Comodo up to more tricks

People occasionally ask me who they should buy security certificates from. I absolutely will not recommend anyone in particular – even the most honest and honorable Certificate Authorities are inherently swindlers, because the trade itself is pretty much a legalized extortion scheme – but I am willing to say who I don’t recommend – Comodo is the worst CA, hands down. Witness their latest hijinks:

When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.
[Link to Chromodo download elided]
Chromodo is described as “highest levels of speed, security and privacy”, but actually disables all web security. Let me repeat that, they ***disable the same origin policy***…. ?!?..

This certainly isn’t the first time Comodo’s been caught doing things they shouldn’t, but somehow they still control around a third of the world’s certificate issuance. People need to stop giving business to known bad actors, even when it’s unclear whether the actions stem from malice or incompetence.

annoying git

I’ve been installing git on some corporate servers with the idea of converting existing CVS and ad-hoc code management systems into something reasonably fast and modern.

It’s been somewhat tedious and painful, but supposedly once I’m done the installation will be stable and maintainable. For an enterprise SCM that’s a lot more important than ease of installation, at least in theory. (I ran OpenLDAP for a decade or more, so I can appreciate the value of putting all the pain up front.)

Today’s annoyance is that the gitolite documentation and web site refer to a “hosting user” but the toolset and other web sites describing gitolite installation talk about an “admin user”. After wasting several hours with Google trying to find out exactly what the difference was, I created a new user account for the admin user and executed the commands – at which point it became immediately obvious that THOSE ARE THE SAME DAMN THING.

Curse you, gitolite. I WANTED US TO BE FRIENDS.

Cryptic sword

British Library museum shelfmark 1858,1116.5

13th century double-edged European knightly sword, 2lb 10oz (1.2kg), 38″ (964mm) long and 6½” (165mm) across the quillons. Found in the river Witham, Lincolnshire, in July 1825, and presented to the Royal Archaeological Institute by the registrar to the Bishop of Lincoln. The blade was broken near the tip and mended “in modern times” according to the British Library website.

Said to bear an indecipherable inscription “+NDXOXCHWDRCHWDRCHDXORUN” inlaid in gold wire on one side, but to me it looks more like “+NDXOXCHWDRCHWDRCHDXORVI+”.

James Mickens in Norway

“In this bleak, relentlessly morbid talk, James Mickens will describe why making computers secure is an intrinsically impossible task. He will explain why no programming language makes it easy to write secure code. He will then discuss why cloud computing is a black hole for privacy, and only useful for people who want to fill your machine with ads, viruses, or viruses that masquerade as ads. At this point in the talk, an audience member may suggest that Bitcoins can make things better. Mickens will laugh at this audience member and then explain why trusting the Bitcoin infrastructure is like asking Dracula to become a vegan. Mickens will conclude by describing why true love is a joke and why we are all destined to die alone and tormented. The first ten attendees will get balloon animals, and/or an unconvincing explanation about why Mickens intended to (but did not) bring balloon animals. Mickens will then flee on horseback while shouting ‘The Prince of Lies escapes again!'”

RMS is online

Richard Stallman finally figured out a way to get online that was ideologically acceptable.

…he now connects to websites from his own computer – via Tor and using a free software browser. Previously, he used a complicated workaround to more or less email webpages to himself. The announcement brought a surprised gasp and a round of applause from the 300-plus attendees.

“At one point, I used to believe that the Firefox trademark license was incompatible with free software, I found out I was mistaken – it does allow the redistribution of unmodified copies,” he said.

Concerning Nature’s “open access”

Earlier this week the Intartubes were boiling with the news that Nature Magazine would open its archives back to 1869. Which would, indeed, be marvelous and unexpected.

But it’s a little more complicated than that… it seems Nature’s publisher, Macmillan, is going to let paid Nature subscribers use (yet another) foredoomed-to-failure “read only sharable format”.

The content-sharing policy, which also applies to 48 other journals in Macmillan’s Nature Publishing Group (NPG) division, including Nature Genetics, Nature Medicine and Nature Physics, marks an attempt to let scientists freely read and share articles while preserving NPG’s primary source of income — the subscription fees libraries and individuals pay to gain access to articles.

That sounds pretty great for everybody, right? Win-win!

ReadCube, a software platform similar to Apple’s iTunes, will be used to host and display read-only versions of the articles’ PDFs. If the initiative becomes popular, it may also boost the prospects of the ReadCube platform, in which Macmillan has a majority investment.

Starting to sound a lot dodgier now… we may have a reality disconnect going on…

Although the screen-view PDF cannot be printed, it can be annotated — which the publisher says will provide a way for scientists to collaborate by sharing their comments on manuscripts.

Yep, reality check sorely needed. Hey, look, smartphones have cameras!

ReadCube -> monitor screen -> camera phone -> email -> PC -> printer.

There are no formats that can be viewed but not printed. If you think such a thing exists, everything you’ve built is suspect, because you’re apparently not entirely aware of what’s going on around you. The odds are good that Macmillan’s “read only format” can be trivially defeated, and that script kiddy hacks will be available in short order.

Any questions?

Theo weighs in on Heartbleed

I’ve been subjected to a fair bit of hysteria about the heartbleed vulnerability in OpenSSL. While it’s admittedly a severe problem, I can’t see much use in all the frothing Y2K-esque fearmongering (although it’s funny when Randall does it).

But honestly, I’ve been looking forward to Theo’s take on this, and he did not disappoint. You never doubt where Theo stands!

OpenSSL has exploit mitigation countermeasures to make sure it’s exploitable. — Ted Unangst

As the various cert vendors I deal with have been telling me all morning (can you stop emailing me now, guys, please?) it’s time to patch the vulnerable webservers, get new certs and move on.

IF YOU DID NOT UNDERSTAND ANY OF THE ABOVE, here’s what you do: Test each site you use (like, for example, or using Filippo Valsorda’s tester. Once ALL the sites you use are patched, change ALL your passwords on ALL websites you use. Don’t change your password on a site that’s not patched – don’t even log in on a site that’s not patched! That will just increase the chances you will be hacked. Don’t assume that because your site is OK now, that you don’t need to change your password – the big boys (Yahoo comes to mind) were vulnerable for quite a while before they patched, but they test out fine now.

Chrooted SFTP-only accounts with OpenSSH

Courtesy of slashdot user CarlHaagen:

First off, add a group that you call for example “sftponly”. New users that are to be allowed only sftp access should have “sftponly” as their login group, and have /sbin/nologin as shell to deny them shell access. Their home directories should be owned by root:sftponly, and within the home dir you then create relevant user-controllable directories which should be owned by :sftponly.

Secondly, the sshd_config magic that makes the whole charade work:

Subsystem sftp /usr/libexec/sftp-server
Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory %h

What happens is that when the SSHd matches the user’s login group successfully, it forcefully switches over to the internal sftp component instead of the default external subsystem, which in turn makes it possible to chroot the user to his/her home dir without having to place a plethora of system files in each user’s home directory.

Turing pardoned

Alan Turing was a brilliant British code-breaker in World War II and probably responsible for saving (at least) thousands of lives. He and his colleagues made a huge contribution to the eventual defeat of the Axis powers, and to modern computer science and cryptography. But because Turing was a homosexual, the British Government rewarded this service with vicious persecution – including so-called “chemical castration” – that eventually drove him to suicide.

Human rights campaigner Peter Tatchell has said: “I pay tribute to the government for ensuring Alan Turing has a royal pardon at last but I do think it’s very wrong that other men convicted of exactly the same offence are not even being given an apology, let alone a royal pardon.”

Crytpo Geeks and Hackers as Guardians of Internet Freedom

Socialist website Counterfire’s Marienna Pope-Weidemann assesses the ‘transnational surveillance state’ and ‘cypherpunks’ as self-appointed whistleblowers.

Jacob recounts the numerous occasions he has been detained by the FBI and immigration officials, usually in countries with lax judicial rights. He has had equipment confiscated and been denied access to both lawyers and bathrooms while being interrogated on his position on the Iraq War, and given explanations for this treatment such as: ‘you work on Tor’ and ‘you were sitting next to Julian, what do you expect?’

It’s a long read, but very informative. Worth the investment if you care about the way pervasive high speed global communication is reshaping our world.

SSL/TLS certificates, formats and file types

This stuff is a stack. You can’t skip the middle part and expect to understand any of it.

SSL (Secure Socket Layer) is a type of secure communications channel that you can push anything you want through. It is mostly used by web browsers to talk to web servers but it has infinite other uses. It was invented so that you could use a credit card online, and that is still the #1 use for it.

When a web address starts with “HTTPS” instead of “HTTP” it’s using SSL. You might see a little padlock icon in your browser when you go there.

SSL and TLS (Transport Layer Security) are pretty much the same thing. Everything I say here about SSL also applies to TLS.

PKI really means Paired Key Infrastructure even though officially the “P” stands for “Public”. I use lots of different PKIs, you probably do too. SSH uses one, SSL uses a different one, etc.

X.509 is a PKI standard for using linked pairs of cryptographic keys to ensure two separate things: #1, that you are talking to exactly who you think you are talking to, not some random criminal, and, #2 nobody can listen in on the conversation.

The security and reliability of x.509 depends on the non-existent virtuousness of commercial Certificate Authorities, so it’s not as great as you could hope, but good enough for buying stuff on Amazon or protecting PHI. The NSA and Unit 8200 are totally inside it all the time, but they don’t care about your Amazon wish list.

X.509 specifies only how key pairs are used, and not how they are stored on your disk drive. There are many formats for storage, but we have to stack up some more knowledge before we can talk intelligently about that.

As usual in paired key crypto, one key is chosen to be “public” (doesn’t matter which one) and one key is chosen to be “private”. Data encrypted with one can only be decrypted with the other, and vice versa. Bigger keys are better. Most people aren’t using big enough keys.

X.509 adds the extra wrinkle that the key chosen to be public will be time-stamped and signed by a Certificate Authority. A signed, stamped public key is called a certificate. The time stamp is there so CAs can charge absurdly high fees when certificates expire; it serves no other real purpose and don’t let them tell you different.

Don’t worry about what “signed” means. All that matters is that your web browser can always tell if your certificate was signed by a real commercial CA, or by your employer’s private CA, or is self-signed, or was signed by some random unknown system that might be criminal, or is expired.

When certificates are passed around from one system to another on the wires (like, from Amazon to your web browser, or in a Certificate Signing Request submitted to a CA, or whatever) they use Abstract Syntax Notation One’s Distinguished Encoding Rules (ASN.1 DER). If you really want to understand everything about standardized arbitrary data structure representation go to Wikipedia and start reading at ASN.1, which is sort of the ground rules everything else rests on. But you don’t really need to know the air:fuel mixture in your car is 16:1 to fix a carburetor, and you won’t need to know ASN.1 or DER to build a great web service.

Major point here: When you say “SSL certificate” you are saying “X.509 ASN.1 DER timestamped signed public key”, in the same way that when you say “living woman” you are saying “breathing mammalian human female person”. You don’t add any information by saying DER or X.509, those are already known when you say “SSL certificate”. Which is why I get annoyed whenever I read vendor documentation to see what format they want their certs in, because they always say something useless like “DER” or “X.509”. I already knew that!

Certificates and keys can be stored on disk in an bewildering number of different formats. Tomcat/Java, Apache, IIS/AD, and HP-UX’s webserver all use different formats with mostly stupid names following no particularly obvious pattern.

I’m only going to talk about the storage formats you might actually need to use, and I’m going to ignore lots of details.

PEM (used by lots of stuff) is the easiest way to store certs and keys and the least secure. You have to be super careful when you use PEM; making minor mistakes with file permissions or user privileges can be equivalent to leaving the root password written on a postit stuck to the side of your keyboard. Poorly written software may require you to put both the (public) certificate and the (private) key in a single PEM file which is unnecessarily dangerous. There are no non-printable characters in a PEM cert, it’s all human-readable gibberish that you can cut and paste.

PKCS#12 (Public Key Cryptography Standard number 12, the “Personal Information Exchange Syntax Standard”) is a password-protected format that can hold multiple sets of both (public) certs and (private) keys. The encryption is not marvelously strong so you still have to protect a PKCS#12 file, but it’s strong enough that you sure don’t want to lose the password! It’s a very good format for moving certificates and keys from system to system and used by many Microsoft products.

JKS (Java Keystore) is supposedly PKCS#12… but in my experience, using various versions of Tomcat, you have to build your Java keystore with the Java keytool that came with the version of the Java SDK that was used to build your Java application (such as Tomcat) which is a pain in the butt. It’s password-protected, so you need the passphrase used to build it in order to use it. The Java keytool can’t extract the private key to another file but there are plenty of other tools that can, so it’s not like this adds any real extra security, it’s mostly just annoying.

PKCS#7 (Public Key Cryptography Standard number seven, the “Cryptographic Message Syntax Standard”) is used a lot in the deep deep infrastructure. It cannot hold private keys, only certs, but it can hold a “cert chain” of any length, so for example CertX signed by CertZ, plus CertZ signed by some CA, plus the CA cert all in one file. I occasionally need to put certificates into this format for stuff like complex multi-OS LDAP architectures, and CAs use it, but most people will never need to work with it.

<Curmudgeonly Digression> An unfortunate result of Microsoft’s market dominance is that otherwise well-informed people often think that the last four characters of file names are deeply magical. This is because Apple used to have better filesystems than Microsoft (and arguably they still do). Apple filesystems implemented a resource fork as an extension to file metadata; the resource fork allows users, applications or operating systems to mark what program(s) should be used to process a file, so that you can just click on a file created by Excel and it will open in Excel, or whatever. Microsoft made a really crappy lame fake of this capability by creating a list of three-character codes and assigning each one to a piece of software, so that when you click on a file ending in .xls the operating system fires up Excel. If you think about this really deeply, you’ll realize it’s is a truly horrible idea that Microsoft’s success has conditioned everyone to believe is reasonable – sort of like the way people used to be conditioned to think it was totally reasonable to test for witchcraft by dunking people in water. Nowadays Microsoft takes this stupidity a step further by hiding the last four characters from the user (unless you change the file viewer settings, which you definitely should), mostly likely because they are ashamed of the utter boneheadedness of it.
</End Digression>

So anyway, although file “types” aren’t really types at all, but merely arbitrary strings preceded by dots on the ends of file names, that are used in Microsoft systems to do Dumb Things™, we humans generally use names and labels to encode useful hints to other humans and that’s all very well and good. I always end my perl sources with .pl for example, even though the perl interpreter couldn’t care less. It’s a useful hint to my co-workers about content.

These are the most commonly used file types for x.509:

something.key = PEM format private key for something
something.csr = PEM format “certificate signing request” to submit to a CA
something.crt = PEM format signed certificate

whatever.p7s = PKCS#7 format certificate chain

whatever.p12 = PKCS#12 password-protected keystore
whatever.pfx = either a PKCS#12 keystore or an obsolete Microsoft PFX keystore
tomcat.jks = a Java Keystore, probably for Tomcat, possibly PKCS#12 format

Unfortunately, there are hundreds of exceptions to the common usages – and Netscape Security Services, which is used in Firefox and HP-UX and lots of other places, can use files with names like cert7.db, secmod.db, key3.db, that use formats I haven’t even bothered to explain (use PEM format to import and export certs and keys into NSS and don’t worry about it).

Here are the takeaways:

#1 Crypto isn’t simple. Every vendor believes they are doing it right and nobody else is, although really they are pretty much all doing it partly wrong… in various different ways.

#2 If you start thinking .cer or .der or .spc means something outside a very limited space, you aren’t doing yourself any favors. File names are poor hints only. Never ask someone for a .DER formatted file, it makes you sound like an idiot.

#3 You can use well known vendor-independent language that does have real meaning – Here’s a list of the PKCS number standards and what they are used for. If you use that language, you can communicate effectively (and also sound like you might know what you’re talking about).

#4 Make sure you thoroughly document any non-standard formats that you’re forced to use by vendors so your co-workers aren’t cursing your name whenever you’re on vacation.

#5 Be fanatical about securing your private keys, and don’t lose the passwords to your keystores.