Search the Site

 

Top
Blog

My Social
Services
Meta
Powered by Squarespace

Entries in PKI (7)

Sunday
Apr012012

Mozilla's Firefox Invalid, Yet Valid Certificate

DateSunday, April 1, 2012 at 21:59

In my line of work I get to work with a lot of security devices which run self-signed certificates. Those certificates are most of the time generated when the device / appliance is installed, or configured for the very first time. When you connect to one of those devices with a web browser, you tend to see the warnings displayed by the browser that the connection is not to be trusted.

In Firefox, you can add an exception in the browser. When you've done that, the next time you go to the website, the browsers treats the website as trusted.

Click to read more ...

AuthorWillem | Comment1 Comment |
tagged , , in , ,
Wednesday
Jun082011

Microsoft Internet Explorer and IP Addresses in Certificate SAN

DateWednesday, June 8, 2011 at 22:55

A fairy long title, but it describes exactly what this post is about. Once again a post about a Microsoft product and the way it works (or rather doesn't work) with your average Internet standard.

This week I was busy with RADIUS, 802.1x, PKI and the protection of websites with SSL encryption. For the implementation of 802.1x, I needed a PKI environment, so I used the Microsoft Certificate Services for that purpose. Along the way, I needed an SSL certificate for an internal website, but this particular website needed to work properly based on different FQDN's and or IP addresses without throwing warining or errors regarding the SSL connection.

The way to do this is to add Subject Alternative Names (SAN) to the certificate. This enables you to access the website in different ways, e.g.;

  • Access a webmail host from the internet based on its official FQDN (https://webmail.somedomain.com)
  • Access the same webmail host from the inside of the corporate lan based on its internal name (https://webmail.acme.local)
  • And access the host from legacy DNS-unaware software on its IP address (https://192.168.1.254)

Click to read more ...

AuthorWillem | Comment2 Comments | Reference6 References |
tagged , , , , , , , in , , , ,
Thursday
Jan202011

802.1x: Machine Access Restriction 'Vulnerability'

DateThursday, January 20, 2011 at 21:45

Today we ran into a feature of the Machine Authentication Restrictions (MAR) option in the Cisco Secure ACS Radius server. It seems that when you're using the ACS for 802.1x authentication, you have the option of demanding that the authenticating users can only be authenticated when the computer is already authenticated. This way, you make sure that no user can access the network without a legitimate PC.

Click to read more ...

AuthorWillem | CommentPost a Comment |
tagged , , , , , , , in , ,
Monday
Jul122010

The Problems with Apple OS X (10.6.4) Server

DateMonday, July 12, 2010 at 12:44

Updated on Monday, July 12, 2010 at 21:48 by Registered CommenterWillem

It has finally been done. I've switched off the old Windows 2003 server at home and officially replaced it with an Apple Mac mini server. For now... And with 'for now' I really mean for now. It turns out that Apple OS X Server doesn't resemble its client counterpart at all. Where the client is stable and intuitive, the server edition lacks both.

I'll try to explain why I think there's lots of room for improvement. Mainly stuff I ran into while configuring the server/services.
Since the Windows fulfilled several functions, I needed these functions to be available on the OS X server as well. These were;

  • Networking services like DNS and DHCP
  • Webserver
  • Mailserver
  • MySQL Database
  • SSH Server
  • File sharing on the internal network
  • Public Key Infrastructure for issuing certificates
  • Download station

Evaluating these functions, one would think that this shouldn't be a problem. Well it actually is.... At least some of those features.

Click to read more ...

AuthorWillem | Comments Off |
tagged , , , , in , , ,
Tuesday
Jul212009

Juniper NSMXpress 'Fun'

DateTuesday, July 21, 2009 at 21:01

Today was one of those days. First the two NSMXpress appliances failed yesterday (version 2008.2r2). No way of connecting the client gui. The webinterface and SSH connections worked fine though. Picked one up for examination, and since I had some *cough*good*cough* experiences a while back I assumed the latest software had some undocumented bug.

A back to factory defaults (version 2007.3r1) worked fine, but due to certain hardware the 2008 version was needed. So I upgraded the appliance (again) and found (while waiting) that the security certificate, used between the NSM server and the client gui, had expired on Juli 20th, 2009....... So someone forgot to update the certificates in the 2008.2r2 software.
After fixing that, the client gui worked like a charm.

Click to read more ...

AuthorWillem | CommentPost a Comment |
tagged , , , , in , , ,
Wednesday
Dec102008

SafeSign and OSX

DateWednesday, December 10, 2008 at 20:27

Updated on Thursday, April 22, 2010 at 22:07 by Registered CommenterWillem

After my blog post on OSX and Aladdin eToken I received a phonecall from Haaino @ AET Europe. He offered the SafeSign software for OSX so I could try their OSX software as well.

The SafeSign software is used with smartcards and smartcard readers like the OmniKey smartcard readers. Through my line of work, no lack of smartcards and/or readers. Only the software was missing (up till now).

Click to read more ...

AuthorWillem | Comment15 Comments |
tagged , , , , , , , in , ,
Tuesday
May202008

OpenSSH Vulnerabilities

DateTuesday, May 20, 2008 at 9:53

It seems that public key authentication isn't as save as you might have thought. That is if you're using a Debian based OpenSSH solution. This package can be found in many Linux distributions like;

  • Debian (duh ;) )
  • Ubuntu
  • Kubuntu
  • etc.

The problem is that the random number generator (which is of vital importance in generating key-pairs) isn't as random as you might think. It seems that there are only about 30.000 combinations in this specific generator. This leaves the door wide open for brute-force attacks.

So, the first you must do is update your OpenSSH software, and generate new keypairs for all devices / users which might have keys which were generated with the vulnerable OpenSSH software. Softwarepackages depending on OpenSSH are;

  • OpenVPN
  • DNSSEC
  • OpenSSH
  • Certificates used in TLS connections
  • etc.

More info on the subject can be found here [1, 2, 3].

AuthorWillem | CommentPost a Comment |
tagged , , , in , , ,