Showing posts from May, 2015

SSL verification does NOT prevent MITM server-to-server attacks

Man-in-the-middle, or MITM, is a specific attack whereby an attacker injects themselves into the communication stream between a recipient of a message and the sender of that message. The most common example on the Internet is between a web browser and a web server. I am not disputing the necessity of verification in that example despite being nearly impossible to detect (e.g. generation/issuance of rogue but legitimate-looking certs to law enforcement). Last-hop MITM defense is an essential component of SSL security even though it is nearly impossible to detect rogue certs. However, server-to-server MITM defense is far more dubious. Let's suppose I am an attacker for a moment and I find a way to inject myself between two servers in your web application (e.g. web server and database server). What is my behavior? Dumb attackers will simply take the low-brow approach and try to access the communication stream in a continual fashion, which seems to be the use-case that's b

Portable Apps on a very fresh Windows installation is a bit buggy

I recently reinstalled Windows. Portable Apps shaved off a ton of time during the reinstallation process. It is awesome to return to the DOS days of computing on the modern desktop where each application is self-contained as all applications should be. However, during my reinstall, running the Portable Apps updater at first resulted in the message, "The downloaded copy of ... is not valid and can not be installed. This could be due to an incomplete download or other network issue. Please try running the updater again when complete." Re-running the updater resulted in the same message. There's something about repeating the same thing again and sanity that could be said here. I eventually resolved the problem after I realized that I hadn't run Internet Explorer before. So I ran IE for the first time, got through all of the dialog boxes and then shut IE down. After that, the Portable Apps updater worked great. I've always half-figured that IWebBrowser2 w