2013-01-03

Improper TLS certificates in the wild

Not many things have been able to stop me from being blog silent, but rest assured, yet another nail in the digital certificates' coffin appeared today.

Please (re-)read TLS: A Broken Trust Model before continuing. Don't worry, I'll wait.

Today, Google announced that not only one, but two of TÜRKTRUST's customers were incorrectly issued intermediate CA certificates instead of web site certificates. Such certificates can be used to issue new certificates for any domain. One of these was used to issue a certificate valid for *.google.com.

This attack was extremely dangerous, but at the same time very stupid. By attacking a large security-centric organization such as Google, the attack was not able to run loose for very long. Secondly, since Google provides one of the most widely used web browsers, they were quickly able to release updates to block these intermediate CAs and even reduce the trust in TÜRKTRUST as a root CA.

Had this happened to a widely used but not very security-centric organization, it could have gotten a lot worse before the problem was fixed.

But this only serves to highlight my point from over three years ago: the CA trust model is inherently broken. We need a completely new approach to the trust supporting our digital life.

2012-05-10

Splitting hostnames and port numbers? You're probably doing it wrong!

Are you writing programs that accept hostname:port statements either as command line arguments or configuration file entries and then separating the hostname and port part by finding the colon?

Here's news for you -- you're probably doing it wrong!

Why? IPv6, that's why! In IPv6 the colon character is part of the address statement. A typical IPv6 address looks like 2001:db8:85a3::8a2e:370:7334. In this form, separating a port number from the address with a colon is impossible.

That's why the URL syntax is as follows: https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/

Building on this, the familiar hostname:port syntax is retained, but you need to pay attention to the brackets.

For example, for the hostname:port value [2001:db8:85a3:8d3:1319:8a2e:370:7348]:443 the following C++ code does the trick:

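// host and port are std::string (from <string>); host starts out holding the full hostname:port value.
size_t colon = host.find_last_of(":");
size_t bracket = host.find_last_of("]");
// Split only when the last colon lies after the closing bracket (or there is
// no bracket at all), so the colons inside an IPv6 literal are left alone.
if (colon != std::string::npos &&
    (bracket == std::string::npos || bracket < colon))
{
    port = host.substr(colon+1);  // everything after the separating colon
    host.resize(colon);           // host keeps its brackets, if any
}
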
You can probably figure out how to do this in other languages.
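
A stricter variant of the split above, as an added example that is not from the original post: it strips the brackets, validates the port, and rejects unbracketed IPv6 addresses and trailing junk instead of guessing. The function name parse_host_port, the -1 "no port" convention and the sample inputs are assumptions made here.

```cpp
#include <string>

// Parses "host", "host:port", "[v6]" or "[v6]:port". On success sets host
// (IPv6 brackets stripped) and port (-1 if none given). Malformed or ambiguous
// input is rejected rather than guessed at; outputs are unspecified on failure.
bool parse_host_port(const std::string &in, std::string &host, int &port)
{
    const size_t npos = std::string::npos;
    size_t sep = npos;                                   // index of the port colon
    if (!in.empty() && in[0] == '[') {
        size_t close = in.find(']');
        if (close == npos || close == 1) return false;   // "[::1" or "[]"
        host = in.substr(1, close - 1);
        if (host.find('[') != npos) return false;        // nested '['
        if (close + 1 < in.size()) {
            if (in[close + 1] != ':') return false;      // junk after ']'
            sep = close + 1;
        }
    } else {
        sep = in.find(':');
        if (sep != in.rfind(':')) return false;          // bare IPv6: ambiguous
        if (in.find_first_of("[]") != npos) return false; // stray bracket
        host = in.substr(0, sep);                        // npos => whole string
        if (host.empty()) return false;
    }
    port = -1;
    if (sep == npos) return true;                        // no port given
    const std::string digits = in.substr(sep + 1);
    if (digits.empty() || digits.size() > 5) return false;
    int value = 0;
    for (char c : digits) {
        if (c < '0' || c > '9') return false;            // no signs, spaces, hex
        value = value * 10 + (c - '0');
    }
    if (value > 65535) return false;
    port = value;
    return true;
}

int main()
{
    std::string h;
    int p;
    // Constructed inputs: a bracketed literal parses, a bare one is refused.
    bool ok = parse_host_port("[2001:db8::1]:443", h, p) &&
              !parse_host_port("2001:db8::1", h, p);
    return ok ? 0 : 1;
}
```

The function only separates the two parts; whether the host is a valid address or name is still left to the resolver that consumes it.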

2011-10-29

Android Orphans: Visualizing a Sad History of Support

Michael Degusta tells a sad story in Android Orphans: Visualizing a Sad History of Support:
I went back and found every Android phone shipped in the United States up through the middle of last year. I then tracked down every update that was released for each device - be it a major OS upgrade or a minor support patch - as well as prices and release & discontinuation dates. I compared these dates & versions to the currently shipping version of Android at the time. The resulting picture isn’t pretty - well, not for Android users.
My iPhone 3G stopped being updated only a few months ago, and is now 1 major version behind. In fact, iPhones are the only devices I've ever owned that have had regular long-term updates, even across major versions, for free.

2011-09-22

A Lock Free Concurrent Circular Buffer With Multiple Independent Readers

I wrote about a Lock Free Concurrent Circular Buffer about a year ago.  This has now been updated to support multiple independent readers, so many consumers can get updates to this circular buffer.

It is still lock free, so the readers won't block.  If you try to take() on a buffer with no updates a null is returned, and if you drain() a buffer with no updates you get an empty list.

The code is now on GitHub, so I recommend you give it a spin if you want a (simple) circular buffer.  It does detect buffer wraparounds, but will in this case reset the reader to the end of the buffer, losing any intermediate updates. Tune your buffer size accordingly.

Take a look at the unit tests to get an idea on how to use this buffer.

2011-09-08

Blogger has an official app for iPhone

This blog post serves as proof that it works.

Seems to do okay, but does not have rich text.

Also the labels do not auto complete.

2011-09-06

So it finally happened...

From "Who do you trust to tell you who to trust?":
The big security news of the past few days is the story of the compromise of the DigiNotar Certificate Authority and the subsequent issuing of fraudulent SSL certificates, leading to actual Man in the Middle attacks against Gmail users in Iran.
and:
When the whole trust structure for SSL was devised, there were many people who worried that it gave too much power to certification authorities. In this instance we had one that suffered a security breach, but imagine if there were a corrupt one. With hundreds of trusted certification authorities, each with the power to issue certificates for any domain, the scope for abuse is substantial. I was one of those worriers.
It is easy to say that I don’t like the system, it is much much harder to present an alternative that works better and doesn’t burden users with the task of performing their own audits of certificates or authorities. There are a number of proposals out there, and discussion of them has certainly kicked off again over the past few days. My post here has already been long enough, so I will redirect readers to a post by Mike Caldwell who proposes an idea I haven’t seen before (as well as linking to other proposals).
Well, I told you so. Basically the use of TLS to ensure trusted domain names is not trustworthy. In my opinion this problem should be solved by the Domain Naming System, not by Transport Layer Security.

2010-09-17

How to fix a NETGEAR WN802Tv2 after firmware upgrade

For me, updating to the latest 3.1.3 firmware for the NETGEAR WN802Tv2 access point had an unfortunate side effect: the access point refused to accept any password for logging in…
Resetting to factory defaults did not work.  There are a few threads on the NETGEAR forums about this as well, but the only resolution seemed to be to send the unit to NETGEAR.
However – after two days of hacking I have found a do-it-yourself solution:
1. Make sure you can connect to the web interface safely
This means resetting to factory defaults, using a cable directly between your computer and the access point, and setting a static IP address for your computer in the 192.168.0.x range. NETGEAR support recommends using the address 192.168.0.210, for reasons that I don't know.
2. Go to the address http://192.168.0.233/recreate.php
The real purpose of this file is not known, but it has an interesting side effect: when you go to the access point home page afterwards, you get access to a partly functional interface. A lot of things don't work, but one important piece did work for me: the firmware upgrade.
3. Upload the 3.1.1 firmware image
If you don't have the firmware image, you can get it from NETGEAR support at http://kb.netgear.com/app/answers/detail/a_id/12197
4. Restore config
If you have a backed up config file, you can upload it.  Otherwise, just configure settings as normal.