFS is used, the compromise of an SSL site's private key does not necessarily reveal the secrets of past private communication; connections to SSL sites which use PFS have a per-session key which is not revealed if the long-term private key is compromised. The security of PFS depends on both parties discarding the shared secret after the transaction is complete (or after a reasonable period to allow for session resumption).

Eavesdroppers wishing to decrypt past communication which has used PFS face a daunting task: each previous session needs to be attacked independently. Even knowing the long-term private key does not help as the session key is not available by simple decryption. Conversely, when SSL connections do not use PFS, the secret key used to encrypt the rest of the session is generated by the SSL site and sent encrypted with the long-term private-public key pair. If this long-term private key is ever compromised all previous encrypted sessions are easily decrypted.

That's the good news. But the question then becomes: which browsers support PFS, and how well? The Netcraft post quoted above provides us with some fascinating data in this regard:

Netcraft has tested the cipher suite selection of five major browsers — Internet Explorer, Google Chrome, Firefox, Safari and Opera — against 2.4 Million SSL sites from Netcraft's June SSL Survey. The support for PFS varied significantly between browsers: only a tiny fraction of Internet Explorer's SSL connections operated with PFS; whereas Google Chrome, Opera and Firefox were protected for approximately one third of connections. Safari fared only a little better than Internet Explorer.

In fact, Internet Explorer failed to utilise PFS 99.71% of the time, compared with Firefox's 66.38% and Chrome's 66.39% - a pretty astonishing gulf. Of course, that's only one side of the equation: another interesting issue is how well the different Web servers do, and Netcraft has put together a fascinating matrix that shows the interaction between different clients and servers. Here's what it found:

nginx, an open-source web server originally written by Russian Igor Sysoev, uses strong cipher suites by default, which has caused some to comment on nginx's SSL performance. With the exception of Internet Explorer and Safari, more than 70% of SSL sites using the web server selected a PFS cipher suite when visited with a modern browser.

The usage of PFS amongst SSL sites using Apache is also fair, around two-thirds of the SSL sites it serves use a PFS cipher suite when visited in Firefox, Chrome, or Opera. Conversely, Microsoft's support for PFS cipher suites is notably lacking; both Microsoft IIS and Internet Explorer only rarely use PFS cipher suites — when used together only 111 (0.01%) of SSL connections between IIS and IE used PFS.

That is, open source solutions not only shine on the client side, but are incomparably better server-side, too.

Until a few weeks ago, PFS support would have been an obscure feature of little interest to most companies. But given the global and continuous nature of NSA spying it becomes a must-have for organisations that wish to make their online communications as secure as possible. So once again the conclusion has to be that anyone using Microsoft's products for secure Web connections is being irresponsible, since they expose themselves and their customers to a far higher risk of being spied upon at some point.

As I mentioned recently, that irresponsibility could soon have major financial and legal consequences if losses are caused as a result. Given the experience in South Korea, where weaknesses in Microsoft's Internet Explorer and ActiveX technology have repeatedly caused massive security issues, that seems to be only a matter of time.

Follow me @glynmoody on Twitter or, and on Google+

"Recommended For You"

Microsoft Internet Explorer SSL security gap ignored HTTPS security flaw uncovered by researchers