OK, the title might sound a little weird, but trust me..... I work on a daily basis with digital certificates (end-user, and SSL certificates). These things get more, and more common these days. More and more webservices are being 'secured' by SSL certificates. The only problem is that the technicians who run the services don't know shit (well, most of them do) about SSL and/or PKI. I don't blame them, because it tends to be a little complex. SSL certificates can be generated as selfsigned certificates, or you might wanna get a commercial SSL certificate from Certificate Authorities like VeriSign, Thawte, GeoTrust, etc. Anyway, in every case, you need to generate a certificate signing request (CSR), and submit it to the Certificate Authority. The problem is that there are some applications that stay in a pending mode if you generate a CSR, and wait for the resulting certificate to come back from the CA. This might take a couple of days. It would be a lot nicer if you can request the certificate on another platform, and import it in the application when you get the thing. There are several ways to generate a CSR on the different platforms;
- OpenSSL - equivalent to rocket science for most people, since it's a commandline tool
- Via webserver tooling (IIS, JAVA Keytool, etc.)
- XCA - Not very user friendly if you're requesting just one or two certificates a year.
- And probably some other 'obscure' ways
But what if your application needs a SSL certificate, or your webserver is located on the other side of the world (and you have no way of accessing it directly)? How the hell do you generate a CSR? The Windows platform itself doesn't have any tools for creating certificates (only if you use IIS or have a CA running on the platform). I hope to solve this by creating an application (cross platform off course) which creates these CSR's, and create pkcs12 (or .pfx) files when you import the resulting certificate in the tool. This pkcs12 file can be installed on the server as needed. Finally, a challenge for me to start programming again.
The new and improved security in Microsoft Vista regarding DRM may have (and probably will) have great consequences for the end-user. Peter Gutman published
his research on the DRM features in Windows Vista, and his findings are staggering.
The biggest concerns are related to hardware certification revocation, and dynamically downscaling quality.
Dynamically downscaling qualit means that if Vista plays some DRM enabled media on the PC (HD-DVD, or whatever), all other in and outputs are degraded. This means that your high quality pr0n has a lousy quality, while you're listening to DRM enabled music..... Well that suck, but implications can be huge, as Peter Gutman explained.
Furthermore, the revocation of driver certificates. If, somehow, a driver signing certificate gets stolen from a manufacturer, Microsoft has the ability to revoke that particular certificate. This means that the complete install base for that drives becomes totally useless. It could mean that your PC won't be able to boot (and everyone else's) if you have that particular brand of motherboard. What if key public services become useless because of this driver revocation? No more fresh water, traffic lights gone haywire??
Peter also mentiones that the DRM scheme in general is very weak;
Note B: I'll make a prediction at this point that, given that it's trying to do the impossible, the Vista content protection will take less than a day to bypass if the bypass mechanism is something like a driver bug or a simple security hole that applies only to one piece of code (and can therefore be quickly patched), and less than a week to comprehensively bypass in a driver/hardware-independent manner. This doesn't mean it'll be broken the day or week that it appears, but simply that once a sufficiently skilled attacker is motivated to bypass the protection, it'll take them less than a day or a week to do so.
Funny thing is that engadget recently posted
an article about a piece of software that claims to remove DRM from HD-DVD movies...... So Peter's thoughts on that weren't that far off :).
Personally I think that the entire Music and Movie industry needs to come to their senses, and stop treating every customer as a criminal. But unfortunatelly, I don't think that that's gonna happen
soon.
I received an error today when I tried to access a SSL protected website. According to FireFox;
Firefox can't connect securely to because the site uses a security protocol which isn't enabled.
It seems that FireFox has removed the support for older/insecure SSL sessions. Some research showed that these setting are accessible through the 'hidden' configuration in FireFox. Just type
about:config in your addressbar and it shows the advanced settings of FireFox.
Put
security.ssl3.rsa_rc4_40_md5 in the filter bar, so that all other settings are removed from the current view. After that set the parameter to
true (default is false).
After this you're able to access the website. If not try enabling the other encryption parameter to true (which are set to false). Filter on
security, and the parameter are quite similar to the one discussed in this entry.
Note that there might be some security issues when you enable old(er) security protocol support in FireFox. These are disabled for a reason!!!.
Just spotted
an article about the new security requirements for a
DigiD. A DigiD is an online username password for (secure (??)) communication with the government. The ID is also used for filling in your taxforms and submitting them online.
I was, and still am, not in favor of a username and password for communication with the government. Username and password is a very weak form of authenticating people. Especially when those usernames and passwords can be used for identity theft.
Now there are
additional security requirements for having a DigiD. It seems that they require a unique phone number (a cellphone) for non basic services. At this moment there are multiple entries in their database which share the same phone number..... What's wrong with that? I don't own a cell phone. The cell phone I have is owned by my boss. I'm not using this phone number for this ID, because this phone can be used by my colleagues. Same for my wife. That leaves us with the phone number from my good-old analog (non SMS enabled) phone. That's one phone number for two people.... I guess that means that I'll be doing my tax returns the old-fashioned way.. by paper.
Hamachi is a great tool of connecting to your server / PC at home while you are on the road (or at work). The program allows you to create a Virtual Network between (configurable) clients without the need of opening ports in your DLS/Cable modem or router [
screenshots].
I use Hamachi at home where I can access my servers as if it were on the same network.
After a long beta period, they finally released an official final
1.0.1.1 version of this tool (available for Windows,
OSX). If you need some tool for administrating servers on a 'shielded' network, this is the tool to use. Another practical use is for remote assistance for family or friends. Just have them install Hamachi, and when ever they are in need of any assistance, they launch their Hamachi client and you can access their PC for troubleshooting.
How Hamachi Works
Hamachi is a UDP-based virtual private networking system. Its peers utilize the help of a third node called a mediation server to locate each other and to bootstrap the connection between them. The connection itself is direct and once it is established no traffic flows through our servers.
Hamachi is not just truly peer-to-peer; it is verifiably secure peer-to-peer.
Believe it or not, but we are able to successfully mediate p2p connections in roughly 95% of all cases we have dealt with so far. This includes peers residing behind various firewalls or broadband routers (aka NAT devices). It is high-tech and it is really cool :)
Don't worry about other people getting in, because the Hamachi client needs to run, you need to know the name of the created network, AND you need to know the password created for that network.
In the older FireFox versions (<2.0), it was possible to allow cookies from sites you visit, but to disallow cookies which do not originate from that site (e.g. advertisements etc.). These cookies makes it possible for the advertising sites to track your movements on the Internet (amongst other things).
Somehow, the FireFox developers removed that functionality from the user interface, and it seems to be disabled by default. It can be enabled by using the
about:config command (just type it in the URL bar in FF).
This opens the
registry/configuration of FireFox.
Search the config for
network.cookie.cookieBehavior (you can search by using the filter), and set the value to "1" (without the quotes).
