Forgot your password?
typodupeerror

Comment: Use Firefox w/ the Certificate Patrol add-on (Score 1) 403

by franl (#32775106) Attached to: Tunneling Under the Great Firewall?
Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/6415) watches for changes in SSL certificates and alerts you to those changes, so you can decide if someone is pulling an SSL MITM attack on you. If the Chinese routers are running SSL interceptors (e.g., Cisco's IronPort or Bluecoat's ProxySG), then you will see alerts that the SSL certs you last got from within the US are different in China.

Comment: Re:Self-signed certs are vulnerable to MITM (Score 1) 272

by franl (#32617650) Attached to: Firefox Extension HTTPS Everywhere Does What It Sounds Like

[...] this should come with a warning from a browser, no question, but my users will know the site and the cert.

Knowing the site doesn't help if a MITM is watching all the sensitive traffic flowing in both directions. And will your users really know the cert? Do your users have cert hashes memorized, or are they using the excellent "Certificate Patrol" Firefox add-on (https://addons.mozilla.org/en-US/firefox/addon/6415) that alerts users to changes in certs over time?

Comment: Re:Much needed extension (Score 1) 272

by franl (#32617532) Attached to: Firefox Extension HTTPS Everywhere Does What It Sounds Like

The fact that, when users visit your site, their browser will flip out, raise a "security warning" and lie to them saying your certificate is "invalid".

It depends on what "invalid" means. A lot of people consider an SSL/TLS cert to be valid if the signature chain contains only trusted CAs. If joeblow.com uses a self-signed cert (and joeblow.com is not itself a trusted CA), that cert is useless for validating the identity of the server. Yes, you get encryption, but that's only half of what SSL/TLS is for.

Comment: Re:Dangerous (Score 2, Interesting) 104

by franl (#32240396) Attached to: Scientists Propose Guaranteed Hypervisor Security

The world's shortest explaination of Godel's Incompleteness Theorem by Raymond Smullyan.

We have some sort of machine that prints out statements in some sort of language. It need not be a statement-printing machine exactly; it could be some sort of technique for taking statements and deciding if they are true. But lets think of it as a machine that prints out statements. In particular, some of the statements that the machine might (or might not) print look like these:

P*x (which means that the machine will print x)
NP*x (which means that the machine will never print x)
PR*x (which means that the machine will print xx)
NPR*x (which means that the machine will never print xx)

For example, NPR*FOO means that the machine will never print FOOFOO. NP*FOOFOO means the same thing. So far, so good.

Now, lets consider the statement NPR*NPR*. This statement asserts that the machine will never print NPR*NPR*.

Either the machine prints NPR*NPR*, or it never prints NPR*NPR*. If the machine prints NPR*NPR*, it has printed a false statement. But if the machine never prints NPR*NPR*, then NPR*NPR* is a true statement that the machine never prints.

So either the machine sometimes prints false statements, or there are true statements that it never prints. So any machine that prints only true statements must fail to print some true statements. Or conversely, any machine that prints every possible true statement must print some false statements too.

Comment: Re:This is why I use HTTPS... (Score 1) 172

by franl (#31712584) Attached to: NJ Court Upholds Privacy of Personal Emails At Work
Matt Blaze blogged recently about the sad state of SSL/TLS certs at http://www.crypto.com/blog/spycerts/. He writes:

A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much.

Unfortunately, through a confluence of sloppy design, naked commercial maneuvering, and bad user interfaces, today's web browsers have evolved to accept certificates issued by a surprisingly large number of root authorities, from tiny, obscure businesses to various national governments. And a certificate from any one of them is usually sufficient to bless any web connection as being "secure".

For instance, Firefox 3.6 comes with a CA cert built-in from TÜRKTRUST Elektronik Sertifika Hizmet Salaycs, whoever they are. It's self-signed and doesn't expire until 2015. There are well over 100 CA certs in Firefox 3.6. We basically have to trust every one of those organizations not to snoop our SSL traffic. There has to be a better way.

Comment: Re:This is why I like gmail (Score 1) 172

by franl (#31712472) Attached to: NJ Court Upholds Privacy of Personal Emails At Work

[...] or run a script to fetch the cert from the site (using the openssl command-line util) and compare it to a known-good copy of the cert before you visit the site.

Such a script would do something equivalent to these manually entered commands:

$ echo | openssl s_client -connect mail.google.com:443 |
sed -ne '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > gmailcert.txt
$ diff gmailcert.txt knowngood-gmailcert.txt

Of course, file knowngood-gmailcert.txt should be under your physical control at all times (i.e, on CD/DVD or mounted read-only via TrueCrypt). If the certs fail to match, it's either because your SSL traffic is being intercepted by a MITM attack or the old cert expired and a new one was issued (this will happen periodically). If it's the latter, you can fetch the updated cert via a trusted channel (i.e., not from work) and repeat.

The certs obtained this way will be base64-encoded. To dump one in human-readable form, do this:

$ openssl x509 -text -noout < cert.txt

Comment: Re:This is why I use HTTPS... (Score 1) 172

by franl (#31712192) Attached to: NJ Court Upholds Privacy of Personal Emails At Work
HTTPS won't help you if your company's IT department has admin access to your machine. SSL interceptors are commercially available that can do a Man-in-the-Middle (MITM) attack on your secure connection (thus exposing your encrypted traffic to snooping). See http://searchsecurity.techtarget.com.au/articles/35660-TUTORIAL-How-SSL-encrypted-Web-connections-are-intercepted for details.

Comment: Re:This is why I like gmail (Score 1) 172

by franl (#31711520) Attached to: NJ Court Upholds Privacy of Personal Emails At Work

Would this not also require a redirect to a domain other then mail.google.com?

Nobody other then google should be able to generate a certificate for mail.google.com

SSL interceptors (such as the one made by Bluecoat) work by intercepting IP traffic bound for port 443. They pull a MITM attack on you by making a new SSL connection to the actual site, extracting the site's public key from the real cert, wrapping it in a forged cert that is signed by their CA cert. All the IT department has to do is install the interceptor's CA cert into each employee's browser (IE lets the domain admin do it remotely) so that the forged cert appears to be valid. So you either check for IT-installed CA certs in your browser (the Certificate Patrol add-on helps with Firefox), or run a script to fetch the cert from the site (using the openssl command-line util) and compare it to a known-good copy of the cert before you visit the site.

Comment: Re:This is why I like gmail (Score 1) 172

by franl (#31709216) Attached to: NJ Court Upholds Privacy of Personal Emails At Work

While I might not like that google reads all my email, at least I can be sure that it gets from their servers to my computer without being read by snoopers.

Unless you verify that the cert your browser gets for mail.google.com has not been replaced by SSL interception software, you cannot be certain your mail isn't being snooped by your employer (or even your employer's upstream provider). A nice tool for detecting changed SSL certs is the Certificate Patrol add-on for Firefox (https://addons.mozilla.org/en-US/firefox/addon/6415).

Comment: Re:What is "more random"? (Score 1) 395

by franl (#31247618) Attached to: New Method for Random Number Generation Developed

Quantum mechanics would like to have a word with you.

And Chaos Theory as well. Hell, you can get lots of very random bits by running the Entropy Gathering Daemon (http://egd.sourceforge.net/) configured to fetch weather satellite photos of the Web. It's not quantum randomness, but chaos works too.

Security

Visa Says No New Processor Breach After All 38

Posted by kdawson
from the yeah-sure dept.
Buzz has been building for the last week about what might be a new data breach at a credit-card processor. No, not Heartland, a different one. Now Computerworld is reporting that Visa claims there was no new breach. Whom to believe? "In actuality, Visa said in a statement issued today, alerts that it recently sent to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor did it say why it is continuing to keep the name under wraps."

FORTH IF HONK THEN

Working...