Author Archives: enicaise

StartSSL is blocked by Chrome & Firefox and they didn’t notify their customers

The SSL certificates issued by the Israel-based Certificate Authority StartSSL (https://www.startssl.com/) have been blocked by Google Chrome and Mozilla Firefox since March 2017. Behind what could be just a technical issue, there are some disturbing facts:

First, the reason why Google and Mozilla decided to progressively block StartSSL (and, more importantly, WoSign) is the issuance by WoSign, a Chinese Certificate Authority, of multiple SSL certificates for domains for which they had received no mandate and had not validated the requester’s ownership of the domain. The first case reported to Google was GitHub, the famous source code repository. As WoSign had “secretly” bought StartSSL and integrated its infrastructure into its own, StartSSL has been “sentenced” to the same distrust by most browsers as its owning company.

Since browsers do not use DNS CAA records to check whether the Certificate Authority that issued an SSL certificate for a domain is the one the domain owner authorised, such a mis-issued certificate could have allowed someone to impersonate GitHub, or at least to lure some users to a fake GitHub site (GitHub had not set its CAA record anyway). Such behaviour is unacceptable for any certificate issuer, as trust is the cornerstone of the entire SSL certificate paradigm. Google and Mozilla’s reaction therefore seems proportionate. However, you can imagine the impact of such a sentence: for any CA, being withdrawn from the list of trusted certificates of the two main browsers is like a death penalty.
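CAA is a check the issuing CA is expected to perform before signing, not something the browser verifies afterwards. The following is an added example (not code from the original post, StartSSL, or any CA) of the lookup a CA does per RFC 6844/8659: climb from the requested name towards the root, take the first CAA record set found, and only issue if the CA’s own domain is listed. The zone data is constructed for the example; no real DNS is queried.

```python
"""Added example: CAA pre-issuance check as a CA performs it (RFC 8659 logic).
The ZONE dict below is a constructed stand-in for DNS; it is not real data."""
from dataclasses import dataclass

CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags byte


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 or CRITICAL
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # CA domain, or ";" meaning "no CA may issue"


# Constructed zone: fully-qualified name -> CAA RRset.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),   # only this CA may issue
        CAA(0, "issuewild", ";"),             # nobody may issue wildcards
    ],
    "api.example.com.": [CAA(0, "issue", "digicert.com")],  # child overrides parent
    "nocaa.example.org.": [],  # exists, but no CAA anywhere in its tree
}


def _ancestors(name):
    """Yield the name itself, then each parent, stopping before the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa(name, zone=ZONE):
    """RFC 8659 s.3: the first non-empty CAA RRset found walking up the tree."""
    for candidate in _ancestors(name):
        rrset = zone.get(candidate, [])
        if rrset:
            return rrset
    return []


def issuance_allowed(name, ca_domain, wildcard=False, zone=ZONE):
    """True if ca_domain may issue for name (wildcard=True for *.name).

    No CAA records at all means any CA may issue, which is the pre-CAA
    default and the situation the post describes for GitHub at the time."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True
    known = {"issue", "issuewild", "iodef"}
    # An unrecognised tag marked critical forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag not in known for r in rrset):
        return False
    relevant = [r for r in rrset if r.tag == ("issuewild" if wildcard else "issue")]
    if wildcard and not relevant:
        # No issuewild records: the issue records govern wildcards too.
        relevant = [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True  # only iodef etc. present: no issuance restriction
    # Value is "<ca-domain>[; param=value ...]"; ";" alone authorises nobody.
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    allowed.discard("")
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for req in [("www.example.com", "letsencrypt.org", False),
                ("www.example.com", "wosign.com", False),
                ("api.example.com", "letsencrypt.org", False),
                ("example.com", "letsencrypt.org", True),
                ("nocaa.example.org", "anyca.example", False)]:
        print(req, "->", "issue" if issuance_allowed(*req) else "refuse")
```

The `api.example.com.` entry shows that the closest record set wins, so a subdomain can authorise a different CA than its parent; the empty `nocaa.example.org.` entry shows the failure mode the post points at: with no CAA published anywhere in the tree, every CA is allowed to issue and the only remaining safeguard is the CA’s own domain validation.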

The second disturbing fact is that StartSSL failed (or decided not) to inform its customers properly. Worse, it continues to sell its Class 1 certificates even though they are now basically useless. That’s not the kind of commercial decision that will help restore trust in the Israeli company, even if WoSign has defined a remediation plan aiming at giving more autonomy to StartSSL (see below).

Customers who had paid for the Enterprise Validation have lost their money and are now using certificates that browsers block. The only cheap and rapid solution to restore access to their website (while keeping SSL/TLS active) is likely to switch to free Let’s Encrypt certificates.

I don’t know what the future is, but I wouldn’t recommend StartSSL to anyone anymore and I doubt any security-aware person would. That’s not a good indicator for a bright future.

References:

Your security maturity is low? Are you using your people the best way you can?

One famous saying attributed to Steve Jobs is: “it doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.”

It makes sense, and security is no exception. How often do I see companies struggling to improve their level of security by hiring external consultants while they have very talented and smart people capable of solving most of the issues… if you let them do it.

It might seem exaggerated, but it is not so far from reality. Your people may not have all the answers, but they likely have solutions to the vast majority of your issues.

During many audits (or due diligence or gap assessments), I interviewed managers and employees in order to get an idea of what works and what doesn’t in a company. Obviously, we check the incidents, the KPIs, the financial losses and all the possible indicators, but it’s the discussion with the people performing the jobs that gives you the best insights. Rapidly, we can get a sense of where there is a bottleneck, a gap or an issue to fix. That’s normal; it is what we expect from external consultants. But what is often more surprising is that the same people are aware of the issues and most of the time have lots of ideas to fix them. It makes sense, as they are sometimes the people suffering the most from these issues.

So, why are the issues still present? There are many possibilities. One of the most common is the belief that the boss is always right (you know, rule #1). Hence, he likely knows how to fix the problem, so there is no reason to bother him with our stupid solutions. It creates blind spots. That’s probably why the space shuttle Columbia ended up in ashes (see http://www.space.com/19476-space-shuttle-columbia-disaster-oversight.html).

Another possible reason is the difficulty people at the lower levels of the pyramid have in speaking the highest level’s lingo. Senior executives rarely want to get their hands dirty or to get involved in technical details or business process considerations. A few years ago I saw a CIO meeting all the people in his IT department (hundreds of people). Each meeting with a team gave him multiple hints on what was blocking or impacting the efficiency of his teams. And when you do that, it’s easier to get the big picture and take the right decisions.

Another issue is the belief that top management expects only green lights and positive outcomes. “Failure is not an option” is a culture that typically leads to failure. Also, sometimes, teams have opposing objectives; hence, they don’t work together to solve common issues but rather fight each other or continuously pass the hot potato. Not a good way to solve issues either.

Good and efficient security management, like any other corporate governance, requires an appropriate culture, fostering trust, empowerment, responsibility and so on. But these are more than words; they must be applied to be effective. Bringing in external consultants to fix internal issues is not always the best solution to improve your culture: it just sends the message that you don’t trust your team to have the skills to do it.

You might want to try to express your expectations and discuss with everybody (or designate someone to do it) to figure out the best way to improve the situation. And if they need resources (which is likely the case), then maybe hire (external) people to reduce their current workload so they can start working on the changes.


Last tip: check your workforce’s skills… there are sometimes people in your company who are doing work for which they are over-qualified and who could do jobs that would really provide you more added value. Don’t look too far for your glasses; they might be on your nose.

Think about it.