
Links for 2015-12-22

  • Amazon EC2 Container Registry

    hooray, Docker registry here at last

    (tags: ecs docker registry ops containers aws)

  • How to inspect SSL/TLS traffic with Wireshark 2

    turns out it’s easy enough — Mozilla standardised a debugging SSL session-key logging file format which Wireshark and Chrome support

    (tags: chrome ssl browser firefox wireshark debugging tls)
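    Worked example (added here; not code from the linked post, Mozilla, Chrome or Wireshark): the key-log file is plain text, one secret per line, `CLIENT_RANDOM <32-byte client random, hex> <48-byte master secret, hex>` for TLS 1.2 sessions (older lines use an `RSA` label keyed on the first 8 bytes of the encrypted premaster). Wireshark ties each line to a session by the random in the ClientHello, which goes over the wire in the clear. The script below parses a constructed key log and a minimal constructed ClientHello record and performs that lookup in Python, independent of Wireshark's own dissector. Every byte of sample data is made up.

```python
"""Match NSS-format key-log lines to a TLS ClientHello by client random.
Added example with constructed data; not a real capture or key log."""

CLIENT_RANDOM = bytes(range(0x20, 0x40))      # constructed 32-byte client random
MASTER_SECRET = bytes(range(48))              # constructed 48-byte TLS 1.2 master secret
OTHER_RANDOM = bytes([0xAA]) * 32             # a second, unrelated session

# Constructed key log in the format Firefox/Chrome write to $SSLKEYLOGFILE.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + OTHER_RANDOM.hex() + " " + (bytes([0x11]) * 48).hex(),
    "CLIENT_RANDOM " + CLIENT_RANDOM.hex() + " " + MASTER_SECRET.hex(),
    "",
])


def parse_keylog(text):
    """Return {(label, identifier bytes): secret bytes} for every non-comment line."""
    secrets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("line %d: expected 'LABEL <hex> <hex>'" % lineno)
        label, ident, secret = parts
        ident_b, secret_b = bytes.fromhex(ident), bytes.fromhex(secret)
        if label == "CLIENT_RANDOM" and (len(ident_b) != 32 or len(secret_b) != 48):
            raise ValueError("line %d: CLIENT_RANDOM needs a 32-byte random and 48-byte secret" % lineno)
        secrets[(label, ident_b)] = secret_b
    return secrets


def build_client_hello(client_random):
    """Minimal TLS 1.2 ClientHello inside a handshake record (constructed, no extensions)."""
    body = (b"\x03\x03" + client_random + b"\x00"   # client_version, random, empty session_id
            + b"\x00\x02\xc0\x2f"                   # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def client_random_from_record(record):
    """Pull the 32-byte random out of a ClientHello handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 2 + 32:
        raise ValueError("ClientHello too short")
    return body[2:34]


def lookup_master_secret(secrets, record):
    """What Wireshark does per session: key the log on the cleartext ClientHello random."""
    return secrets.get(("CLIENT_RANDOM", client_random_from_record(record)))
```

    To get a real log, launch Firefox or Chrome with `SSLKEYLOGFILE=/path/to/keys.log` set in the environment, capture, then point Wireshark at the file (Wireshark 2.x: Preferences > Protocols > SSL > "(Pre)-Master-Secret log filename", preference `ssl.keylog_file`; renamed `tls.keylog_file` in 3.x). Treat that file like a private key: whoever holds it can decrypt the same sessions, so delete it and unset the variable when you are done.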

  • ImperialViolet – Juniper: recording some Twitter conversations

    Adam Langley on the Juniper VPN-snooping security hole:

    … if it wasn’t the NSA who did this, we have a case where a US government backdoor effort (Dual-EC) laid the groundwork for someone else to attack US interests. Certainly this attack would be a lot easier given the presence of a backdoor-friendly RNG already in place. And I’ve not even discussed the SSH backdoor. […]

    (tags: primes ecc security juniper holes exploits dual-ec-drbg vpn networking crypto prngs)

  • Excellent post from Matthew Green on the Juniper backdoor

    For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA’s Dual_EC_DRBG algorithm. At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it’s important to note that the attacker made no major code changes to the encryption mechanism — they only changed parameters. This means that the systems were potentially vulnerable to other parties, even beforehand. Worse, the nature of this vulnerability is particularly insidious and generally messed up. […]

    The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.

    One of the most serious concerns we raise during [anti-law-enforcement-backdoor] meetings is the possibility that encryption backdoors could be subverted. Specifically, that a back door intended for law enforcement could somehow become a backdoor for people who we don’t trust to read our messages. Normally when we talk about this, we’re concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that.

    The problem with cryptographic backdoors is not that they’re the only way that an attacker can break into our cryptographic systems. It’s merely that they’re one of the best. They take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes.
    (via Tony Finch)

    (tags: via:fanf crypto backdoors politics juniper dual-ec-drbg netscreen vpn)
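    Added example (not Juniper’s, NIST’s, or either author’s code) of the mechanism both the Langley and Green posts above describe: the "parameters" in Dual EC are two curve points P and Q, and whoever picked Q so that P = d*Q for a d they know can turn the generator’s output back into its next internal state. The toy below runs the Dual EC recurrence (state s; r = x(s*P); output = truncated x(r*Q); next state = x(r*P)) on a tiny constructed curve over F_4099 emitting 10-bit outputs, instead of P-256 with the top 16 bits dropped; the curve, seed and trapdoor d are all made up for illustration. The attacker, given a few consecutive outputs and d, brute-forces the dropped bits, lifts x back to a point R, computes d*R = r*P, and from then on predicts every output. Swapping in your own Q is precisely a change of constants with no change to the code path, which is why Green’s "they only changed parameters" is the whole story.

```python
"""Toy Dual EC DRBG with a parameter-only backdoor. Added example: curve, prime, bit
widths, seed and trapdoor are constructed, not Dual EC's real P-256 constants and not
Juniper's code; only the recurrence (r = x(sP); out = x(rQ) truncated; s' = x(rP)) is Dual EC's."""
from math import gcd

p, a, b = 4099, 2, 3      # toy curve y^2 = x^3 + 2x + 3 over F_4099 (p = 3 mod 4, easy sqrt)
OUT_BITS = 10             # emit the low 10 bits of x; real Dual EC drops the top 16 of 256
MASK = (1 << OUT_BITS) - 1

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, -1, p) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def lift_x(x):
    """A curve point with x-coordinate x, or None if there is none."""
    rhs = (x ** 3 + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None

def xcoord(pt):
    if pt is None:
        raise ValueError("point at infinity")
    return pt[0]

def order(P):
    """Order of P by brute force (fine on a toy curve)."""
    n, R = 1, P
    while R is not None:
        R, n = add(R, P), n + 1
    return n

def find_generator(min_order=1000):
    return next(P for P in map(lift_x, range(1, p)) if P and order(P) >= min_order)

def backdoored_Q(P, n, d):
    """Q = d^-1 * P, so P = d*Q. Q alone looks like any other point; d is the backdoor."""
    return mul(pow(d, -1, n), P)

def dual_ec_step(s, P, Q):
    """One iteration: returns (next_state, truncated_output)."""
    r = xcoord(mul(s, P))
    return xcoord(mul(r, P)), xcoord(mul(r, Q)) & MASK

def generate(seed, P, Q, count):
    outs, s = [], seed
    for _ in range(count):
        s, t = dual_ec_step(s, P, Q)
        outs.append(t)
    return outs

def predict_next(observed, P, Q, d):
    """Attacker holding d: guess the dropped bits of observed[0], lift x to a point R
    (R or -R, same answer), then d*R = d*r*Q = r*P has the next state as its x.
    The remaining observed outputs confirm the guess; return the output after them."""
    for hi in range(1 << (p.bit_length() - OUT_BITS)):
        x = (hi << OUT_BITS) | observed[0]
        if x >= p:
            break
        R = lift_x(x)
        if R is None:
            continue
        try:
            s = xcoord(mul(d, R))
            for want in observed[1:]:
                s, t = dual_ec_step(s, P, Q)
                if t != want:
                    break
            else:
                return dual_ec_step(s, P, Q)[1]
        except ValueError:      # a wrong guess may hit infinity; discard it
            continue
    return None

def demo(seed=777, d_start=1000):
    """Honest user draws 4 outputs; the attacker sees 3 and names the 4th."""
    P = find_generator()
    n = order(P)
    d = next(k for k in range(d_start, d_start + n) if gcd(k, n) == 1)   # attacker's trapdoor
    Q = backdoored_Q(P, n, d)
    assert mul(d, Q) == P            # the whole backdoor, as one equation
    for s0 in range(seed, seed + 50):   # the toy raises on a measure-zero degenerate step: retry
        try:
            outs = generate(s0, P, Q, 4)
        except ValueError:
            continue
        return outs[3], predict_next(outs[:3], P, Q, d)
    raise RuntimeError("every seed hit a degenerate step")
```

    `demo()` returns the honest fourth output and the attacker’s prediction of it; they agree. Nothing in `dual_ec_step` changes between an honest Q and a trapdoored one, and without d the relation between P and Q is a discrete-log problem, which is why a reviewer reading the code sees nothing and only the party that chose the constant can read the traffic.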

  • 2016 Wish List for AWS?

    good thread of AWS’ shortcomings — so many services still don’t handle VPC for instance

    (tags: vpc aws ec2 ops wishlist)