1. Trust issues (and the web), 03 - Convergence

    In a previous post I promised that I would check out some of the solutions that promise a safer and thus better web.

    This is part two, Convergence.

    How does it work?

    Convergence replaces the certificate authorities (CA) used traditionally in SSL by an independent distributed authorities, called notaries.

    It totally ignores the CA that issued a sites certificate and instead checks the certificate over all activated notaries. These can be added, removed or disabled on personal preference; so you don't have to trust a bunch of faceless corporations which are each a SPOF in the whole concept(!), but can instead trust a number of notaries working together.

    This can be one of your own servers in your LAN (providing no MITM security towards the internet), another one of your servers reachable over the internet, and the server of people or organizations you may or may not trust all over the world.

    Than you can decide if it is enough for you if only one notary validates the requested certificate - bad idea, perhaps even a little worse than the CA system. However, the default is to gain a majority validation. This means every active notary will be checked and ...

    read more

  2. Flashrom support for AMD SP5100?

    I recently bought a very neat little Supermicro mainboard, with AMD's Socket C32 and a SP5100 chipset.

    I did so because it is neat hardware, I needed to replace my home-server - and mainly because it is supported by Coreboot. Unfortunately, it turns out that there is no version with a socketed BIOS chip out there (and resoldering a SOIC16 socket isn't easy) despite some pictures showing it. Even more unfortunate was that it turned out that flashrom didn't support flashing the board either.

    The reason for this is, that AMD's Soutbridge 700 series makes noise on the SPI bus with its IMC (Integrated Microcontroller), so you can't safely flash because data gets corrupted.

    Luckily AMD has recently released a new version of the SB700/SP5100 register datasheet that documents how to turn the IMC off, and Frederic Temporelli has already added support which is waiting for inclusion in flashroms inbox: 1/2 and 2/2.

    I haven't tried it out yet, but I'll do so in the next couple of days.

  3. Trust issues (and the web), 02 - Web Of Trust

    In my last post I promised that I would check out some of the solutions that promise a safer and thus better web.

    Let's start with Web Of Trust (WOT).

    In contrast to some of the other things I plan to take a closer look at, WOT is not related to transport security or any cryptographic methods to ensure site integrity.

    It actually works like Mandatory Access Controls (MAC) with a user centric (as apposed to a system centric) approach.

    How does it work?

    WOT is a combination of client side software, usually a brower plugin (who would have guessed :P), and a central database that contains per-domain based ratings, provided by users as well as "trusted sources". The latter are (well-known) security sources, such as blacklists from security vendors, and similar material.

    The browser plugin, which exists at least for Firefox and Chrome, is available under GPLv3. It checks every domain, that is either querried or linked to, against the WOT central database and aquires a rating based on the previously mentioned sources.

    Feedback is given to the user via an easily visible graphical indicator (green = good, yellow = so-so, red = bad, grey = no rating yet), as well as ...

    read more

  4. Trust issues (and the web)

    The last couple of days, a company named DigiNotar was in the news for issueing fake SSL certificates. I don't need and want to go into details, but what was clear before, has now officially been proven big time: The whole trust concept of SSL certificates and with it a corner stone of http security does not work and thus is completely worthless. The sad thing is, that this is the only http/web security system supported on a large scale to this day.

    Overall the concept of trusting a hand full of companies out of good will is just stupid. Each and every one of them is very susceptible to single hackers or small groups of hackers, not to mention foreign agencies and more importantly local agencies with proper funding or even a "legal" way to mess with certificates.

    So, what is a solution that works? Learn from filesharing. To this day a lot of filesharing networks have been put down due to the SPOF nature they share with the CA companies. A single target which can compromise the whole network and system. What followed was decentralization - and with so many other systems (from network architecture over source ...

    read more

  5. server fail and more

    While I was on vacation, my old vServer provider decided to inform me via a 2-liner that my vServer has been nuked. At first it was supposed to be only a short power outage, but a day later a mail came in, that all data is gone. This certainly wasn't the first time I doubted the ability of the provider to maintain his machines, so it finally pushed me to move on.

    Anyway, while it might be overkill for me, I'm finally on real hardware (and OVH is ridiculously cheap) and while it isn't failsafe in any way, I'm much more comfortable by being able to maintain it myself completely.

    As you can see, my old blog is also gone. I could have restored the backup, but I wanted to move from blogofile 0.7 to 0.8 for a while and never had the time and motivation to do so - so I decided to just restore my few posts and set up blogofile 0.8 with the simple-blog profile from scratch. I'm currently working on the templates and the CSS to make it look decent again, but this may take some time, as I ...

    read more

« Page 2 / 3 »