Security Basics mailing list archives

RE: Checkpoint smart defance as IPS


From: "Craig S Wright" <craig.wright () information-defense com>
Date: Mon, 7 Jun 2010 07:55:17 +1000

An RA is an internal CA; it is trusted by chaining. Please read up on this
before making arbitrary comments. Yes, there is a cost to this and I have
not commented on this as this will vary, but then a Checkpoint license is
also a cost.

Again, SSL is perceived by many as secure. So what? Security is not
perception. This is a point that you continue to miss.

Again, SSL is about privacy, not security. Privacy can be a part of a
security solution, but it is not security in itself.

Craig

-----Original Message-----
From: Shreyas Zare [mailto:shreyas () secfence com] 
Sent: Monday, 7 June 2010 2:33 AM
To: craig.wright () information-defense com
Cc: security-basics () securityfocus com
Subject: Re: Checkpoint smart defance as IPS

Hi Craig,


On Sat, Jun 5, 2010 at 1:58 AM, Craig S. Wright
<craig.wright () information-defense com> wrote:
> I did not say that an organisation publishes certificates on the web. These
> are used internally. There is no illegality here. Illegality comes from
> fraud. I do not believe that I have ever stated this as a valid course of
> action, let alone for companies.

Even if you don't use the fake certificates outside the organization,
it would still breach the terms you agreed with the CA. If an
organization wants to achieve this anyway, a simple solution would be
to use an internal CA with a directory service instead of wasting
money and getting into legal trouble by setting up an RA. Many companies
won't be capable of getting their own RA anyway, so your suggestion in the
context of this thread is no good.



> Fraud consists of an intentional misrepresentation of material existing fact
> made by one person to another with knowledge of its falsity and for the
> purpose of inducing the other person to act, and upon which the other person
> relies with resulting injury or damage.
>
> Dr Russell Smith of the Australian Institute of Criminology stated in 2000
> that:
> “The perpetrators of many on-line scams … are often not large corporations.
> They are able to close-down their operations quickly and easily, move assets
> to secure locations and use digital technologies to conceal their identities
> and disguise evidence. In such cases there is little likelihood of success
> whether civil or criminal proceedings are taken.”

> If you check your browser certificate trust list, you will note that a few
> banks have not only opted for cross-signed trusted roots (where they are
> signed by a trusted root), but have become a trusted root CA.

> When you obtain a cross-signed certificate there is a permanent record. You
> issue certificates INTERNALLY for your own systems. As long as the company
> has a policy that states it can do this - there is NO illegality. Here in
> NSW, Au, the requirements are that employees etc. are informed that they can
> be monitored when accessing the Internet. The company does not need to
> provide detailed technical details as to how this occurs.

IANAL but check what laws in other countries say regarding this.
Employee privacy is a complex issue and may have many complex
legalities depending on country.



> As for setting up an ILLEGAL RA: I at no point stated this.

> As for interception, the organisation sets up a gateway with a device using
> certs from their own internal CA infrastructure. If this is cross-signed
> using a trusted root certificate, browsers will trust it. This is legal. To
> set up an internal RA and be cross-signed, you have to be valued to be a
> significant business. Generally, this is around $5 million in capital value.
> This excludes small business and not much more. The CA needs to be secured
> (FIPS is usually mandated - but as stated, I have FIPS hardware on my laptop
> these days).

This is a costly solution, as I mentioned earlier too. (By now everyone
in the world knows you have FIPS hardware on your laptop; you don't
have to mention it again!)



> The use of client certs is rare.

If you read carefully, I too had mentioned that same point in a previous
post.



> As for forensic uses, interception can easily occur at an ISP etc. with a
> court order. This is not the same as an organisational interception at a
> company on the company's equipment for the purpose of monitoring. If you are
> too clueless concerning this topic to understand this, I suggest you get a
> different job.

Again, you don't understand why SSL is regarded as secure. As you said,
in order to intercept, an ISP requires a court order. The main thing with
security is to make an attack difficult. And not just any guy can
intercept SSL like that. You need adequate resources to achieve it;
this is what makes SSL secure. Technicalities are fine, but if you
don't understand these simple things, I suggest you get another
profession.



> How does this scenario involve "taking over VeriSign"?

It seems you don't get humor.



> "The challenge experiment is still open if you don't ask for infeasible
> requirements"
> What infeasible experiment? I have FIPS hardware. I have a Checkpoint
> device. I have an organisational CA. You pay for a cross-signing process, and
> I will happily demo it.

LOL. I will take the analogy of a "gun". While you are challenged to
shoot at me, you have the gun but you are asking me to pay for the
bullet! (I know this is a bad analogy, but enough to convey the
message.)

Your inability to do MITM for this experiment itself makes the point
why SSL is secure. By saying that I don't mean it's secure to do some
business which is really TOP SECRET or valuable for that matter, but
it's quite ok to use it for e-commerce applications. For any security
solution, you have to evaluate what exactly you are protecting and
from whom. If the thing being protected is really that important, you
have to implement a system with an acceptable level of security, and no
matter what you implement, there would be some possible attack
developed for it by a person who is really interested in the thing being
protected. So in that sense SSL "is" a secure solution (even though a
govt or organization with the required resources can intercept it).



> As for the 200 PS3s, I have more computing power at my disposal than this.

I am glad to know that you have something at your disposal!



And that challenge is still open! It's for you to prove it. Also
remember, I will capture the traffic with Wireshark and would publish
it, and since you will be signing the website cert on-the-fly, it will
also be available to the CA to check for any breach of the terms you had
agreed with them.

Finally, you are just talking stupid things in the context of this thread,
as I stated in my previous mail too.

Regards,

Shreyas Zare

Sr. Information Security Researcher
Secfence Technologies
www.secfence.com
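The thread's technical point is that a gateway certificate issued by an internal CA that chains to a browser-trusted root passes ordinary chain validation, so chain validation alone cannot tell a client whether it is talking to the site or to such a gateway. The standard client-side mitigation, which neither poster spells out, is public-key pinning: the client records the SHA-256 of the site's SubjectPublicKeyInfo (the RFC 7469 pin format) and rejects any certificate for that host whose key differs, however well it chains. The following is an added example written for this archive page, not code from either poster or from any product mentioned; it uses only the Python standard library. The two certificates it checks are constructed in the script with a minimal DER encoder and carry placeholder signatures, the hostname `bank.example` and the CA names are made up, and the RSA moduli are arbitrary bytes, so the block runs offline without any real certificate.

```python
"""Detect certificate substitution with SPKI pinning (RFC 7469 style).

Constructed example: a minimal DER encoder builds two X.509-shaped certificates
for the same hostname. One carries the site's genuine public key; the other is
issued by a (cross-signed, hence browser-trusted) interception CA and carries a
different key. Chain validation would accept both; the pin check accepts one.
"""
import base64
import hashlib

# ---- minimal DER encoding, just enough to build a certificate skeleton ----
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def spki_rsa(modulus: bytes) -> bytes:
    """SubjectPublicKeyInfo for rsaEncryption; the modulus bytes are constructed."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1
    alg = seq(rsa_oid, der(0x05, b""))
    rsa_key = seq(der(0x02, b"\x00" + modulus), der(0x02, b"\x01\x00\x01"))
    return seq(alg, der(0x03, b"\x00" + rsa_key))

def name(cn: str) -> bytes:
    """X.501 Name with a single commonName RDN."""
    cn_oid = der(0x06, bytes.fromhex("550403"))  # 2.5.4.3
    return seq(der(0x31, seq(cn_oid, der(0x0c, cn.encode()))))

def fake_cert(issuer_cn: str, subject_cn: str, spki: bytes) -> bytes:
    """X.509-shaped DER with a zeroed signature: a constructed test vector, not a valid cert."""
    sha256_rsa = seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))
    validity = seq(der(0x17, b"100601000000Z"), der(0x17, b"110601000000Z"))
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),  # [0] EXPLICIT version v3
        der(0x02, b"\x01"),             # serialNumber
        sha256_rsa, name(issuer_cn), validity, name(subject_cn), spki,
    )
    return seq(tbs, sha256_rsa, der(0x03, b"\x00" + bytes(32)))

# ---- minimal DER walking, enough to locate the SPKI in any v1/v3 certificate ----
def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content, end_offset) for the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length

def children(content: bytes) -> list:
    """Split a constructed value into its raw child TLVs (headers kept)."""
    out, off = [], 0
    while off < len(content):
        _, _, nxt = read_tlv(content, off)
        out.append(content[off:nxt])
        off = nxt
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Raw DER SubjectPublicKeyInfo from a certificate (what RFC 7469 hashes)."""
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = read_tlv(children(cert_body)[0])
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:  # optional explicit version comes first in v3 certs
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def spki_pin(cert_der: bytes) -> str:
    """Base64(SHA-256(SPKI)), the pin-sha256 value used by HPKP-style pin sets."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pins(cert_der: bytes, pins: set) -> bool:
    """True if the presented certificate's key matches a pinned key for the host."""
    return spki_pin(cert_der) in pins

# Constructed test vectors: same hostname, two different keys.
GENUINE_SPKI = spki_rsa(bytes(range(1, 65)))
INTERCEPT_SPKI = spki_rsa(bytes(range(64, 0, -1)))
genuine_cert = fake_cert("Public Root CA", "bank.example", GENUINE_SPKI)
intercept_cert = fake_cert("Corp Gateway CA (cross-signed)", "bank.example", INTERCEPT_SPKI)
PINS = {spki_pin(genuine_cert)}  # recorded out of band, e.g. from a first direct connection

if __name__ == "__main__":
    print("genuine cert matches pin:   ", check_pins(genuine_cert, PINS))
    print("gateway cert matches pin:   ", check_pins(intercept_cert, PINS))
```

The pin is computed over the public key, not the whole certificate, so a legitimate renewal that keeps the key passes while any re-issued certificate with a different key, whoever signed it, fails. In practice a pin set holds at least one backup key so that a planned key rotation does not lock clients out.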

