Penalizing Unauthenticated SSL Certificates

August 5th 2008

Mozilla's Firefox, like most responsible web browsers, pops up a warning if someone visits a secure web site whose crypto credentials (its SSL certificate) have not been countersigned by a recognized certificate authority.

On Slashdot, Chandon Seldon argues that the Mozilla SSL Policy is Bad For the Web, which links to a post by Nat Tuck saying, again, that Mozilla's SSL policy is bad for the Web. The argument is that this policy violates net neutrality by forcing people into a commercial venue (buying a certificate from a commercial CA) if they want their secure connections to be user friendly. The commentaries find this especially troublesome for nonprofit organizations.

This is nonsense. Net neutrality is about connectivity. SSL is about security and assured identification. A web browser complains about authentication when it can't verify a site's identity; that is exactly what the browser is supposed to do. SSL certificate management is the best affirmative defense on the Internet today, and these suggestions would only weaken it. Continue Reading »

Posted under Security | No Comments »

Six Minute History of Information Security

August 3rd 2008

I have been reading the ACM’s Model Curriculum on Information Technology (a prototype “IT” major) with a special eye towards the information security coverage. I’ve been teaching information security courses and recently developed a major in the area.

The curriculum provides minimum times to cover major topics in the field, like 3 hours to cover “Fundamental Aspects” including the “history” of information assurance and security. After factoring out the other dozen ‘learning outcomes’ for that topic, one is left with six minutes to cover the “history” of information security. Continue Reading »

Posted under History of Technology & Security | No Comments »

Are 32,768 different keys enough?

May 30th 2008

This is one for the books. The OpenSSL packages shipped by Debian and its derivatives, including Ubuntu, have had a crippled random number generator since September 2006. It's described on the Metasploit web site.

The pseudo-random number generator (PRNG) was broken such that the Unix process ID was the only input that still varied from one run to the next, so the generator's output, and every key derived from it, was a function of the PID alone. In other words, these packages could not generate more than 32,768 different keys of a given type and size (since a Unix process ID, by default, takes only 32,768 values). Continue Reading »
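To make the failure mode concrete, here is an added illustration (not code from this post, from Debian, or from OpenSSL) of what it means for a key generator to depend on nothing but the PID. The key derivation is a stand-in (a hash over the seed), not OpenSSL's real RSA or DSA generation, and PID_MAX is taken as the 32,768 figure used above; the point it shows is that an attacker can enumerate the whole key space in advance and look up any victim's key in it, which is exactly how the weak-key blacklists for this bug were built.

```python
"""Model of a PRNG whose only varying input is the process ID.

Added example, not the post's or Debian's code. derive_key() is a stand-in
for key generation (SHA-256 over seed material), not OpenSSL's algorithm.
"""
import hashlib
import os

PID_MAX = 32768  # assumption from the post: a Unix PID takes 32,768 values


def broken_seed(pid):
    """Seed as the crippled package effectively produced it: PID and nothing else."""
    return pid.to_bytes(2, "little")


def sound_seed(pid, entropy):
    """Seed with the PID mixed together with real entropy from the OS pool."""
    return pid.to_bytes(2, "little") + entropy


def derive_key(seed, key_type="rsa-2048"):
    """Stand-in key generator: a deterministic function of seed and key type.

    The key type/size goes in because the real generator consumed different
    amounts of PRNG output for different key sizes, so each type/size has its
    own 32,768-entry key space.
    """
    return hashlib.sha256(key_type.encode() + b"|" + seed).digest()


def build_blacklist(key_type="rsa-2048"):
    """Precompute every key the broken generator can emit for one key type.

    Maps key -> PID that produced it. This is the attacker's (and the
    defender's) complete table of weak keys for that type.
    """
    return {derive_key(broken_seed(pid), key_type): pid for pid in range(PID_MAX)}


def recover_pid(key, blacklist):
    """Return the PID behind a weak key, or None if the key is not in the table."""
    return blacklist.get(key)


def same_pid_collides(pid, entropy_a, entropy_b):
    """Compare two runs that happened to get the same PID.

    Returns (broken_equal, sound_equal): the broken generator collides,
    the sound one does not as long as the entropy differs.
    """
    broken_equal = derive_key(broken_seed(pid)) == derive_key(broken_seed(pid))
    sound_equal = derive_key(sound_seed(pid, entropy_a)) == derive_key(sound_seed(pid, entropy_b))
    return broken_equal, sound_equal


if __name__ == "__main__":
    table = build_blacklist()
    print("distinct keys the broken generator can produce:", len(table))

    # A "victim" key generated by some process with PID 4242.
    victim = derive_key(broken_seed(4242))
    print("victim key recovered from PID", recover_pid(victim, table))

    # Two machines that both happened to get PID 1234 at key-generation time.
    print("broken/sound collision:", same_pid_collides(1234, os.urandom(32), os.urandom(32)))
```

Building the whole table takes a fraction of a second, which is the practical content of the post's question: 32,768 candidates is not a key space, it is a lookup table.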

Posted under Security | No Comments »

SSL Site “Seal”

May 5th 2008

As noted earlier, I’m now using SSL to secure parts of my site. I used to have arrangements like that at Visi.com, my old ISP, but I’m making better use of it with WordPress and such.

Continue Reading »

Posted under Household Tech & Security & WordPress | No Comments »
