Skip to content

Updates on OpenSSL CVE-2009-3555 (client renegociation)

5 April 2010, 10:40 am

So there are some news from the front of OpenSSL CVE-2009-3555 (see this and this for the history).

Now the latest version of Apache mod_ssl (2.2) embeds an option to reactivate old way client renegociation :

SSLInsecureRenegotiation on

Check the official doc for more details. With this option activated, you can now safely upgrade openSSL and mod_ssl without breaking your clients. They should have done it from the begining, shouldn’t they ?

The next step will be to move on to the new protocol definitely, to solve for good the CVE-2009-3555 vulnerability. For that we have to wait for the browsers to support it.

Firefox has started to work seriously on it and we can expect some support in the next releases (some settings will be possible through about:config).

They even created a test site. This screenshot was taken from Google Chrome (5.0.366.2, openSUSE repo) which already has support for the SSL protocol :

Filed under Admin, Cryptography, Linux, Security, System, Web, openSUSE. Tagged , , , , ,
2 Comments

Possible use of SSL rogue certificates for spying purposes

4 April 2010, 10:48 pm

Recent work of security researchers on SSL MiTM attacks have shown how fragile the whole Internet security design could be.

But whereas some of these attacks concerns CA with insufficient security policies (md5 collisions) or some level of social engineering against the user (sslsniff), this paper alerts us on a more serious and stealth threat.

It explains brilliantly, providing us with real case scenarios, how a CA (probably under the authority of a government agency or a similar powerful organisation) can create a rogue certificate that will be silently trusted by our browsers.

The problem relies in the chain of trust : a root CA delegates trust to intermediate CA, which can at this point generate any “valid” certificate they want, even for a domain they shouldn’t sign.

Excerpt :

<< As an example, the Israeli government could compel StartCom, an Israeli CA to issue an intermediate CA certificate that falsely listed the country of the intermediate CA as the United States. This rogue intermediate CA would then be used to issue site certificates for subsequent surveillance activities. In this hypothetical scenario, let us imagine that the rogue CA issued a certificate for Bank Of America, whose actual certificate was issued by VeriSign in the United States. Were CertLock to simply evaluate the issuing CA’s country of the previously seen Bank of America certificate, and compare it to the issuing country of the rogue intermediate CA (falsely listed as the United States), CertLock would not detect the hijacking attempt. In order to detect such rogue intermediate CAs, a more thorough comparison must be conducted. >>

In such a case, no browser will ever send an alert, so even the most experienced and most paranoid users would be easily cheated. It makes it very easy for an agency to conduct a man-in-the-middle attack, sniffing all of the user activity.
So here is a need for an add-on.

As a Firefox user, I am using Certificate Patrol. It basically alerts the user whenever the certificate of a site changes. The inconvenience is that it requires a long learning period and it also generates quite a lot of false positive (when a certificate is renewed, for instance).

Adi Shamir and Phil Zimmerman, the author of the paper above, plan to publish a new add-on, Certlock. It will check carefully all the chain of trust for a certicate and send out an alert whenever a detail is incoherent, for instance when the country of the parent’s certificate is different from the country the rogue certificate is pretending to be.

I really hope Certlock is coming soon.

Filed under Cryptography, Security, Web. Tagged , , ,
Comment

Deleteyouraccount.com to easily get rid off social networking

4 April 2010, 7:31 pm

Deleteyouraccount.com is a very convenient website if you consider deleting your account from one of these social networking sites that are everywhere now. Of course, they all do their best to make it difficult, trying to hide it and discourage you. Here Deleteyouraccount comes to help.

I will still take a few days of thoughts, but I am seriously considering deleting my Linkedin account. I once got invited to it and got trapped.

My private data are certainly useful to Linkedin, but all this stuff has been totally useless to me so far. One of the things I really hate is that it tends to  increase the number of contacts artificially even though the relationship is not sincere.

I have a number of “contacts” that I barely know or keep in touch with, whereas I don’t need Linkedin to communicate with the people I truly appreciate.

Less social networking, more human reliationship, more freedom, more privacy : sounds good.

Filed under Privacy, Web, openSUSE. Tagged 
2 Comments

My new toy

16 March 2010, 10:16 pm

No, it is not a computer this time. And yes, it is off topic, but I wanted to thank a Japanese friend for his gift and, at the same time, promote his work :

He owns a small company in Hokkaido producing a number of wood toys. He is an artist and designs them, which are all hand made and from the local wood.

In our industrial society, where all toys are made of plastic in chinese factories, it is refreshing to see such authentic and nice wood toys.

So think about it for your kids. His website is only in Japanese for now but if you are interested, drop an e-mail and my friend will certainly answer to you shortly (last link in the menu page).

Filed under News, Off-topic, Web, openSUSE.
2 Comments

SecurityFocus changing

12 March 2010, 10:19 pm

A big change on Security Focus is going to happen. Except the vulnerability database, most of its content and resources are going to move to Symantec. RIP.

Filed under Security, Web. Tagged 
Comment

bugmenot.com

8 March 2010, 8:34 pm

I just discovered the BugMeNot service today.

It offers a database of logins shared by the community to login to free websites that require free registration.

This is usually annoying to subscribe to such a website just to download a freeware or read an article, and it often makes people choose unsecured or random logins.

They even provide an extension for Firefox. Thanks to this great website, you are probably going to save a lot of time.

Filed under Web. Tagged ,
Comment

Packetlife.net

20 February 2010, 9:54 am

I added a new link to Packetlife.net, which is a really amazing website about networking, with focus on Cisco stuff.

The work that the author made is truly impressive : blog, cheat sheets, gentle forum and even a lab (I haven’t test because I don’t need it, but if you are a student, it is great for students and so far I have never seen any other website offering it), all integrated with a quality level that is rare to find even on professional website.

This is one the best website I have never seen in all categories and certainly the best about Cisco networking. If you are interested in this topic, visit there right now.

Filed under Cisco, Network. Tagged 
Comment

Simulated massive cyber attack filmed by CNN

18 February 2010, 8:32 am

This video, while “amusing”, is quite interesting :

Though not many details are given, I am quite skeptical about the possibility of such a massive attack.

However, it shows well that security is not just a technical matter. It has many implications in law, politics, economics, and a whole information system must be prepared to that, starting with our leaders.

That would be a HUGE effort for our politicians here in France – if they ever care…

Filed under Defense, Hacking, Security. Tagged ,
Comment
« Older Entries
Newer Entries »