This week, I registered for the next Document Interop Initiative (DII) workshop being held at Microsoft. (Details here) The meet-up is centered around the new XML Advanced Electronic Signatures (XAdES) support in Office 2010. In my opinion, this is a great step forward for Office’s digital signature support, as XAdES provides the appropriate XML schemata to embed timestamps, revocation information and countersignatures within a digital signature on a document. Timestamp and embedded revocation support are two of the chief advantages that Acrobat digital signatures have held over Office for the past several years. Finally enabling this functionality will allow Office to compete with Acrobat on a more even playing field in terms of allowing robust, more auditable signature workflows. I’m[…]

Everyone has their browser of choice; mine is Firefox, because of its level of extensibility and huge collection of user-created add-ons. There are many useful add-ons that deal with security. Here are 4 that deal specifically with SSL and certificates, and two that are just useful in general.

Export All Certificates: This add-on allows you to export all of the trust roots from Firefox in one operation. I can’t really think of a situation where this would be extremely useful, but it may be convenient for testing purposes. https://addons.mozilla.org/en-US/firefox/addon/141504

Conspiracy: This plug-in adds some UI next to the SSL icon that shows the country of origin for the root certificate that issued an SSL cert. https://addons.mozilla.org/en-US/firefox/addon/107867

CipherFox: Displays the current[…]

Last week, Google labs released a new free web analyzer tool called Skipfish (project details here). I haven’t had a chance to play with it yet, although I hope to soon, since I have a new web application almost ready to go live. Skipfish appears to support a ton of features, such as “Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients,” which, although I can only barely understand it, sounds very impressive.

The vulnerabilities scanned for include:

High risk flaws (potentially leading to system compromise):
Server-side SQL injection (including blind vectors, numerical parameters).
Explicit SQL-like syntax in GET or POST parameters.
Server-side shell command injection[…]

In general, Windows does a decent enough job of securing software keys in CAPI. Sure, you can open up Windows Explorer, browse to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, and take a look at your private key files. These bare files, of course, are not exactly plain text. The RSA Machine Keys (which include private keys corresponding to software certificates) are encrypted using the Data Protection API (DPAPI). The DPAPI encryption method is based on the use of a Master Key – a 512-bit random blob that is created using PKCS #5 Password-Based Key Derivation. This process takes the user’s account password, applies the SHA-1 hash algorithm, sends the hash plus a salt to the key derivation algorithm, and then iteratively calls another PKCS[…]

The internet is full of unsavory characters who want to steal your personal information and/or money. This has been widely accepted for quite some time. Recently, some good articles have appeared online regarding what to do if you think you’re being scammed, especially by pop-up ads that look like anti-virus software (http://www.fbi.gov/pressrel/pressrel09/popup121109.htm, http://voices.washingtonpost.com/securityfix/2009/09/what_to_do_when_rogue_anti-vir.html). While these articles focus on what to do if you’re hit with such an attack, I’d like to present a few rules of thumb that I use whenever I see any type of message that looks suspicious, whether it is from a pop-up ad, e-mail or letter that purports to be from my bank, or even an unexpected phone call from someone claiming to be from a[…]

After recently upgrading to Windows 7, I installed our company’s SimpleCAPI tool to import some test certificates for a project. While I was unit testing my new code, I discovered some strange things had occurred during the certificate import process. Some native CAPI code I had written was failing with a “KeySet does not exist” error, but only for certain certificates. So, I fired up SimpleCAPI again, deleted the certificates, and re-imported them. After doing that, the unit tests ran fine. Some time later, I ran into a similar problem unit testing another segment of code, and the same fix worked for that problem as well. After retracing my steps a bit and trying to re-create the error, I found[…]