ssl

CSSLP, Educational, News February 28, 2018

Microsoft Updates Guideline on Windows Driver Security

Microsoft has released an updated guide on driver security. This new guide offers advice that developers could use to ensure Windows drivers are secured against basic attacks and preventable flaws.   Driver Security Guidance This section contains information on enhancing driver security. In this section Topic Description Driver security checklist This topic provides a driver security checklist for driver developers. Threat modeling for drivers Driver writers and architects should make threat modeling an integral part of the design process for any driver. This topic provides guidelines for creating threat models for drivers. Windows security model for driver developers This topic describes how the Windows security model applies to drivers and explains what driver writers must do to improve the security of their devices. Use the Device Guard Readiness Tool to evaluate HVCI driver compatibility This topic describes how to use the tool to evaluate the ability of a driver to run in a Hypervisor-protected Code Integrity (HVCI) environment.   The nice part is that all this is also available as PDF. I am starting to like these new initiatives from Microsoft. I wrote that they are taking a clear stance on PUA and now I see that they are actually…

privacy, security November 27, 2017

Chrome will distrust SSL certificates generated by Symantec

I reviewed the headers of my IT Security News website https://www.itsecuritynews.info/ in order to add HSTS. This is what I can see in the headers.   The certificate used to load https://www.itsecuritynews.info/ uses an SSL certificate that will be distrusted in an upcoming release of Chrome. Once distrusted, users will be prevented from loading this resource. See https://g.co/chrome/symantecpkicerts for more information.   Source: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html Checking the article, I see some disturbing news:   Information For Site Operators Starting with Chrome 66, Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released to Chrome Beta users on March 15, 2018 and to Chrome Stable users around April 17, 2018. If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome. Additionally, by December 1, 2017, Symantec will transition issuance and operation of publicly-trusted certificates to DigiCert infrastructure, and certificates issued from the old Symantec infrastructure after this date will not be trusted in Chrome.     Strato…

published-external, quoted, security November 18, 2015

Quoted in ECommerceTimes: Gmail to Warn Users of Unencrypted Email

Gmail to Warn Users of Unencrypted Email Author: Richard Adhikari   Quotes: The warning “will help in cases where hackers try to perform DNS poisoning while trying to infect or phish users visiting well-established websites,” security consultant Sorin Mustaca said.   Going with TLS is not necessarily the answer because “many emails would not reach their destination if the destination servers don’t support TLS,” security consultant Mustaca told the E-Commerce Times. Emails continue to be delivered because of opportunistic encryption. “Servers first try to establish a TLS connection and, if they don’t succeed, they continue communicating on unencrypted connections,” he explained.

No Image

News, published-external March 20, 2015

The mysterious OpenSSL vulnerability has been patched

No, it doesn’t have a name like Heartbleed or POODLE, it was “just” a denial-of-service. “Just” is by no means something to be ignored, but it is less dangerous with the previous vulnerabilities. All users of OpenSSL 1.0.2 should upgrade immediately to version 1.0.2a. In the advisory published on their website the OpenSSL vulnerability is called “ClientHello sigalgs DoS (CVE-2015-0291)”. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server. According to OpenSSL’s Security Policy, a “high severity issue”  includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS (like this one), a significant leak of server memory (Heartbleed), and remote code execution. OpenSSL promises that such issues “will be kept private and will trigger a new release of all supported versions”. They will attempt to keep the time these issues are private to a minimum, but the goal would be “no longer than a month” where this is something that can be controlled, and significantly quicker if there is a significant risk or we are aware the issue is…

No Image

General, News March 6, 2015

FREAK: All Windows versions are affected too

UPDATE on the FREAK vulnerability in SSL: it affects not only Android and iOS but all Windows versions too.   I wrote about the new SSL vulnerability called FREAK – Factoring RSA Export Keys – affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains, according to computer scientists at the University of Michigan. Android, iOS and a lot of embedded devices that make use of the affected SSL clients (including Open) are in danger of having their connections to vulnerable websites intercepted. The two most used operating systems for smartphones, tablets, laptops and embedded devices  are in good company. Yesterday, Microsoft made known that all its supported Windows versions are also affected due to the presence of the vulnerability in the Windows Secure Channel (SChannel) – the Microsoft own implementation of SSL/TLS: Windows Server 2003 Windows Vista Windows Server 2008 Windows 7 Windows 8 and 8.1 Windows Server 2012 Windows RT Microsoft published an TechCenter an advisory where the problem is analyzed and solutions are offered. Also a patch is promised to fix all supported operating systems. What does it mean for the user? It means that if you are in Windows…

No Image

News September 8, 2012

How to prevent SSL sniffing through fake certificate injection attack?

SSL stands for Secure Socket Layer and is an encryption protocol used to secure the communication on a network. SSL is used to encrypt the segment of network connections and it uses several methods to encrypt the data, depending on the goal which needs to be achieved: asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. A certificate injection attack misuses the first type of cryptography algorithms: asymmetric cryptographic algorithms. Asymmetric cryptography  system requires two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the cyphertext. Neither key will do both functions. One of these keys is published or public and the other is kept private. If the lock/encryption key is the one published then the system enables private communication from the public to the unlocking key’s owner. If the unlock/decryption key is the one published then the system serves as a signature verifier of documents locked by the owner of the private key. Although in this latter case, since encrypting the entire message is relatively expensive computationally, in practice just a hash of the message is encrypted for signature verification purposes. In order to be able…

No Image

antivirus, News August 19, 2010

Quoted in the IT Business Edge

http://www.itbusinessedge.com/cm/blogs/poremba/trustworthy-ssl-certificates/?cs=42832 As Sorin Mustaca, manager of international software development at Avira, explained to me: A Certificate Authority is, by common understanding, an entity having a trust level beyond any doubt. This means that in the case of digital certificates, a CA can generate certificates which are trusted by all parties involved in a communication. Any entity, private or corporate, is allowed to request such a digital certificate, the only proof required is an official identification document. This means that such a certificate can only guarantee that the entity you are communicating with is who she pretends to be. It doesn’t guarantee that the owner of the certificate can be trusted.

%d bloggers like this: