Yet Another PHP Security Blog

There’s a very good writeup by fellow security analyst Moxie Marlinspike in the ThreatPost blog that details the current issues with SSL and trust roots - and although a little short on actual mitigation ideas - pretty much nails all the problems that we currently have. As a little sugarcoating, he also dismantles the notion that DNSSEC is “our savior”.

And there’s a clever little jab at GoDaddy.

Go find the article here at ThreatPost.

The folks at SektionEins security consulting are starting a new Month of PHP Security. They are currently collecting interesting entries via a public CfP on php-security.org and will publish the most interesting stuff duringMay 2010 - one item per day.

Papers, Exploits and other stuff related to the following topics can be submitted:

• New vulnerability in PHP itself
  
• New vulnerability in PHP extensions/patches (such as eAccelerator or Suhosin )
  
• Explain a single topic of PHP application security in a detailed paper
  
• Explain a complex vulnerability in/attack against an “interesting” PHP application
  
• Explain a complex attack method (in a theoretical article) against PHP itself
  
• Explain how to attack encrypted PHP applications
  
• Release of a new open source PHP security tool
  
• Other stuff related to PHP security
  
  

There’s a bunch of prices, including security conference tickets and Amazon vouchers. You should check it out!

More info: http://www.php-security.org/

(Preface: Most of the scenarios I am going to point out have actually been around for a long time, since Loki toolbar existed for a while now. However, I live under a stone and seem to learn things a million years after the “in crowd”. So, no flaming pls.)

So, the Mozilla Labs have released an experimental Geode plugin that is a preview for possible future native features in the Firefox mainline (and derived) browsers. The plugin basically provides a possibility for web sites to receive the user’s current physical location on a fairly precise scale.

I have played with the plug-in a little and found that it is between 10 and 50 meters off in an urban, although not very densely populated area of Hannover, Germany. This is surely not GPS-quality positioning, but it works indoors and gives a detailed enough ballpark figure to enable most “where’s the next café”-like business models.

The whole endeavor is part of an upcoming W3C spec for geolocation and thus somewhat high-profile and “official”. This is no longer a niche project, or at least aims not to be. Sure enough, my interest was sparked and I dug a little deeper.
Continue reading "Geode, Loki and the implications"

After throwing the first article about PKI and PHP at you with relatively few explanation about why I am doing this, I thought I’d post something that explains a bit more in detail.

Continue reading "Upcoming article series regarding security - some thoughts"

Preface

As some of you know, I’m currently working in an environment that is very much about security in terms of “how do I determine for sure who is accessing my service while having all access encrypted”. Since grid computing (that’s what I’m currently doing) also is very much about Single-sign on and delegation of rights, username/password authentication schemes don’t quite do it for us. Thus, a PKI (public key infrastructure) based on X.509 is employed.

Huh?

Acronyms-a-plenty, you think. Well, it’s not so bad at all. What we call X.509 certificates is what you would call “SSL Certificates”. The correct name for those certificates is “X.509 certificate” and that’s what I’m going to refer to. Whatever name you call the child, it is what you already know and probably use - the certificates that make you able to verify you’re actually buying at amazon.com. More generally speaking, X.509 certificates can be mutually used by servers and clients alike to authenticate themselves to the other party. We can exploit this feature to get away from traditional knowledge-based credentials towards possession-based credentials. Continue reading "X.509 PKI login with PHP and Apache"