Congrats!

These instructions work for Ubuntu 8.10 on my hardware.  My card reader is built into a USB Dell Keyboard.  It takes only a couple of steps to enable it for use in Firefox.

1. Install libccid (which requires pcscd as a dependency)
2. Install coolkey
3. Tell Firefox to use coolkey’s pkcs11 library
4. Profit!

To cover these steps in more detail:

1. Install libccid and pcscd.  (`apt-get install libccid`) libccid and pcscd are the hardware drivers for USB cardreaders and smartcard support libraries for Ubuntu.  With these alone installed, the ‘light’ on the smart card reader should illuminate, showing that it recognizes that a card is inserted.
2. Install RedHat’s PKCS11 SmartCard library coolkey (`apt-get install coolkey`).  This provides a PKCS11 compliant interface between smartcards and applications that support PKCS11 certificates, such as Firefox/Thunderbird.
3. Tell Firefox to utilize the coolkey PKCS11 library:
   1. In Firefox, go to Edit -> Preferences -> Advanced -> Security Devices and click ‘Load’.
   2. In the Module Name field, type “DoD CAC“
   3. In the Module Filename field type or select “/usr/lib/pkcs11/libcoolkeypk11.so”
      
   4. Select ‘OK’, and confirm that you would like to install the module.
      
   5. Click ‘OK’ to acknowledge that the module has been loaded.  If you receive an error that the module could not be loaded, exit and restart Firefox, and make sure your card reader light was on.
      
   6. This returns you to the Security Devices dialog.  Click ‘LOGIN’ in the upper right corner, and enter your CAC PIN.  And that’s it!
      
      
4. Now that you’ve got the CAC enabled and recognized in Firefox, you can login to sites requiring it.  A dialog box prompts you to select the proper certificate and enter your PIN each time.  That’s all there is to it!

After the recent Apple update, which included ’security fixes’ for Safari, Little Snitch popped up a warning message when I attempted to visit my banks website.  A process called ocspd wanted to visit “EVSecure-ocsp.verisign.com”.  Needless to say, I was instantly curious as to what in the world ocspd was, and why it was trying to talk to Verisign when I was visiting my banks webpage.

It turns out, ocspd is part of Apples new ’safe surfing’ update to Safari.  Online Certificate Status Protocol (OCSP) is the functional replacement for the old school PKI Certificate Revocation List (CRL).  It allows the Certificate Authority (CA) (in this case, Verisign) who signed the websites certificate, to authenticate the presented certificate in real time.  This is a much more ‘elegant’ solution than the old, crummy CRL, which had to be manually updated (or pushed down with OS patches, etc) and did not allow certificates to be rejected in anywhere near realtime if they were deemed fradulent.

Despite being a more elegant solution, it also creates a number of new problems.  

First, it places a big new load CAs, who went from being trusted certificate issuers to being real time certificate verifiers.

Secondly (and more importantly), it seriously breaches the privacy of every user using the service.

By requesting verification of every SSL certificate, the signing CAs now receive notification (and potentially tracking identification) every[1] time someone browses to a site utilizing an SSL certificate signed by that CA.  If that’s not bad enough, at least for Verisign, the server name is POSTed via plaintext HTTP!  Your formerly encrypted, secure connection to the remote server is now compromised by a plaintext referral to a 3rd party, who also gets to track your visits.

The entire contents of the SSL session isn’t posted, only the name of the site you attempting to access, but even that would have normally been encrypted, and most definitely not available to 3rd parties.  

So, Safari, by default, will now violate it’s users privacy in an attempt to prevent stupid users from mistaking an SSL certificate for being invalid.

Luckily, Firefox 3 (all versions of FF support OCSP, v3 turns it on by default), Opera and IE7 (only on Vista) do the exact same thing!  With IE and Firefox, however, the ocsp provider is apparently in-process to the browser, so it didn’t flag on firewalls and app monitors like Little Snitch.

On FF3 and Safari, it is simple enough to disable – in ‘Security Settings’, simply uncheck the ‘Safe Surfing’ or ‘Fraudulent Site’ protection buttons.  I don’t have Vista or Opera, so I don’t know if it can be disabled there or not.

The protocol doesn’t appear to allow cookies or specific tracking tokens to be exchanges, but IP addresses and the like most definitely are exposed.  I have to wonder what the privacy policy of the CAs is on information like this – there is definitely monetary value in knowing which IPs are hitting which encrypted sites.  I can’t find (after a bit of googling) any real reference to privacy policies or other tracking information policy on the part of any CA.  

[1] Technically, ocspd supports session ‘stapling‘, allowing the server serving the credentials that are being verified to cache a short-duration ’stamp’ from the ocsp responder at the CA, and providing them as a cached object during TLS session negotiation.  This definitely does not negate the need to take a better look at the privacy implications of ocsp in the first place.

PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. This tool can also “scrub” or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.

This tool and accompanying whitepaper can be found over at the labs:
http://www.757labs.com/projects/pdfresurrect

Special thanks goes out to all the hr-geekers, and 757labs. Many were consulted on this and provided suggestions. including Tele, Derez, Remad, Count, Sunpuke. Special thanks to Brent, not really part of the 757 crew, but aided in proofreading the paper. Thanks Guys!

-Matt (enferex)

Well the customer calls me this morning and tells me that all their content is missing, which I quickly confirm to be fairly accurate. I fire back an e-mail saying that the pages must have been deleted through the admin interface because the missing pages have been removed from the database. I then go off to read logfiles with the intent of finding evidence that this customer blew up their own webpage and that it’s not my problem, because that’s how I think. Here’s what I find in my logs:

66.249.73.92 – - [02/May/2008:13:48:47 -0400] “GET /admin/website_pages_delete.php?id=25 HTTP/1.1″ 200 4642 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

66.249.73.92 – - [02/May/2008:13:52:39 -0400] “GET /admin/website_pages_delete.php?id=26 HTTP/1.1″ 200 4760 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

66.249.73.92 – - [02/May/2008:14:10:44 -0400] “GET /admin/website_pages_delete.php?id=42 HTTP/1.1″ 200 4642 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”