Decline in WordPress Wow Factor? I’d Be Happy for a Duh Factor

WP Tavern has an article–now with dozens of comments–arguing that the wow factor in major WordPress releases is getting few and far between.

Because of WordPress’ maturity and the short development cycle, major features are getting few and far between. By looking at the Beta tab on the WordPress plugin directory, visitors can view projects that may end up in future versions of WordPress. The only project on the page that excites me is the Front-end Editor but based on how long it’s been in development, I’m not holding my breath.

Please excuse me while I throw up in my mouth. The self-hosted version of WordPress is one of the most widely deployed pieces of software on the web, and yet in 2016 users still have to track down a plugin if they want to do something as basic as rate-limit logins to prevent brute-force password attacks.

At this point, the lack of such a basic feature has to be put down to extremely poor leadership and vision. WordPress is deployed by a lot of novices, and not only should there be a rate-limit feature, but it should be enabled by default.

But hey, what’s minimal security features in a world where the admin UI needs to be redesigned repeatedly or basic features in the editor need to be removed for no good reason?

Squarespace–Support SSL Already

So one day my wife wanted a website to highlight her award-winning pottery. She finds WordPress a bit cumbersome to use and after looking at a number of hosting sites settled on Squarespace. After purchasing a site there, I registered a domain name for the site and we sat down and took a look at what needed to be done to point the domain to the site.

And that’s where things got weird. Because I figured while I was reading Squarespace’s documentation about where to point the domain DNS, I’d also see what the process was for adding an SSL certificate. And the answer was shocking–there is no option for individuals to use SSL on Squarespace sites.

When you log in to Squarespace or set up an e-commerce area, Squarespace sends you to an area that uses Squarespace’s SSL certificate. But those are the only times that users will see SSL related to a site they have set up. As Squarespace explains (emphasis added):

Some areas of Squarespace sites are protected by SSL, including checkout for Commerce transactions and wherever you log into your site. However, SSL isn’t currently available for other pages.

We don’t offer the ability to install custom SSL certificates at this time.

This is crazy, and potentially dangerous. Without SSL, browsing Squarespace sites is subject to snooping by third parties. Attackers could potentially perform man-in-the-middle style attacks by intercepting the non-encrypted traffic and injecting malicious code.

One of Squarespace’s competitors not only supports SSL for the millions of blogs/sites it hosts, but just announced it was using Let’s Encrypt to offer free SSL to every single custom domain on its network.

That Squarespace continues to expose both its visitors and its customers to these sorts of risks is inexcusable.

LostPass Phishing Attack Against LastPass

Every few months, someone comes out with a clever attack on LastPass. In January, for example, Sean Cassidy released his LostPass phishing attack that “allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.”

LostPass is a clever phishing attack. Essentially an attacker creates a fake notice that a user’s LastPass session has expired and asks them to log in. The fake version is visually identical to the actual notice LastPass uses, and even technical users would be unable to distinguish between the real notice and a phishing attempt.

LastPass responded by removing the button in its session expiration notices (so users will, presumably, be able to better distinguish fake versions which would need to have some sort of “login” button). LastPass also now requires users to go through an email-based process to approve logins from any previously unknown device or IP address.

LastPass also points the finger at Google, saying it identified these sorts of problems with the way Chrome displays notifications, but that its complaints fell on deaf ears:

A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.

It is good that people like Cassidy are out there looking for ways to get around LastPass’ security, and also good that LastPass generally responds to these sorts of attacks much more quickly and effectively than a lot of companies. Every time a vulnerability in LastPass is found, people I know ask me whether they should still use LastPass, and my answer so far has always been “yes.”

So far the vulnerabilities that have been found in LastPass are of the sort that I still feel far more secure using it to manage my passwords than using some other password manager or (even worse) some other method for creating and managing the passwords to the dozens of services I have credentials for.

Qubes OS–Security Through Compartmentalization

Qubes OS is a Fedora-based Linux distro that relies on virtualization to minimize potential security risks.

Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated virtual machines (VMs). A VM is basically a simulated computer with its own OS which runs as software on your physical computer. You can think of a VM as a computer within a computer.

This approach allows you to keep the different things you do on your computer securely separated from each other in isolated VMs so that one VM getting compromised won’t affect the others. For example, you might have one VM for visiting untrusted websites and a different VM for doing online banking. This way, if your untrusted browsing VM gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use, “disposable” VM. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop.



Cormac Herley on the Cost of User Effort in Applying Security Policies

Excellent insight from Microsoft researcher Cormac Herley in his analysis of security advice, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF):

7.3 User Effort is not Free

In addition to overestimating benefits, advice almost always ignores the cost of user effort. The incremental cost of forcing users to choose an 8-character strong password, as opposed to allowing a 6-digit PIN, is hard to measure, but is certainly not zero. And ignoring it leads to a failure to understand the rational and predictable nature of user response.

There are about 180 million online adults in the US. At twice the US minimum wage one hour of user time is then worth $7.25×2×180e6 = $2.6 billion. A minute of user time per day is a $7.25 × 2 × 180e6 × 365/60 = $15.9 billion per year proposition. This places things in an entirely new light. We suggest that the main reason security advice is ignored is that it makes an enormous miscalculation: it treats as free a resource that is actually worth $2.6 billion an hour. It’s not uncommon to regard users as lazy or reluctant. A better understanding of the situation might ensue if we viewed the user as a professional who bills at $2.6 billion per hour, and whose time is far too valuable to be wasted on unnecessary detail. Echoing Adams and Sasse [21] we might say: the user is your boss’s boss’s boss. This would help ensure that we ask for a minute of user time (the boss’s) only when absolutely necessary.

Workshop on Security and Human Behavior 2014 Recordings

Security researcher Bruce Schneier calls the annual Workshop on Security and Behavior “the most intellectually stimulating two days of my years.” The format of the workshop involves three or four people giving short 7-9 minute presentations about a topic from different angles followed by an hour discussion of the issues raised by the presentations.

Full audio recordings of the presentations from the 2014 workshop are available online and it is fascinating stuff if you’re at all interested in physical/computer security issues.