On this page

MD5-signed X.509 certificates in trouble
Internet Explorer HttpOnly Cookie extension implemented in all major browsers
ReSharper v4.5 nightly previews started
Update for .Net Fx 3.5 SP1 available
Google Chorme v1.0 is out
Live Client Applications Wave 3 Updated
Silverlight 2.0 RTM
Tired of all the UAC prompts?
CLR vNext with side-by-side support
IE8 with HTML 5 improvements
Mono at Microsoft PDC



The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

RSS 2.0 | Atom 1.0 | CDF

Send mail to the author(s) E-mail

Total Posts: 83
This Year: 0
This Month: 0
This Week: 0
Comments: 5

Sign In

# Wednesday, December 31, 2008
MD5-signed X.509 certificates in trouble
Wednesday, December 31, 2008 10:25:26 AM UTC ( Security )

Security researchers have proven a successful collision attack against MD5-signed X.509 certificates. This would enable an attacker to create their own X.509 certificate with same digital signature as the original certificate. This certificate can then be used to sign additional certificates and provide whatever details they please, all trusted by existing security infrastructures. This will work great phishing and man-in-the-middle attacks.

This was performed using a cluster of 200 PlayStation 3’s and is reproducible with a couple of days of computing.

The risks inherent when using the MD5 hash algorithm have been known for quite some time and the recommendation is to move to the SHA family. Most certificates should as such be signed with SHA-1 instead of MD5, but history has proven that there are always old installations and old configurations around.

The following public Certificate Authorities are still using MD5 signing:

    • RapidSSL
    • FreeSSL
    • TrustCenter
    • RSA Data Security
    • Thawte

The security researchers sampled 30.000 certificates, whereof 9.000 were using MD5 and 97% of those were issued by RapidSSL.

It’s time to review the algorithm used on your certificates; hopefully it is using SHA. This is easily verifiable if you look at the certificate properties. This is not a problem with EV certificates as they do not support the MD5 algorithm.

Microsoft recently issued this security advisory.

Comments [0] | | # 
Internet Explorer HttpOnly Cookie extension implemented in all major browsers
Wednesday, December 31, 2008 9:36:17 AM UTC ( Browsers )

The WebKit engine was recently enhanced with the HttpOnly Cookie feature originally introduced in Internet Explorer. This is a security feature that restricts access to certain cookies making them only available for HTTP requests and not from JavaScript running within the browser; a feature originally developed to help with XSS attacks.

The next versions of Safari and Google Chrome will most likely include these updated bits completing the browser lineup as Internet Explorer, FireFox and Opera already have this feature implemented.

Nice to see innovation being accepted and implemented across the board.

Comments [0] | | # 
# Friday, December 26, 2008
ReSharper v4.5 nightly previews started
Friday, December 26, 2008 12:31:13 AM UTC ( Tools )

The Early Access Program for ReSharper v4.5 just started and nightly builds are available for download. Keep in mind that these are not official beta releases, but automated builds straight from the development branch. The current release has a few very useful features as well as performance and memory optimizations.

Solution-wide analysis has been updated with unused code detection that will highlight unneeded code segments throughout your solution. If you have a layered architecture with multiple solutions you will have to up a new solution that includes all your projects for this to work correctly. If you are doing some Christmas cleaning you may want take these new bits for a spin. It also features a much more flexible naming standard configuration.

Download here.

Comments [2] | | # 
# Sunday, December 21, 2008
Update for .Net Fx 3.5 SP1 available
Sunday, December 21, 2008 5:54:02 PM UTC ( )

If you had any issues with .Net FX 3.5 SP1, or if you are holding it back for some reason, it’s time to head over to KB959209 and get this patch.

It contains a set of fixed for both the .Net 2.0 and the .Net 3.0 bits that were patched as a part of this release. There is also a list of fixes incase you have been noticing some strange behavior lately.

The .Net Fx 3.5 Service Pack 1 contained quite a few interesting optimizations, and is well worth the install.

Comments [0] | | # 
# Tuesday, December 16, 2008
Google Chorme v1.0 is out
Tuesday, December 16, 2008 8:57:04 AM UTC ( )

It looks like Google decided to fast track a version 1 release, probably hoping it will be an acceptable deployment for enterprise and computer manufacturers.

It is still lacking a few important features like client certificate support, but it’s fast and stable. If you are heavy user of Google web applications and want the extra features or simply looking for new browser alternative head on over to Google to give it a spin. If you just want to test it you can simply leave the ‘make it my default browser’ setting unchecked, it’s easy to change that once you become a true believer.

Comments [0] | | # 
Live Client Applications Wave 3 Updated
Tuesday, December 16, 2008 8:47:45 AM UTC ( )

A update to the Windows Live Essentials package has been released. This includes Live Messenger, Live Mail, Live Writer, Live Photo Gallery and more. Make sure you uncheck any checkboxes for things you don’t want, and be mindful of the last settings page with home page and search engine settings.

This appears to be a release candidate build, and we should expect a final release very soon.

Get your bits at

Comments [0] | | # 
# Tuesday, October 14, 2008
Silverlight 2.0 RTM
Tuesday, October 14, 2008 8:28:11 AM UTC ( )

Finally, Silverlight v2.0 has been released and is now available for download.

This, to me, is really the first version of Silverlight. It’s the first version with a modern development environment, a rich set of controls and a familiar development framework.

You will even find a Eclipse-based development environment, if you are somewhere where you are unable to use Visual Studio.

Go fetch!

Comments [0] | | # 
# Sunday, October 12, 2008
Tired of all the UAC prompts?
Sunday, October 12, 2008 10:23:59 AM UTC ( Security | Tools )

Norton Labs have created a utility that removes a lot the UAC annoyances you may be experiencing in Windows Vista. It allows you to configure a list of applications that can be launched in admin mode without incurring a UAC prompt, basically a “do not ask me again” dialog. Great for everyday applications like Visual Studio.

May be a better solution than disabling it completely ;)

There is one caveat though, it will send information to Norton whenever you get a prompt. It will send the filename and hash of the files involved, as well as your response. The intention is to create a white list that will be shipped with the finished product.

There is a free beta version and a FAQ available at Norton Labs, both X86 and X64 editions.

Comments [1] | | # 
# Saturday, October 11, 2008
CLR vNext with side-by-side support
Saturday, October 11, 2008 10:19:31 AM UTC ( Architecture )

Reading around the PDC site for some scoops into the future, I’m pleased to see one session covering how the CLR vNext will support side-by-side versioning of CLRs within the same process.

This may seem like a rather obscure requirement at first, but keep in mind we now have CLR v1.0, CLR v1.1, CLR v2.0 and the new CLR v2.0 shipped with .Net Framework 3.5 SP1. Luckily these CLRs and their libraries are largely compatible. However, over the years of .Net  the industry has written countless of components that they probably expect to be able to use for some time to come, even in-process. As our development tools and new frameworks keep pushing us up the stack to the next version of .Net, we will probably see some issues soon.

Hopefully, this feature goes beyond providing support for multiple Silverlight version within the same browser process, and enables us to use CLR 2.0 components from CLR vFuture. If this is the case, I'm looking forward to see how they will be providing interoperability, or if we’ll have to use an in-proc WCF channel for this purpose.

Maybe this may even be a hint that Microsoft is not expecting backwards compatibility between the current and future CLRs, and their libraries.

Comments [0] | | # 
IE8 with HTML 5 improvements
Saturday, October 11, 2008 10:00:44 AM UTC ( Web )

There is a very interesting post about AJAX improvements on the IEBlog. Looking past all the improvements in cross domain communication, I am particularly pleased to see that they are actively following the HTML 5 work, and implementing new functionality in accordance with the current working draft.

Also nice to see that IE8 features are becoming a part of the HTML 5 drafts.

In short, with all the focus around alternate browsers and standard compliance, it’s good to see that the IE team is hard at work.

Comments [0] | | # 
# Wednesday, October 8, 2008
Mono at Microsoft PDC
Wednesday, October 8, 2008 2:47:23 PM UTC ( Mono )

This was slightly unexpected, but I’m happily surprised that Miguel de Icaza will host an official session about Mono during this years Microsoft PDC in Los Angeles. Usually, we only see Microsoft employees presenting at this conference.

Perhaps Microsoft is warming up to Mono – it would allow development of .Net clients on other platforms – convenient for their new Cloud Services push?

Comments [0] | | #