Is Big Brother In Your Web Browser?

Have you ever considered that the U.S. government, the NSA for example, might have the capability to break into an SSL-encrypted session between you and your bank and eavesdrop on the conversation? That thought alone should give you pause the next time the padlock icon lights up in your browser and you assume you are browsing securely.

In a purely hypothetical example, the U.S. government compels a publicly trusted Certificate Authority (CA) to issue it a certificate for www.amazon.com. It then poisons your DNS so that your traffic for www.amazon.com is routed to a server it owns with that certificate installed. Your browser checks that the certificate chains to a root in its trust store, finds that it does, and shows you the pretty green bar or little lock, so you think everything is cool, safe and secure. Or, it places a device between you and your target and performs SSL interception there, with no DNS trickery needed at all (that device still has to present a certificate your browser trusts, which brings us right back to the CA).

Never put anything past the U.S. government and its intelligence-gathering capabilities; I think that is a safe theory to operate under. Even though movies like Enemy of the State and Déjà Vu, where the government employs nifty intelligence-collection techniques, require some suspension of disbelief, something as simple as eavesdropping on SSL-encrypted communications should not be underestimated.

In fact, performing an SSL man-in-the-middle “attack” with a web proxy that decrypts and re-encrypts the traffic is not difficult at all. It is far more believable in a corporate setting, where the IT department controls the operating system and web browser and can push its own root certificate into the trust store, so the certificates the proxy mints on the fly are accepted without a warning. That does not mean it is unheard of elsewhere.
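The two scenarios above, a certificate for the real hostname issued by a different CA and an interception proxy whose root sits in the trust store, both pass ordinary chain validation. The following shell script is an added example, not part of the original post: it uses the openssl CLI to build a throwaway “real” root and leaf for www.amazon.com and a second “interception” root and leaf for the same name (every key, name and root here is constructed locally for the demo), shows that each leaf validates against its own root exactly as a browser with that root installed would see it, and then applies a public-key pin (the base64 SHA-256 of the leaf's SubjectPublicKeyInfo, the format browsers later used for HPKP) that the interception certificate cannot satisfy.

```shell
#!/bin/sh
# Added example, not the post's own code. Needs the openssl CLI.
# Every root, leaf and hostname below is constructed locally for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT: self-signed root at $WORK/NAME.pem with key NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" 2>/dev/null
}

# issue_leaf CA NAME HOST: leaf certificate for HOST signed by $WORK/CA.pem
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok ROOT CERT: succeeds when CERT chains to ROOT. This is all the
# padlock tells you, so any root pushed into the trust store passes it.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# spki_pin CERT: base64(SHA-256(SubjectPublicKeyInfo)), the HPKP pin format
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# pin_ok CERT PIN: succeeds only when CERT carries the pinned public key
pin_ok() {
  [ "$(spki_pin "$1")" = "$2" ]
}

# The CA the site really uses, and the pin a client would record for it.
make_ca realroot "/CN=Constructed Public Root"
issue_leaf realroot real www.amazon.com
PIN=$(spki_pin "$WORK/real.pem")

# A second root (compelled CA or corporate proxy) issuing the same name.
make_ca evilroot "/CN=Constructed Interception Root"
issue_leaf evilroot fake www.amazon.com

# Trust-store view: whichever root is installed, its leaf validates.
chain_ok "$WORK/realroot.pem" "$WORK/real.pem" && echo "real leaf: chain OK"
chain_ok "$WORK/evilroot.pem" "$WORK/fake.pem" \
  && echo "fake leaf: chain OK under the interception root (padlock shown)"

# Pin view: the interception leaf carries a different public key.
pin_ok "$WORK/real.pem" "$PIN" && echo "real leaf: pin OK"
pin_ok "$WORK/fake.pem" "$PIN" || echo "fake leaf: pin mismatch, interception detected"
```

Run it with `sh` on a machine that has openssl. The `chain_ok` calls show why a root slipped into the trust store is enough to earn the padlock; `pin_ok` is the extra check a client that already knows the site's real public key can make, and it is the one an on-path proxy cannot pass without that key.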

What is the point? Be careful who you trust when you are supposedly surfing securely. Educate yourself on the techniques SSL uses and how they function. In most cases there is nothing to be concerned about, but it is important to understand that SSL is not the end-all, be-all of network security: the padlock only tells you that the server presented a certificate chaining to some root your browser trusts, not that the root deserved that trust. SSL has its own shortcomings, as eloquently articulated in this article.

Encrypted Search

Google commits to security with its rollout of SSL-encrypted search. Note that this has nothing to do with how Google itself tracks your search habits.

From the Google Blog:

…today we’re gradually rolling out a new choice to search more securely at https://www.google.com.

Google will still retain search data to improve search quality and provide better service. Searching over SSL does not reduce the data sent to Google; it only hides that data from third parties on the network who would otherwise see it.

HOWTO Configure Apache for SSL with DoD CAC Authentication on Ubuntu 9.04

Administering Linux servers is an art form that few master, because it is mostly command-line driven. Windows, on the other hand, while a highly complex beast, has taught most administrators that configuration can be accomplished through a simple point-and-click interface.

One of the more difficult Linux tasks is properly configuring an Apache web server; the sheer power Apache can wield is evident in the enormous number of configuration options available. Setting up Apache on Linux for SSL-based DoD Common Access Card (CAC) client-certificate authentication is pure freaking magic. Learn how to configure an Ubuntu Linux 9.04 (Jaunty Jackalope) server to perform this much-needed function!


HTTPS Aloof On Gmail, Facebook And Other Major Websites

Google does a disservice to its Gmail users by not turning on HTTPS by default, and so do Facebook, MySpace, Hotmail, Twitter and other websites that require you to log on with a username and password.

These and other sites that do not use SSL for their logon page could almost be called negligent in their lack of support for user privacy: without it, your username and password cross every network between you and the site in the clear.

So why is the ‘S’ in HTTPS important?

