Time for some unexpected updates

Due to the Dutch certificate authority DigiNotar being compromised, Mozilla released Firefox 6.0.2 and Microsoft released security advisory 2607712 in order to prevent those compromised SSL certificates–in layperson’s terms, a file that permits web servers to use https for security–from being used.

Without this step, someone could use a compromised certificate to set up a fake web site masquerading as some other web site you trust and using it for fraud.

Why SSL isn’t foolproof security

Over at Rabbit-Hole, a commenter posted that my low-tier VPN is unnecessary if you’re using SSL. He’s wrong.

Perhaps I should have titled this “When SSL isn’t foolproof security,” but it’s too late now. Oh well.

When you’re sitting on a strange network (not your home or work network), SSL is vulnerable to a classic man-in-the-middle attack. If you’re paying attention, you should know if your session is being hijacked. But who’s paying attention?


A simple security enhancement you can and should do now

HTTPS Everywhere is a free Firefox extension–the EFF would like to do it for other browsers but says it’s not possible without source code–that forces the browser to use HTTPS (SSL-encrypted) connections whenever possible. This isn’t foolproof security–HTTPS is vulnerable to man-in-the-middle attacks–but it forces an attacker to do more work in order to snoop on your web traffic.

If you spend a lot of time on public wi-fi networks, this is the bare minimum you should do to protect yourself.

I need to remember to write up an explanation later this week of how SSL is vulnerable to man-in-the-middle attacks. But it’s better than nothing, and there’s nothing wrong with using it as additional protection even when you’re on a safe network.
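A concrete way to be the person who is paying attention, added here as an example rather than code from the post: connect with normal chain and hostname verification, then compare the server’s leaf certificate against a fingerprint you recorded earlier on a network you trust, which also catches a fraudulently issued certificate that validates fine (the DigiNotar case above). The hostname and pin in the block are placeholders, not real values.

```python
"""Added example: layer two checks on a TLS connection from a strange network.
(1) Chain and hostname validation catches an interceptor that cannot obtain a
certificate from a trusted CA. (2) A pinned SHA-256 fingerprint of the server's
own certificate also catches one that chains to a trusted CA but is not the
certificate the site really uses. Host and pin below are assumptions."""
import hashlib
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as lowercase hex, no separators."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept the colon-separated uppercase form printed by
    'openssl x509 -fingerprint -sha256' as well as bare hex."""
    return pin.replace(":", "").strip().lower()


def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """True if the presented certificate is one of the pinned fingerprints."""
    return fingerprint(cert_der) in {normalize_pin(p) for p in pinned}


def fetch_leaf_certificate(host: str, port: int = 443) -> bytes:
    """Open a TLS connection with full verification and return the DER-encoded
    leaf certificate. Raises ssl.SSLCertVerificationError when the chain or
    hostname does not validate, the first sign of an interposed connection."""
    ctx = ssl.create_default_context()  # chain + hostname checks are on by default
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Assumed values: substitute your bank's hostname and the fingerprint you
    # recorded from a trusted network. The pin string here is a placeholder.
    HOST = "bank.example"
    PINNED = {"<sha256 fingerprint recorded on a trusted network>"}
    der = fetch_leaf_certificate(HOST)
    if pin_matches(der, PINNED):
        print("certificate matches the pin; proceed")
    else:
        print("chain validated but certificate differs from pin:", fingerprint(der))
```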

Basic Internet Explorer troubleshooting

I did a little moonlighting this past weekend fixing Internet Explorer for somebody. It’s been several years since I’ve used that web browser regularly, but if someone pays me to fix IE, then I fix IE.

The problem was that after he paid someone else to fix his spyware problems, IE quit displaying SSL (secure) sites. So much for online banking and bill paying.

So here are some simple things to try if IE breaks and switching to an alternative browser like Opera or Mozilla isn’t an option.

My guess is he got trigger happy with disabling stuff. IE was about as secure as it was going to get, but it was no longer useful as a web browser either. It was kind of like taking the tires off your car to keep it from getting in a wreck.

The "Cannot display this page" page gave some troubleshooting information. It didn’t help. I searched Google for information. There were some suggestions of things to enable. It didn’t help.

So I figured I’d just download IE6 and see if running the installation program would give me an option to do a repair install. No dice. The installation program couldn’t access the Internet to phone home to Microsoft.

Two words: Personal firewall. I went looking. I found two. I uninstalled one. No dice. I uninstalled the second one and enabled Microsoft’s built-in firewall. It still couldn’t call home. This was weird.

As a last resort, I went into Tools, Internet Options, and cleared the browser cache and the history and everything else you could clear. And then I stepped through each tab, resetting the defaults everywhere I could.

In all honesty, I couldn’t see what difference there was between the defaults and the settings he had after I’d followed all those suggestions I found online. But after I reset the defaults, his browser was displaying SSL pages again.

All I can think of is that there may have been some hidden setting or settings in the Registry that got wiped out when I reset the defaults.

Then I went back and tightened things down a bit more–stuff like ActiveX controls and the like.

It’s always best to start with the simplest known configuration that works, then secure it one step at a time. That was definitely the case here.

Patch your Linux distros

There’s a nasty vulnerability in recent SSL libraries that an Apache-based worm is currently exploiting. The patch is obviously the most critical on machines that are running secure Apache sites. But if you don’t like vulnerabilities, and you shouldn’t, go get your distribution’s latest updates.

This is why I like Debian; a simple apt-get update && apt-get upgrade brings me right up to speed.

CERT pointed out that Apache installations that contain the ServerTokens ProductOnly directive in their httpd.conf file aren’t affected. (I added it under the ServerName directive in my file–it’s not present at all in Debian by default.) This will hurt Linux’s standings in Netcraft, but are you more interested in security or advocacy? Increasingly, I’m more interested in security. No point in bragging that you’re more secure than Windows. Someone might make you prove it. I’d rather let someone else prove it.
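A quick audit for the directive the post recommends, added here as an example (not code from the post): it reads an httpd.conf, finds the last uncommented ServerTokens line, and reports Full when none is present, which is Apache’s documented default and the state of the Debian file described above. The config fragments are constructed, and files pulled in by Include are not followed.

```python
"""Added example: report the effective ServerTokens setting of an httpd.conf.
Apache's documented default when the directive is absent is Full, so a file
with no ServerTokens line is reported as Full. Constructed sample configs
below; Include directives are deliberately not followed."""
import re

# Documented keywords for the least verbose Server header; Prod abbreviates ProductOnly.
MINIMAL = {"prod", "productonly"}
DIRECTIVE = re.compile(r"^\s*ServerTokens\s+(\S+)", re.IGNORECASE)


def effective_server_tokens(conf_text: str) -> str:
    """Return the value Apache would use: the last uncommented ServerTokens
    directive wins; 'Full' if none is present."""
    value = "Full"
    for line in conf_text.splitlines():
        # In httpd.conf only a line beginning with '#' is a comment.
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            value = m.group(1)
    return value


def is_minimal(value: str) -> bool:
    """True for Prod/ProductOnly, the setting the post adds under ServerName."""
    return value.lower() in MINIMAL


def audit(conf_text: str) -> str:
    """One-line verdict, usable from a cron job or a post-install check."""
    value = effective_server_tokens(conf_text)
    if is_minimal(value):
        return f"ok: ServerTokens {value}"
    return f"fix: ServerTokens is {value}; add 'ServerTokens ProductOnly'"


# Constructed fragments: a Debian-style file with no directive, and the same
# file with the directive added under ServerName as the post describes.
DEBIAN_DEFAULT = "ServerName www.example.com\nDocumentRoot /var/www\n"
HARDENED = "ServerName www.example.com\nServerTokens ProductOnly\nDocumentRoot /var/www\n"

if __name__ == "__main__":
    for name, conf in (("default", DEBIAN_DEFAULT), ("hardened", HARDENED)):
        print(name, "->", audit(conf))
```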

While you’re making Apache volunteer as little information as possible, you might as well make the rest of your OS as quiet as possible too. You can find some information on that in an earlier post here.
