LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-25-2009, 06:52 AM   #16
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371

Quote:
Originally Posted by tux99 View Post
The thing is, the Microdasys SKIP apparently doesn't require any certificate to be installed on the clients, according to people who have direct experience with it (I don't).
I can only imagine that means that it comes with a certificate built in that has been signed by one of the many 'trusted' CAs, with delegated CA authority.
Yikes! If that's the case, I wonder why their certificate hasn't been revoked yet.

Quote:
Even outside the corporate environment all you need is a valid certificate from any one of the many CAs trusted by default in browsers (IE has more than 100!) and control of the DNS the client is using (which any ISP has).
True that.

Quote:
And that's the weak point! Do you trust all 50-100+ CAs that your browser trusts by default?
I don't, and therefore I have a separate browser installation only for online banking that only contains the certificate of the CA used by my online bank (I deleted all other default certificates), but this is only a clumsy stop-gap to a the fundamental insecurity of the SSL trust scheme.
I agree. It seems that's the only workaround until a more permanent solution is found. Fundamentally, though, it's an issue of trust, so I can't envision a technological solution to it. We'll just need to limit ourselves to CAs which we can really trust. That might entail developing our own trust criteria and then going through each one of our browser's certificates to delete those that don't meet it. And even then, we're still vulnerable to being hit by those CAs themselves - which again raises the issue of trust.

Quote:
All you need is one foul apple in between and the whole chain of trust is broken.
Just because your online bank uses for example Verisign (as many banks do), that doesn't mean that your browser wouldn't accept a valid certificate for it from any other CA too!
See here too for a real example:
http://www.theregister.co.uk/2008/12...lla_cert_snaf/
Great article, thanks.

Quote:
Of course we cannot realistically have public keys for every https server we interact with, but online banks should start providing them offline for maximum security.
Okay, I see what you were getting at originally.

That does makes sense when you look at it in this context (even if it's infeasible).

Quote:
Also my suggestion is that the browser stores certificates the first time it gets them and then later warns you if they change (unless they change because they have reached their expiry date), similar to how SSH does it.
Of course if the key you get the first time is bogus this won't help, but it still adds a layer of security for most situations.
Yeah I think the fact you could get hit on the first download kinda defeats its purpose. If you don't mind the privacy implications, maybe you could have your browser query your major CAs (we could call them "super-trusted") directly to check whether they have signed a certificate for the relevant IP/domain too. I don't know, man. Like I said, I don't really see a technological solution for this. I think in the end we'll have to take legislative measures that allow people that do this to be put in prison.

Last edited by win32sux; 04-25-2009 at 06:55 AM.
 
Old 04-25-2009, 08:26 AM   #17
tux99
LQ Newbie
 
Registered: Mar 2009
Posts: 20

Rep: Reputation: 3
Quote:
Originally Posted by win32sux View Post
Yikes! If that's the case, I wonder why their certificate hasn't been revoked yet.
Maybe because no one has really investigated this yet?
They keep everything vague on their website as if they don't really want to tell you how exactly their software works.
I would like to get hold of their software to check this out myself and in case find out which CA's certificate they are using (if that's really the case), but even though they provide demo versions, the download is not automated, they have human checks to make sure you are a valid potential customer.

Quote:
Originally Posted by win32sux View Post
I think in the end we'll have to take legislative measures that allow people that do this to be put in prison.
Don't even suggest that as a joke, politicians who go anywhere near technology issues usually just make things worse with very bad laws!

I don't have a link, but there is a project going on which is based on the idea that you can be reasonably safe a certificate is genuine if you retrieve it from different locations (IP addresses) and the certificates you get from all IP addresses match (it's very unlikely that all those IPs are subject to the same MITM attack).

Else, once we have DNSsec maybe that could be used to verify the SSL certificates for the related domains? I don't know enough about DNSsec to tell if that's feasible and not exploitable in other ways.
 
Old 04-25-2009, 09:24 AM   #18
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Don't even suggest that as a joke, politicians who go anywhere near technology issues usually just make things worse with very bad laws!
Haha, fair enough.

Quote:
I don't have a link, but there is a project going on which is based on the idea that you can be reasonably safe a certificate is genuine if you retrieve it from different locations (IP addresses) and the certificates you get from all IP addresses match (it's very unlikely that all those IPs are subject to the same MITM attack).
I appreciate the work which people are presumably putting into mitigating this threat. I hope someone comes up with something that won't be just a band-aid, though. How effective would this multiple-IP approach be if the MITM was on the firewall in front of the server? Zero effective.

Quote:
Else, once we have DNSsec maybe that could be used to verify the SSL certificates for the related domains? I don't know enough about DNSsec to tell if that's feasible and not exploitable in other ways.
Ditto.
 
Old 04-27-2009, 05:29 AM   #19
ramanrv
LQ Newbie
 
Registered: Apr 2009
Posts: 2

Rep: Reputation: 0
more references needed

Quote:
Originally Posted by win32sux View Post
Could you rephrase your question please? It's not entirely clear what it is that you are asking. The server's public key is known to everyone. The server's private key is known only to the server. The randomly-generated symmetric key is only known to the client and the server.
The new thing I understood now is "the data encrypted by the client using the server key can only be decrypted by server with its' private key". I understood now the mechanism is really secure, but I would like to know in depth detail about how above mechanism is achieved. If this mechanism is known to public, isn't possible for them decrypt the data again?

Last edited by ramanrv; 04-27-2009 at 05:36 AM.
 
Old 04-27-2009, 06:21 AM   #20
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by ramanrv View Post
The new thing I understood now is "the data encrypted by the client using the server key can only be decrypted by server with its' private key". I understood now the mechanism is really secure, but I would like to know in depth detail about how above mechanism is achieved. If this mechanism is known to public, isn't possible for them decrypt the data again?
Wikipedia has great articles such as this one, which provide a good overview.

Last edited by win32sux; 04-27-2009 at 06:23 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Secure your webserver using SSL and TinyCA LXer Syndicated Linux News 0 10-08-2007 02:30 PM
LXer: Secure Websites Using SSL And Certificates LXer Syndicated Linux News 0 05-18-2007 12:31 PM
LXer: How to secure WebDAV with SSL and Two-Factor Authentication LXer Syndicated Linux News 0 04-18-2007 09:31 AM
secure. vs www. ssl apache config hank43 Linux - Networking 4 08-09-2006 10:06 PM
Secure email (SSL vs. secure authentication) jrdioko Linux - Newbie 2 11-28-2004 01:39 PM


All times are GMT -5. The time now is 07:59 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration