Threat Level: green Handler on Duty: Rick Wanner

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Let's Encrypt!

Published: 2015-02-27
Last Updated: 2015-02-28 03:34:04 UTC
by Rick Wanner (Version: 1)
0 comment(s)

As I have stated in the past, I am not a fan of all of the incomprehensible warning messages that average users are inundated with, and almost universally fail to understand, and the click-thru culture these dialogs are propagating.

Unfortunately this is not just confined to websites on the Internet. With the increased use of HTTPS for web based management, this issue is increasingly appearing on corporate networks.  Even security appliances from established security companies have this issue.

The issue in most cases is caused by what is called a self-signed certificate. Essentially a certificate not backed up by a recognized certificate authority. The fact is that recognized certificates are not cheap.  For vendors to supply valid certificates for every device they sell would add significant cost to the product and would require the vendor to manage those certificates on all of their machines.

The Internet Security Research Group (ISRG) a public benefit corporation sponsored by the Electronic Frontier Foundation (EFF), Mozilla and other heavy hitters aims to help reduce this problem and cleanup the invalid certificate warning dialogs.

Their project, Let’s Encrypt, aims to provide certificates for free, and automate the deployment and expiry of certificates.  

Essentially, a piece of software is installed on the server which will talk to the Let’s Encrypt certificate authority.  From Let’s Encypt’s website:

“The Let’s Encrypt management software will:

  • Automatically prove to the Let’s Encrypt CA that you control the website
  • Obtain a browser-trusted certificate and set it up on your web server
  • Keep track of when your certificate is going to expire, and automatically renew it
  • Help you revoke the certificate if that ever becomes necessary.”

While there is still some complexity involved it should make it a lot easier, and cheaper, for vendors to deploy legitimate certificates into their products.  I am interested to see how they will stop bad guys from using their certificates for Phishing sites, and what the process will be to report fraudulent use, but I am sure all of that will come.

Currently, it sounds like the Let’s Encrypt certificate authority will start issuing certificates in mid-2015.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: certificate
0 comment(s)

DDOS are way down? Why?

Published: 2015-02-27
Last Updated: 2015-02-27 20:04:44 UTC
by Rick Wanner (Version: 1)
1 comment(s)

I have been tracking DDOS volume and patterns for a few years.  We have seen the attacks move from DNS to NTP, to chargen then on to SSDP and occasionally QOTD.  I think we have a much better understanding of the vulnerabilities which are enabling the successful amplification of DDOS attacks. Small steps have been made, and are continuing to be made, by vendors and ISPs, to reduce the impact of this style of attack.  

What I haven't been able to understand is why since late last year, other than the occasional booter and attacks on Brian Krebs, the incidence and volume of these attacks has dropped off almost completely?

Any ideas?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: DDOS
1 comment(s)
Leonard Nimoy has passed - please be alert for the rounds of Phishing and malware that will inevitably occur!
ISC StormCast for Friday, February 27th 2015 http://isc.sans.edu/podcastdetail.html?id=4375
Diary Archives