Monthly Archives: October 2013

How secure are those SSL and SSH keys anyway?

Thought I’d pass along this research study, The keys to the kingdom, as I found it quite interesting (especially when you scan the entire Internet for your data).  If you don’t follow the math explanation at the beginning, just keep reading: you don’t need a degree in math or science to understand what’s going on.

Looking for a workflow plugin for WP

At my day job we use WordPress for our blog.  Because of the multiple approval steps (editor, manager, legal, and scheduler), posts sometimes get delayed because people don’t realize there are posts waiting for review or scheduling.  This should be easier to automate.  Using the Edit Flow plugin we’ve been able to add different status categories so people can see what is in their queue.

I’d like to automate the process a bit, though.  Does anyone know of a WordPress plugin that will send an email to a certain group or person when a post makes it into their queue?  Other than moving the post to the next queue, I don’t want the person to have to do any manual action.  Any ideas?

Trusting Trusted CAs

Like it or not, trust for much of the Internet rests on Certificate Authorities (CAs).  Companies like Verisign, GoDaddy, and GeoTrust are in the trust business.  They sell you a certificate, cryptographic proof that binds your public key to your Internet assets (namely your domain name), which visitors’ browsers use to verify that the website they reached is actually yours and not some lookalike.  This matters because you don’t want to hand your bank login credentials to a lookalike web page that really isn’t your bank.

The trouble is, how do you know the CAs are doing their due diligence and not just issuing certificates to anyone who claims to own a particular domain name?  Well, as users, I’m not sure we do know.  Mozilla, like other browser vendors, has a policy for including CAs in its browser, but a quick look at the list of CAs already shipped in Firefox shows that we as users can’t realistically go behind and verify them all.

If I were a conspiracy theorist I would be looking real hard at what the Electronic Frontier Foundation (EFF) recently released about the NSA spying program.  According to their research (and that of the Guardian and others), the NSA is actively performing man-in-the-middle (MITM) attacks to get malware onto computers.  This malware allows the NSA (and anyone else able to access these infected computers) to circumvent protections put in place to keep information passed over the Internet secure.  To pull off a MITM attack against a site that is supposed to be secured, the attacker must present the user’s browser with a certificate it will accept for that site, and the browser accepts a certificate for a domain from any of the CAs in its trust store.  The only ways to get one are to obtain the real site’s certificate together with its private key, or to generate their own key and have a trusted CA sign a certificate for the site’s name.  With that in mind, I wonder which option is more probable?
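The point of the paragraph above, worked through in code as an added example written for this page (it is not code from the post, the EFF report, or any browser): two root CAs sit in the same trust store and each signs a certificate for the same host name. Ordinary chain validation accepts both, which is exactly why a certificate from any one trusted CA is enough for a man-in-the-middle. Pinning the public key seen on an earlier, known-good connection is one check that tells the two apart. The host name bank.example, the CA names, and the assumption that the pin was recorded over an untampered connection are all made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must aborts on fixture-setup errors; the setup is not what is being demonstrated.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign gives tmpl a fresh key and has parent sign it (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// template is a certificate skeleton valid for the next day.
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newRoot makes a self-signed CA of the kind a browser ships in its trust store.
func newRoot(name string) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := template(name, 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	return sign(tmpl, nil, nil)
}

// issue has a CA sign a server certificate for host; any trusted CA can do this for any name.
func issue(caCert *x509.Certificate, caKey ed25519.PrivateKey, host string) *x509.Certificate {
	tmpl := template(host, 2)
	tmpl.DNSNames = []string{host}
	cert, _ := sign(tmpl, caCert, caKey)
	return cert
}

// chainValid is the browser's check: the chain ends at some trusted root and the name matches.
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value used for key pinning.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Result records how the real and the MITM certificate fare under each check.
type Result struct {
	RealChain, MitmChain   bool // plain chain validation
	RealPinned, MitmPinned bool // chain validation plus a pin on the real site's key
}

// RunDemo puts two roots in the trust store, has each issue a cert for host, and checks both.
func RunDemo(host string) Result {
	legitCA, legitKey := newRoot("Legit Root CA")                // hypothetical CA name
	otherCA, otherKey := newRoot("Other Trusted Root CA")        // hypothetical CA the MITM used
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(otherCA)
	realLeaf := issue(legitCA, legitKey, host)
	mitmLeaf := issue(otherCA, otherKey, host)
	pin := spkiPin(realLeaf) // assumed to have been recorded on an earlier, untampered connection
	return Result{
		RealChain:  chainValid(realLeaf, roots, host),
		MitmChain:  chainValid(mitmLeaf, roots, host),
		RealPinned: chainValid(realLeaf, roots, host) && spkiPin(realLeaf) == pin,
		MitmPinned: chainValid(mitmLeaf, roots, host) && spkiPin(mitmLeaf) == pin,
	}
}

func main() {
	fmt.Printf("%+v\n", RunDemo("bank.example")) // hypothetical host name
}
```

Both certificates pass chain validation, because the trust store has no way to say which CA the real site uses; only the pin rejects the second one. Pinning has its own cost (the pin must be updated whenever the site rotates its key), which is why it is applied selectively rather than as a replacement for the CA model.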

It’s worth noting that these types of attacks are not carried out solely by the NSA.  Gaining access to computers is a very profitable business and one that people other than governments engage in.  It’s important to protect yourself against these attacks and to be smart when surfing the Internet.  The end of the EFF story contains information on how to protect your computer (and yourself) and is a good read for everyone.