Archive for the ‘Security’ Category

Unobstructed HTTPS

There’s an interesting discussion on Slashdot about SSL certificates. It brings up two valid points:

  1. Invalid certificates, while providing a secure mechanism between the client and server, are extremely annoying to use in Firefox 3 for many people because of the multi-step process. Previously it was just a warning dialog.
  2. There are no free SSL certificates that are really “usable” (not throwing up warnings in many browsers). CAcert.org has likely gotten the most inclusion, but it’s barely anywhere.

Certificates not signed by a trusted certificate authority (CA) trigger a warning because of the idea that a certificate authority verifies the certificate belongs to the person whose name is on the certificate. This concept was busted a while back as CAs started doing “domain validation” to offer lower prices. To “remedy” this, they created EV SSL. EV SSL requires more background checking, but at a higher cost. This means there are three tiers of SSL:

  1. Untrusted/Self-Signed - Free - The user is strongly discouraged from visiting a site with one of these. Indicates only that the channel is technically secure.
  2. Signed By CA - Variable Pricing - The user is told this is secure.
  3. EV SSL - Expensive - The user is told these sites are super awesomely amazing and can cure cancer.

Essentially EV SSL is nothing more than a scheme to charge more. EV SSL is supposed to do what a signed certificate should have been doing all along. By 2012 I’d bet there will be a SEV SSL (Super Extended Validation Certificate). Maybe that would require DNA and fingerprints to prove identity.

The Problem

It’s 2008 (actually more than half way through it), and I still can’t use a secure https connection without either throwing up an error to users (who are always confused by it) or paying a fee. It seems to me it should be free to use https without any barrier for a technical level of security.

Why is “trust” bound so tightly to encryption? Why can’t a medium be encrypted without being trusted? The technology shouldn’t be tied to the business side of things the way it is.

Trust should be bound to encryption, but encryption should not be bound to trust. Trust is the “needy” individual in this relationship. Encryption is strong and confident. At least it should be…

A modest proposal

I propose that browsers should allow self-signed certificates to be used without any dialog, interstitial or other obstruction, provided they are properly formed and not expired. The user interface should indicate that the channel is encrypted and communication is unlikely to be intercepted between the user and the server. It should note if there is any change (just like SSH notifies the user if the host key has changed between sessions). Other than that it should be transparent.

SSL certificates and EV SSL certificates should indicate in the user interface that the site being browsed is not only encrypted, but trusted by a third party the browser trusts. These are suitable for ecommerce, banking etc.

This would allow for things like intranets and other places where encryption is desired, but paying for a CA to verify identity is overkill and “domain verification” is just pointless.

Trust should be bound to encryption. Encryption shouldn’t be bound to trust. Encryption shouldn’t require verification. Encryption should be self-serve.
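The proposal above amounts to trust-on-first-use with an SSH-style change warning layered on top of the existing CA tiers. The following is an added example (not code from the original post) that models that decision in Python: the host names, the stand-in certificate bytes and the UI strings are constructed for illustration, and in a real client the bytes would be the DER certificate the TLS socket returned.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-ins for DER certificate bytes (not real certificates);
# a browser would hash ssl.SSLSocket.getpeercert(binary_form=True).
FAKE_DER_V1 = b"constructed-self-signed-cert-intranet.example-v1"
FAKE_DER_V2 = b"constructed-self-signed-cert-intranet.example-v2"


def fingerprint(der_bytes):
    """SHA-256 fingerprint of the certificate, as browsers and openssl show it."""
    return hashlib.sha256(der_bytes).hexdigest()


def classify(host, der_bytes, not_after_iso, ca_trusted, store, now_iso=None):
    """Return the indicator the UI should show, updating the TOFU `store`.

    Tiers follow the post: an expired or malformed certificate is blocked,
    a CA-trusted one is 'trusted', and a self-signed one is 'encrypted'
    with a warning (never a silent re-pin) if the fingerprint changed.
    Times are ISO 8601 strings with a UTC offset, e.g. 2099-01-01T00:00:00+00:00.
    """
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc))
    if not der_bytes or now > datetime.fromisoformat(not_after_iso):
        return "blocked: certificate expired or malformed"
    if ca_trusted:
        return "trusted: encrypted and identity verified by a CA"
    fp = fingerprint(der_bytes)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp  # first visit: remember the key (trust on first use)
        return "encrypted: first visit, fingerprint pinned"
    if pinned != fp:
        # Like SSH's host key warning: the old pin stays until the user decides.
        return "warning: certificate changed since last visit"
    return "encrypted: matches pinned fingerprint"
```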

I’d be curious to know what others thought of the issue.

Gmail’s Remote Signout And Logging

Google has recently upped their profile in regards to security and privacy. Last week Google made the subtle change of adding a privacy link to the homepage. This is common on most sites, but avoided by Google because they are very strict about cluttering their homepage. Privacy groups have wanted this for years, so this is a pretty large win.

Today Google announced it’s rolling out the ability to remotely sign out other computers from your Gmail account. You’ll also be able to view the IP address, interface (web, mobile, IMAP, POP3), and time that anyone has logged into your account. This is a groundbreaking change in regards to email security.

Now it’s possible for email users to review the logs and see if and when anyone else has accessed their personal email.
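As an added example of what reviewing such a log could look like (not code from the original post, and not Gmail's format), the Python below parses a constructed activity log with the three fields the post names, access type, IP address and time, and flags sessions from outside an assumed home/office address range, noting when they fall within an hour of the owner's own session.

```python
import ipaddress
from datetime import datetime

# Constructed sample log (not real Gmail output): access type, IP, UTC time.
SAMPLE_LOG = """\
Browser\t198.51.100.23\t2008-07-07T08:12:00
IMAP\t198.51.100.23\t2008-07-07T08:30:00
Mobile\t203.0.113.9\t2008-07-07T08:41:00
POP3\t192.0.2.77\t2008-07-08T03:05:00
Browser\t198.51.100.23\t2008-07-08T09:10:00
"""

# Assumption for the example: the owner's own home/office address range.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Turn tab-separated log lines into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        access, ip, ts = line.split("\t")
        rows.append({"access": access,
                     "ip": ipaddress.ip_address(ip),
                     "time": datetime.fromisoformat(ts)})
    return rows


def suspicious_sessions(rows, known_networks=KNOWN_NETWORKS, window_hours=1):
    """Flag sessions from unknown networks; note if one overlaps in time with
    a session from a known network, i.e. someone else was in the account
    while the owner was using it."""
    known = [r for r in rows if any(r["ip"] in n for n in known_networks)]
    flagged = []
    for row in rows:
        if row in known:
            continue
        reasons = ["unknown network"]
        for other in known:
            gap = abs((other["time"] - row["time"]).total_seconds())
            if gap <= window_hours * 3600:
                reasons.append(f"within {window_hours}h of your session from {other['ip']}")
                break
        flagged.append((row["access"], str(row["ip"]), reasons))
    return flagged
```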

I suspect Yahoo, and Microsoft will be working to copy this feature, perhaps with their own enhancements (invalid password logging maybe?). I can also see Facebook and MySpace rolling out a similar feature in the near future. It’s an easy enough enhancement that provides a lot more comfort and security to the product.

Employers going through employees’ personal email has been hostile waters for a long time, including a recent high profile case. This is certain to agitate that. I suspect there are a few companies who will be updating their policies in the next few weeks to try and protect themselves. There will even be a few who will sue Google claiming libel or that Google’s privacy policy should cover you when you log into someone else’s account provided you have one of your own. This is guaranteed to happen.

It’s a good move by Google. This feature greatly enhances the security of Gmail and puts it in a class well beyond what Yahoo or Hotmail currently provide. This is likely the biggest threat to email other than viruses which they all scan pretty well, and phishing, which they also do a decent job with.

Zero Day Vulnerability

This really isn’t very accurate. I don’t know the details of the vulnerability or even if there actually is one, but I question the marketing around the Zero Day Initiative’s vulnerability report. The big news seems to be “only 5 hours” after the release.

This isn’t really accurate if you think about it. It would be if Firefox 3 were a tightly controlled product that nobody could see a final version of. Reality is that the entire source code lives in CVS, there are nightly builds, and formal release candidates posted. Could someone have downloaded it after release and found a security issue? Absolutely. Is the timing a little suspicious considering everything was done out in the open? Yes.

It wouldn’t have made any waves if a vulnerability was found in a release candidate. It would have just been patched and a new candidate posted.

The advantage to the open source development process is the transparency through the entire process. The code in the release build isn’t remotely new or surprising. Many people had been running it for days prior to the actual release.

Again, it’s possible it all happened in 5 hours. But I doubt someone discovered a security hole, documented it, then it was verified and confirmed in just 5 hours. Especially considering the open nature of the development process and how easy it is to check things out in advance.

Skipping Extension Installation Delay

Firefox has a delay when you install extensions, as a security mechanism. This is done because it would otherwise be pretty easy for a website to trick someone into installing an extension before they even realize what they are doing (which is obviously a bad thing). See Bug 162020 for details and even an example.

I’ve seen a few sites publicize how to disable this security feature, though I’d point out this is really not a good idea. It’s 5 seconds, people. Even if you have 20 extensions installed, you’re talking about 100 seconds, less than 2 minutes of your life. Seems like a reasonable compromise for the extra security.

How To Hack An RFID Card

Boing Boing TV has a great video on how to hack an RFID credit card for a mere $8. I’ve said it more than once that I don’t trust it yet. This is why. You just removed the best security feature on the card (the ability to keep it and its information out of view).

As a commenter noted, the Nokia 6131 NFC includes the following from their tech specs:

  • Explore mobile weather and news by touching your phone to radio frequency identification (RFID) tags

That’s right, a built-in RFID reader. It just needs software for this particular task. I’m sure that won’t take too long.

Pacemaker Firewall

If you have a pacemaker or a defibrillator you may want to consider getting a firewall at some point in the future. They could potentially be “hacked”:

But hackers could transmit the same radio signals — causing a defibrillator to shock or shut down, or divulge a patient’s medical information — without needing a programmer, researchers found in a laboratory test of one model from Medtronic.

I’m surprised there’s no authentication at all on these things. Considering it’s implanted, it should at least require its own serial number to be sent back to it to suggest the sender is authorized (presumably because they have the serial number of the implanted device). By not responding to commands for 10 minutes after 3 wrong guesses, it would take a long time to hack. That’s pretty basic, and not foolproof (what about a mistyped serial number during an emergency?), but a start.
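To make the trade-off in the paragraph above concrete, here is an added Python simulation (not code from the original post or from any device vendor) of the suggested policy: commands are honoured only with the device's serial number, three wrong guesses silence the command interface for ten minutes, and the same lockout also rejects a correct serial typed right after a mistake, which is the emergency caveat the post raises. The serial number, command names and the serial length used for the time estimate are constructed assumptions.

```python
class ImplantController:
    """Simulated command interface for an implanted device.

    Only the radio command path is locked out; the device's own therapy
    function is assumed to continue regardless (the post only talks about
    not responding to commands).
    """
    MAX_FAILURES = 3
    LOCKOUT_SECONDS = 10 * 60

    def __init__(self, serial):
        self._serial = serial          # constructed value, e.g. "SN-0001"
        self._failures = 0
        self._locked_until = 0.0

    def handle(self, serial_guess, command, now):
        """Response to `command` received at time `now` (seconds).

        While locked out every command is ignored, including ones that
        carry the correct serial, so a mistyped serial during an
        emergency delays the legitimate programmer too.
        """
        if now < self._locked_until:
            return "ignored: locked out"
        if serial_guess != self._serial:
            self._failures += 1
            if self._failures >= self.MAX_FAILURES:
                self._locked_until = now + self.LOCKOUT_SECONDS
                self._failures = 0
                return "rejected: lockout started"
            return "rejected: bad serial"
        self._failures = 0             # a good command resets the counter
        return f"ok: {command}"


def worst_case_hours(serial_digits, max_failures=3, lockout_seconds=600):
    """Whole hours needed to try every numeric serial of the given length
    under this lockout policy (defender's capacity estimate)."""
    guesses = 10 ** serial_digits
    lockouts = guesses // max_failures
    return (lockouts * lockout_seconds) // 3600
```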

How To Steal A Credit Card

I said a while back RFID credit cards still have to prove themselves. Today I saw this interesting story on CNet:

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer’s wallet, Laurie both read and displayed its contents on the presentation screen–the person’s name, account number, and expiration clearly visible.

You can find a ton of information, including code and the hardware necessary to duplicate this, on his website RFIDIOt.

Another real potential issue is companies using RFID for security badges. Considering how easy it is to read and duplicate, potentially anyone who can get close to someone walking into an office can capture the data necessary to produce their own ID card. In this case the only security is matching the photo stored on the company’s computer system (not the one on the badge) to the person’s face. So for those offices that don’t have security staff doing this, anyone could theoretically get in.

The best security mechanisms are the most simple and discreet. Credit cards are naturally pretty secure if used correctly. Nobody can abuse a credit card unless they know the number. Nobody can read it through a wallet. The wallet in this case is a great security feature. To read it you need to either visually inspect it for the numbers, copy it, get an impression of it, or swipe it through a reader. All things that require intimate contact with the actual card. Impressive security for some old technology, isn’t it?

I’ll stick with swiping a credit card for the foreseeable future. You’re only not liable for a stolen credit card if you and your credit card company mutually agree it’s stolen or being misused. Otherwise you may be on your way to an expensive dispute. Regardless, it may have hit your credit, and you’ll spend a lot of time sorting it out and getting it corrected. Bad credit costs you money. Some individuals make it sound like it’s just a phone call and you’re done, but people who have had their credit card stolen sometimes spend several months fighting to save their credit.

False Alarm, Go Back To Bed

The other night I was reading about this new security flaw, and for some reason I couldn’t figure out why it was a security flaw. Why couldn’t you just download Firefox and open the file yourself? I presumed I was just tired, and went to bed.

Turns out I wasn’t the only one who didn’t think it was a vulnerability. Mike Shaver has more info on it. If someone wanted to get that information, they don’t need to get people to visit a hacked server. They can just download Firefox and open the file itself. No big deal.

Theoretically a custom enterprise build made by a company for use on its network could be modified, but I doubt it. Even if it was, it wouldn’t really contain anything very useful.

Always take things posted on a tech site with a grain of salt, unless they are confirmed by multiple experts. Slashdot ran the story a little premature.

Hacking A Boeing 787?

According to Wired the Boeing 787 Dreamliner connected the networks for passenger services to critical flight systems:

The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.

Here’s what a Boeing spokesperson had to say:

…it is employing a combination of solutions that involves some physical separation of the networks, known as “air gaps,” and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn’t want to discuss in public.

Would it really be that much more costly to create two networks: one for the important stuff like navigation and control systems, and another completely independent network for passengers to download porn? Networking gear isn’t that expensive. Internet access at 35,000 feet is high latency anyway.

I’m really not so sure I’d feel comfortable knowing that the same network that’s carrying a Rob Schneider movie to the guy in 11F is also carrying packets intended for the horizontal stabilizer.

Maybe I’m just paranoid. After all, I’m not too comfortable with the Airbus A380 apparently running Windows in the cockpit.

Hopefully they get it all figured out quickly.

Calculator Phoning Home? Not Really

Wasn’t sure what this is all about, but according to Little Snitch 2.0 (which is awesome by the way) the Calculator in Mac OS X 10.5 (Leopard) apparently phones home. Based on the URL http://wu-calculator.apple.com one would assume that’s checking for updates (wu typically stands for web update). Though I find this somewhat odd considering Mac OS X has an update system that’s all encompassing. I decided to take a closer look. Earlier it was said that 10.5 was phoning home, though that turned out to not be the case.

Calculator Phoning Home

So I did a little sniffing around (literally packet sniffing), and here’s what I found. On load it sends the following (seemingly blank) request to Apple for currency conversion info. The response is the exchange rate. I’ve got a copy for reference below for anyone who wants to see. Calculator seems to use CFNetwork to communicate (not surprising). What’s interesting is that this info doesn’t seem to be cached; every time you load Calculator it’s requested.

So yes, it does technically ping the mothership, but no, it doesn’t seem to send back any data worth being concerned about. The only thing noteworthy is the cookie. The cookie itself is characteristic of Omniture, an analytics company (who provides analytics services to Apple among many of the largest sites on the web). This seems like a side effect of the implementation (likely sharing stuff from WebKit). I don’t think Omniture is pinged during this transaction, so the only way it would matter is if Apple were recording that cookie and matching it against web analytics data, and I’d consider that extremely unlikely even if I put a tin foil hat on my head. I guess Apple could further neutralize any privacy concerns by modifying the implementation to not send a cookie. At that point they would only have your IP to go by (which could be behind a proxy and therefore isn’t very reliable). I don’t think this is a privacy risk, but I also don’t think it would be so bad for Apple to modify it and drop the cookie to make it more anonymous. Or at least give the option to not request data every time.
