Saturday, November 28, 2015

HTTPs as it could be

Google has reinvented the wheel HTTP and called it HTTP/2. This comprehensive article about HTTP/2 describes how the web will benefit from this new protocol.

The problem with HTTP/2, as with most of what Google does is that it was designed by coders, not by system architects. The protocol severely lacks internal clarity and integrity. The server should behave in many (at least 4) completely different ways depending on what it supports and what the client requests. It's like trying to combine the truck's wheel with the bike one.

The authors are definitely not readers but writers. There exists SSH family of protocols, which does a thing very similar to what HTTP/2 does. And SSH has quite complicated but logical internal structure. The only thing missing from SSH (not exactly missing but not used) is X.509 certificates and/or OpenPGP keys - while both are in theory supported as authentication methods, almost no real software supports these methods (our SecureBlackbox supports OpenPGP and import of keys from X.509 certificates). Meanwhile HTTP/2 is a combination of old HTTP, new protocol (completely unrelated to HTTP) with fallback to HTTP, and more. Probably the authors of HTTP/2 are adepts of the pastafarian church.

The authors could easily learn how to design the multiplexing scheme right, but, as said, they are likely not readers.

Hitting him with nails

PKI is having hard time, as more and more human mistakes are revealed, which undermine PKI's position.

In fact,  PKI is not about technology, its about people actions. People forget or don't care to guard their property (private keys, in this case). This is common - people are negligent. There was a study several years ago, which revealed that a huge part (40-something %, if memory serves) of office workers shared their passwords for a chocolate bar. Why would they invest time and resources into guarding other one's secrets, if they don't guard their own?

Tuesday, November 24, 2015

Another nail in the coffin

of PKI as we know it. Dell has introduced a huge security hole in its devices.

And more complete coverage, together with remedies, can be found here.

Wednesday, November 4, 2015

Invest in your own security first

Iboss Cybersecurity raised $35 million from Goldman Sachs' Private Capital Investing group, the article tells us.

At the same time Goldman Sachs has deployed an SSH/SFTP server for their corporate operations, and has built it on the outdated version of the open-source SSH server library. Moreover, they've implemented the server badly, in the way that is incompatible with the wast majority of SSH client implementations. They have probably saved a couple of thousands by choosing an in-house (or, maybe, even worse, outsourced to overseas junior developer assistants) implementation based on outdated open-source, instead of paying for the supported commercial solution without such nasty bugs. At the same time they have found 35 mln. to invest into third-party something. Good job, security boys. 

Thursday, October 22, 2015

On hitting nails with a microscope

The newly presented RFC introduces probably the most contradictory extension, and by itself is the one of the most meaningless RFCs adopted in the last 20 years.

The address of the RFC is and it defines the padding extension, whose only function is to insert some zero bytes into the ClientHello packet of the TLS protocol. What's the purpose, you might ask? The purpose is to work around the bugs in some implementation(s) that is/are confused by certain lengths of ClientHellow packet.

You've got it right. Instead of fixing bugs (or pushing the developers to fix bugs) they invent extensions to make other developers complicate their software with those extensions to work around the bugs.

Tolerance is acceptable to people of different race/origin/group. Tolerance to bugs in unacceptable. Tolerance to idiocy is not acceptable either.