Mozilla is considering removing WoSign's CA root

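I removed trust in WoSign on my own machines long ago, but I saw an interesting piece of news at "Mozilla考虑对沃通CA采取行动" (Mozilla considers taking action against the WoSign CA) and went through the original post by Gervase Markham, which is quite a read: "Incidents involving the CA WoSign".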

The first incident (Incident 0) was on 2015/04/23: an attacker only had to prove control of some TCP port to be issued a certificate:

On or around April 23rd, 2015, WoSign's certificate issuance system for their free certificates allowed the applicant to choose any port for validation. Once validation had been completed, WoSign would issue certificates for that domain. A researcher was able to obtain a certificate for a university by opening a high-numbered port (>50,000) and getting WoSign to use that port for validation of control.

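Security incidents caused by poor design will always happen. The point is that Google knew while Mozilla had no idea at all (I am putting this conservatively, because this sentence was later clarified in the thread into something even worse; see below):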

This problem was reported to Google, and thence to WoSign and resolved. Mozilla only became aware of it recently.

More serious still, this incident did not show up in WoSign's audit:

* This misissuance incident did not turn up on WoSign's subsequent BR audit[1].

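The second incident (Incident 1) was in June 2015 and was again a security design problem: once you had control of a subdomain in the way WoSign's validation specified, you could get a certificate for the parent domain, and this time someone even obtained certificates for GitHub's whole family of domains: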

The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io.

Hmm, and it was not reported either:

* This misissuance incident was not reported to Mozilla by WoSign as it should have been (see above).

Hmm, and the audit did not catch it either:

* This misissuance incident did not turn up on WoSign's subsequent BR audit[1].

Hmm, and the certificate for the domain that was obtained (ucf.edu) was not revoked either (see "crt.sh | 29647048"):

They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later.
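The scope check that Incident 1 shows was missing, as an added example (not WoSign's code and not from Markham's report). It assumes a simple policy, labelled as such in the code: proving control of a name covers that name and names beneath it, never a parent or sibling. The function names are hypothetical and the requests are constructed from the names quoted above.

```python
# Added example: scope check for domain-control validation.
# Assumed policy: a validated name authorises itself and its subdomains only.

def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lowercase labels, dropping a trailing dot."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if not name or any(not label for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def covered_by(validated: str, requested: str) -> bool:
    """True only if `requested` equals `validated` or is a subdomain of it."""
    v, r = _labels(validated), _labels(requested)
    # Compare whole labels from the right, so "evilgithub.io" is not
    # mistaken for a name under "github.io" by plain suffix matching.
    return len(r) >= len(v) and r[len(r) - len(v):] == v


def split_request(validated: str, requested_names: list[str]):
    """Partition a certificate request into names to issue and names to refuse."""
    allowed, refused = [], []
    for name in requested_names:
        (allowed if covered_by(validated, name) else refused).append(name)
    return allowed, refused


# Constructed requests mirroring the two cases in the report.
UCF = split_request("med.ucf.edu", ["med.ucf.edu", "www.ucf.edu"])
GITHUB = split_request(
    "theiraccount.github.io",
    ["theiraccount.github.io", "github.io", "www.github.io", "github.com"],
)

if __name__ == "__main__":
    print("ucf.edu request   :", UCF)
    print("github.io request :", GITHUB)
```
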

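The third incident (Incident 2) was in July 2016. Most browsers now mark SHA-1 certificates issued from 2016 onward as insecure outright, and WoSign's API allowed falsification, so that the signing date (notBefore) was set to 2015/12/20: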

Using the value "1" led to a certificate which had a notBefore date (usage start date) of 20th December 2015, and which was signed using the SHA-1 checksum algorithm.

Hmm, and then they denied the backdating:

* WoSign deny that their code backdated the certificates in order to avoid browser-based restrictions - they say "this date is the day we stop to use this code"[4]. If that is true, it is not clear to us how StartCom came to deploy WoSign code that WoSign itself had abandoned.

Hmm, and once again it was not reported to Mozilla:

* This misissuance incident was not reported to Mozilla by WoSign as it should have been.

As for the audit report, presumably this is too recent for the audit to have started yet?

Also, in the thread discussion, Google's Ryan Sleevi clarified things into something even worse:

Clarification: In none of these incidents was Google notified proactively by WoSign. Instead, Google received communication from internal or external researchers regarding these issues, either prior to resolution or much later after the fact, and subsequently contacted WoSign regarding them.

It was only when Google found out recently that other programs were NOT notified, proactively, as had been expected, that Google shared the details it was aware of regarding various CA incidents, including those of WoSign, mentioned in this thread.

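In other words, it was Google that found out about these problems on its own and notified WoSign. Much later it discovered that WoSign had not notified the other CA root program operators as required (Mozilla, in this case), so Google decided to notify them itself, and then everything blew up.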

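In cryptographic theory, the CA architecture builds its trust on audits, and this affair confirms that problem once again (though there is currently no other good mechanism to use instead). If I had to guess the outcome, I expect trust will be pulled the way it was for CNNIC, with previously issued certificates whitelisted (until they expire).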


OpenSSL 1.1.0

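I learned from "OpenSSL 1.1.0 released" that the long-awaited OpenSSL 1.1.0 is out. Among the major new features in 1.1.0, support for ChaCha20 + Poly1305 is the one people have been waiting a long time for: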

  • Support for ChaCha20 and Poly1305 added to libcrypto and libssl

Since RC4 has been shown to be insecure, OpenSSL was left without a usable stream cipher, and this finally fills the gap...

Two others that are also quite interesting:

  • Support for scrypt algorithm
  • Support for X25519

A few more things added...


Scylla 1.3

I saw Scylla's official announcement of version 1.3: "Scylla release: version 1.3".

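Scylla is a C++ rewrite of everything in the Java-based Cassandra (including the data structures and protocol), with the goal of being a fully compatible drop-in replacement for an existing Cassandra cluster. (It claims you can remove Cassandra from the nodes one at a time, install Scylla, and switch over painlessly.)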

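Scylla's other focus is performance. The official claim is an improvement of 10x or more when fully optimized, and earlier hands-on tests on AWS (not fully optimized) also showed 2x to 4x, which matters a great deal for current Cassandra applications.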

The most important feature in 1.3 is Thrift support:

Thrift support. Many Cassandra users are still using Thrift, and they can now continue doing so while benefiting from Scylla’s performance. Built on top of Scylla CQL internal implementation, Scylla Thrift provides similar throughput and latency to Scylla CQL. Users of projects like KairosDB and Titan can now migrate to Scylla while maintaining full protocol compatibility.

The original plan on the roadmap was to deliver Thrift support over two releases (pulled from Google Cache; the CSS looks a bit broken, but it gets the point across).

I just noticed that the 1.4 roadmap no longer lists Thrift.

That presumably implies the implementation is finished? Applications that talk to Cassandra through the Thrift interface can all use Scylla now...

Earlier, in "Facebook Presto · Issue #1139 · scylladb/scylla", I spent quite a lot of time with the ScyllaDB people and finally produced a data set that let them reproduce the bug, so the effort paid off XD


Learning JavaScript the hardcore way...

A few days ago I saw "Someone emailed me asking for tips or sites for learning JavaScript, and this is my final answer.", which is also quite fun...

Read the ECMAScript specification.

It then goes on at some length about how to read it XDDD

Don’t feel like you have to understand every word. Give yourself permission to just force the words into your brain, and move on to the next section. If you’re diligent about it, it only takes a few hours. Repeat this process every few years.

Super hardcore XDDD


Updating the PPA for letsencrypt.sh

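letsencrypt.sh is a letsencrypt/acme client implemented as a shell script, which can request SSL certificates from Let's Encrypt. Compared with the official client, which was later handed over to the EFF as Certbot, I would rather recommend letsencrypt.sh, which needs nothing but shell script...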

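Because the author has not published a new release tarball, and the code in the current latest release no longer works, I spent some time yesterday updating the PPA for letsencrypt.sh and built a 0.2.0.20160822 (a version number greater than the current release, 0.2.0): "PPA for letsencrypt.sh".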

Compared with 0.2.0 there is one BC break: the new version renamed the config file (from config.sh to config), so if you had it configured before, remember to rename it:

$ cd /etc/letsencrypt.sh/
$ sudo mv config.sh config

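I also took the opportunity to change build.sh, which I had used to build the source package, so that it accepts a git hash or a tag name, which makes producing a source package for a specific version much simpler.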


Star Trek 50th anniversary stamps

The US Postal Service has decided to issue Star Trek 50th anniversary stamps: "Star Trek Postage Stamps Coming Soon: Celebrating 50 Years of Exploring the Final Frontier".

Almost fifty years already:

The original Star Trek TV series took to the airwaves nearly 50 years ago–on September 8, 1966.


Site-scraping techniques?

An article I saw on Hacker News about scraping sites with JavaScript: "I Don’t Need No Stinking API – Web Scraping in 2016 and Beyond".

What caught my attention was the "Beating CAPTCHA" part, which simply uses Antigate's service (a paid service) to get past CAPTCHAs. I looked at the price:

Cheapest price on the market - starting from 0.7USD per 1000 images, depending on the daily volume

Hmm, this service seems pretty decent... noting it down for later use :o


SWEET32: attacking Blowfish and 3DES

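The latest attack is a practical one: the theory behind it was already known, but nobody had actually carried it through. It is one of the few recent attacks aimed directly at the algorithms, and those algorithms happen to still be used in TLS and OpenVPN, so the severity is higher: "SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN".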

The attack depends on the block cipher's block size, not its key length, so even Blowfish with a 256-bit key is affected just the same.

This time both Blowfish and 3DES were successfully broken. Both ciphers have a 64-bit block size, so for a birthday attack 2^32 is all it takes:

This problem is well-known by cryptographers, who always require keys to be changed well before 2^(n/2) blocks. However it is often minimized by practitioners because the attacks require known plaintext, and reveal only little information. Indeed, standard bodies only recommend to change the key just before 2^(n/2) blocks, and many implementations don't enforce any limit on the use of a key.

For the attack on Blowfish in OpenVPN (Blowfish is OpenVPN's default cipher):

In our demo, it took 18.6 hours and 705 GB, and we successfully recovered the 16-byte authentication token.

And for the attack on 3DES in HTTPS (kept around for compatibility):

Experimentally, we have recovered a two-block cookie from an HTTPS trace of only 610 GB, captured in 30.5 hours.

Both are at a scale that is feasible. Time to drop IE8 support too... orz
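Why the block size sets the limit, worked through as an added example (not code from the SWEET32 paper): the standard birthday approximation applied to the data volumes quoted above, plus the per-key data budget it implies. The function names are hypothetical, and "GB" is assumed to mean 10^9 bytes.

```python
import math


def _pair_ratio(data_bytes: float, block_bits: int) -> float:
    """q(q-1) / 2^(n+1) for q blocks of n bits: expected colliding block pairs."""
    q = data_bytes / (block_bits // 8)
    return max(q * (q - 1), 0.0) / 2 ** (block_bits + 1)


def expected_collisions(data_bytes: float, block_bits: int) -> float:
    """Expected number of repeated ciphertext blocks under one key."""
    return _pair_ratio(data_bytes, block_bits)


def collision_probability(data_bytes: float, block_bits: int) -> float:
    """P(at least one repeated block) ~ 1 - exp(-q(q-1)/2^(n+1))."""
    # expm1 keeps precision when the exponent is tiny (128-bit blocks).
    return -math.expm1(-_pair_ratio(data_bytes, block_bits))


def rekey_limit_bytes(block_bits: int, max_probability: float) -> float:
    """Data volume per key that keeps the collision probability under a target."""
    x = -math.log1p(-max_probability)           # invert 1 - exp(-x)
    q = math.sqrt(x * 2 ** (block_bits + 1))    # q(q-1) ~ q^2 for large q
    return q * (block_bits // 8)


def report() -> dict:
    """Expected collisions for the two traces quoted above, 64- vs 128-bit blocks."""
    gb = 10 ** 9  # assumption: decimal gigabytes
    traces = {"OpenVPN/Blowfish, 705 GB": 705 * gb, "HTTPS/3DES, 610 GB": 610 * gb}
    return {
        name: {bits: expected_collisions(size, bits) for bits in (64, 128)}
        for name, size in traces.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name}: 64-bit {row[64]:.1f}, 128-bit {row[128]:.2e}")
    print(f"P(collision) at 2^32 blocks of 64 bits: {collision_probability(2**35, 64):.3f}")
    print(f"64-bit budget for P <= 1e-6: {rekey_limit_bytes(64, 1e-6) / 1e6:.1f} MB")
```
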


A data center built in a nuclear fallout shelter

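Taken literally, "Nuclear Fallout Shelter" is a bunker against nuclear fallout, in effect an air-raid shelter that can also withstand radioactive dust. Google Translate renders it in Chinese as 「核輻射避難所」 (nuclear radiation shelter), which feels fairly apt...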

The C14 project is Online.net's data center built in a nuclear fallout shelter in Paris: "C14 story - Part 1 Meet Our Nuclear Fallout Shelter".

It is 26 meters underground; at three meters per floor, that is roughly the eighth or ninth basement level:

Starting in October 2016, you will be able to store all your critical C14 data in our fallout shelter, located 26 meters underground in Paris, France.

The whole project was bought from the French government in 2012, and then the rebuilding began:

In 2011, the French state, owner of the building, decided to move the Ponts et Chaussées' central laboratory in the Parisian suburb and started to dismantle the building.

The Ponts et Chaussées' central laboratory buildings were revamped and divided in multiple bundles to be sold and transformed in multi-unit housing. The main building and the shelter were sold separately via a public invitation to tender. Online landed the deal in September 2012 with the project to build a Datacenter. The project’s codename is DC4.

The photos of it near completion look great.

This looks like a series of stories, so there should be plenty of photos to look at later...


Seamlessly switching the directory or file a symbolic link points to

Translating "atomically" literally into Chinese as 原子性 felt a bit odd here, so I translated it by meaning instead.

This is a 2005 article about changing what a symbolic link points to while making sure the link never disappears, even briefly: "How to change symlinks atomically".

The author runs strace on ln -snf to show that this approach cannot be seamless:

$ strace ln -snf new current 2>&1 | grep link
unlink("current")         = 0
symlink("new", "current") = 0

There is a race condition between unlink() and symlink(): anyone who accesses the symbolic link in between will fail. The author proposes this to solve it:

$ ln -s new current_tmp && mv -Tf current_tmp current

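In "How does one atomically change a symlink to a directory in busybox?" the question is about BusyBox, but the principle is the same, and it covers both how to do it and why (do not read the answer with the green check mark; read the one with the higher score):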

This can indeed be done atomically with rename(2), by first creating the new symlink under a temporary name and then cleanly overwriting the old symlink in one go.

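This becomes important when DocumentRoot is a symbolic link. Only this method ensures there is no gap while the directory is being switched, a gap that would leave users with a 404...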

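It is also usually paired with mod_realdoc, so that code using the DocumentRoot path does not end up with an earlier lookup and a later one pointing at different things.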
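The same rename(2)-based switch written out for a deploy script, as an added example (not code from the 2005 article or the BusyBox answer). It is the equivalent of `ln -s new current_tmp && mv -Tf current_tmp current`, with a unique temporary name and cleanup on failure; `atomic_symlink` and `demo_swap` are hypothetical names and the directory layout is constructed.

```python
import os
import secrets
import tempfile


def atomic_symlink(target: str, link_path: str) -> None:
    """Point link_path at target with no moment at which link_path is missing."""
    directory = os.path.dirname(os.path.abspath(link_path))
    base = os.path.basename(link_path)
    while True:
        # The temporary link must live in the same directory: rename(2) is
        # only atomic within a single filesystem.
        tmp = os.path.join(directory, f".{base}.{secrets.token_hex(8)}")
        try:
            os.symlink(target, tmp)
            break
        except FileExistsError:
            continue  # name collision with a leftover; pick another name
    try:
        # rename(2) replaces the old symlink itself (it is not followed),
        # which is what `mv -T` asks for on the command line.
        os.replace(tmp, link_path)
    except BaseException:
        os.unlink(tmp)  # e.g. link_path is a real directory: leave no debris
        raise


def demo_swap() -> tuple[str, str, list[str]]:
    """Constructed layout: releases 'old' and 'new', with 'current' switched over."""
    with tempfile.TemporaryDirectory() as root:
        for release in ("old", "new"):
            os.mkdir(os.path.join(root, release))
        current = os.path.join(root, "current")
        atomic_symlink("old", current)   # first deploy: the link does not exist yet
        before = os.readlink(current)
        atomic_symlink("new", current)   # switch: the old link is replaced in one step
        return before, os.readlink(current), sorted(os.listdir(root))


if __name__ == "__main__":
    print(demo_swap())
```
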
