December 31st, 2008
admin
This is huge, make no mistake. There has never been an exploit against PKI this big, to my knowledge. I mean, it (PKI) is not a perfect system by a long way, but up until now, if you were careful, then you could have a reasonable expectation of your HTTPS connection being secure.
This latest MIM attack disclosed at 25C3 has changed that; now you would have to be very careful indeed to have an expectation of privacy/confidentiality. Make no mistake, a large portion of the blame lies at the feet of those certificate providers who are still using MD5 hashes instead of SHA. The MD5 flaw/vulnerability (that of increased likelihood of collisions) has been known for a long time – in fact Schneier's post makes it plain that attacks against MD5 were no longer theoretical, and that was in 2005.
The thing that, to me, makes this worse is that it's not just smaller certificate authorities that are still using MD5 – Thawte and RSA Data Security are two of the biggest providers of certs and they still use MD5 (according to the presentation).
One thing that did surprise me is that the CRL that is used to check against revoked certificates is obtained from within the certificate itself – so if you are spoofing a cert, you could theoretically put your own spoofed CRL in as well. That's a pretty large hole from where I'm sitting.
A detailed explanation of this exploit/vulnerability is available here and their slides are here.
OSG
Additional Note
It's worth considering this post, which points out that not all CAs use a serial number that increments and so not all are vulnerable to this attack – it's a valid point, but it only takes one vulnerable CA for this to work, and while we do need to stop using consecutive serial numbers, I think we also need to stop using MD5 for gawd sake.
Additional Note 2
SSL Blacklist (a Firefox extension) has been updated to check for certs that use MD5 as their algorithm (this doesn't mean they are bad per se – see above note). The extension is available here.
December 30th, 2008
admin
Like any true geek I'm always elated when I get a package from Amazon, and yesterday was no different. My latest book arrived on the doorstep – Fyodor's NMAP Network Scanning.
Some may say that the info for this tool is already available on the net, but to be honest my decision to buy this book was, in part, so that Fyodor would get some money back for the excellent tool that he has created and regularly updates. I found out that the book had gone into print when I heard his talk at Defcon and decided there and then that I must have it.
It's both interesting and very encouraging to read that he, as an open source author, chose to use open-source tools to write the book rather than bowing to the pressure to use proprietary software – kudos for that, dude. Now to find some time to read it.
OSG
December 28th, 2008
admin
Xmas holidays mean friends, family, far too much food and (hopefully) additional time to geek out and get some things done that you don’t normally get time to do.
For me this holiday time I've been absorbed by the following geeky stuff:
Getting this site tuned/updated and backups set up so that I can blog away without any worries – WordPress 2.7 is awesome by the way, a huge well done to that team.
Upgraded my local mailserver (running Zimbra) – I love Zimbra, it's just so good. I haven't touched it for 116 days apparently (when it was shut down for a planned power outage) but it just keeps on running without any complaints and stays on top of spam. After upgrading, as I had extra time, I decided to take a look at Zimbra Desktop – in short I like it, so it's now installed on my laptop also.
Today I shall be upgrading my Zenoss server as well – again this is another amazing piece of software, rock solid and very well implemented.
I've also been playing some more with Netifera (see earlier post) and also rediscovering Maltego – Maltego is useful if you are doing some domain research. It's nothing that you can't do from the command line, I know, but it's the way it represents it visually and groups it to other domains you may be investigating that makes it pretty cool in my books. To understand more, check out their videos here here here and here.
I'm so happy to have a hobby that so utterly consumes me. Being able to play with quality software packages such as those mentioned above (and many not mentioned) is almost entirely due to the FOSS community that contribute their work under the many open source licenses, and much of it is done for free – so I just wanted to say thanks to all the FOSS developers for the best present ever: free software!
Happy holidays, OSG