Pie Palace » security

Java vs. Wireshark

Erigami Scholey-Fuller — Thu, 03 Jun 2010 17:08:42 +0000

Debugging cyphered connections is a hassle, but Wireshark can occasionally help. I recently spent a few hours trying to debug a Jetty server that insisted on speaking HTTPS.

First, I had to convert the Java Key Store to something Wireshark could consume: a PEM file. A fairly simple tutorial, should have been enough, but a GUI-based key store manager proved to be indispensable. Then I realized that Diffie-Hellman is the sworn enemy of network monitors everywhere, as illustrated by Wireshark’s SSL debugging output:

ssl_generate_keyring_material not enough data to generate key (0×16 required 0×37 or 0×57)
dissect_ssl3_hnd_srv_hello can’t generate keyring material

Of course, if you’re in control of the Jetty server in question, then you can use org.mortbay.jetty.security.SslSocketConnector.setExcludeCipherSuites() to prevent pesky DHE. Then it’s Wireshark all the way!

Take that, Security!

Erigami Scholey-Fuller — Mon, 09 Nov 2009 14:56:02 +0000

I’ve put together a Gnome applet that checks the balance of an online bank account at predetermined times and emails the balances to a selected email address. It’s unimaginatively titled “balancer“.

It’s (1) useful, and (2) scares the crap out of me.

The useful part is pretty self evident. I want to know my current balance so I can reign in my spending if I’m going overboard.

The scary part is equally self evident. balancer keeps bank credentials on the user’s computer. That’s a terrible idea. An attacker who wants to make some cash just has to trawl the secrets stored in the GnomeKeyring to get access to the user’s life savings. In theory, GnomeKeyring could be secure-ish, if it kept all of its secrets on a portion of the disk hidden from users and blocked access on too many failed access attempts. But it doesn’t seem to. It looks like it keeps secrets in ~/.gnome2/keyrings. If an attacker can subvert an app owned by the user, then they can read ~/.gnome2/keyrings/balancer.credentials.keyring and pass the file offsite for an offline dictionary attack. Eep!

On top of that, GnomeKeyring differentiates between apps based on the path to the app binary. I guess this works for native applications, but it breaks when the app runs in a virtual machine. My app, balancer, is written in Python. After I run it, other Python apps are able to dig into the GnomeKeyring without the user being prompted for a password. Noes!

It’s funny. I tried Wesabe, and had no problem putting myself at the same risk balancer would inflict on me. Even though the Wesabe client has the same security problems, I put them out of my head because someone else wrote the code. But I’m having a hard time doing that with something I wrote.

Software Loyalty

Erigami Scholey-Fuller — Thu, 01 Nov 2007 23:22:27 +0000

Pascal Meunier has written an essay about loyalty in software. It’s a riff on the idea of trusted computing (and the resulting crippled software), which asks about software’s loyalty. Is the software loyal to its user (as it should be for personal use), or is it loyal to its producer/distributer? The brief discussion of loyalty in free software interesting. It would be interesting if loyalty could be quantified or expressed somehow. I’d like to be able to tag stuff that I write with a loyalty signature. Update: Thanks to dave0 for pointing out that I’d failed to include a link. Now I do.