TLDR: The community demanded a fix, and hover.com have fixed the issue, to the best of our knowledge without disclosing any personal information or customer passwords to any third parties*.
* Yes, your email provider will know, and possibly some routers your traffic passed through (such as your ISP's). Change your password now and it's a minor problem solved.
Security is an easy thing to make a mistake on, and a notoriously difficult thing to get right even when everyone is trying really hard.
A security mistake can and does happen to the best in the technology industry. When I boot into Ubuntu Linux and Mac OS X, I’ve seen both needing patches every other week. Skype (pre-Microsoft acquisition) allowed users to be rootkitted on the Mac. I see Microsoft shipping updates to fix bugs in their operating system every month like clockwork. Even Google got hacked by China. RSA had their SecurID tokens compromised.
Tucows has been around since 1994, and is the parent of hover.com, created in 2008 through the merger of their 3 domain registrars – NetIdentity, It’s Your Domain (IYD), and Domain Direct. That’s a lot of legacy, with things like, as they said, needing telephone support. Even the best developer needs some time to test their code, and changing an authentication system which could adversely affect millions of users needs thorough testing.
Today it is very hard to defend the practice of storing a customer password, and I don’t and won’t. Neither does Ross Rader, Hover’s GM. Strong cryptographic hashing is a requirement for any modern website, and hover.com is clearly working hard on that transition.
Ultimately, it needs to be placed in perspective. The threat to me is similar to that of all Django sites using SHA-1 by default, which is considered “weak” as the best known attack has a theoretical complexity of 2^51 hash function calls. It is a possible and unnecessary risk, and in general to be avoided, but far from a proven breach of security.
I first alerted Hover to this issue when I first used them – on July 2, 2011 (Sydney, Australia), as part of my first real attempt at having a presence I control online (shout out to Leo Laporte – go TWiT). I was catching up on Security Now! Episode 306, when I heard something a monkey could likely be trained to do (and thus also likely a malicious crawler/script roaming the net):
“Marc Beaupre in Montreal, Quebec said one way to know whether the site stores your password in cleartext is whether they send the password itself when you perform account recovery”.
Trying it and finding hover.com vulnerable, I gave them 2 months, which I deemed a reasonable time to communicate and have them understand the threat and update their systems (though I’d be interested in what is a reasonable time, especially from people who have implemented an update like this).
(Personal details omitted)
I honestly didn’t know of the HackerNews post on July 5 until today (and have been quite sick and more interested in my honours thesis the past couple of weeks), and I think others likely have pointed out the issue as well. Since they claim to have been working on it since last Spring and implemented their final fix in 48 hours, it is good that the community effectively jolted them into action sooner.
Since I use a password manager, I don’t really care that a >20 character monster once-used random password may have possibly gotten loose, and again the issue has been fixed. For those who have been using Hover for a little longer or may have reused their Hover password elsewhere, it’s always a good idea to change your password once in a while.
Hover, with its Tucows legacy, is also a very well-established provider with clear policies and procedures, which is important. I’d frankly like my domain registrar to be predictable rather than capricious or sexy – it’s infrastructure which should be boring and dependable.
For the above reasons, I’m not planning on switching unless someone suggests an alternative that is clearly better, and so far I haven’t seen one. That doesn’t mean I’m not open to the idea, and to the community at large – please feel free to suggest better alternatives if they exist and provide evidence of their past track record with regard to security, privacy and usability.
Remember, we’re all still human, and there are always slower fish, “mom & pop” sites, and so forth out there – for example http://itestate.com.au/ doesn’t even use HTTPS for customer logins (which is why I’ve only ever paid on pickup if I needed some cheap PC stuff from there). Not everyone should need to be a security expert just to have a site on the net, but sadly that’s the trend if you don’t outsource the hassle to someone else like SquareSpace.
Like most things in security, it’s far too easy to let little things be blown way out of proportion. While I’ve cut my share of Java, Python and C# code, I haven’t personally implemented Django BCrypt or something similar so I don’t know how hard it really is and what the pitfalls could be, let alone migrated millions of user accounts, or had to consider issues like malicious users with motives attempting account fraud. Full credit to Ross Rader for handling the issue amicably.
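To make concrete what the earlier paragraphs on strong hashing, Django's weak SHA-1 default and the pain of migrating a large legacy account base are getting at, here is an added example of an "upgrade on next login" migration. It is my own illustration, not Hover's code and not Django's hasher; it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the bcrypt mentioned above (bcrypt needs a third-party package), and the record prefixes (`plain$`, `sha1$`, `pbkdf2_sha256$`), the iteration count and the sample users are all constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example's strong scheme. PBKDF2-HMAC-SHA256 is the
# standard-library stand-in for bcrypt; the iteration count is a sample value.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest.

    A fresh random salt per record means two users with the same password
    get different digests, which unsalted SHA-1 does not give you.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1: the weak legacy format the post compares Hover's case to."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def needs_upgrade(record: str) -> bool:
    """Anything not already in the strong format should be rewritten."""
    return not record.startswith("pbkdf2_sha256$")


def verify(record: str, password: str) -> bool:
    """Check a candidate password against any of the three record formats.

    hmac.compare_digest keeps the comparison constant-time in all branches.
    """
    if record.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, digest_hex = record.split("$")
        expected = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(expected.hex(), digest_hex)
    if record.startswith("sha1$"):
        return hmac.compare_digest(legacy_sha1(password), record)
    if record.startswith("plain$"):
        stored = record[len("plain$"):]
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    return False  # unknown format: fail closed


def login_and_upgrade(store: dict, username: str, password: str) -> bool:
    """Authenticate; on success, silently rewrite a legacy record with the strong scheme.

    This is the only moment the server legitimately holds the cleartext for a
    hashed legacy record, so it is the moment to migrate it.
    """
    record = store.get(username)
    if record is None or not verify(record, password):
        return False
    if needs_upgrade(record):
        store[username] = hash_password(password)
    return True


def count_legacy(store: dict) -> int:
    """How many accounts still carry a weak or cleartext record."""
    return sum(1 for r in store.values() if needs_upgrade(r))


def sample_store() -> dict:
    """Constructed sample: one cleartext record, one unsalted SHA-1, one already migrated."""
    return {
        "alice": "plain$correct horse battery staple",
        "bob": legacy_sha1("hunter2"),
        "carol": hash_password("Tr0ub4dor&3"),
    }


if __name__ == "__main__":
    store = sample_store()
    print("legacy records before:", count_legacy(store))   # 2
    login_and_upgrade(store, "alice", "correct horse battery staple")
    login_and_upgrade(store, "bob", "wrong")                # failed login, no upgrade
    login_and_upgrade(store, "bob", "hunter2")
    print("legacy records after:", count_legacy(store))    # 0
```

Two points worth noticing from the design: cleartext records can be converted in a single offline batch, since the password is right there (which is also exactly why storing them is indefensible), whereas unsalted hashes cannot be re-hashed without the user's cooperation, so those accounts are migrated one by one as people log in. Until a user returns, their weak record remains in the database, which is why "change your password" is the sensible advice even after the provider has fixed its side.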
And if you’ve read all that, my sincere thanks because this is really just a post for selfish old me – so I can be clear in my head what really went down.
I can’t believe I forgot this – a huge thank you to Steve and Leo for nearly six years of Security Now! podnetcasts, without which I would never have written this post or learnt so much about how security works.