  1. #1

    The sorry tale of the (un)Secure Sockets Layer

    TOP STORY


    By Woody Leonhard

    Two brazen Web-server break-ins this year call into question one of the Internet's fundamental security mechanisms — website security certificates.

    Because the most recent breach affected only PC users in Iran, most of us assume we're immune. But we're not; here's why — and what we can do to protect ourselves.

    The full text of this column is posted at WindowsSecrets.com/top-story/the-sorry-tale-of-the-(un)secure-sockets-layer/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2

    Ssl

    Hi,

    Thanks for your explanation. But I wonder what we can do more. After the DNS cache poisoning was discovered a new additional protocol was created: DNSSEC, which signs the DNS response with a certificate. As long as these certificates are of a different origin (CA) then there are two checks. The third measure is still under debate but, if I understand correctly, is DANE, a white list provided by the owner of the SSL certificates and websites that tells which certificates are currently valid.
    That would mean a third check.
    And I wonder if it is possible to make another addition to DNS, e.g. a second DNS resolve action with a different DNS server, to verify the results of the first one.
    And there is the hosts file, when going to or residing in a country like Iran. One could make your own entries in the hosts file for important websites, thereby making it even more difficult to change the IP address of a website for a man-in-the-middle attack.

    regards,

    Robert
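    The DANE mechanism Robert mentions works by the domain owner publishing a TLSA record in DNS (protected by DNSSEC) that names the expected certificate or public key; a client then compares the certificate it received in the TLS handshake against that record. The Python below is an added example, not code from this thread or from Woody's column, showing that comparison for the record formats defined in RFC 6698. The certificate bytes, the name www.example.com and the record contents are constructed for the demo, and fetching the record over DNSSEC-validated DNS is left out.

```python
"""Added example (not from the thread or the column): the certificate check a
DANE client performs with a TLSA record (RFC 6698).

The certificates below are constructed placeholder bytes, not real DER, and
the record is built locally. A real client fetches the TLSA record over
DNSSEC-validated DNS and takes the DER certificate from the TLS handshake.
"""
import hashlib
from dataclasses import dataclass

# Selector: which part of the certificate the record describes (RFC 6698 2.1.2)
SEL_FULL_CERT = 0
SEL_SPKI = 1          # SubjectPublicKeyInfo only, so the pin survives re-issuance with the same key

# Matching type: how that part is represented in the record (RFC 6698 2.1.3)
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # 0..3; 3 = DANE-EE pins the server certificate itself
    selector: int
    matching_type: int
    data: bytes         # "certificate association data"


@dataclass(frozen=True)
class Certificate:
    der: bytes          # full DER certificate (placeholder bytes here)
    spki: bytes         # DER SubjectPublicKeyInfo (placeholder bytes here)


def tlsa_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name the record is published under, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}."


def parse_tlsa_rdata(text: str) -> TlsaRecord:
    """Parse presentation format as printed by dig: '3 1 1 <hex digest>'."""
    usage, selector, mtype, *hex_parts = text.split()
    return TlsaRecord(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts)))


def association_data(cert: Certificate, selector: int, matching_type: int) -> bytes:
    """Compute the bytes a record with this selector/matching type would carry for cert."""
    if selector == SEL_FULL_CERT:
        subject = cert.der
    elif selector == SEL_SPKI:
        subject = cert.spki
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == MATCH_EXACT:
        return subject
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_matches(record: TlsaRecord, cert: Certificate) -> bool:
    """True when the presented end-entity certificate is the one the owner pinned.

    Only usages 1 (PKIX-EE) and 3 (DANE-EE) compare the leaf; usage 1 additionally
    needs ordinary CA chain validation, which this example does not perform.
    Usages 0 and 2 pin a CA somewhere in the chain and are not handled here.
    """
    if record.usage not in (1, 3):
        return False
    try:
        return association_data(cert, record.selector, record.matching_type) == record.data
    except ValueError:
        return False      # unknown field values: the record is unusable, never a match


# --- constructed demo data: not real certificates ---
GENUINE = Certificate(der=b"DER:legit-cert-for-www.example.com", spki=b"SPKI:legit-key")
# Same name, issued by a compromised CA: passes the browser's chain check, different key.
ROGUE = Certificate(der=b"DER:rogue-cert-for-www.example.com", spki=b"SPKI:rogue-key")

# What the owner publishes at _443._tcp.www.example.com: DANE-EE, SPKI, SHA-256
PUBLISHED = parse_tlsa_rdata("3 1 1 " + hashlib.sha256(GENUINE.spki).hexdigest())


def demo() -> dict:
    return {
        "name": tlsa_name("www.example.com"),
        "genuine": tlsa_matches(PUBLISHED, GENUINE),
        "rogue": tlsa_matches(PUBLISHED, ROGUE),
    }


if __name__ == "__main__":
    print(demo())
```

    A certificate for www.example.com issued by a compromised CA (the DigiNotar scenario) passes the browser's normal chain check but fails this comparison, because its key is not the one in the published record. The check is only as strong as the DNS answer it relies on: without DNSSEC validation an attacker who can forge DNS can forge the TLSA record too.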

  3. #3

    Thumbs up Very clear explanation

    Thanks Woody for the very clear explanation, much appreciated.

    I would be very surprised if this problem was not already happening on a fairly wide scale! The prize is enormous and hacking is quite commonplace; therefore hacking companies and faking certificates will be a criminal's or state's priority, most unfortunately.

    It seems clear to me that the industry needs to go back to basics, but I also said that a few years ago about the financial industry when it was crashing around us, and look what happened there - nothing! No significant new rules were introduced by regulators and the banks have continued to repeat their appalling techniques because of vested interests and we'll soon see another crash.

    Same situation will happen with certs, there will be lots of talk but vested interests will prevent anything substantial happening.

    It will then be down to individual users to work out their own security strategies, and probably individual banks starting to issue their own certs and own browser versions to enable a direct and locked connection.

    I already use Trusteer Rapport as advised by my bank, but I don't think that even this could guard against false certs in this way, or perhaps it can? They are meant to stop man-in-the-middle attacks. Similarly, I trialled Prevx SafeOnline.

    It would be nice to see in the next newsletter that you review and explain how these two programs work and how effectively they can deal with these sorts of hacks.
    Last edited by cavehomme; 2011-09-15 at 07:31.

  4. #4
    After reading this article I successfully write-protected the hosts file on a PC with XP as OS. But on my other PC, running under WIN 7 Ultimate 64bit I can't find any sub dir \driversetc or a "hosts" - file anywhere. The OS is configured to show all hidden files. Any suggestions? Thanks!

  5. #5
    Put a "\" after drivers, and look in a subfolder called "etc".

  6. #6
    Great article Woody, thanks. After reading this, I was intrigued regarding the CAs currently listed in my Firefox browser. I found quite a list, including a number of entries for DigiNotar (I'm using Firefox 6.0.2) and it made me wonder... "are all of these entries necessary?" There are French entries, German entries, Comodo, etc. Does the general public really need these entries? What would be the harm in my 'distrusting' most of these entries? Also, can the Validation option in preferences be used to enhance a user's security as well?

    Interesting...

  7. #7
    Here is an option that has the potential to make the system safer:

    http://perspectives-project.org/

    Perspectives adds another layer of cross-checking in the process of validating certs.

    There is also CsFire:

    http://distrinet.cs.kuleuven.be/software/CsFire/

    It's less clear to me what CsFire does, but it sounds like it could be helpful in preventing MITM attacks.

    It would be great if you could check these Firefox extensions out and do a followup.

  8. #8
    Quote Originally Posted by Dick-Y
    Put a "\" after drivers, and look in a subfolder called "etc".
    Oops, [shame] I relied on Total Commander's search engine. It does not find the file with "hosts" or "hosts.*" as search string; I tested it again a few seconds ago. Strange....

    Thanks a lot!

  9. #9

    another layer is better?

    My agency is implementing digital signatures based on the ARX CoSign system, which in my state requires digital certificates to be purchased from state-approved Certificate Authorities. ARX also requires that each of our users of the system be issued a unique code created by ARX and safeguarded in their appliance. This multi-layer approach to certificate security seems less likely to be exploited.

  10. #10

    Host file

    In your article you said to make the hosts file read-only. If my hosts file has been compromised and I make it read-only, I have not accomplished anything. How can I know if I have the correct hosts file?

    I also have about 40 files called "Host.nnnnnnnn-nnnnnn.backup" where the n's are random numbers. Should these files be removed?

    OldGuy IK

  11. #11
    Woody - thanks for a very clear article on the situation with the certificates, CAs and RAs. Having worked in the IETF, I certainly am familiar with the CA/RA division and process.

    Certainly, many aspects of Internet operation are under the control of various "authorities" - address assignment being a big one before (are we still 'before'?) the widespread implementation of IPv6. One wishes one could ensure the proper operation of any authority responsible for handing out 'numbers' that are needed for the proper operation of some aspect of the Internet (addresses, certificates, assigned numbers, ...). Perhaps unrealistic. But you touched on that in your article - it's not a windows problem, not even a browser problem. It's a human problem!

    As one of the contributors to this thread pointed out, it is unclear that making the hosts file read-only helps if it's already been compromised. Not sure what else one can do - how to tell if that's the case. (As an aside, I had to log on to my admin account to change the permissions of the hosts file; I couldn't even do it from my user account even though I gave my admin password; seems the things you can do from user even with an admin password vs. admin are not uniform - not to me anyway.)

    But a question that occurred to me while reading the article: so I check read-only; what happens if a legit program (won't even touch the issue of how do I know it's legit) wants to write to it? Will that program give me a certificate?

    Another thing that might be useful as far as the article goes, although advanced, is to check the certificate entries. DigiNotar should be on the untrusted list. It is on my computer. Not sure how it happened since I didn't do it explicitly. Must have been one of those MS updates that did it (and I try to read the explanation of any update I allow onto my computer; the explanation in the update window is fairly useless/generic and the KB article you're pointed to is not much better).

    Even finding the certificate manager was not easy - and it should be.

    As a friend of mine said, if you want computers to be easy to use, the manufacturer has to make it easy. This area (certificates, updates, etc) has a ways to go.

  12. #12
    ibe98765
    Quote Originally Posted by bradhofman
    My agency is implementing digital signatures based on the ARX CoSign system, which in my state requires digital certificates to be purchased from state-approved Certificate Authorities. ARX also requires that each of our users of the system be issued a unique code created by ARX and safeguarded in their appliance. This multi-layer approach to certificate security seems less likely to be exploited.
    The ARX CoSign appliance generates PKI keys for registered users that can be used to ONLY digitally sign electronic documents (these keys cannot be used to encrypt documents). By virtue of buying the CoSign appliance, the company becomes a de facto CA, and is therefore solely responsible for any PKI signing keys they issue to their users, which in most companies is available to any person registered in the company DB (typically Microsoft's Active Directory).

    The ARX appliance does not issue SSL keys.

  13. #13
    ibe98765
    I am not sure what this does exactly but it looks related to the subject and perhaps worth investigating:

    http://convergence.io/index.html

  14. #14
    Quote Originally Posted by OldGuy IK
    In your article you said to make the hosts file read-only. If my hosts file has been compromised and I make it read-only, I have not accomplished anything. How can I know if I have the correct hosts file?

    I also have about 40 files called "Host.nnnnnnnn-nnnnnn.backup" where the n's are random numbers. Should these files be removed?

    OldGuy IK

    If you view the content of your current hosts file (not the backups) you will see a list of entries where websites are equated with IP addresses, for instance:

    127.0.0.1 localhost (which is correct)

    To determine if all the entries are legit you would have to check every URL using a DNS lookup site to confirm that the IP addresses are correct. For those users who find this too technical, note that for general internet browsing it's not necessary to have a hosts file. In the early days of the internet the hosts file made browsing faster by providing a local database for DNS lookup, but that's not necessary today with broadband. You can disable it by renaming - for instance hosts.sav - or just delete it. You can then create a new empty text file called "hosts" (rename and remove the .txt extension) and make it read-only.

  15. #15
    jscher2000
    Quote Originally Posted by OldGuy IK
    If my hosts file has been compromised and I make it read-only, I have not accomplished anything. How can I know if I have the correct hosts file?
    As noted in an earlier reply, hosts arrives from the factory with only a single entry for the fictitious domain name localhost, which is pointed back to your computer. The odds that you need anything else in your hosts file are low.
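    The question running through posts #10, #14 and #15 is how to tell whether a hosts file has been tampered with. The script below is an added example, not code from the thread or from the column, that parses a hosts file the way the resolver does (one address followed by one or more names per line, # comments ignored) and reports every mapping that is not the stock loopback entry; domains you care about, such as your bank, can be passed in so that any override of those is flagged separately. The file content is constructed for the demo; on a real Windows machine read %SystemRoot%\System32\drivers\etc\hosts instead.

```python
"""Added example (not from the thread): audit a hosts file for entries that
could redirect a site to an attacker's server.

The sample content below is constructed for the demo. On a real Windows
machine, read windows_hosts_path() instead.
"""
import ipaddress
import os
from pathlib import Path

# Names a stock hosts file may map to the machine itself; anything else is reported.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}


def windows_hosts_path() -> Path:
    """Location Windows reads: %SystemRoot%\\System32\\drivers\\etc\\hosts."""
    return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "drivers" / "etc" / "hosts"


def parse_hosts(text: str) -> list:
    """Return (line_no, ip, [names]) for each active mapping; comments and blanks are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((line_no, ip, [n.lower() for n in names]))
    return entries


def audit_hosts(text: str, watched=frozenset()) -> list:
    """Return one finding per suspicious mapping.

    watched: domains you care about (e.g. your bank); any override of these is
    reported as a possible hijack regardless of the address it points to.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"line {line_no}: unparsable address {ip!r}")
            continue
        for name in names:
            if name in watched:
                findings.append(f"line {line_no}: HIJACK? {name} -> {ip} overrides a watched domain")
            elif addr.is_loopback and name in LOOPBACK_NAMES:
                continue   # the stock entry; nothing to report
            elif addr.is_loopback or addr.is_unspecified:
                findings.append(f"line {line_no}: {name} blocked (-> {ip}); fine if you added it")
            else:
                findings.append(f"line {line_no}: {name} -> {ip} bypasses DNS; verify with a lookup")
    return findings


# Constructed sample: the stock entries plus one user blocklist line and one planted redirect.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
# lines starting with # are comments
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # added by the user to block an ad host
192.0.2.10      www.mybank.example     # not something the user typed
"""


def demo() -> list:
    return audit_hosts(SAMPLE_HOSTS, watched={"www.mybank.example"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

    Entries pointing a name at 0.0.0.0 or 127.0.0.1 are usually blocklists the user added; an entry that sends a well-known site to a public address bypasses DNS entirely and is exactly what a man-in-the-middle would plant, so confirm each one against an independent DNS lookup before keeping it. Making the file read-only afterwards only preserves a file you have already checked, which is the point raised in posts #10 and #11.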

