I haven't really had any spare time I felt would be best spent writing something here lately, so I think it is at least time for a short update.
The title is not only one of my favorite Dream Theater songs (if you can call 23 minutes a song) - here it also means that my favorite time of the year is coming. And yes, apparently you can go skiing in October. :)
2300m:
3200m:
Now, off to Sweden.
In a previous post I promised that I would check out some of the solutions that promise a safer and thus better web.
This is part two, Convergence.
Convergence replaces the certificate authorities (CA) used traditionally in SSL by an independent distributed authorities, called notaries.
It totally ignores the CA that issued a sites certificate and instead checks the certificate over all activated notaries. These can be added, removed or disabled on personal preference; so you don't have to trust a bunch of faceless corporations which are each a SPOF in the whole concept(!), but can instead trust a number of notaries working together.
This can be one of your own servers in your LAN (providing no MITM security towards the internet), another one of your servers reachable over the internet, and the server of people or organizations you may or may not trust all over the world.
Than you can decide if it is enough for you if only one notary validates the requested certificate - bad idea, perhaps even a little worse than the CA system. However, the default is to gain a majority validation. This means every active notary will be checked and ...
I recently bought a very neat little Supermicro mainboard, with AMD's Socket C32 and a SP5100 chipset.
I did so because it is neat hardware, I needed to replace my home-server - and mainly because it is supported by Coreboot. Unfortunately, it turns out that there is no version with a socketed BIOS chip out there (and resoldering a SOIC16 socket isn't easy) despite some pictures showing it. Even more unfortunate was that it turned out that flashrom didn't support flashing the board either.
The reason for this is, that AMD's Soutbridge 700 series makes noise on the SPI bus with its IMC (Integrated Microcontroller), so you can't safely flash because data gets corrupted.
Luckily AMD has recently released a new version of the SB700/SP5100 register datasheet that documents how to turn the IMC off, and Frederic Temporelli has already added support which is waiting for inclusion in flashroms inbox: 1/2 and 2/2.
I haven't tried it out yet, but I'll do so in the next couple of days.
In my last post I promised that I would check out some of the solutions that promise a safer and thus better web.
Let's start with Web Of Trust (WOT).
In contrast to some of the other things I plan to take a closer look at, WOT is not related to transport security or any cryptographic methods to ensure site integrity.
It actually works like Mandatory Access Controls (MAC) with a user centric (as apposed to a system centric) approach.
WOT is a combination of client side software, usually a brower plugin (who would have guessed :P), and a central database that contains per-domain based ratings, provided by users as well as "trusted sources". The latter are (well-known) security sources, such as blacklists from security vendors, and similar material.
The browser plugin, which exists at least for Firefox and Chrome, is available under GPLv3. It checks every domain, that is either querried or linked to, against the WOT central database and aquires a rating based on the previously mentioned sources.
Feedback is given to the user via an easily visible graphical indicator (green = good, yellow = so-so, red = bad, grey = no rating yet), as well as ...
The last couple of days, a company named DigiNotar was in the news for issueing fake SSL certificates. I don't need and want to go into details, but what was clear before, has now officially been proven big time: The whole trust concept of SSL certificates and with it a corner stone of http security does not work and thus is completely worthless. The sad thing is, that this is the only http/web security system supported on a large scale to this day.
Overall the concept of trusting a hand full of companies out of good will is just stupid. Each and every one of them is very susceptible to single hackers or small groups of hackers, not to mention foreign agencies and more importantly local agencies with proper funding or even a "legal" way to mess with certificates.
So, what is a solution that works? Learn from filesharing. To this day a lot of filesharing networks have been put down due to the SPOF nature they share with the CA companies. A single target which can compromise the whole network and system. What followed was decentralization - and with so many other systems (from network architecture over source ...