Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Use Firefox w/ the Certificate Patrol add-on (Score 1) 403

Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/6415) watches for changes in SSL certificates and alerts you to those changes, so you can decide if someone is pulling an SSL MITM attack on you. If the Chinese routers are running SSL interceptors (e.g., Cisco's IronPort or Bluecoat's ProxySG), then you will see alerts that the SSL certs you last got from within the US are different in China.

Comment Re:Socks + SSH tunnel (Score 1) 403

SSH's -D option activates the built-in SOCKS proxy in the SSH client, so all you have to do is:

ssh -D 8080 -N trustedhost

then configure your browser to use a SOCKS5 proxy on localhost:8080 (and also to use the proxy for DNS lookups, otherwise you leak the DNS names of the sites you browse to).

Comment Re:Self-signed certs are vulnerable to MITM (Score 1) 272

[...] this should come with a warning from a browser, no question, but my users will know the site and the cert.

Knowing the site doesn't help if a MITM is watching all the sensitive traffic flowing in both directions. And will your users really know the cert? Do your users have cert hashes memorized, or are they using the excellent "Certificate Patrol" Firefox add-on (https://addons.mozilla.org/en-US/firefox/addon/6415) that alerts users to changes in certs over time?

Comment Re:Much needed extension (Score 1) 272

The fact that, when users visit your site, their browser will flip out, raise a "security warning" and lie to them saying your certificate is "invalid".

It depends on what "invalid" means. A lot of people consider an SSL/TLS cert to be valid if the signature chain contains only trusted CAs. If joeblow.com uses a self-signed cert (and joeblow.com is not itself a trusted CA), that cert is useless for validating the identity of the server. Yes, you get encryption, but that's only half of what SSL/TLS is for.

Comment Re:Dangerous (Score 2, Interesting) 104

The world's shortest explaination of Godel's Incompleteness Theorem by Raymond Smullyan.

We have some sort of machine that prints out statements in some sort of language. It need not be a statement-printing machine exactly; it could be some sort of technique for taking statements and deciding if they are true. But lets think of it as a machine that prints out statements. In particular, some of the statements that the machine might (or might not) print look like these:

P*x (which means that the machine will print x)
NP*x (which means that the machine will never print x)
PR*x (which means that the machine will print xx)
NPR*x (which means that the machine will never print xx)

For example, NPR*FOO means that the machine will never print FOOFOO. NP*FOOFOO means the same thing. So far, so good.

Now, lets consider the statement NPR*NPR*. This statement asserts that the machine will never print NPR*NPR*.

Either the machine prints NPR*NPR*, or it never prints NPR*NPR*. If the machine prints NPR*NPR*, it has printed a false statement. But if the machine never prints NPR*NPR*, then NPR*NPR* is a true statement that the machine never prints.

So either the machine sometimes prints false statements, or there are true statements that it never prints. So any machine that prints only true statements must fail to print some true statements. Or conversely, any machine that prints every possible true statement must print some false statements too.

Comment Re:This is why I use HTTPS... (Score 1) 172

Matt Blaze blogged recently about the sad state of SSL/TLS certs at http://www.crypto.com/blog/spycerts/. He writes:

A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much.

Unfortunately, through a confluence of sloppy design, naked commercial maneuvering, and bad user interfaces, today's web browsers have evolved to accept certificates issued by a surprisingly large number of root authorities, from tiny, obscure businesses to various national governments. And a certificate from any one of them is usually sufficient to bless any web connection as being "secure".

For instance, Firefox 3.6 comes with a CA cert built-in from TÜRKTRUST Elektronik Sertifika Hizmet Salaycs, whoever they are. It's self-signed and doesn't expire until 2015. There are well over 100 CA certs in Firefox 3.6. We basically have to trust every one of those organizations not to snoop our SSL traffic. There has to be a better way.

Comment Re:This is why I like gmail (Score 1) 172

[...] or run a script to fetch the cert from the site (using the openssl command-line util) and compare it to a known-good copy of the cert before you visit the site.

Such a script would do something equivalent to these manually entered commands:

$ echo | openssl s_client -connect mail.google.com:443 |
sed -ne '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > gmailcert.txt
$ diff gmailcert.txt knowngood-gmailcert.txt

Of course, file knowngood-gmailcert.txt should be under your physical control at all times (i.e, on CD/DVD or mounted read-only via TrueCrypt). If the certs fail to match, it's either because your SSL traffic is being intercepted by a MITM attack or the old cert expired and a new one was issued (this will happen periodically). If it's the latter, you can fetch the updated cert via a trusted channel (i.e., not from work) and repeat.

The certs obtained this way will be base64-encoded. To dump one in human-readable form, do this:

$ openssl x509 -text -noout < cert.txt

Comment Re:This is why I use HTTPS... (Score 1) 172

HTTPS won't help you if your company's IT department has admin access to your machine. SSL interceptors are commercially available that can do a Man-in-the-Middle (MITM) attack on your secure connection (thus exposing your encrypted traffic to snooping). See http://searchsecurity.techtarget.com.au/articles/35660-TUTORIAL-How-SSL-encrypted-Web-connections-are-intercepted for details.

Comment Re:This is why I like gmail (Score 1) 172

Would this not also require a redirect to a domain other then mail.google.com?

Nobody other then google should be able to generate a certificate for mail.google.com

SSL interceptors (such as the one made by Bluecoat) work by intercepting IP traffic bound for port 443. They pull a MITM attack on you by making a new SSL connection to the actual site, extracting the site's public key from the real cert, wrapping it in a forged cert that is signed by their CA cert. All the IT department has to do is install the interceptor's CA cert into each employee's browser (IE lets the domain admin do it remotely) so that the forged cert appears to be valid. So you either check for IT-installed CA certs in your browser (the Certificate Patrol add-on helps with Firefox), or run a script to fetch the cert from the site (using the openssl command-line util) and compare it to a known-good copy of the cert before you visit the site.

Comment Re:This is why I like gmail (Score 1) 172

While I might not like that google reads all my email, at least I can be sure that it gets from their servers to my computer without being read by snoopers.

Unless you verify that the cert your browser gets for mail.google.com has not been replaced by SSL interception software, you cannot be certain your mail isn't being snooped by your employer (or even your employer's upstream provider). A nice tool for detecting changed SSL certs is the Certificate Patrol add-on for Firefox (https://addons.mozilla.org/en-US/firefox/addon/6415).


Visa Says No New Processor Breach After All 38

Buzz has been building for the last week about what might be a new data breach at a credit-card processor. No, not Heartland, a different one. Now Computerworld is reporting that Visa claims there was no new breach. Whom to believe? "In actuality, Visa said in a statement issued today, alerts that it recently sent to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor did it say why it is continuing to keep the name under wraps."

Slashdot Top Deals

Optimism is the content of small men in high places. -- F. Scott Fitzgerald, "The Crack Up"