Category Archives: Tech News

Buggy Domain Validation Forces GoDaddy to Revoke Certs

GoDaddy has revoked SSL certificates for more than 6,000 customers, and begun the process of re-issuing them, after a bug was discovered in the registrar’s domain validation process.

The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer.

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process,” Thayer said in a statement. “The bug caused the domain validation process to fail in certain circumstances.”

Part of the validation process involves the registrar sending customers, via email, a validation code that the customer places on their site. Thayer explained that the system searches a particular spot for the code in order to complete validation.

“When the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found,” Thayer explained, adding that GoDaddy was not aware of any compromises related to the bug.
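The article does not say what GoDaddy’s checker searched for or how it misfired, so the following is an added illustration, not GoDaddy’s code: a Python model of one well-known way an HTTP file-based domain-control check can report success when the file does not exist. The validation code is also part of the requested URL, and a catch-all server configuration answers 200 for every path while echoing the URL into a friendly error page; a weak validator that accepts “200 plus the code somewhere in the body” passes, while a strict validator that requires the body to be exactly the code does not. The path, the server behaviours and the codes are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical location of the validation file; the article does not name the
# spot GoDaddy's checker searched.
VALIDATION_DIR = "/.well-known/hypothetical-validation/"


@dataclass(frozen=True)
class HttpResponse:
    status: int
    body: str


Fetcher = Callable[[str], HttpResponse]


def make_controlled_server(token: str) -> Fetcher:
    """Constructed server: the customer placed the code file exactly where asked."""
    def fetch(path: str) -> HttpResponse:
        if path == VALIDATION_DIR + token:
            return HttpResponse(200, token + "\n")
        return HttpResponse(404, "Not Found")
    return fetch


def soft404_server(path: str) -> HttpResponse:
    """Constructed server: a catch-all configuration that answers 200 for every
    path and echoes the requested URL in a friendly error page. No code file exists."""
    return HttpResponse(200, f"<html><body>Sorry, {path} was not found.</body></html>")


def proper404_server(path: str) -> HttpResponse:
    """Constructed server: no code file and a real 404 for unknown paths."""
    return HttpResponse(404, "Not Found")


def sloppy_validate(fetch: Fetcher, token: str) -> bool:
    """Weak check: HTTP 200 plus the code appearing anywhere in the body.

    The code is also part of the requested URL, so any server that reflects
    the URL into a 200 page passes without the file existing.
    """
    resp = fetch(VALIDATION_DIR + token)
    return resp.status == 200 and token in resp.body


def strict_validate(fetch: Fetcher, token: str) -> bool:
    """Hardened check: HTTP 200 and a body that, trimmed, equals the code exactly.

    A page that merely mentions the code fails; the comparison is constant-time.
    """
    resp = fetch(VALIDATION_DIR + token)
    if resp.status != 200:
        return False
    return hmac.compare_digest(resp.body.strip().encode(), token.encode())


def run_scenarios(token: Optional[str] = None) -> Dict[str, Tuple[bool, bool]]:
    """Run both validators against each constructed server.

    Returns {server_name: (sloppy_result, strict_result)}.
    """
    token = token or secrets.token_hex(16)
    servers: Dict[str, Fetcher] = {
        "controlled": make_controlled_server(token),
        "soft404": soft404_server,
        "proper404": proper404_server,
    }
    return {name: (sloppy_validate(f, token), strict_validate(f, token))
            for name, f in servers.items()}


if __name__ == "__main__":
    for name, (sloppy, strict) in run_scenarios().items():
        print(f"{name:<11} sloppy={sloppy!s:<5} strict={strict}")
```

The soft-404 row is the one that matters: the weak check reports control of a domain whose owner never placed anything, which is exactly the kind of false positive that forces a CA to revoke and re-validate. Requiring an exact-content match (and, in a real checker, also refusing redirects to other hosts and validating from more than one network vantage point) removes the reflection case.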

The issue did expose sites running SSL certs from GoDaddy to spoofing: an attacker could obtain a certificate for a domain they did not control and pose as the legitimate site in order to spread malware or steal personal information such as banking credentials.

GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.

“This process will be identical to the process they followed when their previous certificates were issued. (If a customer has more than one revoked certificate associated with their customer account, they will be able to initiate the certificate process for each domain within the SSL Panel.)” Thayer said. “The SSL Panel provides helpful information and instructions that should allow customers to easily process the certificate online.”

Affected websites will still resolve, GoDaddy said, but customers may see untrusted-site error warnings.

Experts, meanwhile, caution that as more Certificate Authorities such as Let’s Encrypt, which provides free certs in an automated fashion, come online, more errors like this one could crop up.

“I only see more of them happening,” said Kevin Bocek, vice president of security strategy at Venafi. “We’re seeing faster and faster certification validation with organizations like Let’s Encrypt turning up the competition [among CAs]. And things like DevOps driving faster certificate issuance. And with organizations moving to the cloud, you’re going to have more machines doing these types of requests for new certificates.

“It’s all software,” Bocek said. “It could all have bugs. In the past year, we’ve seen more and more of these reports and the trend is going to continue.”

Let’s Encrypt has taken great strides toward fulfilling its promise of bringing free encryption and SSL to the web by simplifying and automating the process. Let’s Encrypt isn’t alone; Amazon, Cloudflare and others also offer free SSL certs in one form or another. Let’s Encrypt uses ACME (Automated Certificate Management Environment), an open API, to automate certificate requests and issuance. And it’s working; in October, Mozilla telemetry that was made public showed that for the first time, more than half of all traffic in transit is encrypted.

“There are going to be more demands on CAs and more and more machines doing requests,” Bocek said, adding that while ACME is great for efficiency, it is taking people out of the process. He recommends that organizations familiarize themselves with NIST guidance on preparing for and responding to CA compromises.

“Everyone,” Bocek said, “needs to have a plan and an automated way to get around this.”

Security Now 591: Law Meets Internet

Leo and Steve discuss Russia’s hacking involvement in the US Election; that, incredibly, it gets even worse for Yahoo!, misguided anti-porn legislation in South Carolina, troubling legislation from Australia, legal confusion from the Florida appellate court, some good news from the U.S. Supreme Court, Linux security stumbling, why Mac OS X got an important fix last week, the Steganography malvertising attack that targets home routers, news of a forthcoming inter-vehicle communications mandate, professional cameras being called upon to provide built-in encryption, LetsEncrypt gets a worrisome extension, additional news, errata, miscellany… and how exactly DOES that “I really really promise I’m not a robot (really!)” non-CAPTCHA checkbox CAPTCHA work?

What is OpenBazaar?

OpenBazaar is an open source project to create a decentralized network for peer to peer commerce online—using Bitcoin—that has no fees and no restrictions.

Right now, online commerce means using centralized services. eBay, Amazon, and other big companies have restrictive policies and charge fees for listing and selling goods. They only accept forms of payment that cost both buyers and sellers money, such as credit cards or PayPal. They require personal information, which can lead to it being stolen or even sold to others. Buyers and sellers aren’t always free to exchange goods and services with each other, as companies restrict entire categories of trade.

OpenBazaar is a different approach to online commerce. It puts the power back in the users’ hands. Instead of buyers and sellers going through a centralized service, OpenBazaar connects them directly. Because there is no one in the middle of your transactions there are no fees, no restrictions, no accounts to create, and you only reveal the personal information that you choose.


How does OpenBazaar work?

Let’s say that you are looking to sell your old laptop. Using the OpenBazaar client (a program you download), you create a new product listing on your computer with details just like you would on any ecommerce site. When you publish that listing, it is sent out to the distributed p2p network of other people using OpenBazaar. Anyone who searches for the keywords you’ve used—laptop, electronics, etc.—will find your listing.

If you both agree to a price, the client creates a contract between you both with your digital signatures, and sends it to a third party called a moderator. These moderators are also folks on the OpenBazaar network—could be your neighbor or someone across the world—who the buyer and seller trust in case something goes wrong. The third party witnesses the contract and creates a multisignature Bitcoin account (multisig) that requires two of three people to agree before the Bitcoin can be released.

The buyer then sends the agreed upon amount to the multisig address. You get a notification saying the buyer has sent the funds, and you ship the laptop to them and mark that it has been shipped. The buyer receives it a few days later, and they mark it received, which releases the funds from multisig to you. You got your Bitcoin, the buyer got the laptop; no fees paid, no one stopped your trade, everyone’s happy.

What if something goes wrong?

As we all know, things don’t always go smoothly. What if you’re buying a certain book from a seller, you pay the multisig, and they ship you the wrong one, or it was in poorer condition than advertised, or they don’t even send a product at all?

This is where the third party comes in. Remember that a multisig requires two of three people to agree in order to move the Bitcoin. They control the third key to the multisig, so the funds will not move until either the buyer and seller work out an arrangement themselves, or the third party agrees with either the buyer or seller on how to deal with the transaction and funds in multisig.
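The two-of-three rule described in the previous two sections (the happy path where buyer and seller release the funds, and the dispute path where the moderator sides with one of them) can be modelled in a few dozen lines. The following Python is an added example, not OpenBazaar’s code: Bitcoin’s multisig script and ECDSA signatures are replaced by an HMAC stand-in so it runs offline, and the order id, amount and party names are constructed. What it shows is the property the post relies on: no single party, moderator included, can move the funds, and signatures over one outcome do not count toward a different one.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Mapping, Tuple


@dataclass(frozen=True)
class Party:
    """One of the three escrow participants. `key` stands in for a signing key."""
    name: str
    key: bytes


def sign(party: Party, message: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 under the party's key (not Bitcoin ECDSA)."""
    return hmac.new(party.key, message, hashlib.sha256).digest()


def verify(party: Party, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(party, message), sig)


@dataclass(frozen=True)
class Escrow:
    """A 2-of-3 escrow over a fixed amount, modelled on the multisig the post describes."""
    escrow_id: str
    amount_sat: int
    parties: Tuple[Party, Party, Party]  # buyer, seller, moderator
    threshold: int = 2

    def release_message(self, payee: str) -> bytes:
        """Canonical bytes a signer commits to: this escrow, this payee, this amount.
        Signing 'pay the seller' does not authorise 'refund the buyer'."""
        return json.dumps(
            {"escrow": self.escrow_id, "payee": payee, "amount_sat": self.amount_sat},
            sort_keys=True,
        ).encode()

    def try_release(self, payee: str, signatures: Mapping[str, bytes]) -> bool:
        """Release to `payee` only if at least `threshold` distinct known parties
        have validly signed this exact release message."""
        msg = self.release_message(payee)
        by_name = {p.name: p for p in self.parties}
        approvers = {
            name for name, sig in signatures.items()
            if name in by_name and verify(by_name[name], msg, sig)
        }
        return len(approvers) >= self.threshold


def run_scenarios() -> Dict[str, bool]:
    """Exercise the escrow with the outcomes discussed in the post. Constructed data."""
    buyer = Party("buyer", secrets.token_bytes(32))
    seller = Party("seller", secrets.token_bytes(32))
    moderator = Party("moderator", secrets.token_bytes(32))
    esc = Escrow("order-0001", 2_500_000, (buyer, seller, moderator))

    pay_seller = esc.release_message("seller")
    refund_buyer = esc.release_message("buyer")

    return {
        # Happy path: buyer marks the laptop received, seller co-signs; moderator idle.
        "buyer_and_seller_pay_seller": esc.try_release(
            "seller", {"buyer": sign(buyer, pay_seller), "seller": sign(seller, pay_seller)}),
        # Seller alone cannot take the funds.
        "seller_alone": esc.try_release("seller", {"seller": sign(seller, pay_seller)}),
        # Moderator alone cannot move funds either.
        "moderator_alone": esc.try_release("buyer", {"moderator": sign(moderator, refund_buyer)}),
        # Dispute: wrong book shipped; moderator sides with the buyer.
        "moderator_and_buyer_refund": esc.try_release(
            "buyer", {"buyer": sign(buyer, refund_buyer), "moderator": sign(moderator, refund_buyer)}),
        # Disagreement: each party signs a different outcome; neither reaches two.
        "split_signatures": esc.try_release(
            "seller", {"buyer": sign(buyer, refund_buyer), "seller": sign(seller, pay_seller)}),
        # Re-submitting one party's signature under another name does not count twice.
        "replayed_signature": esc.try_release(
            "seller", {"seller": sign(seller, pay_seller), "buyer": sign(seller, pay_seller)}),
    }


if __name__ == "__main__":
    for name, released in run_scenarios().items():
        print(f"{name:<30} released={released}")
```

The `release_message` binding is the detail worth noticing: because the payee and amount are part of what each party signs, a buyer’s signature on a refund can never be combined with a seller’s signature on a payout to reach the threshold, which is what lets the moderator act as a tiebreaker rather than a custodian.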

These steps may sound complicated, but the details are handled by the client itself. Our goal is for buyers and sellers to have an even better experience using OpenBazaar than the old centralized platforms.

Timeline

OpenBazaar version 1.0 has been released, and you can download it here. If you want to keep up to date on announcements and releases, please subscribe to our subreddit.

Submit bug reports and suggestions for improvement to our Github repositories, either server or client.

Feel free to drop into our Slack room. We’re happy to help you get a node running or answer your questions.

Developers can visit our developer resource page. Obviously any code submitted to the project is much appreciated!

You can also donate Bitcoin to this address to help us pay for seed servers, the website, and other project costs like conferences.

Let’s make trade free, together.

Bring Back the Honeypots

https://www.youtube.com/watch?v=W7U2u-qLAB8

Honeypots were all the rage in the ’90s. A raft of tools (and even a world-wide alliance) sprung up extolling their virtues, but they never managed to live up to their hype, and they were largely relegated to researchers and tinkerers on the fringes. At the same time, we have the Verizon DBIR telling us that most companies are first informed by third parties that they have been breached. This is a stupid situation to be in. Well-deployed honeypots can be invaluable tools in the defender’s arsenal, and don’t need to look anything like the honeypots of old. From application-layer man-traps to booby-trapped documents, from network-level deception to cloud-based honeypottery, we are bringing honeypots back! During this talk, we will discuss and demonstrate the current state of the art regarding honeypots. We will explore the factors that limit adoption (and discuss how to overcome them). We will demonstrate new techniques to make your honeypots more “hacker-discoverable” and will share data from running actual honeypots in real organizations. We will also discuss (and release) OpenCanary, our new open source honeypot, along with supporting scripts and utilities. Over the past few years, honeypots have gotten a bit of a bad rap. We will give you tools, techniques and takeaways to move them from geeky time-wasters to the most useful pieces of kit you will deploy.