# Wednesday, 31 December 2008
MD5-signed X.509 certificates in trouble
Wednesday, 31 December 2008 10:25:26 UTC ( Security )

Security researchers have demonstrated a successful collision attack against MD5-signed X.509 certificates. It lets an attacker create their own X.509 certificate carrying the same digital signature as the original certificate. That certificate can then be used to sign additional certificates with whatever details they please, all trusted by existing security infrastructures. This works well for phishing and man-in-the-middle attacks.

This was performed using a cluster of 200 PlayStation 3s and is reproducible with a couple of days of computing.

The risks inherent in using the MD5 hash algorithm have been known for quite some time, and the recommendation is to move to the SHA family. Most certificates should therefore be signed with SHA-1 instead of MD5, but history has proven that there are always old installations and old configurations around.

The following public Certificate Authorities are still using MD5 signing:

    • RapidSSL
    • FreeSSL
    • TrustCenter
    • RSA Data Security
    • Thawte
    • verisign.co.jp

The security researchers sampled 30,000 certificates, of which 9,000 were using MD5, and 97% of those were issued by RapidSSL.

It’s time to review the algorithm used on your certificates; hopefully it is using SHA. This is easily verifiable if you look at the certificate properties. This is not a problem with EV certificates as they do not support the MD5 algorithm.
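
The check described above can be automated. The script below is an added example and not code from the original post: a minimal DER walker, using only the Python standard library, that reads the outer signatureAlgorithm field of a certificate and flags the MD5 OID. The sample certificate it builds is a constructed skeleton, not a real CA-issued certificate; the OID constants are the standard PKCS#1 values.

```python
"""Report the signature algorithm of an X.509 certificate (DER or PEM).

Added example, not code from the original post. It uses only the
standard library: a minimal DER walker pulls the outer
signatureAlgorithm OID out of the Certificate SEQUENCE and flags MD5.
The sample certificate below is constructed here and is not a real
CA-issued certificate.
"""
import ssl

# PKCS#1 signature algorithm OIDs (RFC 3279 / RFC 4055).
MD5_RSA = "1.2.840.113549.1.1.4"
SIGNATURE_OIDS = {
    MD5_RSA: "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OID content octets into dotted notation."""
    arcs = list(divmod(value[0], 40))
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Dotted OID of the certificate's outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)


def is_md5_signed(cert_der):
    """True when the certificate should be replaced because it is MD5-signed."""
    return signature_algorithm(cert_der) == MD5_RSA


def describe(cert_pem):
    """PEM input (e.g. a file exported from the certificate properties
    dialog) -> (oid, algorithm name, needs_replacement)."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    oid = signature_algorithm(der)
    return oid, SIGNATURE_OIDS.get(oid, "unknown"), oid == MD5_RSA


# --- helpers that build a constructed sample certificate for the demo -------

def _tlv(tag, value):
    """Encode one DER TLV, using long-form length where needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    """Dotted OID -> content octets (base-128 arcs, high bit = continue)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid):
    """Constructed certificate skeleton: dummy tbsCertificate, the given
    AlgorithmIdentifier (OID + NULL parameters) and a dummy BIT STRING."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 129)        # unused-bits octet + 128 dummy bytes
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in (MD5_RSA, "1.2.840.113549.1.1.11"):
        der = make_sample_cert(oid)
        print(SIGNATURE_OIDS[signature_algorithm(der)],
              "-> replace" if is_md5_signed(der) else "-> ok")
```

For a real certificate, export it as Base64 (PEM) from the properties dialog and pass the file contents to `describe`; the walker only looks at the outer AlgorithmIdentifier, which is the field the browser uses when verifying the signature.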

Microsoft recently issued this security advisory.

Internet Explorer HttpOnly Cookie extension implemented in all major browsers
Wednesday, 31 December 2008 09:36:17 UTC ( Browsers )

The WebKit engine was recently enhanced with the HttpOnly cookie feature originally introduced in Internet Explorer. This is a security feature that restricts access to selected cookies so that they are sent only with HTTP requests and cannot be read by JavaScript running within the browser; it was originally developed to limit the impact of XSS attacks.
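
The difference the attribute makes is easy to show on the server side. The snippet below is an added example and not code from the original post: it emits Set-Cookie headers with Python's standard http.cookies module, with and without HttpOnly, and simulates the browser rule described above (HttpOnly cookies still ride along in requests but are left out of document.cookie). The cookie names and values are constructed for the demo.

```python
"""Set-Cookie with and without HttpOnly, and what page script would see.

Added example, not code from the original post. Python's standard
http.cookies module emits the HttpOnly attribute; script_visible_cookies
simulates the browser rule the post describes: cookies carrying HttpOnly
are sent with HTTP requests but are left out of document.cookie. The
cookie names and values are constructed for the demo.
"""
from http.cookies import SimpleCookie


def set_cookie_headers(session_id, theme, http_only=True):
    """Build the Set-Cookie header lines a server would emit.

    The session identifier gets HttpOnly (and Secure) when http_only is
    True; the theme preference is deliberately left script-readable."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["path"] = "/"
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = http_only   # the IE-originated attribute
    jar["theme"] = theme
    jar["theme"]["path"] = "/"
    return ["Set-Cookie: " + morsel.OutputString() for morsel in jar.values()]


def _parse_set_cookie(header):
    """Split one Set-Cookie line into (name, value, {attribute names})."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    pair, *attrs = [p.strip() for p in body.split(";")]
    name, _, value = pair.partition("=")
    return name, value, {a.split("=", 1)[0].lower() for a in attrs}


def script_visible_cookies(headers):
    """What document.cookie would expose after the browser stores these
    cookies: every cookie except those flagged HttpOnly."""
    visible = {}
    for header in headers:
        name, value, attrs = _parse_set_cookie(header)
        if "httponly" not in attrs:
            visible[name] = value
    return visible


def request_cookies(headers):
    """What the browser sends back in the Cookie header: all of them,
    HttpOnly or not, so the server-side session keeps working."""
    return {name: value for name, value, _ in map(_parse_set_cookie, headers)}


if __name__ == "__main__":
    for flag in (False, True):
        headers = set_cookie_headers("s3cr3t", "dark", http_only=flag)
        print("HttpOnly" if flag else "no HttpOnly")
        for h in headers:
            print("  ", h)
        print("   document.cookie sees:", script_visible_cookies(headers))
        print("   Cookie header carries:", request_cookies(headers))
```

With the flag set, an injected script can still read the theme cookie but not the session identifier, which is the whole point of marking session cookies HttpOnly; the server sees both cookies in every request either way.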

The next versions of Safari and Google Chrome will most likely include these updated bits, completing the browser lineup, as Internet Explorer, Firefox and Opera already have this feature implemented.

Nice to see innovation being accepted and implemented across the board.

# Friday, 26 December 2008
ReSharper v4.5 nightly previews started
Friday, 26 December 2008 00:31:13 UTC ( Tools )

The Early Access Program for ReSharper v4.5 just started and nightly builds are available for download. Keep in mind that these are not official beta releases, but automated builds straight from the development branch. The current release has a few very useful features as well as performance and memory optimizations.

Solution-wide analysis has been updated with unused code detection that will highlight unneeded code segments throughout your solution. If you have a layered architecture with multiple solutions, you will have to set up a new solution that includes all your projects for this to work correctly. If you are doing some Christmas cleaning, you may want to take these new bits for a spin. It also features a much more flexible naming standard configuration.

Download here.

# Sunday, 21 December 2008
Update for .Net Fx 3.5 SP1 available
Sunday, 21 December 2008 17:54:02 UTC ( )

If you had any issues with .Net FX 3.5 SP1, or if you are holding it back for some reason, it’s time to head over to KB959209 and get this patch.

It contains a set of fixes for both the .Net 2.0 and the .Net 3.0 bits that were patched as part of this release. There is also a list of fixes in case you have been noticing some strange behavior lately.

The .Net Fx 3.5 Service Pack 1 contained quite a few interesting optimizations, and is well worth the install.

# Tuesday, 16 December 2008
Google Chrome v1.0 is out
Tuesday, 16 December 2008 08:57:04 UTC ( )

It looks like Google decided to fast track a version 1 release, probably hoping it will be an acceptable deployment for enterprise and computer manufacturers.

It is still lacking a few important features like client certificate support, but it’s fast and stable. If you are a heavy user of Google web applications and want the extra features, or are simply looking for a new browser alternative, head on over to Google to give it a spin. If you just want to test it, you can simply leave the ‘make it my default browser’ setting unchecked; it’s easy to change that once you become a true believer.

Live Client Applications Wave 3 Updated
Tuesday, 16 December 2008 08:47:45 UTC ( )

An update to the Windows Live Essentials package has been released. This includes Live Messenger, Live Mail, Live Writer, Live Photo Gallery and more. Make sure you uncheck any checkboxes for things you don’t want, and be mindful of the last settings page with home page and search engine settings.

This appears to be a release candidate build, and we should expect a final release very soon.

Get your bits at download.live.com.
