browser – Phocean.net

CVE-2009-3555: Safari not yet patched ???

phocean — Sun, 10 Jun 2012 18:17:59 +0000

The other day I was shocked to find this entry in my Apache logs:

[error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

It occurs appears when I try to use a SSL client certificate with Safari. Of course, authentication is broken as it just fails on an 403 error page.

So it seems that Safari is the last browser which was not patched against CVE-2009-3555 !

2009 !! At least, I quickly checked the other browsers I had around and they were fine: IE, Firefox, Chrome… I am having an issue with Opera also, but although I have not identified the problem yet, it seems unrelated (and does not throw the same error).

Note that I reported the issue to Apple, but I did not receive any answer. Silence on the wire.

Tabnabbing

phocean — Mon, 04 Jul 2011 21:08:02 +0000

On his website, Aza Raskin calls it Tabnabbing. Don’t miss the video there and the test web page. It is so simple and probably efficient with most users. Certainly another dangerous phishing attack.

Cloud in the security sky or should I see a psychologist?

phocean — Sat, 05 Feb 2011 18:22:45 +0000

The “cloud” is a buzz word that has been around for months. The marketing guys are pushing it so hard that every IT guy will hear of that at work soon or later.

Taking a decision whether to use it or not requires some deep knowledge, because if its pros are clear – you can count on the salesmen to get a great picture of it again and again, its cons are silenced.

Too bad, a major disadvantage is security. But guess what? The other day an “analyst” presenting his study about cloud computing just cleared out the issue in 3 words :

“Concerning the people who doubt of the security in the cloud, it is a typical psychological issue of theses persons fearing change or something new . There is really nothing concrete to worry about cloud security.”

Well, not sure I am going to see a psychologist. Of course the guy did not give any solid argument, so here we go.

In short, cloud computing expose to the Internet services that were, in normal conditions, always kept inside an internal network and behind peripheral protections.

Of course, these services offer authentication, but basically almost every traditional web attacks will work as usual. After all, we are talking about the same web portal, the same users, the same browsers, etc.

Let quickly summarize the potential threats: CSRF, XSS, phishing, SSL attacks (MiTM, certificate spoofing), browser exploits and many more.

So really, it is not a question of being crazy, paranoid or reluctant to change. There are just many issues that don’t make the cloud useless but should incite to caution.

Cloud computing can be used for what it is good at (flexibility, convenience) but not to replace a datacenter. It should not be used if security is a concern.

Don’t listen to the salesman only, read what some specialists are saying. Here is a compilation of some interesting articles I found :

Black Hat 2009 presentation : pdf and summary
Owasp presentation (pdf)
Dangers in the cloud
So you think *your* capability model is bad? (browser’s weak design)

And last but not least, in case our favorite salesman keeps pushy:

But that’s not all. The same goes with “virtualization everywhere”, but that will be another topic…

Microsoft’s Zozzle, Javascript malware detector

phocean — Tue, 01 Feb 2011 00:07:54 +0000

In an effort to detect malicious Javascript code, Microsoft is developing a tool named Zozzle, aimed to be embedded into the Javascript engine of a browser.
The authors claim that it is both fast and efficient with a very low rate of false positive.

Here is the report for more details.