Impersonating secure web servers
BREACH OF TRUST
Find out why you can’t trust your web browser or certificate authorities.
If you’re reading this magazine, a large portion of your life is likely handled through a web browser. Online banking, shopping, bill payment, social networks, news – you name it and chances are you can do it with a web browser. To do these things safely (especially the things like banking), you need to trust your web browser. However, your web browser can’t magically verify that yourbank.com is actually your bank, which is why SSL was invented.
Read full article as PDF:054-055_kurt.pdf (2.16 MB)
Good news - Verisign removes dangerous addressesFrom Verisign (Bug 556468):
Hi, I did want to provide an update from our side and say that VeriSign will be
removing the following generic approver email options for GeoTrust and RapidSSL
as of tonight or tomorrow night:
- ssladmin, sysadmin, and info
We did have these planned for removal in our upcoming release, but have
acceralated that to tonight or tomorrow night. We will post an update once
these are removed.
Our hope is that Mozilla will work with the other CAs who use these options for
domain validated certs to have them remove these asap as well.
However this means that "domain verification" still consists of checking one email address and nothing else, but at least the easily obtained email addresses have been removed. If anyone knows of other CA's still using addresses such as ssladmin@ please contact me at email@example.com.
Turktrust and governmentTurktrust lives and operates in Turkey. Thus the Turkish government can order/force/etc. certificates to be issued (for example to intercept communications between say a PKK website and its members). Or for anything really. If a company like Turktrust was restricted to issuing certificates for Turkish entities with domains names only ending in .tr (not .tk as I originally said, my bad) then I would have very little trust issues with them, but since those types of restrictions are not currently supported a root CA can do anything they please. Thus certificate authorities in countries with governments that are less open and subject to fewer checks and balances are potentially very dangerous to users of Firefox worldwide.
TurkTrustTurkTrust is a private company which is entitled to issue sertificates according to their web site. I don't have a clue about how good they do their job. But I don't see the connections you are making between TurkTrust, Turkish government or .tr/.tk whatever domain. AFAIK being CA and giving out domain names ending with .tr or any other country code are different matters.
tk/tr - my badApologies, that was a typo, I was specifically talking about the Turktrust certificate (first one listed in the certificate store if you look), I should have double checked the TLD I typed but my brain told me .tk so I typed .tk, mea culpa.
An industry problem with DV certsThis is the problem with DV (Domain Validated) certs. You don't know who you are dealing with. (How can you trust what you can't really see? ) DV certs need to die a horrible death. There is only a few places where a DV cert is worthwhile. That is on your website's control panel (or anywhere that isn't intended for other users than yourself or a few "employees".) or your company's webmail (for employees, not customers). Because if you can't trust your own company to exist or be who they say you are, who can you trust?
The place to get these DV certs out of the industry is the CA/Browser forum(cabforum.org). It's because of Companies like Verisign (Owners of RapidSSL) and GoDaddy that DV certs are popular because they are so "inexpensive". Other CAs are FORCED into offering them and unfortunately it is a dog eat dog world out there.
There is one minor browser vendor (Comodo, which is also a CA) trying to do some good to get these certs out of the way by displaying a little warning about any DV cert it comes across. There may be a few false positives with it, but over all it works pretty well in my uses. Sites that I didn't think would use DV certs DO! (Twitter and Facebook come to mind and that's pretty sad). Here's a link to the writeup that Netcraft recently wrote up on said browser (Comodo Dragon).
If we all voice our thoughts, we can get these pathetic excuses for a cert OUT of the marketplace!
.tktk -> Tokelau
How much time does it take to check what .tk stands for?
Domain .tk.tk is not Turkey. .tr is.
The Raspberry Pi Foundation has announced an even smaller version of the tiny computer that will fit into a DIMM slot.
A new class of problems lets a malicious app pre-configure an invisible privilege update.
New Hack language adds static typing and other conveniences.
New crypto policy system will offer easier configuration and more uniform security.
Ubuntu founder denounces insecurity in proprietary, close-source software blobs.
Vulnerability affects many Linux web servers
The Bavarian capital shuns Microsoft, Google, and other alternatives to implement an open source groupware solution.
Phone vendor partnerships bring Mark Shuttleworth's dream of Ubuntu on a phone a step closer to reality.
Donors will get to vote on new features for the free video editor.
Debian project puts init out to pasture and says no to Ubuntu's Upstart.