Posts filed under Security

Create Your Own EV Certificate??

Most web browsers support extended validation (EV) certificates. These certificates give a visual indication (a green browser bar, for example) that the SSL connection is trustworthy. The only problem is that they are expensive, especially compared with the 'ordinary' SSL certificates.

These certificates are special because the Certificate Authority (e.g. VeriSign) has validated the company that buys them. This way, the end user can shop / bank / or whatever online without worrying too much.

Some affiliates / certificate vendors already did this years ago (validating the actual companies), so this is nothing new. Yet another way to fool the consumers, and make some extra money.....

The problem I run into is that I used to have a 'yellow-ish' address bar when I entered an https website. Today (at least with Firefox 3) the address bar remains blank. The only indication is a tiny lock displayed at the bottom of the browser. Something you might (and definitely will) overlook.

I use a home-made Certificate Authority to create my own certificates (for webmail, secure IMAP, SSL, etc.), but I would like to see a proper visual indication of the SSL connection. So, is there a way to create an EV-like certificate (or even a new CA) by using Microsoft Certificate Services or by using OpenSSL which displays the colored address bar?

I did find some info on the EV requirements, but these should be 'spoofable' some way or another.....

UPDATE: I found a website which suggests reconfiguring Firefox 3. Problem with that is that I need to reconfigure all my browsers. I'd rather do it by 'faking' the specs.

It seems that the OCSP responder is mandatory for the bars to turn green....
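To see what those two requirements look like inside a certificate, here is an added example (not from the post, and not a way to get a green bar): it builds a throwaway self-signed certificate with OpenSSL that carries an OCSP responder URL (in the Authority Information Access extension) and a certificatePolicies OID, then reads both back. The URL and OID are constructed placeholders, and the script needs OpenSSL 1.1.1 or newer for `req -addext`.

```shell
#!/bin/sh
# Added example: generate a throwaway self-signed test certificate carrying an
# OCSP responder URL and a certificatePolicies OID, then inspect it with
# openssl. Both values are constructed placeholders, not real EV identifiers.
set -e

WORKDIR=$(mktemp -d)
OCSP_URL="http://ocsp.example.test/"        # constructed placeholder
POLICY_OID="1.3.6.1.4.1.99999.1.1"          # constructed placeholder, not a real EV OID

# make_test_cert: write key.pem/cert.pem into WORKDIR and print the cert path.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
        -subj "/CN=ev-test.example.test" \
        -addext "authorityInfoAccess=OCSP;URI:$OCSP_URL" \
        -addext "certificatePolicies=$POLICY_OID" >/dev/null 2>&1
    echo "$WORKDIR/cert.pem"
}

# cert_ocsp_uri CERT: print the OCSP responder URI(s) found in the certificate.
cert_ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# cert_has_policy CERT OID: exit 0 if the certificate lists that policy OID.
cert_has_policy() {
    openssl x509 -in "$1" -noout -text | grep -qF "Policy: $2"
}

CERT=$(make_test_cert)
echo "OCSP responder: $(cert_ocsp_uri "$CERT")"
if cert_has_policy "$CERT" "$POLICY_OID"; then
    echo "policy $POLICY_OID is present"
fi
```

The extensions themselves are ordinary X.509 and any CA, home-made or not, can emit them. What a browser checks for EV is that the policy OID in the leaf matches the OID it has pinned to a specific root certificate in its own trust list, so a root that is not on that list gets no green bar no matter which extensions its certificates carry. The OCSP URL is still useful on its own: it gives revocation-checking clients a place to look.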

Posted on August 15, 2008 and filed under Browsers, Security.

XS4ALL Plans Outbound Port Filtering

A usenet posting suggests that XS4ALL will provide a filtering service to their subscribers. The filter would consist of 5 levels, ranging from fully open to 'fully' closed. The first will give you the possibility of running your own services at home, and the latter means you're only able to e.g. surf and e-mail (through the XS4ALL SMTP server).

The filters would give the basic/ignorant user the opportunity of preventing the spreading of malware and other stuff by default. The more tech savvy subscribers can remove the filter for running a bunch of services (webserver, ftp, mail, DNS, etc).

Definitely a good decision. I just hope that the other ISPs will do something similar, because most of the virus/malware/mass-mailing 'software' is running on PCs run by the average user, totally ignorant of the malware running on their PCs.

Yet another 'thumbs up' for the quality provider of the Netherlands

Posted on August 13, 2008 and filed under Internet, News, Security.

Lightroom 2.0

Adobe has released Lightroom 2.0.

The new features for this release are (my favorites):

  • 64bit support
  • >10.000 pixel wide images (finally able to add a decent panorama to Lightroom)
  • Multiple monitor support

An overview of the (new) features can be found here.

UPDATE: I've been playing with the dual display feature for a couple of hours. This is definitely a major enhancement. Finally, a real workplace of 2 * 24" widescreen.

Posted on July 29, 2008 and filed under Personal, Security.

FireFox 3 Dialog Boxes

Firefox is the default browser on all my platforms, and every once in a while I run into strange dialog boxes.
E.g., this evening I updated some digital certificates for the test environment of the VeriSign MPKI backend. These certificates are issued by a (private) VeriSign CA, so there's no trust by default.

After generating the keypair in Firefox 3 I got the positive dialog box as shown below.

No problem so far, but the next dialog box 'scared' me a little:

This dialog box, or at least the result, would remove (or delete) the certificate I just generated. The issuing CA is not installed in Firefox (or on the machine itself, for that matter). But in fact the certificate was installed in the crypto/certificate store of Firefox, and I could use it to access the VeriSign test backend.

So, even though Firefox warns the user that the content will be deleted (or not added), it doesn't actually do that at all. Let's see if I can file a bug report, because this occurred on all 4 certificates I generated/imported.

Posted on July 8, 2008 and filed under Browsers, Security, Software.

Full Disk Encryption for the Mac

Checkpoint acquired a company called PointSec a while ago. This company made full hard disk encryption software for Windows. Now, Checkpoint has released a hard disk encryption version for the Mac. I guess they are taking OSX seriously.

Disk encryption has been available for the Mac for a while (TrueCrypt, PGP), but those products aren't able to encrypt the boot partition: they only encrypt other partitions, or use file containers. Until now this type of software was primarily available for Windows only.

Now that the 'trick' has been done, I guess more will follow.

I do wonder if it's still possible to use SuperDuper for cloning a bootdisk....

Posted on June 3, 2008 and filed under Apple, News, Operating Systems, Security, Switched2Mac.

Symcaimport Safety

No matter what you do, there are always social rejects (and this is saying it nicely) trying to sabotage you. I've been getting various virus alerts on my CA import tool for mobile phones. Every one of them seems to be an attempt to upload a trojan. Thankfully, the AV software intercepts them.

Social rejects trying to upload trojans

Just to reassure you all: each upload is given a unique name (8 characters). If such a filename already exists, it will be overwritten. So the chance of you getting someone else's file is (almost) zero. Just make sure that you use the correct name / URL when you're trying to download the certificate on your phone.
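As an added example (not the Symcaimport tool's own code), this is how an upload handler can provide the two properties described above, an unpredictable 8-character name per upload and no way to fetch someone else's file, plus one check the post does not mention: refusing anything that is not shaped like a certificate, which is where an uploaded trojan would be stopped before the AV even sees it. One deliberate difference from the tool as described: this version never overwrites an existing file. Noclobber (`set -C`) makes `>` fail on a name that is already taken, and a fresh name is drawn instead. The upload directory and the certificate files in the test are constructed.

```shell
#!/bin/sh
# Added example: collision-safe, unpredictable naming for uploaded certificate
# files, plus a cheap shape check that rejects non-certificate uploads.
set -e

UPLOAD_DIR=$(mktemp -d)     # stands in for the server's upload directory (constructed)

# random_name N: N characters from [a-z0-9] drawn from the kernel CSPRNG.
# 36^8 possible names for N=8, so a name is not guessable from the outside.
random_name() {
    LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c "$1"
}

# looks_like_certificate FILE: DER certificates start with the ASN.1 SEQUENCE
# tag 0x30, PEM ones with the BEGIN CERTIFICATE line; reject everything else.
looks_like_certificate() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ] || head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'
}

# store_upload SRC: validate SRC, copy it under a fresh name, print the name.
store_upload() {
    looks_like_certificate "$1" || { echo "not a certificate" >&2; return 1; }
    tries=0
    while [ "$tries" -lt 5 ]; do
        name=$(random_name 8)
        dest="$UPLOAD_DIR/$name.cer"
        # set -C in a subshell: the redirection fails instead of overwriting,
        # so an existing file (someone else's upload) is never replaced.
        if ( set -C; cat "$1" > "$dest" ) 2>/dev/null; then
            chmod 600 "$dest"
            echo "$name"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "could not allocate a unique name" >&2
    return 1
}
```

The shape check only looks at the first byte or line, so it is a filter for obviously wrong uploads, not a parser; anything that passes still goes through the usual scanning before it is served.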

Posted on May 27, 2008 and filed under Annoying, Security, Symbian, Website.

CiscoVPN Error 51 Annoyance

The CiscoVPN client (v4.9.01.0100) for Apple OSX throws an error every once in a while. Mainly when I just rebooted, or when I was forced to quit some hanging application (which also occurs on Macs). The error is:

Error 51: Unable to communicate with the VPN subsystem

Somehow, the VPN software loses contact with the network adapter (wired AND wireless). After this there are two things you can do:

  1. Reboot, or
  2. restart the Cisco VPN service manually.

The first is kinda obvious (it's almost a MS Windows strategy :)). The second one is done via the Terminal (Finder -> Applications -> Utilities -> Terminal). Just type the following command (followed by your password):

sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

The thing I don't understand is: why hasn't Cisco incorporated this in the VPN client?

IF (Error 51 == TRUE)
DO CiscoVPN.restart

It seems that this 'bug' is present since the release of the Mac OSX version of the software.
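The check-then-restart logic from the pseudocode above, as an added example (not Cisco's code and not from the post): a small wrapper you could call from an alias or login item. Only the restart command comes from the post. The health check is an assumption, namely that a working VPN subsystem shows a loaded Cisco kernel extension in `kextstat`; the functions take both commands as parameters so the check can be swapped for whatever works on your machine.

```shell
#!/bin/sh
# Added example: restart the Cisco VPN startup item only when the VPN
# subsystem does not answer, instead of restarting a healthy service.
set -e

RESTART_CMD='/System/Library/StartupItems/CiscoVPN/CiscoVPN restart'   # from the post
CHECK_CMD='kextstat | grep -qi cisco'                                   # assumption

# ensure_vpn CHECK RESTART: run CHECK (a shell snippet); if it fails, run
# RESTART. Prints "healthy" or "restarted"; fails only if RESTART itself fails.
ensure_vpn() {
    if sh -c "$1" >/dev/null 2>&1; then
        echo healthy
    else
        sh -c "$2"
        echo restarted
    fi
}

# Only act when explicitly asked to, so defining the functions is side-effect free.
if [ "${1:-}" = "--run" ]; then
    ensure_vpn "$CHECK_CMD" "sudo $RESTART_CMD"
fi
```

Invoke it as `sh ensure_vpn.sh --run`; sudo will ask for your password exactly as the manual command does.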

Posted on May 20, 2008 and filed under Annoying, Apple, Security, Software, Tips'n Tricks.

OpenSSH Vulnerabilities

It seems that public key authentication isn't as safe as you might have thought. That is, if you're using a Debian-based OpenSSH solution. This package can be found in many Linux distributions like:

  • Debian (duh ;) )
  • Ubuntu
  • Kubuntu
  • etc.

The problem is that the random number generator (which is of vital importance in generating key pairs) isn't as random as you might think. It seems that there are only about 30,000 combinations in this specific generator. This leaves the door wide open for brute-force attacks.

So, the first thing you must do is update your OpenSSH software, and generate new key pairs for all devices / users which might have keys that were generated with the vulnerable OpenSSH software. Software packages depending on OpenSSH are:

  • OpenVPN
  • DNSSEC
  • OpenSSH
  • Certificates used in TLS connections
  • etc.
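Regenerating is step one; step two is finding the old keys that are still trusted. Since the weak generator can only produce a small, fixed set of keys, every one of them can be enumerated in advance and listed by fingerprint, which is what the distributions' blacklist checks did. The audit below is an added example (not from the post and not the distributions' tool): it reads an authorized_keys file, computes each key's SHA256 fingerprint with openssl alone (no ssh-keygen needed), and flags the ones on a blacklist. The key blobs and the blacklist are constructed stand-ins so it runs offline.

```shell
#!/bin/sh
# Added example: audit authorized_keys against a blacklist of known-weak key
# fingerprints. Fingerprint = "SHA256:" + unpadded base64 of SHA-256(key blob),
# the same form ssh-keygen -l prints. The sample keys are constructed, not real.
set -e

# fingerprint BLOB: SHA256 fingerprint of a base64 public key blob.
fingerprint() {
    printf 'SHA256:%s\n' "$(printf '%s' "$1" | openssl base64 -d -A \
        | openssl dgst -sha256 -binary | openssl base64 -A | sed 's/=*$//')"
}

# key_blob LINE: print the key blob from one authorized_keys line, skipping any
# leading option list such as command="..." or no-pty.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-)/) { print $(i + 1); exit }
    }'
}

# audit_authorized_keys FILE BLACKLIST: one report line per key, WEAK or ok.
# BLACKLIST holds one "SHA256:..." fingerprint per line.
audit_authorized_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        blob=$(key_blob "$line")
        [ -n "$blob" ] || continue
        fp=$(fingerprint "$blob")
        if grep -qxF "$fp" "$2"; then
            echo "WEAK $fp ${line##* }"
        else
            echo "ok   $fp ${line##* }"
        fi
    done < "$1"
}

# count_weak_keys FILE BLACKLIST: number of keys that hit the blacklist.
count_weak_keys() {
    audit_authorized_keys "$1" "$2" | grep -c '^WEAK' || true
}

# --- constructed sample data: these blobs are NOT real SSH keys --------------
WORKDIR=$(mktemp -d)
BLOB_GOOD=$(printf 'constructed-good-key' | openssl base64 -A)
BLOB_WEAK=$(printf 'constructed-weak-key' | openssl base64 -A)
cat > "$WORKDIR/authorized_keys" <<EOF
# constructed sample authorized_keys
ssh-rsa $BLOB_GOOD alice@laptop
command="/usr/bin/backup",no-pty ssh-rsa $BLOB_WEAK backup@oldbox
EOF
fingerprint "$BLOB_WEAK" > "$WORKDIR/blacklist"

audit_authorized_keys "$WORKDIR/authorized_keys" "$WORKDIR/blacklist"
```

Run it against a real file with a real blacklist and the WEAK lines are the entries to remove; the option prefix handling matters because the keys that were forgotten are often the restricted ones used by backup and automation accounts.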

More info on the subject can be found here [1, 2, 3].

Posted on May 20, 2008 and filed under Linux, News, Security, Software.

OSX Update Galore

There are lots of people who complain about the updates on the Windows platform, but Apple tries to compete, I guess. In the last 3 days there was a big security update, Safari 3.1 (both Windows and OSX), Time Machine and AirPort updates, and now a Camera RAW update for OSX 10.5.2. Thankfully no problems on my side with the updates. Looking for other updates from Apple? Just go here.

Posted on March 20, 2008 and filed under Apple, Operating Systems, Photography, Security, Software.

TrueCrypt Cross-Platform??

Since I have an iMac with OSX 10.5 (Leopard), I use Time Machine for my backups. This works great actually. But I also need an off-site backup of some sort, just in case the house burns down or some f*cker decides to steal my hardware. So I bought an external Freecom 160GB USB2 drive (USB powered) for my off-site backups. I encrypted the entire hard disk with TrueCrypt 5.0 on my iMac, and copied the data I needed to preserve.

After that I wanted to access the data from my work laptop (Windows XP SP2 with TrueCrypt v5.0)..... This didn't work. TrueCrypt didn't recognize the password, or the encrypted disk (AES / SHA-256 full disk encryption). I tried to access the data on my Mac and everything worked, so there's no data corruption of some sort.

Eventually, I recreated the encrypted drive on my Windows XP laptop (lost the backup in the process). This time the disk would mount, and could also be read/mounted by my Mac. So, I guess that TrueCrypt is cross-platform, but with the current version (v5.0a) you need to make sure to create the volume on Windows if you also want to mount it on OSX. I reported this through their bug-reporting tool to the developers. No idea if there are similar problems with Linux.

UPDATE: Pretty soon they released v5.0a, and today v5.1 was released. So development goes on :-)

Posted on March 3, 2008 and filed under Annoying, Apple, Microsoft, Security, Software.