Security Basics mailing list archives
RE: Checkpoint smart defance as IPS
From: "Craig S Wright" <craig.wright () information-defense com>
Date: Mon, 7 Jun 2010 07:55:17 +1000
An RA is an internal CA; it is trusted by chaining. Please read up on this before making arbitrary comments. Yes, there is a cost to this and I have not commented on this as this will vary, but then a Checkpoint license is also a cost.

Again, SSL is perceived by many as secure. So what? Security is not perception. This is a point that you continue to miss. Again, SSL is about privacy, not security. Privacy can be a part of a security solution, but it is not security in itself.

Craig

-----Original Message-----
From: Shreyas Zare [mailto:shreyas () secfence com]
Sent: Monday, 7 June 2010 2:33 AM
To: craig.wright () information-defense com
Cc: security-basics () securityfocus com
Subject: Re: Checkpoint smart defance as IPS

Hi Craig,

On Sat, Jun 5, 2010 at 1:58 AM, Craig S. Wright <craig.wright () information-defense com> wrote:
> I did not say that an organisation publishes certificates on the web. These
> are used internally. There is no illegality here. Illegality comes from fraud.
> I do not believe that I have ever stated this as a valid course of action,
> let alone for companies.

Even if you don't use the fake certificates outside the organization, it would still breach the terms you agreed with the CA. If an organization wants to achieve this anyways, a simple solution would be to use an internal CA with a directory service instead of wasting money and getting into legal trouble by setting up an RA. Many companies won't be capable of getting their own RA anyways, so your suggestion in the context of this thread is no good.

> Fraud consists of an intentional misrepresentation of material existing fact
> made by one person to another with knowledge of its falsity and for the
> purpose of inducing the other person to act, and upon which the other person
> relies with resulting injury or damage.
>
> Dr Russell Smith of the Australian Institute of Criminology stated in 2000
> that: The perpetrators of many on-line scams are often not large
> corporations. They are able to close down their operations quickly and
> easily, move assets to secure locations and use digital technologies to
> conceal their identities and disguise evidence. In such cases there is little
> likelihood of success whether civil or criminal proceedings are taken.
>
> If you check your browser certificate trust list, you will note that a few
> banks have not only opted for cross-signed trusted roots (where they are
> signed by a trusted root), but have become a trusted root CA. When you obtain
> a cross-signed certificate there is a permanent record.
>
> You issue certificates INTERNALLY for your own systems. As long as the
> company has a policy that states it can do this - there is NO illegality.
> Here in NSW, Au, the requirements are that employees etc are informed that
> they can be monitored when accessing the Internet. The company does not need
> to provide detailed technical details as to how this occurs.

IANAL, but check what laws in other countries say regarding this. Employee privacy is a complex issue and may have many complex legalities depending on the country.

> As for setting up an ILLEGAL RA. I at no point stated this. As for
> interception, the organisation sets a gateway with a device using certs from
> their own internal CA infrastructure. If this is cross-signed using a trusted
> root certificate, browsers will trust it. This is legal.
>
> To set up an internal RA and be cross-signed, you have to be valued to be a
> significant business. Generally, this is around $5 million in capital value.
> This excludes small business and not much more. The CA needs to be secured
> (FIPS is usually mandated - but as stated, I have FIPS hardware on my laptop
> these days).

This is a costly solution, as I mentioned earlier too. (By now everyone in the world knows you have FIPS hardware on your laptop; you don't have to mention it again!)

> The use of client certs is rare.

If you read carefully, I too had mentioned that same point in a previous post.

> As for forensic uses, interception can easily occur at an ISP etc with a
> court order. This is not the same as an organisational interception at a
> company on the company's equipment for the purpose of monitoring. If you are
> too clueless concerning this topic to understand this, I suggest you get a
> different job.

Again, you don't understand why SSL is regarded as secure. As you said, in order to intercept, an ISP requires a court order. The main thing with security is to make an attack difficult. And not just any guy can intercept SSL like that. You need adequate resources to achieve it; this is what makes SSL secure. Technicalities are fine, but if you don't understand these simple things, I suggest you get another profession.

> How does this scenario involve "taking over VeriSign"?

It seems you don't get humor.

> "The challenge experiment is still open if you don't ask for infeasible
> requirements" What infeasible experiment? I have FIPS hardware. I have a
> Checkpoint device. I have an organisational CA. You pay for a cross-signing
> process, and I will happily demo it.

LOL. I will take an analogy of a "gun". While you are challenged to shoot at me, you have the gun but you are asking me to pay for the bullet! (I know this is a bad analogy, but enough to convey the message.) Your inability to do MITM for this experiment itself makes the point why SSL is secure. By saying that I don't mean it's secure to do some business which is really TOP SECRET or valuable for that matter, but it's quite OK to use it for e-commerce applications. For any security solution, you have to evaluate what exactly you are protecting and from whom. If the thing being protected is really that important, you have to implement a system with an acceptable level of security, and no matter what you implement, there would be some possible attack developed for it by a person who is really interested in the thing being protected. So in that sense SSL "is" a secure solution (even though a govt or organization with the required resources can intercept it).

> As for the 200 PS3s, I have more computing power at my disposal than this.
I am glad to know that you have something at your disposal! And that challenge is still open! It's for you to prove it. Also remember, I will capture the traffic with Wireshark and would publish it, and since you will be signing the website cert on-the-fly, it will also be available with the CA to check for any breach of the terms you had agreed with them.

Finally, you are just talking stupid things in the context of this thread, as I stated in my previous mail too.

Regards,
Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
www.secfence.com