MNICHOLS2K
Internet Explorer and Chrome are both reporting that thebrain and webbrain.com's certificates have expired.

"Your connection is not private

Attackers might be trying to steal your information from webbrain.com (for example, passwords, messages or credit cards). NET::ERR_CERT_DATE_INVALID"

Is anyone else seeing this?
pthompson
Thanks. The issue is now resolved.
MNICHOLS2K
Thank you for the quick response.
MNICHOLS2K
SSL vulnerabilities analysis of webbrain.com

Hi WebBrain,

I've run an analysis of the SSL security of the webbrain.com site using the Qualys SSL Labs online service.
https://www.ssllabs.com/ssltest/index.html

The analysis reports that webbrain.com has not been secured against SSL3 Poodle attack and supports an insecure key exchange mechanism.

I know that the Poodle attack was big news a year or two ago and websites moved to secure against it.

I assume that something may have been missed in the configuration/reconfiguration of your web servers and want to make you aware of the security vulnerability.

Unfortunately, I've been unable to attach the PDF report generated by Qualys to this message. You can run the report yourself at the link above and the output will provide instructive links about the implications of the vulnerabilities and how to configure and protect against them.

I only came across the Qualys tool because I'm considering signing up for another web service, "YNAB - You Need A Budget", and they state in the write-up of their security policies that they receive an A+ rating from Qualys for SSL security.

I hope you're able to address the issues as I'm understandably concerned about the security of my data.

Kind regards
MNICHOLS2K
Since posting about the SSL vulnerabilities of the webbrain.com website, I have learned that most modern browsers and operating systems have been patched by their respective developers to prevent the poodle attack exploit from the client-side.

The website https://www.poodletest.com/ will test whether a web browser is vulnerable.

Thankfully, none of the browsers that I use to access Webbrain.com are vulnerable to the poodle attack; e.g., Windows 10 Mobile Edge Browser; Windows 10 Edge Browser; OSX Sierra Safari browser.

Users of older browsers, though, should be warned that they may need to manually disable SSL3 to prevent themselves from being vulnerable.

Also, it appears that since January 20, 2015, with the Java releases JDK 8u31, 7u75, 6u91 and above, the Java Runtime Environment has disabled SSLv3 by default. TheBrain version 8 running on my Windows 10 client is using JDK 8u101, so unless SSLv3 has been intentionally enabled, the TheBrain client should be safe, which I assume it is.

Oracle has provided instructions for checking/disabling the Java Runtime for SSLv3 at:
https://java.com/en/download/help/disable_sslv3.xml

And although I'm now pretty confident that "my TheBrain experience" is safe from the SSLv3 Poodle attack due to security measures implemented client-side, it should still be dealt with server-side as well.

I've just heard back from Patrick (@theBrain), just as I've finished researching and writing this, that TheBrain's engineers are looking into it.
zenrain
Thanks MNICHOLS2K for pointing it out and also following up (with both TheBrain and the post). [smile]
macOS 10.13
TheBrain 9.0.250
pthompson
Thanks for the information.
MNICHOLS2K
Hi All,

For testing whether your web client is vulnerable to the Logjam Vulnerability (the cipher-strength vulnerability exposed at the webbrain.com website - I was wrong describing it as key exchange), try using the beta SSL vulnerability test at: https://dev.ssllabs.com/ssltest/viewMyClient.html

According to the website, Edge on the latest Windows 10 build and Windows 10 Mobile build is not vulnerable to either Logjam or Poodle, therefore I believe I'm safe accessing webbrain.com as long as I use it from these browsers. I haven't had a chance to test OSX Sierra's Safari yet, but I suspect it will not be vulnerable.

I still do not know the status of the Logjam vulnerability in regards to The Brain windows application which runs on Java. 

The silver bullet for all of this is for security to be implemented at the web server, rather than relying upon client-side security.

Kind regards,
MNICHOLS2K
Hi All,

I've used Microsoft Message Analyzer to perform a network trace of the SSL connection to webbrain.com when connecting with the Windows 10 Edge Browser and then the latest TheBrain 8.0.2.2 application.

Under both circumstances, the SSL connection negotiated using TLS and a secure cipher.

Interestingly, accessing webbrain.com using the TheBrain application uses a weaker cipher (yet still secure) than when connecting using the Edge Browser.

The Edge Browser session uses the cipher: TLS_ECDHE_RSA_AES_256_CBC_SHA384
The TheBrain 8.0.2.2 app uses: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

In either case, I'm feeling pretty confident that as long as I'm running on Windows 10 with the latest patches, the Windows 10 client will provide protection against the LogJam and Poodle attacks whether I connect using a browser or the Brain application.  However, anyone living dangerously and still using XP, or some other out-of-support or unpatched operating system, may want to exercise caution until WebBrain removes the server-side vulnerabilities as your client may allow an insecure SSL connection.

I think I've exhausted the subject from my side and will wait to hear back from WebBrain's engineers.

Kind regards


[attachment: TheBrain8Trace.png]
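The two posts above read a negotiated protocol and cipher suite off a trace and judge them by hand. The added example below, which is not code from the thread, from TheBrain or from Qualys, does the same grading mechanically on IANA-style suite names such as the two reported here: it splits the suite into key exchange and bulk cipher, flags the Logjam class (export-grade DHE) and the other hard failures, distinguishes forward-secret CBC suites from AEAD ones, and combines the result with the protocol version so that an SSL 3.0 session is rejected regardless of suite. The "modern", "logjam", "static_rsa" and "anon" suites are constructed illustrations, not suites observed on webbrain.com.

```python
import re

# Suites as reported in the thread (the Edge name appears there without
# "WITH_", as Message Analyzer labelled it) plus constructed examples of
# the classes SSL Labs flags. Nothing claims webbrain.com offered the last four.
SAMPLE_SUITES = {
    "edge":       "TLS_ECDHE_RSA_AES_256_CBC_SHA384",
    "thebrain8":  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "modern":     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # constructed
    "logjam":     "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",   # constructed: 512-bit DH
    "static_rsa": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",           # constructed
    "anon":       "TLS_DH_anon_WITH_AES_128_CBC_SHA",        # constructed
}

_ALGS = r"3DES|DES40|DES|AES|RC4|RC2|NULL|CHACHA20|CAMELLIA|ARIA|SEED|IDEA"
_BULK = re.compile(r"^(%s)(?:_(\d+))?" % _ALGS)
_NO_WITH = re.compile(r"_(?=(%s)(_|$))" % _ALGS)
_FIXED_BITS = {"3DES": 112, "DES": 56, "DES40": 40, "RC2": 40, "NULL": 0,
               "CHACHA20": 256, "SEED": 128, "IDEA": 128}


def parse_suite(name):
    """Split 'TLS_<kex>_WITH_<bulk>' (or the trace's form without WITH_)."""
    body = name.strip()
    if not body.startswith("TLS_"):
        raise ValueError("not a TLS suite name: %r" % name)
    body = body[len("TLS_"):]
    if "_WITH_" in body:
        kex, bulk = body.split("_WITH_", 1)
    else:
        m = _NO_WITH.search(body)
        if not m:
            raise ValueError("cannot find bulk cipher in %r" % name)
        kex, bulk = body[:m.start()], body[m.end():]
    return kex, bulk


def assess_suite(name):
    """Grade one suite. Export/anon/NULL/RC4/DES are 'insecure'; no forward
    secrecy or 3DES is 'weak'; forward secrecy with CBC is 'adequate';
    forward secrecy with an AEAD mode is 'strong'."""
    kex, bulk = parse_suite(name)
    m = _BULK.match(bulk)
    if not m:
        raise ValueError("unrecognised bulk cipher in %r" % name)
    alg = m.group(1)
    key_bits = int(m.group(2)) if m.group(2) else _FIXED_BITS.get(alg)
    problems = []
    if re.search(r"EXPORT|DES40|RC4_40|RC2_CBC_40", name, re.I):
        problems.append("export-grade key exchange or cipher (Logjam/FREAK class)")
    if "anon" in kex.lower():
        problems.append("anonymous key exchange: server is not authenticated")
    if alg == "NULL":
        problems.append("NULL cipher: no confidentiality")
    if alg == "RC4":
        problems.append("RC4: prohibited by RFC 7465")
    if alg in ("DES", "DES40"):
        problems.append("single DES: %d-bit key" % key_bits)
    forward_secrecy = kex.upper().startswith(("ECDHE", "DHE"))
    if any(t in bulk for t in ("GCM", "CCM", "POLY1305")):
        mode = "AEAD"
    elif "CBC" in bulk:
        mode = "CBC"
    else:
        mode = "stream" if alg == "RC4" else "none" if alg == "NULL" else "other"
    if problems:
        grade = "insecure"
    elif not forward_secrecy:
        grade = "weak"       # static RSA/DH: a leaked server key decrypts recorded traffic
    elif alg == "3DES":
        grade = "weak"       # 64-bit block (Sweet32)
    elif mode == "CBC":
        grade = "adequate"   # MAC-then-encrypt CBC: fine on TLS 1.2, the POODLE target on SSL 3
    else:
        grade = "strong"
    return {"suite": name.strip(), "kex": kex, "forward_secrecy": forward_secrecy,
            "cipher": alg, "key_bits": key_bits, "mode": mode,
            "grade": grade, "problems": problems}


def assess_protocol(version):
    """Accepts 'TLS 1.2', 'TLSv1.2', 'SSL 3.0' or 'SSLv3' style labels."""
    v = version.strip().upper().replace(" ", "").replace("V", "")
    if v in ("SSL2", "SSL2.0", "SSL3", "SSL3.0"):
        return "insecure"    # SSL 3.0 is the POODLE target
    if v in ("TLS1", "TLS1.0", "TLS1.1"):
        return "legacy"
    if v in ("TLS1.2", "TLS1.3"):
        return "ok"
    raise ValueError("unrecognised protocol version: %r" % version)


def assess_connection(version, suite):
    """Combine protocol and suite: either one being insecure sinks the verdict."""
    proto = assess_protocol(version)
    info = assess_suite(suite)
    if proto == "insecure" or info["grade"] == "insecure":
        verdict = "insecure"
    elif proto == "legacy" or info["grade"] == "weak":
        verdict = "weak"
    else:
        verdict = info["grade"]
    return dict(info, protocol=proto, verdict=verdict)


if __name__ == "__main__":
    for label, suite in SAMPLE_SUITES.items():
        r = assess_connection("TLS 1.2", suite)
        print("%-10s %-45s %s %s" % (label, suite, r["verdict"], r["problems"]))
```

This grades what one client negotiated, which is all a trace can show; it says nothing about what the server would accept from a weaker client, which is what the SSL Labs server test measures. It takes IANA names as printed by Message Analyzer or SSL Labs, not the OpenSSL-style names (ECDHE-RSA-AES128-SHA256) that `openssl s_client` prints.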
zsviczian

Hi All,

The above conversation is quite insightful. However, to put my mind fully at ease, what I would like to see is an independent security report covering the whole integrated solution: PersonalBrain, web services and mobile apps. I am looking for a reputable 3rd-party penetration test and code scanning report, plus ideally an ongoing (annual should be sufficient) process of repeated 3rd-party security reviews published on thebrain.com.

Is there such a report and regular review process? 

Note, I have read TheBrain security whitepaper, but that is an internal document about the intended high-level design, and not a 3rd-party evaluation of the actual implementation.

Kind Regards

mcaton
Thank you everyone for your interest.  There is a lot of new development happening, as I'm sure you're aware, with TheBrain 9.  Currently, with TheBrain 8 and http://www.webbrain.com, we use Amazon AWS servers/security. By default, synchronization is protected using 128-bit AES Encryption on port 443. This is the same encryption used by the US government to protect classified information.  More general information on Amazon AWS at http://aws.amazon.com/security/ .

TheBrain 9 uses a completely different architecture from TheBrain 8 and we are enhancing security as part of that transition. TheBrain 9 servers are hosted via Microsoft Azure and not AWS. Additionally, passwords are salted and hashed using a unique-per-user salt. We will put together a technical overview of security features of TheBrain 9 as we get further along in the development process or soon after the release. Presently we are busy finishing up betas of the mobile versions and finalizing the desktop release.

Thanks for your interest and questions as they will help us in knowing what the key concerns are which we should cover as well as plan around for future improvements.

Thank you,
Matt

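Matt's post says TheBrain 9 stores passwords salted and hashed with a unique-per-user salt but does not say which algorithm. The added example below is my own illustration of that property, not TheBrain's code: PBKDF2-HMAC-SHA256 from the standard library with a random 16-byte salt per record, so that two accounts with the same password produce different stored values, a constant-time comparison on verification, and an iteration-count check that lets old records be upgraded on the next login. The iteration count and record format are my choices.

```python
import base64
import hashlib
import hmac
import os

# OWASP's current PBKDF2-HMAC-SHA256 figure; tune so one hash takes ~100 ms on your servers.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.
    A fresh random salt per call is what makes the hash unique per user:
    identical passwords on two accounts store different records, and a
    precomputed (rainbow) table built for one salt is useless for the rest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute with the stored salt and count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type: %s" % algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record was made with fewer rounds than current policy,
    so it can be replaced transparently after the next successful login."""
    algo, stored_iters, _salt, _dk = record.split("$")
    return algo != "pbkdf2_sha256" or int(stored_iters) < iterations


if __name__ == "__main__":
    alice = hash_password("correct horse battery staple")   # constructed sample
    bob = hash_password("correct horse battery staple")
    print("same password, different records:", alice != bob)
    print("verify:", verify_password("correct horse battery staple", alice))
```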
zsviczian
Hi Matt,

Thank you for the response. I am aware of the developments and expectantly waiting to get my hands on the new Brain Android App. I am also delighted to hear about the technology / design choices.

Based on my experience, even the very best developer teams make mistakes and leave doors open. Since TheBrain is a digital companion to my mind, holding not only raw data but context about my thoughts, security is a similar concern as in the case of banking.

I urge 3rd party code scanning using a reputable industry player such as Veracode, and similarly urge penetration testing employing a partner such as KPMG.

Regards,
Zsolt
mcaton
Zsolt,

Thanks again for your feedback.  Your requests have been documented and shared with our development team.

Thank you,
Matt
MNICHOLS2K
Hello TheBrain -

As part of your shift to a better security model, please put proactive monitoring in place to detect when your site's certificates expire or are misconfigured.

Currently, the download website https://assets.thebrain.com/ from which version 8.0 downloads has an invalid certificate and/or configuration. Windows 10 reports that the download cannot be confirmed as being from thebrain.com and, if you go directly to the website within the Edge Browser, the following is reported:

"There’s a problem with this website’s security certificate

This might mean that someone’s trying to trick you or steal any information that you send to the server. You should close this site immediately."

Browsing to the site using Chrome from within my client's corporate firewall, the certificate is reported as failed due to a common name mismatch, where the host name is 'assets.thebrain.com' but the common name is '*.cloudfront.net'.

Maintaining and proactively monitoring your certificates and public key infrastructure is no longer optional nowadays. It does not fill me with confidence that this is the third time, on three separate occasions, that I've reported to TheBrain that your public websites' certificates are invalid or misconfigured. You really should be proactively monitoring and managing these things.

Please get on top of certificates. Seeing that public-facing certificates are not being proactively monitored and maintained doesn't make me confident that our data on the other side of the "SSL" connection is being looked after.

Please post when the SSL issue has been resolved, so I may confidently download version 8 from your site.  I do not trust downloads coming from unverified web servers.

It would also be nice if thebrain.com would proactively protect its customers by removing server-side website vulnerabilities as I documented in my previous comments above.

Kind regards 

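The post above asks for proactive monitoring of the two failures this thread has reported: an expired certificate (Chrome's NET::ERR_CERT_DATE_INVALID from the first post) and a hostname that the certificate does not cover (assets.thebrain.com served with a `*.cloudfront.net` certificate). The added example below is my own monitor, not TheBrain's code. It implements the RFC 6125 wildcard rule that makes `*.cloudfront.net` fail for `assets.thebrain.com`, computes days to expiry so a warning fires before the browser error does, and runs offline against a constructed `getpeercert()`-style dict that stands in for the CloudFront certificate (the dates and the `d1.cloudfront.net` hostname are made up). `fetch_peer_cert` is the live path and is not exercised offline.

```python
import socket
import ssl
import time

# Constructed stand-in for the certificate the thread describes being served
# for assets.thebrain.com; dates are invented. Layout matches
# ssl.SSLSocket.getpeercert() so the same checks run on a live result.
CLOUDFRONT_CERT = {
    "subject": ((("commonName", "*.cloudfront.net"),),),
    "subjectAltName": (("DNS", "*.cloudfront.net"), ("DNS", "cloudfront.net")),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
}


def hostname_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; a wildcard must be the entire
    left-most label of a name with at least two more labels and matches
    exactly one label, so *.cloudfront.net covers d1.cloudfront.net but
    not cloudfront.net, a.b.cloudfront.net or assets.thebrain.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def cert_names(cert):
    """DNS names the certificate is valid for: the SANs, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_cert(cert, hostname, now=None, warn_days=14):
    """Offline checks on a getpeercert()-style dict. 'problems' are what a
    browser rejects today; 'warnings' are what a monitor should page on
    before that happens."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400.0
    names = cert_names(cert)
    problems, warnings = [], []
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired %.1f days ago" % -days_left)   # NET::ERR_CERT_DATE_INVALID
    elif days_left < warn_days:
        warnings.append("expires in %.1f days" % days_left)
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("name mismatch: %s not covered by %s" % (hostname, names))
    return {"ok": not problems, "days_left": days_left, "names": names,
            "problems": problems, "warnings": warnings}


def fetch_peer_cert(host, port=443, timeout=10):
    """Live fetch with validation left on. A certificate the platform already
    rejects (expired, wrong name, untrusted chain) comes back as
    (None, reason) carrying OpenSSL's verify message; a valid one is returned
    as the dict check_cert() consumes, so the days-left warning still runs."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["assets.thebrain.com"]:
        cert, err = fetch_peer_cert(host)
        print(host, "verify failed: %s" % err if err else check_cert(cert, host))
```

Run it from cron against every public hostname and alert on any `problems` entry or on `warnings`, which fires two weeks before the date error a browser would show; with validation on, the live path cannot silently accept the `*.cloudfront.net` mismatch, because Python's default context passes `server_hostname` to OpenSSL's own hostname check.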
mcaton
Thanks for posting.  I'll be sure to share this with our development team.

Matt