Posts tagged ssl blacklist

Testing Mozilla Firefox 3.5 Beta 4

This morning I decided to give Firefox 3.5 Beta 4 from Mozilla Labs a try.

I'm really interested in a lot of what they're doing, including their development of HTML 5 support for <audio> and <video> elements and closer CSS 2.1 support including text shadows. I haven't tested the former, but the latter is definitely working; not sure whether I'd ever use such shadows on my own pages but it's good to see Firefox catching up to Safari/WebKit, Opera and Konqueror/KHTML in this regard.

Testing CSS 2.1 test shadows

According to the development page, another feature is vastly improved JavaScript support which should be most noticeable in Ajax applications. I'm old fashioned and am of the opinion most Ajax online is poorly executed (plus I dislike it when sites only work with JavaScript enabled) but to be fair Gmail and Google Maps did seem quicker and the interfaces worked more smoothly; that said I don't have any hard numbers so this could all just be attributable to a placebo effect.

Mac users like me will be pleased to note some quite significant cosmetic changes which make Firefox look more Mac-like. Context menus now finally match Mac OS X Leopard's rounded corners, the bookmark bar has a much more subdued gradient which looks classier and the toolbar itself takes up less screen real estate.


Given I use so many extensions I admit I was worried how many of them would break in the beta; to my relief only two were broken, and neither is security related. SSL Blacklist (now my favourite extension alongside NoScript) in the version I had was incompatible, but updating to version 4.0.31 and the SSL Blacklist Local Database 1.0.7 fixed this. Clipmarks reports to be compatible, but alas doesn't work for me at all.

Compatible with 3.5b4:
Adblock Plus 1.0.2
BetterPrivacy 1.29
British English Dictionary 1.19
DownThemAll! 1.1.3
FireFTP 1.0.4
FoxClocks 2.5.33
Ghostery 1.4.0
NoScript 1.9.2.8
Permit Cookies 0.6.2
SSL Blacklist 4.0.31
SSL Blacklist Local D’Base 1.0.7
Tree Style Tab 0.7.2009051501

Not compatible with 3.5b4:
Clipmarks 3.5.1
Greasemonkey 0.8.20090123.1
LORI 0.2.0.20080521

I look forward to the final release, as usual the Mozilla folks are doing a fantastic job.


Credit card fraud on rise, IT security thoughts

ANZ and Westpac bank buildings on an appropriately drizzly day in central Adelaide, by Dodge 76 on Flickr

After reading the headline, I was expecting this news story from the ABC (Australia) to be about predatory lending, exploitation or other unwarranted behaviour on the part of financial institutions. Alas no, it was a report on how people are becoming victims of people who steal their credit card information, not of banks!

ABC News: Credit card fraud on the rise: report

By Online business reporter Michael Janda and staff

An industry report has identified a rise in the rate of internet and telephone credit card fraud.

Figures from the Australian Payments Clearing Association (APCA) show the credit card fraud rate was 45 cents per $1,000 in 2007, but in 2008 it had climbed to 53 cents.


Icon from the Tango Desktop project

There were very good points regarding why banks themselves don't in fact do more to prevent fraud which I encourage you to look at if you're interested.

Several comments though were about using your credit card to shop online, but they were mostly limited to discussing virus protection. I usually just click the "Agree" link next to comments because people on the ABC News website are generally more eloquent and succinct than I am, but this time I figured an explanation was in order.

Kudos to people saying they were expecting the article to be about exorbitant credit interest rates, I did too!

As for the technical question, virus protection and firewalls are only a tiny part of the equation. Especially if you run Microsoft Windows you absolutely MUST keep your system current with patches and security fixes. Viruses, worms and trojan horses (three very different beasts) take advantage of weaknesses that often have already been fixed but that people haven’t bothered to guard against. Conficker is the latest example of this.

There’s also the issue of “social engineering” where instead of blindly sending messages out to millions of addresses, they watch your online activity so they can gather enough information about you to send you an email as a trusted person who you may let your guard down for.

If you use Mozilla Firefox (anyone still using Internet Explorer is dumb, sorry that’s just accepted fact now) the SSL Blacklist plugin from CodeFromThe70s.org helps guard you against suspicious “secure” web authorities, and the “BetterPrivacy” plugin (just Google it) helps guard against the next generation of malicious cookie spying. The weakest part of any system though is the USER, so just stay vigilant and remember if something is too good to be true it usually is. Like those misleading “low balance transfer” advertisements!

In retrospect I shouldn't have called Internet Explorer users dumb. Some casual computer users may still not know, other people like my dad wish they could change but can't because their company machines can't be altered.


Awesome security and privacy Firefox extensions

I’ve been promising for a while to list all the extensions I use for Mozilla Firefox. Given I have a stack of homework to do and other chores and errands, it seems now is as good a time as any.

Each of these is a reason why I use Firefox over other browsers!

NoScript

If you’re only ever going to install one add-on, make it this one. NoScript cops a lot of nonsense and flak from people for being tedious and a pain to use, but it really is very simple and after a few days of using it, it becomes second nature.

NoScript works as a whitelist by blocking all dynamic content on pages by default such as Flash and JavaScript, but when you go to a page you trust you click the NoScript icon and choose "Allow Site". You can even "Temporarily Allow" pages that you suspect aren’t working properly without JavaScript but that you don’t necessarily want to permanently add to your whitelist.

As for customising, I suggest disabling the "Show message about blocked scripts" because it’s a bit redundant. I also suggest removing the NoScript icon from your toolbar and accessing it from the status bar instead, it takes up less space and will be conveniently located next to other extensions with menus.

SSL Blacklist

This protects you from suspect root certificate authorities, and if you prefer not pinging their server every time you access a secure page, you can also download their database as an extension. As a bonus, the newest version will also warn you if you’re accessing a site whose certificate uses the now vulnerable MD5 hash that I’ve talked about before, very cool.

BetterPrivacy

Protects you from so called Super Cookies such as Adobe Flash LSOs [Wikipedia link] which can be used to track you. Spooky stuff.

Cookie Monster

NoScript got me used to the idea of blocking everything by default and only allowing sites I trust to execute code. Cookie Monster is a lightweight extension that does the same thing for cookies.

Another such pair of extensions are CookieSafe and CS Lite, the latter of which I used to use for a while. They’re both extremely sophisticated but I found I never used any of their advanced features.

BlockSite

BlockSite is a simple, lightweight and very easy to use blacklist utility which does what you think it does. The only thing I wish it did was allow you to right click (or CTRL click on Mac) a link and add the target site to your blacklist.

Adblock Plus (discussed on my usability Firefox extensions post) used to be able to block entire websites, but later versions removed this functionality for some reason: BlockSite fills this void nicely.


Sites that are still using MD5

The SSL Blacklist add-on warning screen after loading a page

If you’re a Mozilla Firefox user and you haven’t installed the SSL Blacklist add-on from CodeFromThe70s.org yet, you should absolutely go there right now and click the sslblacklist-4.0.30.xpi link. By installing this plugin you can help protect yourself from suspect SSL root certificate authorities, as well as make sure the sites you’re visiting are no longer using the demonstrably flawed MD5 hash algorithm.

ASIDE: I’d argue this plugin along with NoScript are the two greatest arguments for using Firefox. No other browser is a match for Firefox with these plugins. I feel naked, cold and scared using anything else now.

MD5 is still probably safe, but the fact it has been shown to have problems should alert people running websites to move over to an SHA hash instead. If you find such a site, you absolutely want to let their admins know about it.

So far I’ve installed SSL Blacklist on my dad’s, sister’s and my machines and we’ve been warned the following sites are using MD5:

If we find any more we’ll add them to the list. Feel free to post a comment with links too. Be careful though, my spam filters block anything with more than three links so you may need to space them out. Cheers.


Protect yourself against MD5 certificates

SSL Blacklist showing that Gmail doesn't use the vulnerable MD5 algorithm, and that its certificate issuer isn't on their black list.

I'm typing this post this evening on my beautiful 2002-vintage iBook with Mac OS X Tiger. Still going strong, definitely the most reliable and dependable system I've ever owned.

To be serious now though: it's official folks, there is now awareness of weaknesses in the MD5 algorithm used to sign secure certificates online. Sites that use the more secure SHA1 algorithm are safer, and RapidSSL is now offering it in place of MD5. Still, some sites continue to use MD5, meaning that if you connect to them you're not really getting a secured connection.

From CodeFromThe70s.org:

An attack has been demonstrated yesterday that highlights the practicality of the well-publicized weaknesses of the MD5 algorithm. Essentially, any certificate signed with the MD5 algorithm may be counterfeit.

There is […] a large number of CAs out there, and it is certain that some of them will continue to use MD5 for one reason or another.

Therefore it may be prudent to avoid, or, at the very least, not place much trust in websites that authenticate themselves with the help of MD5. After all, there is no way to automatically distinguish between a chain with a genuine MD5-based certificate signature and a chain with a counterfeit certificate.

A solution to this is a Mozilla Firefox plugin called SSL Blacklist which places a small certificate notice in the bottom right hand side of your browser that indicates whether a page's certificate is signed with SHA1 or with the weak MD5. This allows you to make informed decisions when using secured sites, and to let existing web hosts know that they should upgrade.
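The check behind that MD5 notice (and behind the "sites still using MD5" list above) comes down to reading one field of the certificate: the signatureAlgorithm OID. As an added illustration, not code from SSL Blacklist or from this blog, here is a minimal stdlib-only Python decoder for that field; the certificate bytes it runs on are a constructed skeleton, not a real certificate.

```python
# Signature-algorithm OIDs from RFC 3279 / RFC 4055 (PKCS #1 with RSA).
SIG_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "ok"),   # "ok" as of 2009; since deprecated
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
}

def _tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OID content octets to dotted form (base-128 arcs, first byte = 40*a+b)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return (oid, name, verdict) for a certificate's outer signatureAlgorithm."""
    tag, body, _ = _tlv(cert_der, 0)       # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(body, 0)              # skip tbsCertificate
    _, alg_id, _ = _tlv(body, pos)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_raw, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(oid_raw)
    name, verdict = SIG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, verdict

def constructed_cert(last_oid_byte):
    """Constructed skeleton, NOT a real certificate: a one-field TBS, the chosen
    PKCS #1 signature OID (only the final arc varies), and a dummy BIT STRING."""
    tbs = bytes([0x30, 0x03, 0x02, 0x01, 0x01])                   # SEQUENCE { INTEGER 1 }
    alg = bytes([0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
                 0xF7, 0x0D, 0x01, 0x01, last_oid_byte, 0x05, 0x00])  # + NULL params
    sig = bytes([0x03, 0x02, 0x00, 0xFF])                         # BIT STRING placeholder
    body = tbs + alg + sig
    return bytes([0x30, len(body)]) + body
```

To check a live site, pass it ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))); note that the demonstrated attack targets MD5-signed intermediate CA certificates, so the whole chain, not just the leaf, needs the same check.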

Even before this vulnerability was demonstrated this plugin was a useful addition to the security conscious internet user's toolkit, but this latest release makes it indispensable. If you don't have it, in other words, grab it now! This is an order!

UPDATE: Steve Gibson also goes into great detail about the exploit and the plugin to protect yourself in Security Now 177.