Update 2017.08.07
We see no indication that anything has changed so the advice below is still our advice.
This whitepaper was created in response to customers' questions.
On 2016.07.29 the WPAD exploit hit the news.
So … here is how it affects MCC and MC products and what steps you should take.
In a nutshell, the concern is,
- if you log in at Starbucks (or any WiFi hotspot), some software can be compromised.
- All MCC products (MCe, MCxLE, LoginHub etc.) are unaffected by (safe from) the WPAD exploit, so use them anywhere you want with any browser you want.
- MC-MRO is not safe unless you use Edge, so use Edge or follow the advice below, or don't access MRO from WiFi hotspots.
- MC-Express is not safe unless you use Edge, so use Edge or follow the advice below, or don't access MRO from WiFi hotspots.
Update 2016.07.28
An article that shows 'why' IE 11 and Edge do not have this vulnerability, and discussion of ways to 'fix' it for other browsers until other browsers implement the IE 11 and Edge solution.
Executive Summary:
The report (starting 2016.07.26) is that HTTPS is not secure at WiFi hotspots etc.: http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/
Aside: More and more browsers are dropping support for features in HTTP (technically 'insecure' locations such as HTTP over the internet) and more and more they are going to be showing warnings. Chrome especially is trying to force everyone to HTTPS (except for those on an intranet) ASAP. As this happens, we expect customers are going to be thinking about security and expecting HTTPS to provide them with full security. We also have a few customers now that follow these things closely, and indeed, we recommend HTTPS for all new and upgraded installs.
- The warning does NOT apply to Maintenance Connection Canada applications (such as MCe/MCxLE, LoginHub, DataHub and our older products no longer for sale such as the Tablet Hybrid).
- It DOES apply to the Maintenance Connection applications such as MRO and MC Express, because the URL contains everything needed to bypass security.
Recommendation to users:
- Only run MRO, MC Express, Technician Work Center, Reporter and Service Requester:
  - from a known secure spot such as the customer's own Intranet,
  - or make sure WPAD is turned off (This is not possible on all devices – I don't know, for example, how to turn it off on cell phones or iPad/OSX laptops) (Note: in any places where they are doing this exploit – they will probably make WPAD a requirement to use the network, and you won't know whether that is the reason they have made WPAD a requirement.)
  - or use a VPN. (This will give you a protected tunnel.)
- No recommendations for MCe/MCxLE – they are safe from this exploit. But for added security against unknown future potential breaches, you could also use a VPN.
- We provide (at an hourly rate) assistance for setting up VPNs and turning off WPAD (where possible) for those customers that want such assistance.
Reports of HTTPS not being as secure as possible
Specifically, it was demonstrated that the URLs can be sniffed from HTTPS at WiFi hotspots etc. when WPAD is enabled.
The exploit essentially works with most (or all) of the browsers we support and all the operating systems we support.
It is ONLY the URL that is made visible to the spy/attacker.
This means there is only a security risk if a URL contains ALL the information needed to log in.
There are indications that IE and Edge may provide some protection against this exploit; unfortunately, this is harder to test without a sample of the exploit to run.
LoginHub
LoginHub explicitly encrypts all passwords before sending them to the server. And while the base Maintenance Connection does pass passwords through in clear text, they are not passed through on the URL.
How to see if specific software is at risk:
The easiest way is to copy the URL from one computer to another. If it lets you in – you are vulnerable to this exploit. If it does not let you in – either you are completely safe from this exploit, or in some cases the hackers would have to know something explicit about the application's encoding of the URL in addition to this exploit.
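The copy-the-URL test above is the manual version of the question "does the URL alone carry everything needed to log in?". The following is an added example (not code from the original whitepaper or from Maintenance Connection) that models the two halves of the issue offline: what a proxy auto-config script receives from the browser (the full URL under the older browser behaviour, only scheme and host for HTTPS under the IE 11 / Edge behaviour described in the update above), and a simple audit that flags query parameters which look like login material. The parameter names and the sample URLs are constructed for illustration and are not the real URL formats of MRO or MC Express.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Query parameter names that, if present, mean the URL by itself grants access.
# Constructed list for illustration; extend it with your application's own names.
CREDENTIAL_PARAMS = {
    "user", "username", "userid", "password", "pwd", "pass",
    "token", "sessionid", "sid", "auth", "apikey",
}


def pac_url_argument(url: str, strip_path_for_https: bool) -> str:
    """Return the 'url' argument a browser hands to a PAC script's FindProxyForURL().

    strip_path_for_https=False models the older behaviour: the full URL, path and
    query included, is passed even for HTTPS, so a hostile PAC script served over
    WPAD sees it.  strip_path_for_https=True models the IE 11 / Edge behaviour
    (assumed here as described in the whitepaper's update): for HTTPS only the
    scheme and host survive, so the script learns nothing beyond the site name.
    """
    parts = urlsplit(url)
    if strip_path_for_https and parts.scheme == "https":
        return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))
    return url


def credential_params_in_url(url: str) -> list:
    """Names of query parameters in the URL that look like login material."""
    query = urlsplit(url).query
    return [name for name in parse_qs(query, keep_blank_values=True)
            if name.lower() in CREDENTIAL_PARAMS]


def leaks_login_via_wpad(url: str, browser_strips_https_path: bool) -> bool:
    """True when a PAC script, under the given browser behaviour, would receive
    enough of the URL to log in as the user."""
    seen_by_pac = pac_url_argument(url, browser_strips_https_path)
    return bool(credential_params_in_url(seen_by_pac))


if __name__ == "__main__":
    # Constructed sample URLs: one with credentials in the query string, one
    # whose path segment only works for a browser that has already logged in.
    samples = [
        "https://mc.example.invalid/express/login.aspx?user=alice&password=s3cret",
        "https://mc.example.invalid/mce/App/ABC123XYZ/",
    ]
    for url in samples:
        for strips in (False, True):
            print(f"strip_https_path={strips!s:5}  leaks={leaks_login_via_wpad(url, strips)!s:5}  "
                  f"pac sees: {pac_url_argument(url, strips)}")
```

Run it as a script to see the same URL judged under both browser behaviours. The audit is deliberately a static check on the URL's query string: it complements rather than replaces the manual copy-to-another-computer test, which also catches designs that put a replayable session identifier in the path rather than the query.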
Sample URLs
Note, the 'insecure' ones are taken from a 'safe' location so these will not work for you to breach my servers! They are showing the URLs – to verify what I am saying, take the URL from one browser to another and you'll see you can log in to MC Express or MRO simply by copying the URL.
Prior to today, we have simply stated that we felt there was 'a risk' that the MRO/MC Express ones could 'someday' be a breach. Someday has come.
LoginHub:
http://iismc7/mc_web/onsite/loginHub/
Secure.
MCe/MCxLE:
This is a LIVE URL so you can see what happens if you sniff out the MCe URL (It does not give you access unless you already have successfully logged in – so no breach.)
https://dev.mccdemo.com/mce/App/cNZOAKKNURT/
MRO:
Needs VPN or one of the other recommendations to be secure.
MC Express:
Needs VPN or one of the other recommendations to be secure.