Certificate Errors due to Facebook Connect

 The first symptom of an issue was the certificate errors message in Internet Explorer. So I investigated and looked at the source of the page and found this line:

<script type="text/javascript" src="https://www.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php"></script>

Since that comes from a non-Geni site, I figured that was the cause. Sure enough, when I visited that address in my browser, I was presented with the more blatant error page:

Security Certificate Problem page in Internet Explorer

 Continuing onward, I was able to see why Internet Explorer was complaining:

Mismatched Address Warning in Internet Explorer

 Sure, enough, when you look at the certificate, you see that it is for www.facebook.com and not www.connect.facebook.com. I proceeded to notify Geni with a workaround and notify Facebook of the problem.

www.facebook.com Certificate

Hopefully, Facebook will fix the issue and Geni will be able to workaround it in the meantime.

Microsoft Security Essentials is still a quality product in my view. It has never caused me trouble. It has never given me a false positive. It has caught malware trying to infect my computer through advertisements on certain websites.

Trusteer Rapport is a suspicious product. In my experience, it causes crashes in the browser on occasion. It installs a file system filter driver that silently blocks some writes causing installation of some software to fail. Blocking the writes can be a good thing, but to do so silently is not appropriate behavior. The software claims to prevent screenshots of a protected browser session from being taken. However, the Problem Steps Recorder in Windows 7 was able to take screenshots of the browser. The general approach that Trusteer makes is flawed. The assume a machine is already infected. However, it the machine is infected, the malware is already in control including having the capability to make Rapport look like it is working when it does not. I do think Rapport has promise if the software is fixed to not prevent installation of legitimate software as a defense in depth measure. However, I currently don’t think the occasional stability issues I experience with it or the installation reliability issues I experience are worth the defenses it puts in place.

A new tool I am using is the LastPass password manager. LastPass allows me to generate random passwords for all the sites that I use. It encrypts these passwords locally using my master password. This gives me the security of multiple passwords with the convenience of one password. I have also purchased a YubiKey that will add a second factor to my master password. LastPass has really thought things out with encryption being done locally and passwords being cached locally. This means that the LastPass server does not know my passwords. It also means that if LastPass goes out of business, I can still access the cached passwords stored locally and export them. They also have some additional functionality in the works to bring the LastPass experience out of the browser and into the entire software environment. I’ll presumably be able to log in to Windows and transparently be authenticated to my LastPass password cache and have access to my passwords in any application. It will make for a nice single sign on experience that is both secure and convenient.

A digital signature ensures that what the recipient receives is what I sent. It also means that I cannot claim that I did not send the message ensuring non-repudiation.

Encryption ensures that only I and the recipient can see the message.

Without e-mail certificate and the encryption and digital signature capabilities they bring, e-mail is about as good as a postcard. Postcards are easy to forge and certainly are not very private. An e-mail certificate is similar to the seal used by a medieval king. He holds the only seal so a letter sealed with it can be reasonable assured to have actually come from the king.

Right now, I am looking mostly at Comodo and Verisign.

Microsoft Security Essentials screenshot

First, I use Microsoft Security Essentials as my antimalware software. It is free software from Microsoft filling both antivirus and antispyware functionalities. The software prevents a very simple user interface. It either displays green showing that you are protected or it display red indicating that you are not protected. Antimalware software such as this are reactive though. They are of little or no good against new threats.

The next tool I have been using lately is LastPass. LastPass provides both an online encrypted store of passwords as well as the ability to generate passwords randomly. With it, I have been able to change several of my online passwords to passwords unique to those sites. Randomly generated passwords are computationally difficult to brute force. Because they are long and have characters other than just letters and numbers whenever possible, it would take a dedicated person over a million years to find the password. The advantage of having a password unique to different sites is that a password that is compromized on one site does not mean that passwords on other sites are compromised.

Another tool is Trusteer Rapport. The Rapport technology integrates into the Web browser to a deep level to prevent malware from capturing the screen, capturing keystrokes, or otherwise interacting with a Rapport-protected site. There are greater protections when the site, usually a financial institution, is affiliated with Rapport.

To help ensure that e-mail from banks and social networks is legitimate, I use the Iconix Truemark service. For companies that have affiliated with Iconix, the service will use and augment such technologies as SPF to mark e-mail that is definitely legitimate.

Another tool I use is a VeriSign Identity Protection security token. I also have a very similar RSA SecurID. These are devices used in two factor authentication. In order to log in to a site like Paypal or E*TRADE, I need to supply both my password and the code one of these devices generates. The code on these devices changes every thirty seconds or so. This means that not only do you have to go through a million years of brute forcing a password, you have to compress that million years into that thirty second window. Otherwise, the password will change on you. Beyond that, let’s say you saw my credentials. They won’t do you any good since the passwords become only useful one time.

E-mail as generally used is more like postcards than letters. Anybody can see what you are sending and receiving in e-mail if they know how. All they need is a tool like Wireshark or Microsoft Network Monitor. These tools are free and easy to use.

What can you do about it? You can use public key cryptography to add an envelope to your e-mail. In the e-mail world, that means using either a variant of PGP or a variant of S/MIME. Those bring to the e-mail world what SSL and TLS brings to the Web world. You don’t use a shopping site online without its electronic envelope, so why use e-mail without its envelope?