I have to say, this is interesting and if anyone has any examples of the message (with mail headers) or a valid email link, please share it with me (treguly@thisdomain).

When sockstress was first discussed I was rather intrigued and thought about it for a bit, but then I quickly abandoned it… I just had too many other things on my plate. However discussions at SecTOR renewed my interest in exploring how this tool worked. After a bit of googling, I found this page which gives an explanation of what is occurring, although I wasn’t sure if it was correct. It did, however, fit with the ‘TCP/IP Zero Window Size Vulnerability’ in MS09-048.

I decided I would code up the diagram on the Check Point page and see what happened when I tested it. I started writing in python using SOCK_RAW and was ready to send my first packet… or so I’d thought. I forgot to send an appropriate Ethernet header, which meant parsing the packet found garbage instead of a valid packet… and port security on on the switch found an invalid MAC address and quickly disabled the port. Which means no more using the SSLFail.com server for playing with raw sockets.

Anyways, everything is back up and running now.

For now, I just wanted to say thank you to everyone that skipped two amazing talks to sit through ours, it was definitely appreciated.

As for the subject… we don’t really know. In fact we’re a week away from presenting and it’s still up in the air to some extent. From what I’ve heard you can expect Lolcats, interesting information and some survey results. Anyways, if you’re at SecTor and the Nsploit and Ghostnet talks are full (and I suspect they will be, I wanted to see both of them)… we’re the only option you have left — so come and join us!

Dear Tyler,

Thank you for taking the time to write to us, we appreciate your use of
online customer service.

In your recent email, you have informed us that you would like to know
when we will fix an issue with SSL warnings.

Please accept our apologies for any difficulties that you may have
experienced while using Rogers services. Rogers strives for excellence
in customer service and we’re sorry that we did not meet your
expectations. Be assured that we take your concerns very seriously, and
appreciate the feedback that you have provided and this has been sent to
the appropriate group for their review. If you have any further
questions or requests please let us know.

Thank you for contacting Rogers. For additional information please visit
our website at www.rogers.com. You are a valued customer and we thank
you for your business.

For future email correspondence with respect to this e-mail, please
quote reference number XXXXXXXX

I have recieved no additional communication to let me know if they would be fixing this issue or not. I’m guessing they don’t take their SSL issues to be very serious as the issue still exists.

As a side note, in order to contact Rogers about a “website issue”, I had to provide an account number. The account 12345679 was accepted, but I couldn’t believe I needed an account number in order to contact them about there website. That’s ridiculous.

I realize that you can’t police the internet, but individual countries can police companies that operate within their borders, so let’s start there. We simply need someone to bring it up at the G8 meeting, after all this is much more important than all the discussions on the fictitious issue of global warming. If you require a business permit to operate in a business legally and have to pay taxes and abide by laws, subject the companies to additional regulations related to tricking the customer on the web, or not following best practices. It’s that simple.

I’m sure people will argue that it’s impossible to police the internet, which is why you stick to this per country basis. There will always be malicious sites that dupe the user… that’s unavoidable but in the countries that can do something… do it. Punish these businesses for malicious actions. Take the example that started this post, slap aferry.co.uk with a $10,000 fine. See if they bypass buying that $10 SSL cert again.

I always had two pet peeves about a number of the websites I frequent. First, they frequently required me to whitelist them on NoScript, which I wasn’t a fan of and second, the SSL versions of the sites often gave large Mixed-Content warnings. These warnings are annoying, distracting and honestly disruptive to the user experience. I’ll be the first to admit to that. It seems that some browsers listened to these complaints. I just recently remembered when visiting my personal blog that these warnings no longer exist when using Firefox. Sure if you look in the bottom corner there’s a little red exclamation mark over the lock but it doesn’t contain the full screen warning that a Domain Mismatch or Self Signed Cert cause.

ComputerDefense.org via HTTPS

See it there, next to Fiddler: Disabled… a little time red exclamation mark. That’s all the warning you get. So what do other browsers do? Well, Chrome gives you a slightly bigger, yellow-ish exclamation mark in the address bar, yet it still allows the content to load. IE on the other hand brings up a pop-up (pictured below) prompting the user if they want to load the insecure data or not. It’s not as vocal as it could be, but it’s better than nothing.

IE Pop-up for Mixed-Content

So why am I blogging about this? After all I said they were annoying and distracting and it seems that the browser vendors are removing them. That’s a good thing… isn’t it? Nope, definitely not a good thing.

Let’s think about some of the pages that throw large, screaming, in-your-face type errors. Let’s take two examples, Self Signed Cert and Domain Mismatch. Now remember that the aim of SSL is two-fold. One is to provide verification of the source of the data, the other is to provide encryption.

Does a Self-Signed Cert provide encryption? Yes.
Does a Certificate with a Domain Mismatch provide encryption? Yes.
Does a site with Mixed-Content provide encryption? Partially.

Does a Self Signed Cert provide site verification? No.
Does a Certificate with a Domain Mismatch provide site verification? No.
Does a site with Mixed-Content provide site verification? Partially.

So Yes + No = In-Your-Face Error
Yet, Partially + Partially = Tiny Little Error in the Corner

I would say that Mixed-Content is more dangerous than both a Self-Signed Cert and a Domain Mismatch, yet they’ve been treated as more serious issues. I’m don’t understand that logic, and I’m not sure that I ever will.