This blog post is a reaction to the Qualys SSL research (see reactions here) and to Security Now! podcast episode 255, which briefly covered the story.
The Qualys research process was as follows (simplified):
1. retrieve DNS domain names
2. check protocols open on the IP addresses related to the domain
3. check certificate on port 443
The result is a very good service, SSLDB, available at this URL: https://www.ssllabs.com/ssldb/index.html
However, the inherent problem with this process is that IP addresses may be shared between websites, so an SSL check for one domain may actually be testing another website's certificate.
The research was harshly criticised for this flawed approach.
So is there a way to improve this situation? I think so.
What we need is to fully utilise a DNS feature that has been there for so long: SRV records.
Let me explain. Imagine you are the owner of a website and you want all your users to prefer HTTPS. There is currently no way to tell the browser that HTTPS is available on the server. But if you add the following records and the browser checks them, then "Bob is your uncle":
_https._tcp.www.website.com 86400 IN SRV 0 5 443 www.website.com
_http._tcp.www.website.com 86400 IN SRV 0 5 80 www.website.com
This tells the browser that the website is available over both HTTP and HTTPS, so the browser can simply go and connect over HTTPS.
Obviously, this requires domain administrators to populate DNS (not a big deal) and web browsers to check for the SRV records. There is already an extension for Firefox that can prefer HTTPS, but it requires manual regular expression editing.
It also means that DNS hosting companies need to allow their customers to edit SRV records. My DNS company, 123-reg, certainly does not support it at the moment.
What do you think? Could this work and would it be useful? Worth an RFP?
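To show what a client (a browser, or a certificate scanner that wants to test the right host and port instead of whatever shares the IP) would do with those records, here is an added example, not code from the original post. It parses zone-file SRV lines like the two above, applies RFC 2782 priority/weight selection, prefers the https service and treats a "." target as "service not offered"; the secure.example.net records and the "." line are constructed for illustration.

```python
import random
import re
from collections import defaultdict

# Constructed sample zone, modelled on the two records in the post. The last
# line uses RFC 2782's "." target, meaning plain HTTP is explicitly not offered.
ZONE = """
_https._tcp.www.website.com 86400 IN SRV 0 5 443 www.website.com
_http._tcp.www.website.com 86400 IN SRV 0 5 80 www.website.com
_https._tcp.secure.example.net 86400 IN SRV 0 5 443 secure.example.net
_http._tcp.secure.example.net 86400 IN SRV 0 0 0 .
"""

SRV_RE = re.compile(
    r"^_(\w+)\._tcp\.(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(zone_text):
    """Return {(service, owner): [(priority, weight, port, target), ...]}."""
    records = defaultdict(list)
    for line in (l.strip() for l in zone_text.splitlines() if l.strip()):
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line}")
        service, owner, prio, weight, port, target = m.groups()
        records[(service, owner.rstrip("."))].append(
            (int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def pick_target(rrset, rng=random.random):
    """RFC 2782 selection: lowest priority wins, weighted random within it."""
    best = min(r[0] for r in rrset)
    candidates = [r for r in rrset if r[0] == best]
    total = sum(r[1] for r in candidates)
    if total == 0:                     # all weights zero: any order is fine
        return candidates[0]
    threshold = rng() * total
    for r in candidates:
        threshold -= r[1]
        if threshold < 0:
            return r
    return candidates[-1]


def choose_endpoint(records, host):
    """Prefer https when advertised, else http; None if neither is offered."""
    for scheme in ("https", "http"):
        rrset = records.get((scheme, host))
        if not rrset:
            continue
        _prio, _weight, port, target = pick_target(rrset)
        if target == "":               # "." target: service not available
            continue
        return scheme, target, port
    return None
```

For www.website.com the result is ("https", "www.website.com", 443), which is exactly the host and port a certificate check should be run against.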