Heartbleed and OpenSSL

Heartbleed

Heartbleed is a pretty nasty security bug. Thankfully it can be fixed by a quick package update (unless you’re running mod_spdy, among other culprits; this one got me briefly). Then for good measure revoke certs and reissue to make sure nothing is left to chance. Need to make sure everything built on OpenSSL is not impacted.
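As an added example (not the blog’s own code), one way to check the “everything built on OpenSSL” point on a Linux host: after the package update, any long-running process that still maps the old, now-replaced libssl/libcrypto shows that mapping as “(deleted)” in /proc/<pid>/maps and needs a restart. It assumes a Linux /proc filesystem and cannot see software that statically links its own copy of OpenSSL, which has to be updated separately; the sample maps text is constructed.

```python
"""Added example: find processes still using a replaced libssl/libcrypto.
Assumes a Linux /proc filesystem; statically linked copies are not visible."""
import glob


def stale_openssl_pids(maps_by_pid):
    """maps_by_pid: {pid: text of /proc/<pid>/maps}.
    A shared object that was replaced on disk stays mapped until the process
    restarts, and the kernel tags that mapping "(deleted)". Returns, sorted,
    the pids that still map an old libssl or libcrypto."""
    stale = set()
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            fields = line.split(None, 5)  # addr perms offset dev inode pathname
            if len(fields) < 6:
                continue  # anonymous mapping, no pathname
            path = fields[5]
            if ("libssl" in path or "libcrypto" in path) and path.endswith("(deleted)"):
                stale.add(pid)
    return sorted(stale)


def read_all_maps():
    """Read /proc/<pid>/maps for every process we are allowed to inspect."""
    result = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        pid = int(path.split("/")[2])
        try:
            with open(path) as f:
                result[pid] = f.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or is not ours to read
    return result


# Constructed sample: 1234 (never restarted) and 9012 still map old copies,
# 5678 was restarted and maps the updated library.
SAMPLE_MAPS = {
    1234: "7f3a1c200000-7f3a1c25e000 r-xp 00000000 08:01 131094 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
          "7f3a1bd00000-7f3a1bf0c000 r-xp 00000000 08:01 131072 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n",
    5678: "7f9d2a400000-7f9d2a45e000 r-xp 00000000 08:01 131201 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
          "7f9d2a000000-7f9d2a1f4000 rw-p 00000000 00:00 0\n",
    9012: "7fc010a00000-7fc010c0c000 r-xp 00000000 08:01 131072 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n",
}

if __name__ == "__main__":
    for pid in stale_openssl_pids(read_all_maps()):
        print(f"pid {pid} still maps a replaced OpenSSL library; restart it")
```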

While at it, I made a few tweaks to SSL configurations to hopefully let more traffic use Forward Secrecy, which is a step forward.

What’s disappointing is that the security researchers, rather than letting vendors have a few days to update and push fixes, decided to get a domain name and a spiffy graphic and then 0-day the internet. Not terribly professional.

Slowly Moving The Web To HTTPS

The EFF has a pretty good post on the move to make HTTPS closer to the new normal on the web. It’s hardly normal yet, but it’s improving. Already some of the bigger sites on the internet like Google, Facebook and Twitter are serving up HTTPS for almost everything. They do it for security as well as performance (SPDY).

In the longer run (few years from now) I wouldn’t be surprised if the majority of web traffic starts moving over HTTPS. This will not be well accepted by many institutions including all governments, but it’s certainly better for people, especially those in nations who restrict speech and rights the most. We’ll also see a lot of legislation to only use encryption methods with known vulnerabilities and back doors. I wouldn’t even be surprised if some countries try and break the web by using alternate means of encryption similar to what South Korea did years ago. Obviously fighting this is going to prove important.

QR Codes Compromised By Stickers

Criminals have realized that QR codes are not human readable and are taking advantage. Shocking, isn’t it? From The Register:

Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites.

It’s extremely simple to print out a sticker pointing to a bogus URL and put it on an existing billboard in a public place. A casual user simply scans the QR code and, instead of going to the intended location, lands on a malicious website. Of course we could require SSL for QR codes so there’s some overhead in creating them (you need an SSL cert), but that still wouldn’t fix the problem correctly.

Humans need to be able to understand their own decision making process. A human pointing at a QR code is a human making a decision to do the unknown. That’s the problem. You can’t combine “decision” and “unknown” and reliably have a good outcome.

Facebook Going HTTPS

Apparently HTTPS is going to be standard for all Facebook users:

As announced last year, we are moving to HTTPS for all users. This week, we’re starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world.

Great move, I’m glad they are finally getting to that point. Performance should improve over time as it appears they are on board with SPDY. I think that this will benefit them in the long run. Users win the day it rolls out.

Silent Circle Finally Bringing Security To Mobile?

Silent Circle is a pretty interesting sounding app:

It’s a model for the nested cryptography of Silent Circle. The “safe room” is the iPhone processor, where all the encryption happens. By the time your text leaves the phone, it’s been completely encrypted, unrecoverable without the key. To keep the key safe, Silent Circle uses the ZRTP protocol, a dance of data drops and verifications that’s every bit as intricate as the Southern Command’s network of swipes and codes. At the end of each call, the keys are erased, so nothing can be decrypted after the fact.

This sounds like security done right. Why this is newsworthy in 2012 is what saddens me. This should be the standard, not the exception. Regardless, kudos to these folks for shedding light on what so many others are doing wrong.

Chrome Enables Do-Not-Track

Chrome finally added Do-Not-Track (DNT) to Chromium. They are the last major browser to complete the implementation and start giving users a choice in terms of their tracking preference.

DNT isn’t a perfect solution as it has no enforcement. Regardless, it’s a step in the right direction and empowers ad networks to respect users’ privacy preferences, something that in the past was difficult even for those willing to do so. It won’t solve the problem, but it helps and has a low barrier to entry. That’s a good thing.

Wikipedia’s Jimmy Wales Threatens To Encrypt Wikipedia

Wikipedia’s Jimmy Wales threatened to encrypt traffic to the UK if new tracking laws are implemented:

But if we find that UK ISPs are mandated to keep track of every single web page that you read on Wikipedia, I’m almost certain – err, I shouldn’t speak for our technical staff – we would immediately move to a default of encrypting all our connections in the UK.

Truthfully, we’re going that way anyway. It’s only a matter of time before all websites will be moving to HTTPS for the sake of implementing SPDY or whatever succeeds it. I don’t see a non-secure standard taking hold any longer. Security is no longer considered a bonus, it’s a requirement. Facebook does it by default now, Twitter does it by default now, WordPress.com does it by default now (for SPDY). It’s not just personal communications. Lots of non-personal data is going over HTTPS now. The trend will keep accelerating. It’s no longer as cost prohibitive to implement. Don’t be shocked if this entire blog is HTTPS only in the not too distant future.

On Perception Of The Cloud

Citrix commissioned an interesting survey to see how people define “the cloud”.

Most of the press was focused on:

51 percent of respondents, including a majority of Millennials, believe stormy weather can interfere with cloud computing.

Technically weather can cause your internet connection to go down, so yes, it does interfere with your access to cloud computing. If you can’t access it, for all intents and purposes it doesn’t exist. I’d further argue that any remotely decent data center is not impacted by “stormy weather”; it would need to be along the lines of an “act of god”. A notable difference.

They also focused on:

You’re not alone: While many admit they don’t understand the cloud, 56 percent of respondents say they think other people refer to cloud computing in conversation when they really don’t know what they are talking about.

Again, I’d argue it’s no big deal. You shouldn’t need to know what a utility is any more than you need to know the molecular makeup of natural gas. You just need to know how to safely operate a stove. Cloud computing is turning computing into a utility. It removes the complexities (how to gather wood, to stay with the fire/stove example).

The part that gets me is what was ignored by seemingly everyone else (emphasis mine):

Softer advantages, like working from home in the buff: People offered additional, unexpected benefits of the cloud, including the ability to access work information from home in their “birthday suit” (40 percent); tanning on the beach and accessing computer files at the same time (33 percent); keeping embarrassing videos off of their personal hard drive (25 percent); and sharing information with people they’d rather not interact with in person (35 percent).

We’ve failed miserably as technology professionals if 25% of the population think putting their embarrassing photos in the cloud is a good way to keep them private. This is akin to 25% of the population saying they trust random Nigerian emails for their banking needs.

If I were Apple, or Microsoft, or anyone else in the market, I’d be asking myself how to fix this misconception and make security on the desktop visibly superior as well as technologically superior. Perhaps make disk encryption standard, at least for the user data, which could be partitioned (especially since adjusting partitions isn’t impossible these days). A lot of privacy is lost in the cloud. It’s also potentially not subject to many of the protective laws the US provides to physical property in terms of search, as I’ve mentioned before.

Another Java Attack

There’s another attack on Java via a new zero day flaw. This is why I don’t keep Java enabled in web browsers anymore. If you still do, I’d suggest turning it off. There’s a good chance you won’t miss it.

I’ve yet to get there with Flash, but the day is coming. After the previous post a few months ago, I think I like the idea of a blacklist/whitelist for plugins in general that allows a user to enable them only for specific hostnames. That would make it a bit more intuitive to use plugins when still needed, while gaining the security of not having them available for any hostname you happen to stumble upon. The options would be something like:

Enable [plugin name] on [hostname.tld] for:
(This session only)     (Forever)       (Never)

For certain things like YouTube, you could enable Flash forever, since Google is rather trustworthy. For other sites, perhaps just the session. For others, maybe never.
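As an added example (not code from any browser or from this blog), here is the per-plugin, per-hostname policy store that the three options above describe, written as a default-deny decision table: “Never” and “Forever” persist, “This session only” is dropped when the session ends, and nothing runs on a hostname the user has not explicitly enabled. Plugin and hostname names in the comments are illustrative.

```python
"""Added example: per-hostname plugin policy with the choices
'session' (this session only), 'forever' and 'never'."""

ALLOW_SESSION, ALLOW_FOREVER, DENY_FOREVER = "session", "forever", "never"


def normalize_host(host):
    # Hostnames are case-insensitive; drop a trailing dot and a port so
    # "YouTube.com." and "youtube.com:443" share one policy entry.
    host = host.strip().lower().rstrip(".")
    return host.split(":")[0]


class PluginPolicy:
    def __init__(self):
        self._persistent = {}  # (plugin, host) -> True (forever) / False (never)
        self._session = set()  # (plugin, host) enabled for this session only

    def decide(self, plugin, host, choice):
        """Record the user's answer to 'Enable [plugin] on [host] for:'
        and return whether the plugin is now allowed there."""
        key = (plugin.lower(), normalize_host(host))
        if choice == ALLOW_SESSION:
            # A session grant never overrides a persistent "never".
            if self._persistent.get(key) is False:
                return False
            self._session.add(key)
        elif choice == ALLOW_FOREVER:
            self._persistent[key] = True
        elif choice == DENY_FOREVER:
            self._persistent[key] = False
            self._session.discard(key)
        else:
            raise ValueError(f"unknown choice {choice!r}")
        return self.allowed(plugin, host)

    def allowed(self, plugin, host):
        """Default deny: a plugin runs only on hosts the user explicitly enabled."""
        key = (plugin.lower(), normalize_host(host))
        if key in self._persistent:
            return self._persistent[key]
        return key in self._session

    def end_session(self):
        """Browser closed: session-only grants expire, persistent ones stay."""
        self._session.clear()
```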