Browse by Tags

All Tags » Why is PKI so hard? (RSS)
Wed, Nov 18 2009 21:02

My take on the SSL MITM Attacks – part 3 – the FTPS attacks

[Note - for previous parts in this series, see Part 1 and Part 2 .] FTP, and FTP over SSL, are my specialist subject, having written one of the first FTP servers for Windows to support FTP over SSL (and the first standalone FTP server for Windows!) Rescorla...
Posted by Alun Jones | with no comments
Filed under: , , , ,
Wed, Nov 11 2009 21:20

My take on the SSL MitM Attacks – part 2 – clarifications

Since the last post I made on the topic of SSL renegotiation attacks , I’ve had a few questions in email. Let’s see how well I can answer them: Q. Some stories talk about SSL, others about TLS, what’s the difference? A. For trademark reasons, when SSL...
Posted by Alun Jones | 1 comment(s)
Filed under: , ,
Mon, Nov 9 2009 20:26

My take on the SSL MITM Attacks – part 1 – the HTTPS attack

If you’re in the security world, you’ve probably heard a lot lately about new and deadly flaws in the SSL and TLS protocols – so-called “Man in the Middle” attacks (aka MITM). These aren’t the same as old-style MITM attacks , which relied on the attacker...
Posted by Alun Jones | 3 comment(s)
Filed under: , ,
Mon, Feb 2 2009 17:47

When “All” isn’t everything you need – Terminal Services Gateway certificates.

Setting up Terminal Services Gateway on Windows Server 2008 the other day. It’s an excellent technology, and one I’ve been waiting for for some time – after all, it’s fairly logical to want to have one “bounce point” into which you connect, and have your...
Posted by Alun Jones | 1 comment(s)
Filed under: , ,
Wed, Jan 28 2009 6:57

Debugging SSTP error -2147023660

Setting up an SSTP (Secure Socket Tunneling Protocol) connection earlier, I encountered a vaguely reminiscent problem. [SSTP allows virtual private network – VPN – connections between clients running Vista Service Pack 1 and later and servers running...
Posted by Alun Jones | with no comments
Filed under: , , ,
Thu, Jan 22 2009 4:39

The CWE Top 25 Programming Mistakes

I’ve read some debate about the top 25 programming mistakes as documented by the CWE (Common Weakness Enumeration) project, in collaboration with the SANS Institute and the MITRE . That the list isn’t complete, that there are some items that aren’t in...
Posted by Alun Jones | 1 comment(s)
Filed under: , , ,
Thu, Jan 1 2009 19:31

Microsoft Security Advisory – MD5 collisions

I would hardly be able to call my blog “Tales from the Crypto” if I didn’t pass at least some comment on the recent Microsoft Security Advisory , and the technical pre-paper on which it is based . To an uninformed reader, the advisory (and especially...
Posted by Alun Jones | 3 comment(s)
Filed under: ,
Thu, May 22 2008 20:02

Searching for Weak Debian / Ubuntu SSL Certificates

I've seen a number of people promote packages that have shipped for Debian and Ubuntu, which allow users to scan their collected keys - OpenSSH or OpenSSL or OpenVPN, to discover whether they're too weak to be of any functional use. [See my earlier...
Posted by Alun Jones | 2 comment(s)
Filed under: , , ,
Thu, May 15 2008 17:55

Debian and the OpenSSL PRNG

[PRNG is an abbreviation for "Pseudo-Random Number Generator", a key core component of the key-generation in any cryptographic library.] A few people have already commented on the issue itself - Debian issued, in 2006, a version of their Linux...
Posted by Alun Jones | 10 comment(s)
Filed under: , ,
Sat, May 10 2008 10:49

In Defence of the Self-Signed Certificate

Recently I discussed using EFS as a simple, yet reliable, form of file encryption. Among the doubts raised was the following from an article by fellow MVP Deb Shinder on EFS: EFS generates a self-signed certificate. However, there are problems inherent...
Posted by Alun Jones | 3 comment(s)
Filed under: , ,
Sat, May 3 2008 16:57

Can You Write Good Code for an OS you Despise?

No, this isn't another of my anti-Mac frothing rants. This is one of my "here's what I hate about many of the open-source projects I deal with" rants. I'm trying to find an SFTP client for Windows that works the way I want it to...
Posted by Alun Jones | 3 comment(s)
Filed under: , ,
Fri, Jun 8 2007 12:01

Can't I trust the Postal Service? Part 2 - the certificate.

In part 1 of this mini-series , I talked about how the US Postal Service had deployed only part of the certificate that they had bought, and that this resulted in either an irritating dialog (in IE 6, and other browsers), or a page that warned you not...
Posted by Alun Jones | 4 comment(s)
Filed under: ,
Sun, May 20 2007 21:10

Can't I trust the Postal Service? Part 1 - the crypto.

The Security MVPs have a private mailing list on which we gather to share expertise or our interesting findings - the following was raised by an MVP, and very much interested me, on a number of levels: The US Postal Service has a web service (as well...
Posted by Alun Jones | 1 comment(s)
Filed under: , ,
Sat, Mar 24 2007 21:30

EFS in a domain expires after three years

I enjoyed the research for writing my article on EFS , for the Technet Security Newsletter , but there's always something experience will teach you. Here's an issue I experienced just last week, with EFS. It shouldn't have been a surprise, given what...
Posted by Alun Jones | 3 comment(s)
Filed under: , ,
Wed, Feb 21 2007 22:05

Finding your private keys

For the most part, Windows users and administrators don't ever have to worry about how or where their private keys are stored. After all, your private key is yours , and it's private . You request it to be generated, and then you don't need to touch it...
Posted by Alun Jones | 3 comment(s)
Filed under: , ,
Sat, Jan 13 2007 21:30

Certificate Manager does not require administrator access.

When you manage your personal certificates in Windows, the tool to use is Certificate Manager - you can access it either by running " certmgr.msc " to access your own personal certificate store, or by running MMC, the Microsoft Management Console, and...
Posted by Alun Jones | 1 comment(s)
Filed under: , , ,
Tue, Nov 7 2006 7:09

ChangePassword versus SetPassword

Writing a piece of code last night, I was struck by the thought that many developers I've worked with would not know why I use a ChangePassword function, instead of a SetPassword function. The difference in use is simple - SetPassword requires one password...
Posted by Alun Jones | 2 comment(s)
Filed under: , ,
Tue, Jul 18 2006 18:56

Defence in death

"Defence in depth" (or "defense in depth", if you're American) is a frequently misunderstood term in security. It refers to designing your software with the assumption that layers above you that were supposed to protect you have failed to do so - in whatever...
Posted by Alun Jones | with no comments
Filed under: ,
Mon, Jul 17 2006 17:48

Where did Private Folders go?

Wow - yesterday, you could download "Microsoft Private Folders" (if you were attested as Genuine) from Microsoft's downloads site. Today, it's gone. There's a brief synopsis of the story at the Seattle P-I's site here - as usual, I'm patient enough to...
Posted by Alun Jones | with no comments
Filed under: ,
Wed, Jul 5 2006 11:06

New ActiveSync - still not going to upgrade to it.

Microsoft just released a new version of ActiveSync - version 4.2 . It has some Outlook improvements, proxy improvements, partnership improvements, and VPN connectivity improvements. So why am I still not going to bother installing this? Because it still...
Posted by Alun Jones | 1 comment(s)
Filed under: ,
More Posts Next page »