08-21-2011, 04:04 PM
Bear Bottoms
OpenLeaks doesn't know how SSL works

http://www.hboeck.de/archives/786-Op...e-things-with-SSL.html

OpenLeaks is a planned platform like WikiLeaks, founded by ex-WikiLeaks
member Daniel Domscheit-Berg. It was announced a while back and a beta
is currently presented in cooperation with the newspaper taz during the
Chaos Communication Camp (where I am right now).

I had a short look and found some things noteworthy:
The page is SSL-only; any connection attempt with HTTP will be forwarded
to HTTPS. When I opened the page in Firefox, I got a message that the
certificate is not valid. That's obviously bad, although most people
probably won't see this message.

What is wrong here is that an intermediate certificate is missing - we
have a so-called transvalid certificate (the term "transvalid" has been
used for it by the EFF SSL Observatory project). Firefox includes the root
certificate from Go Daddy, but the certificate is signed by another
certificate which itself is signed by the root certificate. To make this
work, one has to ship the so-called intermediate certificate when opening
an SSL connection.

The reason why most people won't see this warning and why it probably
went unnoticed is that browsers remember intermediate certificates. If
someone ever was on a webpage which uses the Go Daddy intermediate
certificate, he won't see this warning. I saw it because I usually don't
use Firefox and it had a rather fresh configuration.

There was another thing that bothered me: On top of the page, there's a
line "Before submitting anything verify that the fingerprints of the SSL
certificate match!" followed by a SHA-1 certificate fingerprint. Besides
the fact that it's English on a German page, this is a rather ridiculous
suggestion. Checking a fingerprint of an SSL connection against one you
got through exactly that SSL connection is bogus. Checking a certificate
fingerprint doesn't make any sense if you got it through a connection that
was secured with that certificate. If checking a fingerprint should make
sense, it has to come through a different channel. Besides that, nowhere is
it explained how a user should do that and what a fingerprint is at all. I
doubt that this is of any help for the audience targeted by a
whistleblower platform - it will probably only confuse people.

Both issues give me the impression that the people who designed OpenLeaks
don't really know how SSL works - and that's not a good sign.

--
Bear Bottoms, security consultant
http://bearware.info
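
The missing-intermediate ("transvalid") situation described in the post can be reproduced offline. This is an added example, not part of the original post or of OpenLeaks' setup. It assumes the `openssl` command-line tool is installed; the certificate names, file names and the helper functions `make_chain`, `verifies` and `classify` are constructed for illustration.

```shell
#!/bin/sh
# Constructed three-tier PKI (root -> intermediate -> leaf); every name is made up.

make_chain() {  # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    for n in root inter leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" 2>/dev/null
        openssl req -new -key "$d/$n.key" -subj "/CN=constructed-$n" -out "$d/$n.csr" 2>/dev/null
    done
    # The root is self-signed; it is the only certificate the client trusts.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # The root signs the intermediate, and the intermediate signs the leaf.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# $1 = trusted root, $2 = leaf, $3 = optional file of intermediates available to the client
verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
    fi
}

# $1 = working directory, $2 = intermediates the server sends ("" = leaf only)
classify() {
    if verifies "$1/root.pem" "$1/leaf.pem" "$2"; then
        echo valid        # chain builds from what the server sent
    elif verifies "$1/root.pem" "$1/leaf.pem" "$1/inter.pem"; then
        echo transvalid   # builds only if the client already holds the intermediate
    else
        echo invalid
    fi
}

demo=$(mktemp -d)
make_chain "$demo"
echo "server sends leaf only:           $(classify "$demo" "")"
echo "server sends leaf + intermediate: $(classify "$demo" "$demo/inter.pem")"
rm -rf "$demo"
```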
