Category Archives: Information

General news/information to the CAcert community or about security in general

Learn from each other

Free and/or Open Source projects are about sharing and learning from others as well. An inspiring example is Lydias proposal of a Social Media Guide [1], giving an practical introduction. Have a look at it, read and learn about social media and get inspired for the benefit of CAcert and the Free and/or Open Source Community.

Download:
[1] http://www.lydiapintscher.de/whitepapers/Social_Media_Guide_For_Free_Software_Projects.pdf

quick reboot on Friday

Wytze writes: In order to install a kernel security update on the CAcert webdb server it needs to be rebooted. We are scheduling this reboot to take place on August 21 around 10:00 CEST (08:00 UTC). The expected downtime is around 5 minutes.

Signing server outage [solved]

Friday August 14, 2009 19:15 CEST both the webserver and the signing server suffered from a short power glitch. Due to this power glitch both servers performed a spontaneous reboot. After a reboot both servers will wait for manual input, as a critical server engineer has to enter the decryption-password. The webserver can be managed remotely, this server was operational again Friday at 22:15 CEST.
The signing server cannot be managed remotely. In order to restart the signing server a visit has been made to the hosting center this morning. The signing server is operational again since Saturday Aug 15 10:30 CEST.

No other servers were involved. The signing server will be replaced with new hardware (with a dual power supply) within a few weeks, the new server is currently under test.

Null-stuffing attack on SSL certificates

There is much news lately about the Null-Stuffing attack to SSL presented at BlackHat by Dan Kaminsky, Len Sassaman and Moxie Marlinspike. Quick answer: Our current assessment is that we were “probably not” vulnerable to this particular attack.

Bug: there is a theoretical possibility to create a certificate for example:

myspace.comNULLmy.cheapdomain.com

A CA might check the domain, and end up accepting a POSITIVE on the second part only. Meanwhile, a browser might show the first part, because it is written to stop processing when it sees the NULL . This is because NULLs are special characters that might be interpreted as the end of string, or might not be, and a browser might mistake it one way while a CA another way.

Analysis: At one level this is “just” input validation, and both browsers and CAs should reject immediately. At another level, the code that manages this input is very complicated, because of the way certificates are built. Too many standards, layouts, encodings. Hence the comments by many that this bug is actually indicative of systemic weaknesses in SSL. Technically, implementing SSL properly means this isn’t possible, but the system is so complex that it isn’t easy to rule out these sorts of issues. But, we don’t win anything if we pass the blame onto someone else, because we’ve still got the bug. Basic technical conclusion is that we need to check our inputs carefully, and hope that others do the same.

CAcert. So where are we at? Is CAcert vulnerable? This boils down to whether CAcert can issue a certificate with a NULL stuffed into a domain name. Which is in two parts: adding a domain name to your account, and sending in a request for a certificate (CSR). Investigations are on-going, but here is a status update:

  • Adding domain names is now covered with a quick fix that was patched in Friday.
  • CSRs were already being filtered on NULLs, so someone was alert back in the earlier years!

What is outstanding is checking that the database copy of the domain name is used instead of the CSR, and scanning the database for any NULLs. It’s still not entirely clear if there was a way to sneak a NULL through before that patch in, but it’s covered now. This work is ongoing, and updates will be reported here.

Service Failure of CAcert Email System

The CAcert Email System went down Friday fornoon 31th of July 2009. This problem caused that no emails could be transferred. The systems team works on it to solve the problem.

update:
After a reboot of the server, the Email system is working again. Multiple non-critical services were affected to a more or less extent. The cause was a problem with NFS.

Special General Meeting 20090725

CAcert Inc, the association within the Community, held an SGM or special general meeting on Saturday 21:00 UTC. Which makes it evening in Europe, afternoon in the Americas, and tomorrow morning in Australia.

Between 38 and 42 members were present. 4 business items were duly filed (21 days in advance) and were dealt with in the meeting.

#1, that pending applications for joining the association be accepted was passed with no vote, because all applications had already been dealt with.

#2 is a comprehensive rule change that (among other things) asked to do this:

  • made the status of Assurer the only requirement for membership of the Association,
  • increased the size of the board to 10,
  • rewrote and fixed up lots of other bugs in the rules.

It was voted and achieved 24 AYES against 14 Nayes. As this is a rule change, it required 75% and therefore failed. But, a good showing.

Item #3 was the controversial one. The first resolution said we association members were “disenheartened at the breakdown of working relationship.” It passed with 35 AYES to 5 Nayes. The second resolution said “the committee no longer enjoys the confidence, of the members, and [they] are removed.” It was duly voted and passed with 20 AYEs to 16 Nayes. With that resolution the board was relieved and opened for the next item.

The final business of the day was to elect a new board of 7 seats for an interim period of 4 months, until the next AGM. This was conducted on a person-by-person basis, and the 7 top-voted candidates were chosen:

Name Position
Nick Bebout President
Mark Lipscombe Vice-President
Ernestine Schwob Secretary
Philipp Dunkel Treasurer
Guillaume Romagny Ordinary Member
Andreas Buerki Ordinary Member
Ian Grigg Ordinary Member

This is the new committee of the association, or board. Please note:

  • the committee will adjust the positions somewhat, and
  • this committee is interim only, in place for 4 months. At the AGM, traditionally in November, they will stand down and face re-election.

Postscript: By means of m20090728.1 the committee agreed that Ernestine Schwob is now Treasurer and that Philipp Dunkel is now Secretary. No other changes are envisaged.

CAcert at Webmontag Berlin, Montag, 20. Juli 2009

Am Montag, den 20.7.09 findet in Berlin bei newthinking store, Tucholskystr. 48, Berlin-Mitte
der nächste Webmontag statt. Zu diesem Termin wird es für CAcert einen 10 minütigen Vortragsslot geben.
Arbeitstitel: CAcert – Was ist das? Wer steckt dahinter? Wie geht es weiter?
Anschliessend wird es die Möglichkeit für Assurences geben (Für Assurances bitte einen oder mehrere offizielle Lichtbildausweise mitbringen – Personalausweis, Führerschein, Reisepass).
Weitere Details unter Webmontag Berlin 20.7.09

CAcert Assurer Training Event Berlin-Brandenburg am 9. Juli 2009

CAcert Assurer Training Event Berlin-Brandenburg
——————————————————————————–ATE-Berlin

Es hat sich viel getan im letzten Jahr. Eine ganze Reihe von bisher eher “mündlich überlieferten” Regeln wurden in Policies gegossen. Neue Prozeduren (z.B. die Assurer Challenge) und Verpflichtungen (z.B. in dem CAcert Community Agreement) wurden beschlossen. Die Assurer Training Events wollen versuchen, die ganzen Informationen “unter’s Volk” zu bringen:

– Wovor schützt die CCA jedes CAcert-Community-Mitglied und somit auch dich?
– Kannst du die 5 Statements der “Purpose of Assurance” aufzählen?
– Kannst du auf Anhieb 10 Sicherheitsmerkmale des deutschen Personalausweises aufzählen?
Antworten auf diese und weitere Fragen erhälst du bei den Assurer Training Events (ATE’s).

Der Termin für Berlin steht nun fest.

Berlin-Wilmerdorf,
Donnerstag 09. Juli 2009 in der Zeit von 19:00 bis 21:00 Uhr
Restaurant Prometheus
Schlangenbader Strasse
12345 Berlin-Wilmerdorf
Berlin-Brandenburg, Donnerstag 9. Juni

Anmeldungen erfolgen bitte ausschliesslich über folgende Seite:
Anmeldung ATE-Berlin/Brandenburg

Die Teilnahme der Veranstaltungen ist kostenlos, Spenden werden aber gerne gesehen.

Details zum Veranstaltungsort und Anfahrthinweise findet Ihr im Wiki und
bei mixxt.de, siehe die Links oben.

Das Veranstaltungs-Team freut sich schon auf Eure Teilnahme.

Kontakt: events@cacert.org

CAcert signing server down for a few hours

The CAcert signing server went down at 16:00 UTC 27th June 2009. It is expected that this event is similar as what happened on the 18th of June. So it is expected that the certificate signing will be on service again at 19:00 UTC.

The CAcert signing server is needed to issue signed certificates so this part of the CAcert services is halted now to say about 19:00 UTC.

As this is the second time the hardware went down for unclear reasons, Oophaga will be asked to replace the hardware (the hardware is “dated”). If someone wants to donate a reliable rack PC (hardware requirements are small: today Intel processor, 1-2 Gb mem, today 2 disks of say 200 Gb and usb) that would help.

2009-07-01 Assurance Event und Key Signing Party in Hannover

Was? CAcert Assurance und Signing Party

Die Veranstattung ist öffentlich, jeder kann kommen.

Es findet neben der CAcert Assurance auch eine unorganisierte
PGP/GPG-Keysigning-Party statt.

Wann? 2009-07-01 16:00-18:00 Uhr CEST

Wo? Regionales Rechenzentrum der Universität Hannover (RRZN)
Schloßwender Strasse 5
D-30159 Hannover

Warum? In Hannover findet aufgrund einiger Anfragen aus dem Bereich
der Universität eine Möglichkeit zur Assurance statt.

Das Rechenzentrum der UNI ist so nett und stellt Resourcen
für diesen Zweck zur Verfügung.

Weiter? Direkt im Anschluss findet das monatliche Treffen der LUG Hannover statt.

Assurer werden noch benötigt.

Wenn jemand qualifiziertes spontan einen Vortrag halten kann über Assurance,
Ausweisdokumente, X.509 Zertifikate, etc.: Bitte melden!

Auch soll die eines Standes im Oktober zu den Erstsemester-Tagen (eine Woche)
geplant werden mit abschliessendem Assurance-Event.

Kontakt j.heine@cadnet.de