Friday, March 25, 2011

Internet Explorer Certificate Security

Once upon a time in a world not too unlike this one, there was an Internet Explorer browser known as 6.0.  It was a nice little browser and had one big security advantage over all of its progeny - it not only looked at the Certificate Revocation List published by each Trusted Root Certification Authority, it also took the step of informing the user if this List could not be contacted.  That's a sane, security-conscious move right there.

Now, in a strange reversal of "Survival of the fittest" (which is a term incorrectly attributed to Charles Darwin), a genetic mutation occurred during the coding of Internet Explorer 7 whereby the CRL is still checked, but if the List cannot be contacted the user is no longer informed and continues on their merry way thinking that everything is good.  This mutated genetic code has then been successfully passed down to MSIE 8 and also on to MSIE 9.  This is not a good thing.

To address this issue, you'll need to make a Registry modification.  This isn't something that only those chosen few can do, but it is something you need to be really careful doing unless you like turning functional computers into smouldering piles of partially molten metal(1).  This Registry modification was originally listed in Microsoft Knowledge Base Article 946323 which has since been removed from the Microsoft KB.

I'm not going to repeat what's already out there in the Intarwebs, so I'll just link to an existing site showing what this Registry modification entails.  Obviously those people running an AD-based network can push this Registry entry out using GPO - Policies or Preferences depending on the version of AD/Server and your organizations policies on these sorts of things.

So, this link is basically a copy of the original (now removed) Microsoft KB article.  It adds the "FEATURE_WARN_ON_SEC_CERT_REV_FAILED" key to the Registry.  This link is to one of the original blog posts in 2007 about this security issue.

With the recent Comodo SSL breach still fresh in our minds, it should be time to ask, again, why this setting is not the default in Microsoft Internet Explorer and also why Microsoft has removed KB 946323 instead of updating it for MSIE 8 and MSIE 9.

(1) OK, your computer won't *physically* melt down, but you definitely need to be careful when editing the Registry as it can result in an unstable on unbootable Windows installation.  If we're talking about a F^HVista box here, making it unbootable may not be a bad thing - especially if this then means you can upgrade it to Windows 7!  :)


The Outspoken Wookie

Thursday, March 17, 2011

Improve iTunes

Obviously, Apple products never crash and never have bugs.  They most definitely never have security vulnerabilities.  Ask Apple fanbois about this and they'll drool on for hours about how *AWESOME* Apple products are.

So, to support this fallacy, Apple products never send bug/crash/error reports back to Apple - they send Apple information from time to time about how they are working and how you use them.

Of course, if you bother looking at what's being sent, it is a huge number of iTunes crash reports.  iTunes is a festering bucket of shit.


The Outspoken Wookie

Migrate From SBS 2008 to SBS 2008 R2 (SBS 2011)

It looks like Microsoft has finally figured out how to migrate from SBS 2008 to SBS 2008 R2 (aka SBS 2011) and has released the migration documentation which can be found at:


The Outspoken Wookie