All Tags » General Security » Why is PKI so hard? (RSS)

Apple’s “goto fail” SSL issue–how do you avoid it?

Context – Apple releases security fix; everyone sees what they fixed. Last week, Apple released a security update for iOS, indicating that the vulnerability being fixed is one that allows SSL / TLS connections to continue even though the server...

DigiNotar - why is Google special?

So, you’ve probably heard about the recent flap concerning a Dutch Certificate Authority, DigiNotar, who was apparently hacked into, allowing for the hackers to issue certificates for sites such as Yahoo, Mozilla and Tor. I’ve been reading a few comments...

Woot got my Zune, Zune can’t get my woot!

Quite some time ago, my wife was very sneaky. Oh, she’s sneaky again and again, but this is the piece of sneakiness that is appropriate for this post. I logged on to woot.com one day, as I often do, and saw that there was a 30GB Zune for sale – refurbished...

TLS Renegotiation attack – Microsoft workaround/patch

Hidden by the smoke and noise of thirteen (13! count them!) security bulletins, with updates for 26 vulnerabilities and a further 4 third-party ActiveX Killbits (software that other companies have asked Microsoft to kill because of security flaws),...

Ten key truths

In the spirit of "ten unavoidable security truths", and numerous other top-ten lists, here's a list of ten key truths that apply to public / private key pairs: Your private key has to be private to you. It cannot be created by anyone else...

Corrections to Thierry Zoller’s Whitepaper

Thanks to Thierry Zoller for mentioning me in the FTP section of his whitepaper summary of the TLS renegotiation attacks on various protocols. I’m glad he also spells my name right – you’d be surprised how many people get that wrong, although I’m sure...

My take on the SSL MITM Attacks – part 3 – the FTPS attacks

[Note - for previous parts in this series, see Part 1 and Part 2.] FTP, and FTP over SSL, are my specialist subject, having written one of the first FTP servers for Windows to support FTP over SSL (and the first standalone FTP server for Windows!) Rescorla...

My take on the SSL MitM Attacks – part 2 – clarifications

Since the last post I made on the topic of SSL renegotiation attacks, I’ve had a few questions in email. Let’s see how well I can answer them: Q. Some stories talk about SSL, others about TLS, what’s the difference? A. For trademark...

My take on the SSL MITM Attacks – part 1 – the HTTPS attack

If you’re in the security world, you’ve probably heard a lot lately about new and deadly flaws in the SSL and TLS protocols – so-called “Man in the Middle” attacks (aka MITM). These aren’t the same as old-style MITM...

When “All” isn’t everything you need – Terminal Services Gateway certificates.

Setting up Terminal Services Gateway on Windows Server 2008 the other day. It’s an excellent technology, and one I’ve been waiting for for some time – after all, it’s fairly logical to want to have one “bounce point” into which you connect, and have your...

Debugging SSTP error -2147023660

Setting up an SSTP (Secure Socket Tunneling Protocol) connection earlier, I encountered a vaguely reminiscent problem. [SSTP allows virtual private network – VPN – connections between clients running Vista Service Pack 1 and later and servers running...

The CWE Top 25 Programming Mistakes

I’ve read some debate about the top 25 programming mistakes as documented by the CWE (Common Weakness Enumeration) project, in collaboration with the SANS Institute and the MITRE. That the list isn’t complete, that there are some items that aren’t in...

Microsoft Security Advisory – MD5 collisions

I would hardly be able to call my blog “Tales from the Crypto” if I didn’t pass at least some comment on the recent Microsoft Security Advisory, and the technical pre-paper on which it is based. To an uninformed reader, the advisory (and especially...

Searching for Weak Debian / Ubuntu SSL Certificates

I've seen a number of people promote packages that have shipped for Debian and Ubuntu, which allow users to scan their collected keys - OpenSSH or OpenSSL or OpenVPN, to discover whether they're too weak to be of any functional use. [See my earlier...

Debian and the OpenSSL PRNG

[PRNG is an abbreviation for "Pseudo-Random Number Generator", a key core component of the key-generation in any cryptographic library.] A few people have already commented on the issue itself - Debian issued, in 2006, a version of their Linux...

In Defence of the Self-Signed Certificate

Recently I discussed using EFS as a simple, yet reliable, form of file encryption. Among the doubts raised was the following from an article by fellow MVP Deb Shinder on EFS: EFS generates a self-signed certificate. However, there are problems inherent...

Can't I trust the Postal Service? Part 2 - the certificate.

In part 1 of this mini-series, I talked about how the US Postal Service had deployed only part of the certificate that they had bought, and that this resulted in either an irritating dialog (in IE 6, and other browsers), or a page that warned you not...

Can't I trust the Postal Service? Part 1 - the crypto.

The Security MVPs have a private mailing list on which we gather to share expertise or our interesting findings - the following was raised by an MVP, and very much interested me, on a number of levels: The US Postal Service has a web service (as well...

EFS in a domain expires after three years

I enjoyed the research for writing my article on EFS, for the Technet Security Newsletter, but there's always something experience will teach you. Here's an issue I experienced just last week, with EFS. It shouldn't have been a surprise, given what...

Finding your private keys

For the most part, Windows users and administrators don't ever have to worry about how or where their private keys are stored. After all, your private key is yours, and it's private. You request it to be generated, and then you don't need to touch it...