Archive for the ‘security’ Category

Self-signed SSL certificate warnings in Mozilla

Monday, August 4th, 2008

Mozilla Firefox 3.0 throws a warning for self-signed certificates, and makes you do a couple of extra clicks to see the contents. Though some think it’s bad, I’m not sure what the fuss is all about. There are two reasons for the certificates. One is to encrypt the traffic, and the other is to make sure no one intercepted your traffic using some kind of man-in-the-middle attack. One can’t guarantee the second objective until a respected third party signs or vouches for the certificate. This is why these organizations exist.

If this is such a big issue, the right approach should be for someone to set up a free certificate registry. There are a few out there today like StartCom, but the browser support for such registries is currently unimpressive.

Speaking on behalf of the 99% of the Internet population who don’t understand the significance of SSL certificates, I think the decision Mozilla took is courageous and admirable, and other browsers should do something similar if they don’t already.

Microsoft Live ID out : Google going to support OpenID soon… I predict

Friday, August 17th, 2007

The other day I briefly mentioned the pain point of the web 2.0 world and how consolidation, aggregation and summarization will help reduce some of it. Microsoft today formally announced the availability of Microsoft Live ID as a contender for providing SSO (single sign-on) services in the web 2.0 world. Live ID, in case you didn’t know, is the repackaged version of the Microsoft Passport Network, which had failed so badly that it forced Microsoft to pull it out of the market. Here are some examples of how to use other languages like PHP, Perl, Python, Ruby etc. to do authentication using Live ID. Microsoft is not the first one to openly come out with an SSO technology. Liberty Alliance and OpenID are other open-source competitors which have some foothold in this market already.

The move to SSO (single sign-on) in the web 2.0 world is bound to happen regardless of how scary some people might find it to be. If you can trust your online bank with 100000 dollars and trust 3 companies you don’t really know with your entire credit history, then this shouldn’t be that much of a concern. The real question is whether you trust the technology leaders Microsoft, Google, Yahoo or others like VeriSign enough to provide these critical services for you.

In my opinion the reason why OpenID and Liberty Alliance have failed is fragmentation of standards and lack of leadership. While Microsoft failed in its commercial venture into authentication services (Microsoft Passport Network), it might actually do well as long as it doesn’t screw up this time. Not because they have done a great job in the past, but because the pain is now so unbearable that people are willing to give almost anything a try. But the real kicker is that almost everyone has a Microsoft account anyway, so if I had an option to use my Microsoft account to log in to a new web 2.0 product, I’d do that in a heartbeat. Creating yet another account with a new password and doing the email confirmation thing is not an adventure anymore… (or maybe I’m getting old).

I predict that Google or Yahoo will soon jump into this with their own suite of authentication services (probably using OpenID or Liberty Alliance), which will then become the next battleground in the web 2.0 world. I also predict that a couple of years after that, many web services will move towards supporting these forms of authentication so that users are not forced to create new user accounts with new passwords every single time.

And if my predictions don’t really come true… hey, at least I know that I can dream.

DNS Rebinding what ?

Monday, August 13th, 2007

Everyone who knows what a “DNS Rebinding attack” is, please raise your hands. I’m so glad I can’t see yours, because I’m ashamed of myself for not knowing this one. For those who are “pretending” not to know, please read on.

Browsers use domain names to enforce the same-domain policy for a lot of security features. Interestingly, depending on which client you are using, it’s possible to set a low DNS TTL and change the IP address so that, without a change in domain name, a script could interact with another website as long as the browser can be made to believe that it’s still the same domain. To do this, all the attacker needs to do is initially serve the content from their own server and, while the JavaScript is running, update the DNS record so that the JavaScript ends up talking to a new host from which it could steal information for the attacker.

There are some safeguards to stop these kinds of attacks, but for the most part these kinds of attacks can be done easily on the internet today. The browsers are getting smarter though. And the “DNS Rebinding attack” isn’t new anyway… it’s been known for years at least. The way browsers try to defeat this is by enforcing a minimum DNS TTL of their own, regardless of how low a TTL the record asks for (DNS pinning).

All was well and good until an attacker realized that the browser and the plugins inside the browser each have a different minimum DNS TTL. So as long as the browser and plugin can talk to each other, there could be a point in time when the plugin is talking to the attacker’s server while the browser is still connected to the real server, streaming the information to the attacker through the plugin.
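
The browser/plugin TTL mismatch described above, modelled as an added example (this is not code from the original post): each client pins the first DNS answer for at least its own minimum TTL, so two clients with different floors can resolve the same hostname to different hosts at the same instant. The hostname, IP addresses and the 60-second/0-second floors are constructed assumptions.

```python
# Added example (not from the original post): a minimal model of DNS
# pinning (a client-side minimum TTL) and of why it fails when the
# browser and a plugin use different minimum TTLs for the same name.
# All hostnames and IPs are constructed (RFC 5737 documentation ranges).

ATTACKER_IP = "203.0.113.7"   # constructed: host serving the attacker's script
TARGET_IP = "192.0.2.10"      # constructed: host the script must not reach


class RebindingZone:
    """Attacker-controlled DNS zone: always answers with a 1-second TTL,
    and after `switch_at` seconds starts answering with the target's IP."""

    def __init__(self, switch_at):
        self.switch_at = switch_at

    def lookup(self, name, now):
        ip = TARGET_IP if now >= self.switch_at else ATTACKER_IP
        return ip, 1  # (answer, TTL in seconds)


class PinningResolver:
    """Client-side cache that keeps the first answer for a name for at
    least `ttl_floor` seconds, ignoring a shorter TTL in the record."""

    def __init__(self, zone, ttl_floor):
        self.zone = zone
        self.ttl_floor = ttl_floor
        self.cache = {}  # name -> (ip, expiry time in seconds)

    def resolve(self, name, now):
        ip, expires = self.cache.get(name, (None, -1))
        if ip is not None and now < expires:
            return ip  # pinned: still the address we first connected to
        ip, ttl = self.zone.lookup(name, now)
        self.cache[name] = (ip, now + max(ttl, self.ttl_floor))
        return ip


def simulate(browser_floor=60, plugin_floor=0, probe_at=5):
    """Return the IP the browser and the plugin each resolve `probe_at`
    seconds after both first loaded attacker.example (constructed name)."""
    zone = RebindingZone(switch_at=2)
    browser = PinningResolver(zone, browser_floor)
    plugin = PinningResolver(zone, plugin_floor)
    name = "attacker.example"
    browser.resolve(name, now=0)  # initial page load
    plugin.resolve(name, now=0)   # plugin loaded from the same origin
    return {"browser": browser.resolve(name, probe_at),
            "plugin": plugin.resolve(name, probe_at)}
```

With the default floors the browser still talks to the attacker's host at t=5 while the plugin has already been rebound to the target; giving both clients the same floor removes the gap.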

References

  1. Protecting browsers from rebinding attacks
  2. XSRF^2
  3. Anti-DNS pinning and DNS-rebinding attacks
  4. Defending network against DNS Rebinding attacks

Scalable web architectures

Friday, August 3rd, 2007

I’ve been reading a lot about scalable web architectures lately and made a big enough collection of links to see that this could be interesting to others. Instead of putting all those links here in this blog, I’ve started a separate blog here http://www.royans.net/arch/. If you have an interesting link/links to share please send it over to me.

Faking a Virtual Machine

Sunday, November 19th, 2006

One of the more popular trends in recent years is the move of malicious-code analysts towards virtual machines to test and reverse-engineer malicious code. And surprisingly, the virus/worm writers have been adding mechanisms to their code to detect such environments.

I came across this particular piece of software called Themida which does exactly that. Lenny Zeltser from SANS reports on this at SANS. What’s interesting is that this kind of detection is now part of commercial packers around the world.

The question I have is this: how long will it take for someone to come up with a VMware/virtual-machine simulator/faker which I can run on my perfectly non-virtual desktop/laptop/server and make malware believe it’s running inside a virtual machine?

If that can kill even a small percentage of fresh 0-day worms/viruses, it would be worth the effort. Wouldn’t it?