Posted by Tyler
on October 11, 2009
Site Related /
1 Comment
Anyone who tried to access SSLFail.com late last night or this morning would have noticed that it was down. I apparently caused my own server outage with python. Here’s how it happened.
When sockstress was first discussed I was rather intrigued and thought about it for a bit, but then I quickly abandoned it… I just had too many other things on my plate. However, discussions at SecTOR renewed my interest in exploring how this tool worked. After a bit of googling, I found this page, which gives an explanation of what is occurring, although I wasn’t sure if it was correct. It did, however, fit with the ‘TCP/IP Zero Window Size Vulnerability’ in MS09-048.
I decided I would code up the diagram on the Check Point page and see what happened when I tested it. I started writing in python using SOCK_RAW and was ready to send my first packet… or so I thought. I forgot to send an appropriate Ethernet header, which meant that whatever parsed the packet found garbage instead of a valid frame… and port security on the switch saw an invalid MAC address and quickly disabled the port. Which means no more using the SSLFail.com server for playing with raw sockets.
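To make the failure mode concrete, here is an added illustration (not code from the original post) of what the next hop sees when a bare IPv4 datagram is written to a link-layer raw socket without the 14-byte Ethernet II header in front of it: the first twelve bytes of the IP header get read as destination and source MAC addresses, and a port-security check that only accepts the host's own MAC flags a violation. The MAC addresses, the IPv4/TCP bytes and the `port_security_check` model are all constructed for the example; nothing here sends traffic.

```python
"""Why a datagram written to a raw link-layer socket without an Ethernet
header is parsed as garbage downstream.  Added illustration; the addresses,
sample bytes and the port-security model are constructed for the example."""
import struct

ETH_HDR_LEN = 14          # destination MAC (6) + source MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800

# Constructed sample: a 40-byte IPv4 datagram (20-byte header followed by a
# 20-byte TCP SYN to port 443) using RFC 5737 documentation addresses.
IPV4_DATAGRAM = bytes.fromhex(
    "4500 0028 1234 4000 4006 0000 c000 0201 c633 6402"   # IPv4 header
    "c000 01bb 0000 0000 0000 0000 5002 ffff 0000 0000"   # TCP header
)

# Constructed MACs from the RFC 7042 documentation range 00-00-5E-00-53-xx.
HOST_MAC = "00:00:5e:00:53:01"
GATEWAY_MAC = "00:00:5e:00:53:02"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ethernet_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Prepend the 14-byte Ethernet II header that the first attempt left out."""
    return struct.pack("!6s6sH", mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload


def parse_ethernet(frame: bytes) -> dict:
    """Read the first 14 bytes as an Ethernet II header, as a switch would,
    whether or not they really are one."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "ethertype": ethertype, "payload": frame[ETH_HDR_LEN:]}


def port_security_check(frame: bytes, allowed_src_macs: set) -> tuple:
    """Minimal model of switch port security (constructed): the source MAC must
    be one the port is allowed to learn; anything else is a violation, which on
    the switch in the post meant the port was shut down."""
    hdr = parse_ethernet(frame)
    if hdr["src"] not in allowed_src_macs:
        return (False, f"violation: unexpected source MAC {hdr['src']}, "
                       f"EtherType 0x{hdr['ethertype']:04x}")
    return (True, f"ok: {hdr['src']} -> {hdr['dst']}, EtherType 0x{hdr['ethertype']:04x}")


def looks_like_bare_ipv4(frame: bytes) -> bool:
    """Heuristic for the mistake in the post: the bytes begin with an IPv4
    header (version 4, IHL >= 5, Total Length equal to the bytes on the wire)
    rather than an Ethernet header."""
    if len(frame) < 20:
        return False
    version, ihl = frame[0] >> 4, frame[0] & 0x0F
    total_len = struct.unpack("!H", frame[2:4])[0]
    return version == 4 and ihl >= 5 and total_len == len(frame)


def demo() -> dict:
    """Run the check on the bare datagram and on the properly framed version."""
    allowed = {HOST_MAC}
    bare = port_security_check(IPV4_DATAGRAM, allowed)
    framed = port_security_check(
        ethernet_frame(GATEWAY_MAC, HOST_MAC, ETHERTYPE_IPV4, IPV4_DATAGRAM), allowed)
    return {"bare_ok": bare[0], "bare_reason": bare[1],
            "bare_is_ipv4": looks_like_bare_ipv4(IPV4_DATAGRAM),
            "framed_ok": framed[0], "framed_reason": framed[1]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the bare datagram, the "source MAC" comes out as `40:00:40:06:00:00` (the IP Identification, Flags/Fragment Offset, TTL and Protocol fields) and the EtherType as `0xc000`, neither of which any switch will accept; the same payload behind a real header passes. The `looks_like_bare_ipv4` check is the sort of sanity test worth running on a buffer before handing it to an AF_PACKET socket.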
Anyways, everything is back up and running now.
Tags: SecTor, server fail, sslfail.com
Posted by Tyler
on October 08, 2009
Site Related /
1 Comment
I just wanted to point to an awesome article from Kelly Jackson Higgins on DarkReading. I can call it awesome because it’s about the SSLFail panel at SecTOR and includes quite a bit of the information we shared with attendees, so for anyone not at SecTOR and not wanting to look at the raw data (which is coming soon)… it provides an awesome overview. Mike and I really enjoyed the opportunity to sit down and talk with Kelly, and realized at the end of the call that we had a much better idea of what we were going to discuss on the panel than we did before the interview. So everyone who enjoyed the discussion points on the panel has Kelly to thank for that.
Tags: DarkReading, SecTor, sslfail.com
Posted by Tyler
on September 30, 2009
Site Related /
1 Comment
I’ve been a huge fan of SecTor since the first year it ran and have been fairly vocal about people attending. This year there’s an extra special reason to attend, though: a couple of SSLFail.com bloggers will be doing a panel, and we may even have a special guest join us. You’ll have to attend the talk to find out.
As for the subject… we don’t really know. In fact we’re a week away from presenting and it’s still up in the air to some extent. From what I’ve heard you can expect Lolcats, interesting information and some survey results. Anyways, if you’re at SecTor and the Nsploit and Ghostnet talks are full (and I suspect they will be; I wanted to see both of them)… we’re the only option you have left — so come and join us!
Tags: SecTor, sslfail.com
Posted by Tyler
on February 16, 2009
Site Related /
2 Comments
Update: A lot of people don’t like the idea of people issuing their own CA certs… I saw some humour in an SSLFail CA cert that wasn’t shared. I also see no reason why SSL certs should be as overpriced as they are (that deserves its own blog post), so I won’t pay for one for a blog. So… install the CA cert at your own risk.
So there have been some comments about SSLFail not having an SSL version. I’ve fixed this today and you can now access SSLFail via https://www.sslfail.com. The CA is SSLFail, so by default you’ll get an error (in Firefox the message will read: ‘The certificate is not trusted because the issuer certificate is unknown.’). The SSLFail certificate is available for download, should you wish to install it.
Should anyone want a cert signed by SSLFail, I’m more than willing to do so… simply email — treguly (at) sslfail (dot) com.
Tags: sslfail.com
Posted by Tyler
on January 27, 2009
Site Related /
5 Comments
We just received a link to our own site. It would appear that someone was looking and discovered that we don’t have an SSL-enabled site. This is very true, but we’re not a large company with tons of visitors (in fact we’re still at less than 1000 unique visitors) and we’re not asking you for your passwords or allowing you to do online banking (however, feel free to email me your online banking information).
We could set up a self-signed certificate to allow for encryption, but then you’d have to walk through those annoying “Add An Exception” screens for this site.
The reality of it is that not everyone needs SSL, although I’m sure in saying that even some of my fellow SSLFail.com bloggers will disagree with me.
That being said, if anyone feels we require an SSL cert, let me know… I doubt I’ll shell out the money for one, but maybe an SSL vendor will come along and read this and offer us one free of charge.
Tags: sslfail.com