Browse by Tags

All Tags » Why is PKI so hard? (RSS)
Thursday, May 22, 2008 8:02 PM

Searching for Weak Debian / Ubuntu SSL Certificates

I've seen a number of people promote packages that have shipped for Debian and Ubuntu, which allow users to scan their collected keys - OpenSSH or OpenSSL or OpenVPN, to discover whether they're too weak to be of any functional use. [See my earlier...
Posted by Alun Jones | 2 comment(s)
Filed under: , , ,
Thursday, May 15, 2008 5:55 PM

Debian and the OpenSSL PRNG

[PRNG is an abbreviation for "Pseudo-Random Number Generator", a key core component of the key-generation in any cryptographic library.] A few people have already commented on the issue itself - Debian issued, in 2006, a version of their Linux...
Posted by Alun Jones | 10 comment(s)
Filed under: , ,
Saturday, May 10, 2008 10:49 AM

In Defence of the Self-Signed Certificate

Recently I discussed using EFS as a simple, yet reliable, form of file encryption. Among the doubts raised was the following from an article by fellow MVP Deb Shinder on EFS: EFS generates a self-signed certificate. However, there are problems inherent...
Posted by Alun Jones | 2 comment(s)
Filed under: , ,
Saturday, May 03, 2008 4:57 PM

Can You Write Good Code for an OS you Despise?

No, this isn't another of my anti-Mac frothing rants. This is one of my "here's what I hate about many of the open-source projects I deal with" rants. I'm trying to find an SFTP client for Windows that works the way I want it to...
Posted by Alun Jones | 1 comment(s)
Filed under: , ,
Friday, June 08, 2007 12:01 PM

Can't I trust the Postal Service? Part 2 - the certificate.

In part 1 of this mini-series , I talked about how the US Postal Service had deployed only part of the certificate that they had bought, and that this resulted in either an irritating dialog (in IE 6, and other browsers), or a page that warned you not...
Posted by Alun Jones | 4 comment(s)
Filed under: ,
Sunday, May 20, 2007 9:10 PM

Can't I trust the Postal Service? Part 1 - the crypto.

The Security MVPs have a private mailing list on which we gather to share expertise or our interesting findings - the following was raised by an MVP, and very much interested me, on a number of levels: The US Postal Service has a web service (as well...
Posted by Alun Jones | 1 comment(s)
Filed under: , ,
Saturday, March 24, 2007 9:30 PM

EFS in a domain expires after three years

I enjoyed the research for writing my article on EFS , for the Technet Security Newsletter , but there's always something experience will teach you. Here's an issue I experienced just last week, with EFS. It shouldn't have been a surprise, given what...
Posted by Alun Jones | 3 comment(s)
Filed under: , ,
Wednesday, February 21, 2007 10:05 PM

Finding your private keys

For the most part, Windows users and administrators don't ever have to worry about how or where their private keys are stored. After all, your private key is yours , and it's private . You request it to be generated, and then you don't need to touch it...
Posted by Alun Jones | 1 comment(s)
Filed under: , ,
Saturday, January 13, 2007 9:30 PM

Certificate Manager does not require administrator access.

When you manage your personal certificates in Windows, the tool to use is Certificate Manager - you can access it either by running " certmgr.msc " to access your own personal certificate store, or by running MMC, the Microsoft Management Console, and...
Posted by Alun Jones | 1 comment(s)
Filed under: , , ,
Tuesday, November 07, 2006 7:09 AM

ChangePassword versus SetPassword

Writing a piece of code last night, I was struck by the thought that many developers I've worked with would not know why I use a ChangePassword function, instead of a SetPassword function. The difference in use is simple - SetPassword requires one password...
Posted by Alun Jones | with no comments
Filed under: , ,
Tuesday, July 18, 2006 6:56 PM

Defence in death

"Defence in depth" (or "defense in depth", if you're American) is a frequently misunderstood term in security. It refers to designing your software with the assumption that layers above you that were supposed to protect you have failed to do so - in whatever...
Posted by Alun Jones | with no comments
Filed under: ,
Monday, July 17, 2006 5:48 PM

Where did Private Folders go?

Wow - yesterday, you could download "Microsoft Private Folders" (if you were attested as Genuine) from Microsoft's downloads site. Today, it's gone. There's a brief synopsis of the story at the Seattle P-I's site here - as usual, I'm patient enough to...
Posted by Alun Jones | with no comments
Filed under: ,
Wednesday, July 05, 2006 11:06 AM

New ActiveSync - still not going to upgrade to it.

Microsoft just released a new version of ActiveSync - version 4.2 . It has some Outlook improvements, proxy improvements, partnership improvements, and VPN connectivity improvements. So why am I still not going to bother installing this? Because it still...
Posted by Alun Jones | 1 comment(s)
Filed under: ,
Saturday, May 27, 2006 6:10 PM

PGP / Truecrypt brouhaha

There's a fascinating debate going on at present. Two 'researchers', called Abed and Adonis, are trumpeting their mad sk177z at cryptography . They have a few basic claims: They can bypass authentication on PGP self-decrypting archives. They can decrypt...
Posted by Alun Jones | with no comments
Filed under: ,
Sunday, May 14, 2006 8:31 PM

How to scan SSL/TLS sites.

The other day, I hit a conundrum. We couldn't make LDAPS connections to a couple of domain controllers. A quick "TS" over to the systems in question indicated that we had a correct certificate in place, and that it was valid, but when we connected using...
Posted by Alun Jones | 9 comment(s)
Filed under:
Monday, April 24, 2006 8:30 AM

Banks and SSL forms

I just knew this message was going to get badly diluted as it progressed. What Ullrich has 'discovered' is that banks provide the form to their users over a plain-text link - while taking the input from the form using an SSL link. This means that your...
Posted by Alun Jones | 3 comment(s)
Filed under: ,
Friday, April 21, 2006 5:51 PM

Two-factor authentication - what's not to like?

Steve Riley always makes me think, sometimes so much that it hurts. Thanks, Steve. His latest blog posting is about two-factor authentication , and he's asking for input on what you (we) want from it. First, a couple of examples on authentication. "I...
Posted by Alun Jones | with no comments
Filed under: , ,
Wednesday, April 05, 2006 9:19 PM

Signs your crypto is wrong.

Here are a few signs that you might be doing crypto the wrong way: You're using a third-party library "because .NET keeps throwing exceptions". Explanation: .NET's cryptography routines throw exceptions when you are doing something wrong. If you are getting...
Posted by Alun Jones | with no comments
Filed under: , ,
Friday, March 31, 2006 1:00 PM

More proof that crypto is harder than it needs to be.

I went looking today for a definitive statement on what purposes a certificate needs when it is created for an SMTP server that uses STARTTLS (I'm still looking, but I'm pretty certain I know what it needs). I came across this gem of a piece from the...
Posted by Alun Jones | with no comments
Filed under:
Thursday, March 09, 2006 3:11 PM

Why is PKI so hard? part 2

I promise, this one's shorter. It took me several hours to figure out, researching one alley or another, but here's the deal: I wanted to request a certificate from the local certificate server, running Windows 2000 Server. I logged on to http://site...
Posted by Alun Jones | 1 comment(s)
Filed under:
More Posts Next page »