
Comment Re:Full Disclosure (Score 1) 171

Correct, specific plans exist for various scenarios. Concerning the web-of-trust, there are some inherent problems without a unifying institutional body. See, security has some clear rules which are easier to enforce in a corporate environment. Especially if you work at StartCom ;-)

And yes, I heard about "Perspectives", so it might currently have a single-point-of-failure problem. Personally I don't believe that it should provide a means for self-signed certificates. It might however provide a good additional layer to existing efforts.

Comment Re:Full Disclosure (Score 1) 171

I'm quite pleased to receive an A- :-)

The reason for not disclosing anything before is perhaps quite easy to understand. Minor events are logged in the ongoing events logs and no further actions are required. Events in the magnitude of issuing a certificate wrongfully due to a bug, which require modifications to the systems, require detailed reporting (as seen in the "critical event report"). Those reports were reviewed in time by relevant parties and will be presented to the auditors during auditing. A major event like a CA key compromise (we don't sign directly from the root) would have to be made public and handled according to the "disaster recovery guidelines". In such an event, all software vendors, subscribers and the general public must be informed immediately.

The event which happened recently wasn't a major event, but obviously important enough to act accordingly and issue the critical event report. It is important to note that no third party could have relied on it and been harmed. Therefore the resolution was appropriate. The disclosure was done in order to prevent any rumors and false accusations about what did and did not happen (once it was published by Mike).

Security

Perfect MITM Attacks With No-Check SSL Certs 300

StartCom writes "In a previous article I reported about Man-In-The-Middle attacks and spotlighted an example showing that they really happen. MITM attacks just got easier. In the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and a fully trusted certificate? No problem, just head over to one of Comodo's resellers. Screenshots and disclosure provided at the link."

Comment Re:Lemons. (Score 1) 4

According to the work done over at Mozilla, this shouldn't happen. The Mozilla CA Policy clearly requires domain control validation. Being myself part of the team which reviews CAs, I must say that there is a failure. It's unfortunate, because domain validated certificates do have a value and are excellent for protecting low-value sites like blogs, portals, webmail etc. But the practice disclosed in the article is certainly not going to work!

Security

Submission + - Disclosure: No-check SSL Certificates... (startcom.org) 4

StartCom writes: "In a previous article I reported about Man-In-The-Middle (MITM) attacks and whether they really happen. Unfortunately it does happen, as some testimonials confirm. Now it's even easier, because in the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and a fully trusted certificate? No problem, just head over to one of Comodo's resellers.

And here is the disclosure: In order to confirm for yourself, edit the hosts file at your computer and add the following entry:"

Security

Submission + - Securing Websites Economically (startcom.org)

Eddy Nigg writes: "With a world-wide recession looming around the corner, budget conscious web site operators will look for ways to save resources wherever they can. Securing and serving multiple web sites from the same server always required a digital certificate and dedicated IP address for every site and domain. Needless to say this can add to the yearly expenditures quite a bit.

Unfortunately the most popular web server on the Internet, Apache, which serves roughly 45% of all secured hosts, doesn't support SNI officially. Due to some wrangling and finger-pointing, this important feature is only planned for a future release, most likely version 2.4. And this means that it might take some time still...

Fortunately there is a solution complete with test case available..."

Security

Submission + - MITM attacks - do they really happen? (startcom.org)

Eddy Nigg writes: "Apparently MITM attacks are in the wild and they use illegitimate, self-signed certificates for their attacks. A few days ago this bug report was filed with Bugzilla. The connection of this unlucky reporter was hitchhiked as he was using a wireless internet access point. It didn't prevent him from clicking all his way through the warnings and error messages in order to access those sites, thinking it's Firefox's fault. Had he inspected the digital certificates used by those sites, he might have understood that he was misled and attacked. Or maybe not, because one needs a basic understanding about digital certificates and how they are chained to a valid anchor (certification authority certificate root)."

Security
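The post's last sentence is the whole point: a certificate is only meaningful if it chains to an anchor the client already trusts. The following shell script is an added illustration of that check, not code from the post or from StartCom. It builds a throwaway CA with the openssl command-line tool, signs a leaf certificate for a constructed hostname, and then creates a self-signed certificate carrying the same hostname, the kind of certificate the bug report describes. `openssl verify` accepts the first and rejects the second, and also rejects the first when the expected hostname does not match. The only assumption is that `openssl` (1.1.1 or later, for `-addext`) is on PATH; every name and path is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the Slashdot post): show how a verifier treats a
# certificate that chains to a trusted anchor versus a self-signed one that
# merely claims the same hostname. Assumes the `openssl` CLI is installed.

# Build a tiny PKI under $1: ca.pem (trust anchor), leaf.pem (signed by the
# CA for webmail.example.test) and selfsigned.pem (same name, no chain).
make_demo_pki() {
    dir="$1"
    # Trust anchor: self-signed CA certificate. keyCertSign marks it usable
    # as an issuer even when no default openssl.cnf adds basicConstraints.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA (constructed)" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # Leaf certificate request for the demo hostname.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=webmail.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    # Leaf extensions: browsers match the hostname against the SAN.
    printf 'subjectAltName=DNS:webmail.example.test\nbasicConstraints=CA:FALSE\n' \
        > "$dir/leaf.ext"
    # Sign the leaf with the CA so it chains to the anchor.
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
    # A self-signed certificate for the same hostname: the situation the
    # reporter's browser warned about. Nobody the client trusts vouches for it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=webmail.example.test" \
        -addext "subjectAltName=DNS:webmail.example.test" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" >/dev/null 2>&1
}

# verify_against_anchor CAFILE HOSTNAME CERT
# Exit status 0 only if CERT chains to an anchor in CAFILE and its SAN matches
# HOSTNAME. A self-signed or unknown-issuer certificate fails here, which is
# exactly what the browser warning in the post reflects.
verify_against_anchor() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# Print issuer and subject so the difference is visible: for the self-signed
# certificate they are identical, and neither is in the trust store.
show_issuer_subject() {
    openssl x509 -in "$1" -noout -issuer -subject
}

# Stand-alone run: build the PKI in a temp dir and report both outcomes.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for name in leaf selfsigned; do
    show_issuer_subject "$demo_dir/$name.pem"
    if verify_against_anchor "$demo_dir/ca.pem" webmail.example.test "$demo_dir/$name.pem"; then
        echo "$name.pem: chains to trusted anchor, hostname matches"
    else
        echo "$name.pem: verification FAILED (no trusted chain or name mismatch)"
    fi
done
```

Running it prints the issuer and subject of both certificates and then one accepted and one rejected result. The rejected case is the one the post's reporter clicked through: nothing in the trust store signed the certificate, so the browser could not distinguish the access point's interception from a misconfigured site.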

Submission + - Phishing or Legitimate? (startcom.org)

Eddy Nigg writes: "Today I received the email shown below, which looked like a phishing attempt to me, since I don't have an account at Moneybookers.com. The real and the fake site have a certificate issued by Thawte, apparently with the organization details validated. The modified UI feature of Firefox 3 helped me get suspicious about this site; the email source confirmed that this is a well played phishing attempt. Moneybookers Ltd. is registered in London, UK and wouldn't use a dial-up provider in France to send legitimate mail messages. So what happened here? I'm not entirely sure, but the most logical explanation would be that somebody compromised the server of secure-ssl.net. The site belongs to Technologies Iweb Inc. in Montreal, Canada according to the whois records. Does anybody else know something about this scam?"

Security

Submission + - Extended Validation - What it really means (startcom.org)

Eddy Nigg writes: "I'm going to give you a better understanding about what extended validation (EV) means and what it really gives to you. EV certificates are touted by many as the solution to the problem. The wonder balsam which will heal the Internet from inadequate authenticity, lack of identification and trust. The only means browser vendors have to positively identify secured web sites...and so the arguments go on...

Without taking away the value EV certificates offer, I believe they have a drawback. A company may exist today, be gone tomorrow. Nobody will be liable for any damage and there is nobody to sue after robbing their customers of their money and closing down. Not one individual is verified and validated for an EV certificate. Therefore next time you'll see the green indicator in Firefox when visiting a web site, ask yourself how green it really is!"

Security

Submission + - SSL Spoofing made easy in Firefox 3 (startcom.org)

Eddy Nigg writes: "If you would build a browser with SSL support, where would you place a prominent indicator for secured pages? Mozilla thinks that the site icon (favicon) is the best place to indicate to the user that he has landed on an SSL-secured page. Needless to say that just changing the site icon to something very similar will be very easy to achieve. Even Microsoft got that better with their browser!

See the images of the upcoming Firefox 3, including the spoof and explanation here."

Mozilla

Submission + - Spoofing SSL in Firefox 3

An anonymous reader writes: In just a few days the new Firefox 3 browser from the house of Mozilla will be released. Except of course if another re-build of the current release candidate has to be made, which would push the publishing of the newest browser to sometime in June. One such reason could be the ease with which one can spoof the secure mode indicator of secured sites, especially on the Linux platform.

The full story is here: https://blog.startcom.org/?p=86
