[bestbits] IGF registration form completely unencrypted

Alex Comninos alex.comninos at gmail.com
Tue Sep 17 13:56:00 EDT 2013


Hi All

I had raised earlier the issue that the IGF online registration form
was on an HTTP connection and thus unencrypted.

I was in part wrong. It turned out the registration form was
encrypted, by embedding an HTTPS form in an HTTP site. Despite this
being very bad practice, and subject to some vulnerabilities, it
offered basic encryption.

It seemed that if someone wanted to register for the IGF, but feared
that their personal information on the registration form may be
intercepted by someone on the same network, they could in effect most
likely do this without worry (for most adversaries). Bob believes that
he can register for the IGF without Alice, who controls the network,
finding this out, along with his personal information, including
passport information. I think that this is a minimum expectation for
an event like the IGF.

However, considering the methodology of delivering confirmation of
registration, Bob was completely mistaken: Alice knows he has
registered for the IGF. In addition, Alice knows his passport number,
email address, date of birth, and other personal information. Why?
Well, because the confirmation of registration was provided by means of
an unencrypted HTTP link to a server that contains his registration
document. For example, from the email below:

Dear Mr. Alexis Comninos,

Your registration form...For visa issuance facilitation, you are
kindly requested to visit: http://igf2013.or.id/visa-info/.

....snip....

You can download a copy of your registration form at:
http://www.intgovforum.org/cms/wks2013/registration/IGF-Registration-Confirmation-**********_****.********@*********_381.pdf

...snip...

Best regards,

The IGF Secretariat

What happens in this scenario?

Assumptions: Bob has his own device, and is using either an offline mail
client that is set to make encrypted connections to a server, or
an online client (e.g. Gmail using an HTTPS connection) which he
accesses through HTTPS. Bob is however using an internet connection
through a public connection/wifi hotspot/untrusted network. Beknownst
or unbeknownst to Bob, Alice is on the network, running a free, easy-to-use
packet sniffing utility (e.g. Wireshark). Bob opens his email from
the IGF secretariat.

What does Alice find out?

1. Bob accessed a URL
http://www.intgovforum.org/cms/wks2013/registration/IGF-Registration-Confirmation-**********_****.********@*********_381.pdf
2. From the above URL, someone is registering for the Internet Governance Forum
3. From the above URL, Passport or Travel Document Number
4. From the above URL, email address, and thus possibly the first and last
names of the registrant
5. That Bob was the 381st person to register for the IGF.

If Alice then follows the link, she downloads the publicly
available-to-anyone-with-the-link PDF and finds out: Title, Last Name,
First Name, Email, Date of birth, Delegation/Country, Organisation or
Agency, Stakeholder Group, Region, Passport/Identity document number,
Type of Identity Document and validity, Country of Issue of identity
document, Telephone Number and Permanent Official Address.

tl;dr don't download your confirmation of registration on an
unencrypted connection; someone may see some of your personal
information. A censored version of the email I received in
confirmation of registration is below. It is similar to the one you
may receive, should you have registered for the IGF; it has the
same vulnerabilities.

---------- Forwarded message ----------
From: Internet Governance Forum <igf at unog.ch>
Date: 17 September 2013 18:29
Subject: Confirmation of your registering to the 8th IGF meeting in Indonesia
To: alex.comninos at gmail.com


Dear Mr. Alexis Comninos,

Your registration form has been processed and you have been registered
as a participant at the Eighth Meeting of the IGF. The Meeting will
take place at the Bali Nusa Dua Convention Center (BNDCC) in Bali,
Indonesia, from 22 to 25 October 2013. Please visit the Host Country's
Web site for logistical details at http://igf2013.or.id/. For visa
issuance facilitation, you are kindly requested to visit:
http://igf2013.or.id/visa-info/.

=== Badging ===

Badges will be issued on site before the Meeting starts. Participants
are required to go to the badging desks at the BNDCC with a printed
copy of the registration form and a government issued picture ID.

The badging desks will be open from Saturday 19 October 10:00 hours
and participants are encouraged to collect their badges as early as
possible after arrival to avoid congestion.

You can download a copy of your registration form at:
http://www.intgovforum.org/cms/wks2013/registration/IGF-Registration-Confirmation-**********_alex.comninos@gmail.com_381.pdf

This registration confirmation will also help you through your visa
application. Kindly attach a copy of this form to your application.

We look forward to your participation at the IGF Meeting in Bali.

Best regards,

The IGF Secretariat

Email: igf at unog.ch



...
Alex Comninos | doctoral candidate


On 9 September 2013 17:09, Alex Comninos <alex.comninos at gmail.com> wrote:
> Hi All
>
> Embedding HTTP in HTTPS is still very bad practice; there are many
> possible vulnerabilities it can present, outlined here:
> https://developer.mozilla.org/en-US/docs/Security/MixedContent
>
> Kind regards,
> Alex
>
> ...
>
>
> On 9 September 2013 15:59, William Drake <william.drake at uzh.ch> wrote:
>> Hi
>>
>> On Sep 9, 2013, at 3:10 PM, Alex Comninos <alex.comninos at gmail.com> wrote:
>>
>> On 9 September 2013 15:06, Robert Guerra <rguerra at privaterra.org> wrote:
>>
>> Someone correct me if I am wrong - but this isn't the first time the issue
>> of having an insecure registration site has been raised.
>>
>>
>> IGF 2011 had an http registration and I raised it then, 2012 utilised
>> HTTPS, I am not sure of the others.
>>
>>
>> Saw this message and shot the secretariat a note, since it's their site.
>> Chengetai's response is below.
>>
>> Cheers
>>
>> Bill
>>
>> —————
>>
>> From: Chengetai Masango <CMASANGO at unog.ch>
>> Subject: Re: [bestbits] IGF registration form completely unencrypted
>> Date: September 9, 2013 3:37:20 PM GMT+02:00
>> To: William Drake <william.drake at uzh.ch>
>> Cc: IGF <IGF at unog.ch>
>>
>> Hi Bill,
>>
>> We have an https link
>>
>>
>> https://comanche.vervehosting.com/~wgig/igf/cms/wks2013/meeting_attendance_registration_2013_IGF.php
>>
>> I will add the link to the form.
>>
>>
>> On the server side it's all encrypted, so that's fine.
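As an added example (not part of this post or the IGF's own code), a small Python check that a secretariat or mail-template reviewer could run over confirmation links: it flags the weaknesses described above (plaintext HTTP, the registrant's e-mail and document number in the URL path, and a sequential registration counter) against a constructed filename in the same shape as the masked one in the thread, and shows a hardened link built from an unguessable token served over HTTPS. The host names, the passport-like sample number and the dict standing in for a server-side store are all assumptions.

```python
"""Audit a registration-confirmation link for the weaknesses in the thread:
plaintext HTTP, e-mail and document number in the path, sequential counter.
Hosts, sample number and the dict "store" are constructed for this example."""
import re
import secrets
from urllib.parse import urlparse, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Shape of the filename quoted in the thread:
#   ...Confirmation-<document number>_<e-mail>_<registration counter>.pdf
FILENAME_RE = re.compile(
    r"Confirmation-(?P<doc>[A-Za-z0-9]+)_(?P<email>[^/_]+@[^/_]+)_(?P<seq>\d+)\.pdf$")

# Constructed sample link in the same shape as the (masked) one in the thread
SAMPLE_LINK = ("http://www.example.org/cms/registration/"
               "IGF-Registration-Confirmation-AB1234567_bob@example.org_381.pdf")


def audit_confirmation_url(url: str) -> list:
    """Return the weaknesses found in a download link; an empty list is clean."""
    findings = []
    parsed = urlparse(url)
    path = unquote(parsed.path)
    if parsed.scheme != "https":
        # Everyone on the network path sees the URL, and the PDF, in the clear
        findings.append("plaintext-transport")
    if EMAIL_RE.search(path):
        # The URL alone identifies the registrant even over HTTPS: it ends up
        # in server logs, browser history and Referer headers
        findings.append("email-in-path")
    m = FILENAME_RE.search(path)
    if m:
        findings.append("document-number-in-path")
        # A counter lets anyone enumerate other registrants' documents
        findings.append("sequential-id:" + m.group("seq"))
    return findings


def issue_download_link(base_url: str, registration_id: int, store: dict) -> str:
    """Hardened alternative: HTTPS plus an unguessable, meaningless token that
    the server maps to the registration record (the dict stands in for the
    database; a real deployment would also expire the token and require login)."""
    if urlparse(base_url).scheme != "https":
        raise ValueError("confirmation links must be served over HTTPS")
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, not enumerable
    store[token] = registration_id
    return f"{base_url.rstrip('/')}/download/{token}"
```

Switching the sample link to HTTPS alone still leaves the e-mail, document number and counter findings, which is the point the audit makes.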


More information about the Bestbits mailing list