Today when I opened my self-signed secure website, it gave me the following error:
The key does not support the requested operation. (Error code: sec_error_invalid_key)
But in the past it was like:
What did I do wrong? Oh yes, Firefox upgraded to 33.0 (now 33.1); something is broken in 33+ that was working fine with Firefox 32.0?
Use this command to verify the SSL certificate for the domain www.somedomain.com
openssl s_client -showcerts -connect www.somedomain.com:443
If the certificate is correctly installed, the result should contain at the end:
Verify return code: 0 (ok)
That’s it
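The same check in scriptable form, as an added example that is not part of the original post: it reads openssl s_client output and passes only when the verify return code is 0. The function names and the two sample outputs are constructed for illustration; the -servername and -verify_hostname options are additions, so that the server presents the certificate for the requested name and a name mismatch counts as a verification failure.

```bash
#!/bin/sh
# Added example: decide pass/fail from `openssl s_client` output
# instead of reading the last lines by eye.

# Print the numeric code from the first "Verify return code:" line on stdin.
# TLS 1.3 sessions can print the line more than once, so only the first is used.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 only when stdin reports code 0. A missing line (connection
# refused, handshake failure) counts as a failure, not as success.
chain_ok() {
    [ "$(verify_code)" = "0" ]
}

# Live check (needs network; not exercised by the samples below).
#   -servername       sends SNI so the certificate for this name is served
#   -verify_hostname  turns a certificate/host name mismatch into an error
#   </dev/null        closes the session so the command returns
# Usage: check_host www.somedomain.com [port]
check_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -verify_hostname "$1" </dev/null 2>/dev/null | chain_ok
}

# Constructed tails of s_client output (not captured from a real server).
SAMPLE_OK='    Start Time: 1700000000
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)'

SAMPLE_SELF_SIGNED='    Start Time: 1700000000
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)'
```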
Firefox 7 isn't just about speed, there's also a long list of security patches. Surprisingly, a fix for the SSL BEAST attack is not one of them.
Mozilla is patching its Firefox Web browser for at least 10 vulnerabilities, seven of which are rated as being "critical." Firefox 7 was released on Tuesday offering users the promise of improved performance and better memory usage.
On the security front, the Firefox 7 release provides a critical fix for what Mozilla describes as, "Miscellaneous memory safety hazards."
"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla stated in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."
There is also a critical fix for an interesting flaw that could have been triggered by having a user hold down the 'Enter' key. By holding down the key, code could potentially be installed without a user's knowledge.
"Mariusz Mlynski reported that if you could convince a user to hold down the Enter key — as part of a game or test, perhaps — a malicious page could pop up a download dialog where the held key would then activate the default Open action," Mozilla warned.
Other critical flaws that are fixed in Firefox 7 include potentially exploitable crashes in WebGL graphics and the YARR regular expression library. Firefox 7 also provides a fix for a high impact flaw where cross-site scripting (XSS) could have been enabled via plugins.
There is also a fix in Firefox 7 for a flaw rated as "moderate" that is triggered by the motion of a device. Mozilla's advisory noted that a recent research paper detailed how it would be possible to infer keystrokes from device motion data on mobile devices.
"Web pages can now receive data similar to the apps studied in that paper and likely present a similar risk," Mozilla warned. "We have decided to limit motion data events to the currently-active tab to prevent the possibility of background tabs attempting to decipher keystrokes the user is entering into the foreground tab."
While Firefox 7 addresses multiple security issues, it is not taking specific aim at the recent disclosure of potential SSL vulnerabilities. Overall, Mozilla has publicly noted that they do not believe Firefox to currently be at risk from the SSL BEAST attack.
SSL is a critically important part of Internet security and it has come under increasing scrutiny in recent months. Last Friday, a pair of security researchers demonstrated a new attack called SSL BEAST at the ekoparty security conference in Buenos Aires, Argentina. Researchers Thai Duong and Juliano Rizzo leveraged weaknesses in cipher block chaining (CBC) in order to exploit SSL.
"The SSL standard mandates the use of the CBC mode encryption with chained initialization vectors (IV)," the researchers wrote in a white paper detailing their research. "Unfortunately, CBC mode encryption with chained IVs is insecure, and this insecurity extends to SSL."
Duong and Rizzo noted the CBC vulnerability can enable man-in-the-middle (MITM) attacks against SSL to decrypt and obtain authentication tokens.
"The novelty of our attacks lie in the fact that they are the first attacks that actually decrypt HTTPS requests by exploiting cryptographic weaknesses of using HTTP over SSL," the researchers stated.
While the SSL BEAST attack is a cause for concern, there are already technologies in place to help mitigate the risk. For one, the BEAST attack only affects the TLS 1.0 version of SSL and not later versions. One vendor that leverages a non-vulnerable version of TLS is the Tor onion router project, which provides a degree of anonymity and privacy to users.
"Tor uses OpenSSL's empty fragment feature, which inserts a single empty TLS record before every record it sends," the Tor project noted in a blog post. "This effectively randomizes the IV of the actual records, like a low-budget TLS 1.1. So the attack is simply stopped."
Google's Chrome Web browser has also taken steps to mitigate the risk.
"Chrome has already addressed the issue and the fix on the browser side is quite simple and elegant," ISC SANS security researcher Mark Hofman blogged. "We'll see the other browsers implement something similar over the next few weeks. That doesn't fix the protocol, but it will help address the immediate issue of clients being attacked in this manner."
Google engineer Adam Langley blogged that Google's own servers are also somewhat protected from the SSL BEAST attack since they use a cipher that doesn't use CBC.
While Google has already taken steps to protect its users, Microsoft sees the risk as being low.
"Microsoft is aware of the industry-wide SSL 3.0 / TLSv1.0 issue demonstrated at a recent security conference which we believe presents low risk to our customers and to the Internet," Jerry Bryant, Group Manager, Response Communications, Microsoft Trustworthy Computing said in a statement emailed to InternetNews.com. "Windows 7 and Windows Server 2008 R2 support TLSv1.1 and TLSv1.2 but due to compatibility issues with many web sites, are not enabled by default."
2011 has not been a good year for SSL. SSL has come under fire due to the exploit of a pair of certificate authorities. Both Comodo and DigiNotar were exploited this year, leaving big sites including Google and Mozilla at risk.
Pakistan newspaper The Express Tribune reports from Karachi that the country's telecommunications regulator is pressing ISPs to comply with recent regulations which restrict the use of end-to-end encryption.
Any technology which conceals communications and prohibits monitoring, it seems, is off the menu.
The Tribune quotes a letter sent to it by an ISP which had been warned by the regulator:
In line with [the Monitoring & Reconciliation of International Telephone Traffic] Regulations 2010 and national security, [the Pakistan Telecommunication] Authority prohibited usage of all such mechanisms including encrypted virtual private networks (EVPNs) which conceal communication to the extent that prohibits monitoring.
The letter continues by reminding the ISP:
It is observed that the aforementioned directive has not been followed in true letter and spirit as EVPNs are heavily being used on the Licensees Network.
This concern over the inability of law enforcement to intercept or prevent communication between criminals and militants will no doubt resonate in other countries – notably in the UK, where services such as BlackBerry's instant messaging came under the spotlight after the recent riots there.
Unfortunately, however, an internet in which encryption was banned altogether would be even more dangerous than what we have today.
You've probably heard the gun lobby's truism that "if guns are outlawed, only outlaws will have guns." Yet there are many countries where private ownership of guns – handguns, at least – has been heavily regulated or even banned outright without a concomitant increase in gun crime.
It's tempting, therefore, to argue that if we can ban guns without endangering society, despite the vigorous warnings of a vocal minority, we can do the same with cryptography. Perhaps "if crypto is outlawed, only outlaws will have crypto" is just the crazy slogan of a bunch of libertarian survivalist cypherpunks with something to hide?
The problem is that banning every sort of 'communications concealing' technology online would destroy the very fabric of the internet's law-abiding use. There would be no SSH, no SSL, no TLS, no HTTPS. There would be no WiFi security. Online commerce would implode.
Whether the private ownership of weapons is as big a threat to society as some like to make out is an argument for another day, because cryptography on the internet isn't like handguns in the suburbs.
In most developed countries, you don't routinely need to pack a Browning Hi-Power when you visit your local bank branch. (Even in countries where that's legal, the bank would probably make you lock it in a safety deposit box at the entrance, anyway.)
In contrast, you do routinely need to use an SSL-protected tunnel to the bank when you transact online.
Significantly, the bank needs you to do so, as well. And if you don't, you're actually playing into the hands of the crooks.
So the next time you hear a nanny-state advocate oppose the general availability of strong crypto on the grounds that "if you've got nothing to hide, you don't need to hide anything", don't just sigh in dismay.
Confront them with the inanity of their remark. (Unless they've got a Browning Hi-Power. In that case, give a little smile and leave as soon as you can.)
* If you have nothing to hide, then it doesn't matter whether you choose to hide it or not, does it?
* Online, you do have things to hide. And if you and the rest of us don't hide it as a matter of course, the cybercrooks will plunder our economy more seriously than they're doing already.
In short, if you want to do away with online crypto, you're making things easier for the crooks, not harder. And that, I'm sorry to have to say, is a truism.
Take cryptography seriously. Protecting your own online assets helps protect everyone else, too.
Sources:
http://tribune.com.pk/story/240736/virtual-watchdog-internet-users-banned-from-browsing-privately-for-security-reasons/
http://nakedsecurity.sophos.com/2011/08/29/pakistan-move-against-online-crypto-a-dangerous-idea/?utm_source=facebook&utm_medium=status%2Bmessage&utm_campaign=naked%2Bsecurity