When sockstress was first discussed I was rather intrigued and thought about it for a bit, but then I quickly abandoned it… I just had too many other things on my plate. However discussions at SecTOR renewed my interest in exploring how this tool worked. After a bit of googling, I found this page which gives an explanation of what is occurring, although I wasn’t sure if it was correct. It did, however, fit with the ‘TCP/IP Zero Window Size Vulnerability’ in MS09-048.

I decided I would code up the diagram on the Check Point page and see what happened when I tested it. I started writing in python using SOCK_RAW and was ready to send my first packet… or so I’d thought. I forgot to send an appropriate Ethernet header, which meant parsing the packet found garbage instead of a valid packet… and port security on on the switch found an invalid MAC address and quickly disabled the port. Which means no more using the SSLFail.com server for playing with raw sockets.

Anyways, everything is back up and running now.

For now, I just wanted to say thank you to everyone that skipped two amazing talks to sit through ours, it was definitely appreciated.

As for the subject… we don’t really know. In fact we’re a week away from presenting and it’s still up in the air to some extent. From what I’ve heard you can expect Lolcats, interesting information and some survey results. Anyways, if you’re at SecTor and the Nsploit and Ghostnet talks are full (and I suspect they will be, I wanted to see both of them)… we’re the only option you have left — so come and join us!

So there have been some comments about SSLFail not having an SSL version. I’ve fixed this today and you can now access SSLFail via https://www.sslfail.com. The CA is SSLFail so by defaut you’ll get an error (in Firefox the message will read: ‘The certificate is not trusted because the issuer certificate is unknown.’ ). The SSLFail certificate is available for download, should you wish to install it.

Should anyone want a cert signed by SSLFail, I’m more than willing to do so… simply email — treguly (at) sslfail (dot) com.

We could setup a self-signed certificate to allow for encryption, but then you’d have to walk through those annoying “Add An Exception” screens for this site.

The reality of it is that not everyone needs SSL, although I’m sure in saying that even some of my fellow SSLFail.com bloggers will disagree with me.

That being said, if anyone feels we require a SSL cert, let me know… I doubt I’ll shell out the money for one, but maybe a SSL vendor will come along and read this and offer us one free of charge .

Lately there seems to be a lot of SSL discussion, and not just the recently released ‘Rogue CA‘ presentation. There have been speakers at several cons, blog posts, and conversations lately around the subject of SSL.

Marcin and I were discussing some of the recent failures that we’ve seen and that others have mentioned and decided that we needed a place to bring all of these together, to point out that companies are failing at SSL. Marcin suggested mismatched.com, however the domain was already taken and as I typed in random things, I stumbled across the availability of SSLFail.com. It seemed to work well, so I registered it and 24 hours later here we are.

One of my coworkers, Jay, spends a lot of time playing with SSL… both at work and on his own. So naturally when the thought of blogging about SSL came to mind, so did his name. I pinged him and sure enough, he was interested.

So here we are, the three of us (for now). I invite anyone interested in writing here to contact us.

Enjoy,
Tyler.