SSL

26c3 Berlin

Thursday, December 31, 2009 

26c3 was a blast, as was Berlin. It’s a good conference in the olde school hacker style: mostly younger people, mostly wearing black. There weren’t a lot of women, but Carolyn, Isabella, and Meredith tried to even out the ratio a bit.

Some of the best lectures included one by some German engineers working on the lunar x-prize. They had their prototype rover with them and gave a great talk about the various challenges.

Another great one was Dan Kaminski’s talk on PKI. I don’t agree with the premise that SSL should be a reliable method for identifying the owners of websites as people just can’t tell the difference between bankofamerica.com and bancomerica.com and so it doesn’t make anyone safer if the bankofamerica site is super green if bancomerica.com is also super green, and so the complexities of getting an accepted certificate simply reduce the use of secure connections and the overall security of the internet. But he had some pretty great attacks on the security of SSL that causes problems no matter what.

We enjoyed fuzzing the phone as well. It was a very entertaining talk on attacking phones with crafted SMSes. The method of creating the attacks was very clever – rooting the phone, redirecting the radio to a wifi link to a CPU so they could try zillions of SMS and see what would happen. In the process they discovered they could remotely root the communications manager (which runs as root). And %n to specific windows phones and they’ll crash and fail to reboot until the SMS is cleared out of the inbox.

Berlin is a great city and it was fun working in the shadow of the TV tower.

We made reservations for lunch but we could tell it wasn’t going to be a great day. In the end it was a very intimate lunch with pretty clouds pressing against the glass.

The fog lifted but was replaced by snow, which is a lot of fun in a city when you don’t have to drive.

IMG00220-20091228-0842.jpg

IMG00224-20091229-1405.jpg

IMG00225-20091229-1438.jpg

IMG00226-20091230-1303.jpg

IMG00230-20091230-1653.jpg

IMG00214-20091228-0802.jpg
Posted at 11:42:34 GMT-0700

Category: Cell phonesEventsFreeBSDLinuxphotoPlacesTechnologyTravelWeather

Cleaning Out Duplicate IMAP messages

Saturday, October 17, 2009 

Find some great IMAP scripts here.

There are a number of ways to end up with a lot of duplicate messages in an IMAP folder, and while IMAP tends to handle very large stores gracefully, it is possible to hose things.  On my 32 bit server and with Mulberry as a client things get weird after about 15,000 messages in a single folder.

Google does some odd things and at one point a periodic check of my gMail account resulted in about 70,000 messages in a single folder, which definitely caused some chaos.

I thought that was pretty impressive, but my girlfriend just managed to get 144,000 messages in a single folder.  Woo Hoo!!!  High Score.

Anyway, things like the dedup plugins for Thunderbird can just make things worse at that point as they seem to fail gracelessly on very large message counts.

I found that Rick Sander’s perl scripts are the best way out of this difficult situation.  delIMAPdups.pl solves the problem without running out of memory or munging files.  I haven’t had any lost data and just tested by clearing about 1400 dups out of a directory of 15,000 messages (my 2009 store to date).
/.delIMAPdups.pl -S example.com:993/user/pass -m INBOX.2009 -p
-m is the mailbox to expunge
-p is purge
-S means use SSL

Posted at 23:49:53 GMT-0700

Category: FreeBSDTechnology

Logicmail send via gmail

Tuesday, September 1, 2009 

Tonight probably wasn’t the best night to try to configure logicmail to send via gmail.  I went through every permutation then found out that gmail is flaking out tonight.  Go Cloud Computing.  Brilliant idea to trust your business to the cloud. Anyway, I did get LogicMail to work.  It isn’t the fastest way to get your mail, but it connects via IMAP to my home server to read (never a problem) which means the client is synchronized with Mulberry (running on 3 computers) and Roundcube webmail and whatever else.

I also sync to gmail using procmail on my server to forward selected messages to my gmail account.  Google’s mobile mail clients are great, by gmail does not work as an imap client and so reply/read status doesn’t get updated on my server, which is the canonical reference.  I can remember for a quick reply, but I forget when I’m using my blackberry in some extended way and then when I get to a real client I sometimes double answer, which can be embarrassing…

LogicMail still has problems with certain TLS authentication schemes, which I use on my server, and so I can’t seem to send through my own SMTP, but thankfully gmail lets me send through theirs with the only penalty being the Return-Path: <youraccount@gmail.com> header.

I used:
Server: smtp.gmail.com
Use Secure Connection: SSL
Port: 465
Authentication: LOGIN
Username: youraccount@gmail.com
Password: *********
(don't use MDS proxy)

Posted at 23:48:50 GMT-0700

Category: Technology

Verisign Cold Calls to Push Pay Certs

Monday, August 3, 2009 

I got an interesting call from 305-800-1000 claiming to represent Verisign. Whoever was calling (“they,” not necessarily Verisign, but I don’t have any reason to doubt that) had reviewed my site and found I was using a CACert certificate, which the caller accurately pointed out generates a warning in most browsers, and accurately pointed out might turn users away for no valid reason whatsoever except that I didn’t pay Verisign for the privelege of using encyrption and FireFox penalizes me for not having done so.

They thought I should “upgrade” to a Verisign cert.

I politely explained that I understood that CACert isn’t included in most default browsers and that it should be and that charging for certificates was a scam and that I absolutely would not be switching and I was doing my part to make the web a better place.  Amazingly, the caller actually seemed to understand my off-script rant and thanked me for my time.

I hate the current cert model.  It is totally broken.  People seem to think that certs work as a trust tool and if only you give people big enough, annoying enough warnings they’ll not trust a free, expired (or perhaps even illegitimate) cert.  The problem is that certs are a pain in the ass.  Recently my BlackBerry started telling me Google Maps’ cert had expired.  Did I not use maps until they fixed it?  Would you?  No, of course not.   You just pick through an extra stupid dialog.  The worst thing about the new FireFox update is the real estate wasted on cert validity and the astonishingly annoying “are you absolutely sure you trust this cert?” dialogs.

The only valid reason for SSL is so that when you’re at a coffee shop or on an untrusted networks, it is harder for people to sniff your passwords.  That’s it. It completely fails as a validity check, no matter how big and red the policeman warning logo is.  It always fails for a number of reasons:

  1. A bad cert doesn’t mean anything.  “Green” certs are absurdly expensive (they should be free), expire, and are hard to manage so one frequently finds bad certs on known good sites.
  2. A good cert doesn’t  mean anything.  All it means is that the site paid and the URL matches.  But even a place like a bank might have dozens of URLs for different parts of their service and so getting a green cert for www.my-bank.com is just as good as www.mybank.com.  If the site looks the same, most people will log right in to either.
  3. Nobody pays any attention anyway.  And they really shouldn’t.

In the end this is a disaster for net neutrality.  There are some interesting debates about FireFox’s new, intrustive dialog boxes.  The cold call I just got is a natural consequence of a FUD policy which in effect reduces interent security to the benefit of people selling certificates FireFox approves.  If it turns out there is financial benefit flowing from the vendors of “approved” certificates to FireFox, I’ll never use it again.   Even without impropriety, I think Mozilla has done a grave disservice to the internet.

Posted at 12:56:39 GMT-0700

Category: PoliticsTechnology

Courier IMAP 4.2.0 breaks SSL-Authd on 993

Sunday, October 14, 2007 

Updating to Courier IMAP 4.2.0_1 broke authentication with SSL on 993 for roundcube (and perhaps others) but not for Thunderbird. The following worked for me:

Change:

TLS_PROTOCOL=SSL3

to:

TLS_PROTOCOL=SSL23

in /usr/local/etc/courier-imap/imapd-ssl

(from this fine site)

Posted at 13:12:47 GMT-0700

Category: FreeBSDTechnology

updating bothers

Saturday, October 6, 2007 

Apache LogoPHP  Logo
I recently did a portupgrade -ra on my server after some period of complacence. It was instigated by having to clean out my mySQL logs after they ate up 30GB of disk space and caused some table corruption.

Anyway, the key details were that
apache+mod_ssl-1.3.37+2.8.28 > needs updating (port has 1.3.39+2.8.30)
php5-5.2.3 > needs updating (port has 5.2.4)

(among about 50 others)

Some foreshadowing.. once I updated and rebooting I get in /var/log/messages only
kernel: pid 1127 (httpd), uid 0: exited on signal 11 (core dumped)
and in /var/log/httpd-error.log only
[info] mod_unique_id: using ip addr 66.93.181.130
every time I “apachectl start” (and after setting apache.config log level to “debug”)

No go.

Much email searching ensued, but Torfinn Ingolfsen on the free-bsd-stable mailing list suggested looking at PHP. Turned out disabling php.so in httpd.conf got apache sort of working, but that was no help, so I thought, eh, why not migrate to apache 2.2.6?

That helped a lot. First the default config didn’t get run with SSL (crash) but that was hinted in the config files

Oct 02 11:30:26 2007] [info] mod_unique_id: using ip addr 66.93.181.130
[Tue Oct 02 11:30:27 2007] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Oct 02 11:30:27 2007] [info] Loading certificate & private key of SSL-aware server
[Tue Oct 02 11:30:27 2007] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

so I disabled that for the moment. But I was also getting periodic seg faults from Apache. No details (even less than with 1.3.39). Disabling PHP made them go away, but at least apache 2 was self-restarting, so aside from log pollution, no problem…

It occurred to me that my make.conf -O2 compiler specification might be part of the problem, so I changed just that to -O1 and recompiled with portupdate -rf PHP and no more seg faults. 5.2.3 had no trouble with -O2, but 5.2.4 doesn’t seem stable with O2 optimization.

The SSL problem was that /usr/local/etc/apache22/httpd.conf had a bit at the end about the following being present to support starting SSL… blah blah, 3rd line from the bottom “SSLEngine on.” It was turning on the engine twice since I was using extra/httpd-ssl.conf already. I commented that line out and everything seems fine now.

Posted at 11:00:15 GMT-0700

Category: FreeBSDTechnology