Oktober 28, 2011 at 10:00 | categories: other
I haven't really had any spare time I felt would be best spent writing something here lately, so I think it is at least time for a short update.
The title is not only one of my favorite Dream Theater songs (if you can call 23 minutes a song) - here it also means that my favorite time of the year is coming. And yes, apparently you can go skiing in October. :)
2300m:
3200m:
Now, off to Sweden.
September 23, 2011 at 01:00 | categories: other
In a previous post I promised that I would check out some of the solutions that promise a safer and thus better web.
This is part two, Convergence.
Convergence replaces the certificate authorities (CA) used traditionally in SSL by an independent distributed authorities, called notaries.
It totally ignores the CA that issued a sites certificate and instead checks the certificate over all activated notaries. These can be added, removed or disabled on personal preference; so you don't have to trust a bunch of faceless corporations which are each a SPOF in the whole concept(!), but can instead trust a number of notaries working together.
This can be one of your own servers in your LAN (providing no MITM security towards the internet), another one of your servers reachable over the internet, and the server of people or organizations you may or may not trust all over the world.
Than you can decide if it is enough for you if only one notary validates the requested certificate - bad idea, perhaps even a little worse than the CA system. However, the default is to gain a majority validation. This means every active notary will be checked and if most of them (to be exact, the simple majority) validate, convergence accepts the certificate. The last option is to only accept absolute concensus of all notaries, what makes authentication fail if one notary either gets the wrong certificate or is not reachable.
I think convergence is a great idea.
The concept is well-thought, the implementation is solid and a pleasure to use. Even usually painful self-signed certificates work like a charm because convergence doesn't care about CA's. You are always in control, which of course means you have to make sure you have a number of notaries that can be trusted.
Of course everything is open source and so far the addon as well as the notary-server are constantly under (very active) development. It is easy and reasonable to run your own notary, for yourself or for others. It is largely written in python, and light on (very reasonable) dependencies, so if you feel like participating, I don't see any reason why not.
Long story short: great concept, great implementation: get it!
September 13, 2011 at 11:30 | categories: other
I recently bought a very neat little Supermicro mainboard, with AMD's Socket C32 and a SP5100 chipset.
I did so because it is neat hardware, I needed to replace my home-server - and mainly because it is supported by Coreboot. Unfortunately, it turns out that there is no version with a socketed BIOS chip out there (and resoldering a SOIC16 socket isn't easy) despite some pictures showing it. Even more unfortunate was that it turned out that flashrom didn't support flashing the board either.
The reason for this is, that AMD's Soutbridge 700 series makes noise on the SPI bus with its IMC (Integrated Microcontroller), so you can't safely flash because data gets corrupted.
Luckily AMD has recently released a new version of the SB700/SP5100 register datasheet that documents how to turn the IMC off, and Frederic Temporelli has already added support which is waiting for inclusion in flashroms inbox: 1/2 and 2/2.
I haven't tried it out yet, but I'll do so in the next couple of days.
September 11, 2011 at 06:00 | categories: other
In my last post I promised that I would check out some of the solutions that promise a safer and thus better web.
Let's start with Web Of Trust (WOT).
In contrast to some of the other things I plan to take a closer look at, WOT is not related to transport security or any cryptographic methods to ensure site integrity.
It actually works like Mandatory Access Controls (MAC) with a user centric (as apposed to a system centric) approach.
WOT is a combination of client side software, usually a brower plugin (who would have guessed :P), and a central database that contains per-domain based ratings, provided by users as well as "trusted sources". The latter are (well-known) security sources, such as blacklists from security vendors, and similar material.
The browser plugin, which exists at least for Firefox and Chrome, is available under GPLv3. It checks every domain, that is either querried or linked to, against the WOT central database and aquires a rating based on the previously mentioned sources.
Feedback is given to the user via an easily visible graphical indicator (green = good, yellow = so-so, red = bad, grey = no rating yet), as well as an warning dialog (per default) that shows up on untrusted sites.
It can also be set to block access to unwanted sources, e.g. as a porn-filter.
The ratings are based on an algorithm, partially comparable to mechanisms such as Google's pagerank: It doesn't only count and divide the ratings to generate an average; instead different sources have different weight, and if there are only a few ratings and maybe not the most credible ones, no general rating is given at all.
All in all, I'd say WOT can be very helpful.
However, you really should consider if the service is worth the loss of privacy, as every domain is transmitted to WOT servers along with your IP which makes you relatively identifiable. This usually happens only once per domain, as it is cached afterwards; also, only the domain, not the URL is transmitted. You should take into account, that your IP and all domains you access are logged on the route multiple times anyway, at your ISP at first, but at several routing points as well - so this is clearly a cost--benefit equation you have to do for yourself.
I would however recommend this service to each and every user that has trouble detecting which sites are bad, that includes subscription traps (largely a German problem I guess, here called "Abofalle"), and Freeware download sites. I think here clearly the downsides are neglegible so I would - and will - recommend this to people like my mother.
Lastly, the company behind WOT is in legal trouble with some US companies which claim, that the algorithm behind the WOT rating, is flawed. This is, in my opinion, the proof, that the algorithm works pretty well. If hosters of dubious sites use the courts, it generally means they haven't found an easy way to manipulate their ratings. And as the "crowd" ratings get the higher weight, no source credible enough to improve ones rating can be bought.
September 05, 2011 at 06:30 | categories: other
The last couple of days, a company named DigiNotar was in the news for issueing fake SSL certificates. I don't need and want to go into details, but what was clear before, has now officially been proven big time: The whole trust concept of SSL certificates and with it a corner stone of http security does not work and thus is completely worthless. The sad thing is, that this is the only http/web security system supported on a large scale to this day.
Overall the concept of trusting a hand full of companies out of good will is just stupid. Each and every one of them is very susceptible to single hackers or small groups of hackers, not to mention foreign agencies and more importantly local agencies with proper funding or even a "legal" way to mess with certificates.
So, what is a solution that works? Learn from filesharing. To this day a lot of filesharing networks have been put down due to the SPOF nature they share with the CA companies. A single target which can compromise the whole network and system. What followed was decentralization - and with so many other systems (from network architecture over source code management and storage systems) that prove how good this works, this clearly is the way to go.
So what's out there to accomplish this? Sadly: nothing that works out-of-the-box and/or everywhere. But there are some concepts:
Sadly, all of those come with some effort and are not available for every browser, let alone on every machine. I will evaluate these and probably other solutions in the next time, and report back.
Update: I forgot to mention this before: the whole situation is actuall that bad, that google decided to hard-code certificates (or probably their fingerprints) in Chrome, something Noscript apparently does, too. This is a horrible concept, but it seems the only way to make the CA system work as it is.
Of course, in the long run, it would mean, that every single certificate would have to be hard-coded in every single browser(engine) and every CA would have to be distrused. Certainly no system that is desirable.