This is huge, make no mistake. To my knowledge there has never been an exploit against PKI this big. PKI is not a perfect system by a long way, but up until now, if you were careful, you could have a reasonable expectation of your HTTPS connection being secure.

This latest MITM attack, disclosed at 25C3, has changed that: now you would have to be very careful indeed to have any expectation of privacy or confidentiality. Make no mistake, a large portion of the blame lies at the feet of those certificate providers who are still signing with MD5 instead of SHA. The MD5 weakness (the practicality of finding collisions) has been known for a long time; in fact Schneier's post makes it plain that attacks against MD5 were no longer theoretical, and that was in 2005.

What, to me, makes this worse is that it is not just smaller certificate authorities that are still using MD5: Thawte and RSA Data Security are two of the biggest providers of certs and, according to the presentation, they still use it.

One thing that did surprise me is that the CRL used to check for revoked certificates is located via a URL carried inside the certificate itself (the CRL distribution point), so if you can forge a cert you could in theory point it at a CRL you control as well, and revocation checking then tells the victim nothing. That's a pretty large hole from where I'm sitting.

A detailed explanation of this exploit/vulnerability is available here and their slides are here.


Additional Note

It's worth considering this post, which points out that not all CAs use a serial number that increments, so not all are vulnerable to this attack. It's a valid point, but it only takes one vulnerable CA for this to work, and while we do need to stop using consecutive serial numbers, I think we also need to stop using MD5, for gawd's sake.

Additional Note 2

SSL Blacklist (a Firefox extension) has been updated to flag certs that use MD5 as their signature algorithm (this doesn't mean they are bad per se; see the note above). The extension is available here.
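To make the two checks above concrete (the MD5 signature-algorithm test that SSL Blacklist performs, and the sequential-serial-number property the note above discusses), here is an added example of my own; it is not code from the original post, from the 25C3 team, or from the SSL Blacklist extension. It is a minimal DER walker that pulls the signature algorithm OID and the serial number out of X.509 certificates, using only the Python standard library. The sample certificates it runs on are constructed, truncated fixtures (version, serial and signature algorithm only, no real signature), so it runs offline; point `inspect_cert` at a real DER-encoded certificate and the same code applies.

```python
# Added example, not code from the original post or from the SSL Blacklist
# extension: a minimal DER walker that pulls the signature algorithm and the
# serial number out of X.509 certificates, so you can flag MD5-signed certs
# and spot a CA that hands out consecutive serial numbers. Pure stdlib; the
# sample certificates below are constructed, truncated fixtures, not real certs.

MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

# Signature algorithms a careful client should treat as broken.
WEAK_SIG_OIDS = {MD5_WITH_RSA: "md5WithRSAEncryption"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the body of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def decode_oid(value):
    """Turn OID content bytes into dotted notation (first byte packs two arcs,
    the rest are base-128 groups with the high bit as a continuation flag)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def inspect_cert(der):
    """Return serial number, signature OID and a weak-algorithm flag for one cert.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate starts with an optional [0] EXPLICIT version, then serialNumber.
    """
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs, sig_alg, _sig_value = children(cert)[:3]
    fields = children(tbs[1])
    idx = 1 if fields[0][0] == 0xA0 else 0   # skip the [0] version if present
    serial = int.from_bytes(fields[idx][1], "big", signed=True)
    oid = decode_oid(children(sig_alg[1])[0][1])
    return {"serial": serial, "sig_oid": oid, "weak": oid in WEAK_SIG_OIDS}


def sequential_serials(ders):
    """True when each cert's serial is exactly one more than the previous one's:
    the predictability the 25C3 team needed to pre-compute their colliding cert."""
    serials = [inspect_cert(d)["serial"] for d in ders]
    return len(serials) > 1 and all(b - a == 1 for a, b in zip(serials, serials[1:]))


# ---- constructed fixtures (truncated TBS: version, serial, signature only) ----

def der(tag, body):
    assert len(body) < 128          # fixtures are tiny; short-form length is enough
    return bytes([tag, len(body)]) + body


OID_MD5_RSA_DER = bytes.fromhex("06092a864886f70d010104")     # 1.2.840.113549.1.1.4
OID_SHA256_RSA_DER = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11


def make_cert(serial, oid_der):
    """Build a minimal, unsigned, constructed certificate shell (assumption:
    only the fields inspect_cert reads are present; a real cert has many more)."""
    alg = der(0x30, oid_der + b"\x05\x00")                   # AlgorithmIdentifier
    version = der(0xA0, der(0x02, b"\x02"))                  # [0] EXPLICIT v3
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = der(0x30, version + serial_der + alg)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))         # empty BIT STRING


if __name__ == "__main__":
    md5_run = [make_cert(n, OID_MD5_RSA_DER) for n in (1000, 1001, 1002)]
    sha_run = [make_cert(n, OID_SHA256_RSA_DER) for n in (5, 982, 37)]
    print(inspect_cert(md5_run[0]))
    print("md5 run is sequential:", sequential_serials(md5_run))
    print("sha256 run is sequential:", sequential_serials(sha_run))
```

The MD5 flag on its own is the same signal SSL Blacklist gives: a warning, not proof of a forgery. The serial check is what you would run over a batch of certs freshly issued by one CA; a run that increments by one means the next serial is guessable, which is exactly the property the note above says not every CA has.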

New book arrives

Like any true geek I'm always elated when I get a package from Amazon, and yesterday was no different. My latest book arrived on the doorstep: Fyodor's Nmap Network Scanning.

Some may say that the info for this tool is already available on the net, but to be honest my decision to buy this book was, in part, so that Fyodor would get some money back for the excellent tool that he has created and regularly updates. I found out that the book had gone into print when I heard his talk at Defcon and decided there and then that I must have it.

It's both interesting and very encouraging to read that he, as an open source author, chose to use open-source tools to write the book rather than bowing to the pressure to use proprietary software; kudos for that, dude. Now to find some time to read it 🙂


Holiday Time Geekiness

Xmas holidays mean friends, family, far too much food and (hopefully) additional time to geek out and get some things done that you don’t normally get time to do.

For me this holiday time I've been absorbed by the following geeky stuff:

Getting this site tuned/updated and backups set up so that I can blog away without any worries. WordPress 2.7 is awesome by the way; a huge well done to that team.

Upgrading my local mail server (running Zimbra). I love Zimbra, it's just so good. I hadn't touched it for 116 days apparently (when it was shut down for a planned power outage) but it just keeps on running without any complaints and stays on top of spam. After upgrading, as I had extra time, I decided to take a look at Zimbra Desktop; in short, I like it, so it's now installed on my laptop also.

Today I shall be upgrading my Zenoss server as well. Again, this is another amazing piece of software, rock solid and very well implemented.

I've also been playing some more with Netifera (see earlier post) and rediscovering Maltego. Maltego is useful if you are doing some domain research. It's nothing that you can't do from the command line, I know, but it's the way it represents the results visually and groups them with other domains you may be investigating that makes it pretty cool in my book. To understand more, check out their videos here, here, here and here.

I'm so happy to have a hobby that so utterly consumes me. Being able to play with quality software packages such as those mentioned above (and many not mentioned) is almost entirely due to the FOSS community who contribute their work under the many open source licenses, much of it done for free. So I just wanted to say thanks to all the FOSS developers for the best present ever: free software!

Happy holidays, OSG

Privacy through Add-ons – LeetKey

While at work the other day I wanted to send a friend an email, but I didn't want it going through the corporate systems. It used to be that just using webmail was generally enough to give you this protection (using corporate email is obviously out of the question), but in these days of increasing surveillance and paranoia over data leakage I know that every packet is being inspected at the gateway for certain text patterns.

I could have used a webmail provider that allows HTTPS connections, I guess, such as Gmail (and been sure to check the certificate), but I wanted more than that.

Now there are plenty of solutions if you are happy installing some encryption software on your computer, but I wanted something that wouldn't alert people looking at my Add/Remove Programs list. For example I could use FireGPG, but that needs you to have GPG installed and to have copies of your public and private keys. Freenigma (under new ownership, BTW) is similar in that it requires public/private keys to have been set up in advance, and it didn't quite fit what I needed.

Some may suggest Hushmail, but things like this are nearly always blocked at the proxy when you work at a large company.

All I wanted to be able to do was a little quick (and strong) symmetric encryption and simply text the password to my friend. I briefly considered coding something, but that is way beyond my skill level, and I realised that if I wanted it then surely I'm not the only one who did. I continued my search and eventually found the solution in a not particularly obvious Firefox add-on: LeetKey.

LeetKey lets you select some text on a web page and convert it into (and back from) leet speak, but it doesn't end there. You can also do other conversions/transforms with it, such as Morse code, base64 etc. It also lets you do 128-bit AES encryption and decryption! Fantastic, that is exactly what I was looking for. So now, with nothing more than a Firefox add-on, I can send private emails to people on the fly (the password is the only secret here, so make it a long one).

Why not install it and use the AES Decrypt function with the password monkey to decrypt the following text:


I have to say I am really enjoying Netifera at the moment. It's a security tool that has most of what you need, like port scans and lookups, all in one place. I think this is going to be one of those rare times that someone decides to build their tool on a framework and it actually works. One of the reasons is that it's plug-in based and it comes with a good range of plug-ins built in from day one.

It's written in Java, so I guess that means it is available on a wide range of platforms. They only list Linux and Mac at the moment, but I don't see why, given it's Java based, it can't spread further.

Check it out for yourself; it's available either with or without a bundled Java environment.