General Musing

blaze your trail

Archive for the ‘identity’ Category

OCSP Troubles #security #x509 #certificate #revoke

with one comment

A company was having intermittent trouble with their new authenticated SSL. The trouble was not with the certificates, which came from a large international CA, nor with the authentication itself: a bug caused the OCSP check on some certificates to fail, and once it had failed for a certificate it kept failing for that certificate until the application server was restarted. As this was a mission-critical application for their customers between 8am and 6pm, they had taken to restarting the servers at 7am to ensure there would be fewer issues during the day. This was obviously not a permanent solution, so the vendor was called in to fix the issue.
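The sticky failure described above, modelled as an added example (not code from the post or the vendor): a cache that memoises transient OCSP errors, next to one that only remembers definitive answers. The responder is a constructed stub; all names are assumptions.

```python
# Added example, not from the post: a model of the sticky-failure bug above
# (one transient OCSP error pinned a certificate to 'failed' until restart)
# next to a cache that only remembers definitive answers. The responder is a
# constructed stub that mimics a responder timing out once per serial.
import time

GOOD, REVOKED, ERROR = "good", "revoked", "error"   # ERROR = transient, not a status

def make_flaky_responder(now=time.time, fail_first_n=1):
    """Stub: the first N lookups of each serial fail, later ones say GOOD
    with a validity window of 10 minutes (like OCSP nextUpdate)."""
    calls = {}
    def responder(serial):
        calls[serial] = calls.get(serial, 0) + 1
        if calls[serial] <= fail_first_n:
            return ERROR, 0
        return GOOD, now() + 600
    return responder

class StickyCache:
    """Buggy: memoises whatever came back, errors included, forever."""
    def __init__(self, responder):
        self.responder, self.cache = responder, {}
    def status(self, serial):
        if serial not in self.cache:
            self.cache[serial] = self.responder(serial)[0]
        return self.cache[serial]

class DefinitiveCache:
    """Fixed: cache GOOD/REVOKED until the response's validity ends; an
    ERROR is returned to the caller but never stored, so the next request
    retries the responder instead of waiting for a server restart."""
    def __init__(self, responder, now=time.time):
        self.responder, self.cache, self.now = responder, {}, now
    def status(self, serial):
        hit = self.cache.get(serial)
        if hit is not None and hit[1] > self.now():
            return hit[0]
        self.cache.pop(serial, None)            # expired: refresh from responder
        result, valid_until = self.responder(serial)
        if result in (GOOD, REVOKED):
            self.cache[serial] = (result, valid_until)
        return result
```

Whether an ERROR result is then treated as fail-open or fail-closed is a separate policy decision for the application; the point here is only that it must not be cached.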


Written by Daniël W. Crompton (webhat)

June 23, 2011 at 7:05 am

Proof of Concept: Simple Authenticated Internet Access

leave a comment »

Sitting in the train at Amsterdam’s “Centraal Station” I was considering what the simplest method would be to provide public authenticated internet access – such as the one I was using in the train – with a payment/self-service to track the users. I’m not saying that this is possible to do with low end systems such as your provider gives away as part of the DSL subscription.

I’m into quick paper prototypes, so there could be an even simpler way in practice, and I think I mostly covered it in the diagram.

Simple Authenticated Internet Access Diagram

  1. Firstly the client must be able to connect, which is symbolized by this arrow. I don’t want the user to be redirected to the internet immediately, so I have the “proxy” redirect the user; this could be based on the MAC address that the user’s computer broadcasts to the Access Point, the IP address allocated in the DHCP lease, or both. The risk here is that both the IP and the MAC can be spoofed. In a system for which payment is needed the risk is theft of the connection from the real customer, or a DoS due to an IP address collision. The choice here is either to accept and budget for it, making all the honest customers pay for the crimes perpetrated against them, or to reduce it by using the Access Manager (AM) to ensure that the current user is the user who authenticated, by using some browser magic.
  2. The user goes to the Self Service and either creates and pays for an account, or requests some type of (limited/trial) access. There is a risk here that identity theft can take place, as the network is not secured with a password; this risk can be reduced by using SSL to encrypt the session.
  3. The user then uses the account details just created to authenticate; again this risk can be reduced by using an SSL connection.
  4. After authentication the user session is passed on to the AM.
  5. The AM checks the access rights for the user/session and passes this data on to the Self Service so the user can see the current status of the account.
  6. The “proxy” is updated at the same time as the Self Service, to ensure that the user can make use of the service that has been acquired.
  7. The user starts to use the service which has been acquired. To avoid the theft of the user’s information over an insecure wifi network the choice can be made to tunnel the connection to the internet over SSL; the issue is naturally that each page or item will get an SSL security warning, and this may cause issues with sites which already use SSL themselves. The simplest strategy is to warn the customers of the risk during the Self Service in a EULA that they will never read, although the nicest way would be to warn them in a more prominent way – still, the treatment of this risk is to not become involved in any resolution.
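The AM check from step 1, written out as an added example (not the post’s own code): a session is bound to the MAC/IP pair seen at authentication and to a per-session browser token, so that a spoofed address alone is not enough. Class, method and sample names are assumptions.

```python
# Added example, not from the original post: the Access Manager (AM) check of
# step 1. A session is bound to the MAC/IP pair seen at authentication and to a
# random per-session token the browser must present (the "browser magic"), so a
# spoofed MAC/IP on its own does not take over a paying customer's session.
# Class, method and sample names are assumptions.
import hmac
import secrets
import time

class AccessManager:
    def __init__(self, now=time.time, session_ttl=3600):
        self.sessions = {}                   # session id -> record
        self.now, self.ttl = now, session_ttl

    def authenticate(self, user, mac, ip, paid_until):
        """Steps 3-5: after the Self Service login, bind a session to the
        client's address pair and hand the browser a secret token."""
        sid, token = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "mac": mac, "ip": ip, "token": token,
                              "paid_until": paid_until, "expires": self.now() + self.ttl}
        return sid, token

    def authorize(self, sid, mac, ip, token):
        """Steps 6-7: the proxy asks the AM before forwarding any traffic.
        Returns (allowed, reason) so the proxy can redirect on a denial."""
        s = self.sessions.get(sid)
        if s is None or s["expires"] < self.now():
            return False, "no-session"
        if (s["mac"], s["ip"]) != (mac, ip):
            return False, "address-mismatch"   # IP collision or changed lease
        if not hmac.compare_digest(s["token"], token):
            return False, "bad-token"          # right address, not the browser that logged in
        if s["paid_until"] < self.now():
            return False, "unpaid"             # the status the Self Service shows the user
        return True, "ok"
```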

Any comments?

Image source: purpleslog

Written by Daniël W. Crompton (webhat)

January 3, 2011 at 8:30 am

PCI is nice (or what I do) #pcidss

leave a comment »

Since I started working for my company I’ve been exposed to PCI DSS (Payment Card Industry Data Security Standard): “It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues.”[1] There are only a small number of requirements that need to be implemented, although these can be pretty substantial for some customers. It can also be difficult to understand the details of these 12 requirements for compliance.[2]

Being a programmer by nature I’ve often been told that the nuts and bolts of what I do, the part I enjoy, are a little complex. PCI is something different: everybody can understand that credit card data needs to be protected from unauthorized access. Not just credit card data, but all data that could potentially be used in . This means that a policy or control needs to be implemented to control this, and to note any non-compliance.

PCI is just about protecting your “Cardholder Data”:

  • Primary Account Number (PAN)
  • Cardholder Name
  • Service Code
  • Expiration Date

I know first hand that most of the banks in the Netherlands, and in most of the world, are quick to discover credit card fraud. They are also quick to pay out and correct the issue for the customer, because the chance that customers will lose faith in the bank is high if they don’t. Yet ultimately these customers are still paying for all the fraud committed with all the credit cards. Banks, payment service providers or retail merchants who have your Cardholder Data have all the data needed for this kind of financial identity theft and fraud, and more…

It may seem obvious that this data should be stored securely, since credit card use is ubiquitous. Yet the large banks have had the same problems with data leakage as small retailers, which means the data must be secured all the way from the customer to the bank which finally processes the payment to avoid this type of leakage. The problem is that payment service providers or merchants have traditionally not done this. They may handle the temporary authorization requests for the PAN, or use the Bank Identification Number (BIN) from the card number for routing the payments to the specific issuer, so they may need the number. That’s fine, as long as they store the data securely and keep a log of who accessed the data and why it was accessed.

Now that’s out of the way I can tell you what I’m doing: I’m playing with RSA DBSM [now EOL’d] and RSA RKM. Simply put, DBSM is a framework which encrypts the data as it goes into the database and decrypts it as it comes out. It’s something that anybody who is paranoid like me had already been doing for a while, but the way I was doing it required me to write custom fragments of code for every application which needed to access the data. DBSM does it transparently, while at the same time checking the users who try to access it, so only the correct users gain access. RKM hooks into this by providing a framework for the policies or controls which grant the correct people/devices/programs a key to lock up or unlock the data; different policies can be implemented for different types of data or device.

Now you know what I do.

Originally appeared here.


Written by Daniël W. Crompton (webhat)

May 18, 2010 at 3:55 pm

VeriSign PIP Browser Certificate workaround (PIN Request) #identity #openid

leave a comment »

VeriSign’s Personal Identity Portal (PIP) is an OpenID provider with multi-factor authentication: a password plus one of

  • Mobile Credential (phone or mail PIN)
  • Account Information Card (can be used by applications such as Microsoft CardSpace)
  • VeriSign browser certificate
  • VeriSign Identity Protection (VIP) Credential (Physical Token)

As I have a browser certificate linked to my old browser and couldn’t log in with my current browser, I had to figure out a workaround for when I don’t have the browser certificate: PIN Request. On the page that does the browser certificate request there is a hidden link to get a PIN sent by mail or mobile, which you can find here.

Hope that helps you.

Written by Daniël W. Crompton (webhat)

April 17, 2010 at 7:24 pm

Merging Duplicate Contacts #mail #dedup #addressbook

with one comment

I’ve been struggling with removing/merging duplicate entries from my address book with a commercially available tool for some time. I could just write one, and I still might. Until then I’ll list the ones I’ve tried and

Plaxo doesn’t de-dup for free, and they have difficulty with an address book which has more than 10000 entries, even though a good part of them are duplicates. An ad

also doesn’t do it very well; I can download my address book and upload it again and have it add most of the entries for a second time.

is much worse as a storage place, as it ignores all the users who I am not connected to on LinkedIn. And I have too many connections who have populated important fields, such as Name or Title with SEO data or mail addresses.

There are a number of simple commercial scripts which should do what I need, but I expect that they’re little better than the scripts I’ve written to do a contact merge.

Finally advised me to have a look at Apple‘s MobileMe, although yesterday I was getting the following message:


So I guess I’ll have a look at it tomorrow.

Any other suggestions?


Written by Daniël W. Crompton (webhat)

July 25, 2009 at 7:33 pm

Clipperz, Online Password Share

with one comment

I was trying to think about what to say about SlideShare, so I was browsing the site to give me inspiration, it didn’t work.

What I did find was Clipperz. Clipperz makes it possible to log in with one click: the username and password for the site are stored encrypted at Clipperz and are decrypted and posted to the site. I’ll use the example of /. (Slashdot); the bookmarklet provided extracts the form and uses that to populate the login form.

  {
    "page": {"title": "Slashdot: News for nerds, stuff that matters"},
    "form": {
      "attributes": {"action": "", "method": "post"},
      "inputs": [
        {"type": "text",     "name": "unickname",   "value": "username"},
        {"type": "hidden",   "name": "returnto",    "value": "//"},
        {"type": "hidden",   "name": "op",          "value": "userlogin"},
        {"type": "password", "name": "upasswd",     "value": "password"},
        {"type": "checkbox", "name": "login_temp",  "value": "yes"},
        {"type": "submit",   "name": "userlogin",   "value": "Log in"}
      ]
    },
    "version": "0.2.3"
  }

To be entirely portable you can access the websites from a sidebar in your browser. Naturally this is a nice proof of concept for the real product they are selling: zero-knowledge web applications.

Zero-knowledge web applications are about making web applications more secure. Do you trust Google Documents with your confidential documents? You shouldn’t, unless the data is stored without the knowledge of the SaaS provider. Clipperz password manager is the first zero-knowledge web application. This means that Clipperz knows nothing about its users and their data. They do this using a JavaScript library, based on Ajax and browser-based cryptography, which can be used to build applications that users can use to manage their private data.
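The zero-knowledge split described above, as an added example that is not Clipperz’s own code: the client derives the only decryption key from the passphrase and the server stores nothing but a salt, a login verifier and ciphertext. The HMAC-SHA256 keystream cipher, the verifier-based login and all names are assumptions standing in for the real library.

```python
# Added example, not Clipperz's own code: a minimal zero-knowledge split where
# the browser side (client_*) derives the only decryption key from the user's
# passphrase and the server stores ciphertext plus a login verifier. PBKDF2 is
# stdlib; the HMAC keystream cipher and verifier login are simplifications.
import hashlib, hmac, json, os

def derive_keys(passphrase, salt):
    """One PBKDF2 run, split into an encryption key and a login key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 64)
    return km[:32], km[32:]

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:   # sees only a salt, a hash of the login key and opaque ciphertext
    def __init__(self): self.db = {}
    def register(self, user, salt, login_key, blob):
        self.db[user] = (salt, hashlib.sha256(login_key).digest(), blob)
    def salt_for(self, user):
        return self.db[user][0]
    def fetch(self, user, login_key):
        salt, vhash, blob = self.db[user]
        if not hmac.compare_digest(vhash, hashlib.sha256(login_key).digest()):
            raise PermissionError("login proof rejected")
        return blob

def client_store(server, user, passphrase, card):   # runs in the browser
    salt = os.urandom(16)
    enc_key, login_key = derive_keys(passphrase, salt)
    server.register(user, salt, login_key, encrypt(enc_key, json.dumps(card).encode()))

def client_load(server, user, passphrase):
    enc_key, login_key = derive_keys(passphrase, server.salt_for(user))
    return json.loads(decrypt(enc_key, server.fetch(user, login_key)))
```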


Written by Daniël W. Crompton (webhat)

July 26, 2008 at 8:07 pm

MySpace gains OpenID, FaceBook should

leave a comment »

Firstly, I’m not using WordPress’ Press This feature any more; this is the third time I am having to post this after it ate 2 previous drafts. Maybe I should fix the GreaseMonkey script I built for /. to work on Press This.

After predicting the death of MySpace they have surprised me by adding an OpenID Identity Provider. Obviously they are only allowing you to use it to authenticate on other sites, but it is still a step that others, including FaceBook, haven’t taken yet. So I started to muse how FaceBook would be able to top it, and what I actually want from an OpenID Identity Provider:

  • Authentication (obviously)
  • FOAF
  • hCard (or other microformats)
  • Certificate Authentication (PKI)

ClaimID already has 3 of the 4, but their friend system requires some kind of social networking and as it is not a social networking site it doesn’t really cover FOAF completely. This is why integration of FOAF would be a good step for both FaceBook and MySpace.

MySpace is only acting as an identity provider, meaning that while you can use your MySpace credentials to sign into other Web sites, you cannot yet use your credentials from another OpenID provider to sign into MySpace.

Source: MySpace Opens Up First; Launches Data Availability on Flixster and Eventful


Written by Daniël W. Crompton (webhat)

July 24, 2008 at 3:19 pm
