Category: security

An Introduction to SSL

Now I’m sure we’ve all bought something online or done a bit of internet banking. If you have, you’ve probably noticed that little lock picture in the corner of your browser somewhere. But I wonder how many people know what that little lock signifies. Well, if you’ve ever wondered, then let me explain some of the basics behind SSL and exactly how it works.

To begin with – SSL actually stands for Secure Sockets Layer. It was developed in the mid-90s by a company called Netscape. They owned a popular browser of the time called Navigator, which was actually the first browser to allow secure and safe ecommerce functionality. Up to then it was rather a large drawback that your communications could be spied on with the minimum of fuss. Often it wouldn’t matter, but if you were transmitting a credit or debit card number or some other confidential information – then you were risking a lot.

Netscape were well aware of this and what they designed was a new protocol, that is, a way for two different computers to talk to each other. However this protocol was different – the communication was encrypted in transit so it couldn’t be read by anyone else, making the communication secure and ensuring that whatever information was transmitted was safe. This was especially important due to the distributed design of the internet – your data could pass through hundreds of hops before it reached its destination. Without encryption anyone could just sit on a European, US or UK proxy server and analyse your data.

This works by the owner of the web server obtaining something called a digital certificate from a company known as a Certification Authority, or CA for short. Every certificate is unique and is linked to the company who issued it; this link eventually leads to the Root CA.

Each browser has access to a list of these CAs which are considered safe and secure. When you make a secure connection to a web site that owns a digital certificate, your own browser will look up the chain of command and check the validity of each certificate. If the browser goes all the way back to the Root CA and still doesn’t find the certificate listed, then you’ll get a warning that the certificate is not a trusted one.

Public Key Exchange

When a certificate is not trusted then you won’t know for sure if the information listed (e.g. company name, address etc.) is valid. Trusted Certificate Authorities (CAs) verify all the business and contact information for you. However even if the certificate is not trusted and the contact information unverified, at least the traffic from your browser to the web server is secured.

The next stage after the browser has established the certificate’s trust or you confirm you’re willing to trust it anyway is for the two computers involved to exchange keys.
A ‘Key’ is just a very large number which is related mathematically to another number in a defined way. The way in which these two numbers are chosen is quite complicated; in fact an explanation of the process involved is likely to start something like this –

“Agree on a finite cyclic group G with a generating element g in G.”

Unless you’re very interested in the cryptography behind these calculations, it’s probably best just to consider it ‘magic’!

Each of the computers will create its own set of two keys. Because of the special relationship of these two keys, any data encrypted with one key can only be decrypted by the other key. One key is kept as a secret whilst the second is sent to the other machine. After these keys are exchanged, each of the machines uses its own secret key and the key sent by the other machine to encrypt all data communicated between them. The same process is repeated at the second machine, which will decrypt using the two keys it has.

Remember the keys will only work to decrypt data which has been encrypted with the matching keys. Each machine knows that the message came from the known source and was only intended for this machine. This effectively secures the data and ensures it cannot be intercepted.
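The "finite cyclic group" line quoted above is how descriptions of Diffie-Hellman key agreement typically begin; as an added example (not part of the original post), here is that exchange with both machines' values, using only Python's standard library. The parameters P and G, the function names and the SHA-256 step are assumptions chosen for illustration, and the prime is far too small for real use.

```python
import hashlib
import secrets

# Toy public parameters (assumed for illustration, not from the post):
# P is the Mersenne prime 2**127 - 1; G generates a cyclic subgroup mod P.
P = 2**127 - 1
G = 3

def make_keypair():
    """Return (private, public): a secret exponent and G**private mod P."""
    private = secrets.randbelow(P - 3) + 2   # stays on this machine
    public = pow(G, private, P)              # sent to the other machine
    return private, public

def shared_key(own_private, peer_public):
    """Combine our secret with the peer's public value into a 32-byte key."""
    if not 1 < peer_public < P - 1:          # reject degenerate values
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def run_exchange():
    """Simulate both machines and return the key each one derives."""
    browser_priv, browser_pub = make_keypair()
    server_priv, server_pub = make_keypair()
    # Only browser_pub and server_pub ever cross the network.
    browser_key = shared_key(browser_priv, server_pub)
    server_key = shared_key(server_priv, browser_pub)
    return browser_key, server_key

if __name__ == "__main__":
    browser_key, server_key = run_exchange()
    print("keys match:", browser_key == server_key)
```

The exchange by itself says nothing about who sent the public value; the certificate check described earlier is what ties the server's value to a verified identity.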

Hope that clarifies a little – if it didn’t well I tried !

Further Reading and a recommendation for the UK VPN Access available.

Internet Monitoring – UK Snooping Plans

The UK Government have decided to take some lessons from the likes of China, Iran and Syria and started implementing increased internet surveillance. It often seems to happen that when Governments are having a tough time, they roll out the ‘tough on terrorism’ plans and start telling us how it will catch criminals and keep us safe. After all it sounds good and is easy to implement – even though for the most part it’s completely pointless.

Under these plans, Police, the Government and intelligence agencies will be able to access data on all phone calls, emails and internet usage. They will be able to read through your web mail, Facebook messages, LinkedIn posts, forums and gaming boards – just about anything you do electronically will be accessible to these people.

The Metropolitan Police Commissioner says –

Put simply, the police need access to this information to keep up with the criminals who bring so much harm to victims and our society.

Sigh……

What they will have is data and information on people who are doing nothing wrong. The criminals will be using SSH encryption, VPNs, secure proxies or they will simply just use other people’s Wi-Fi connections. The only criminals you’ll catch by this incredibly intrusive internet snooping are the thick ones who you should have caught anyway.


For instance I’m quite a careful driver however I live in an area where the Police force seems to have one single aim in life to catch people who exceed speed limits by three miles an hour. As such I have quite a few penalty points on my license which I’m not altogether happy with.

However I know several speed-obsessed thrill seekers who drive like they are on the Le Mans racetrack who have absolutely no points at all. Do you know why? It’s because they all have warning systems and radar detector things in their cars. As such the only speeders that get caught are dozy ones like me who occasionally drift over the limit by a tiny amount.

This is the reality – and in this case too there are lots of easy ways to avoid this surveillance.

All this rubbish about a ‘Total War on Crime’ is just an excuse to further erode our privacy and civil liberties.  For example if I use Identity Cloaker then nobody will be able to see anything I do online, my data is encrypted and all the logs will just contain my fake IP address from the Identity Cloaker proxy server that I use. The logs on those are deleted almost instantly so that makes me just about invisible online.

So what’s to stop a terrorist using any one of these security systems ?

Nothing, which is why the British Government will be left spying on ordinary people. That’s going to win the war on crime, isn’t it? Of course if you snoop on enough people for long enough I’m sure you’ll catch some people doing something illegal. But is it worth the cost? Are we really expected to believe that this data won’t be routinely accessed to build profiles of individuals?

At the moment, the police can access this information anyway, however they need a warrant from a judge. Of course a judge isn’t going to issue these on the basis of ad hoc requests and idle snooping – which is exactly the way it should be.

We all know these powers will be abused. Even if the police and intelligence services only exercise these rights in extreme cases (yeah right) – you can be certain that databases will be hacked, logs left on trains or USB sticks dropped in taxis. All the time the criminals will not be remotely worried, as they will be the only ones not being monitored.

Bye, Bye Scroogle – Alternative? We’ll Miss You!

Yep  Scroogle has gone alas,  it had a purpose, it was useful and the owner had an attitude – but at time of writing sadly, there’s no Scroogle alternative.   To be honest it doesn’t come as a big surprise, for the last few weeks it’s been pretty much unusable for a variety of reasons.

A few days ago the owner Daniel Brandt announced  –

“Scroogle.org is gone forever,”

You might think what a drama queen, or perhaps so f**kin what – but it’s kind of a sad day for all of us with a brain.

But first perhaps we should say what Scroogle actually was – and that is simply a proxy for the Google search engine. Instead of all your queries being logged, recorded and monitored in order to build up some sort of creepy online profile of you – Scroogle acted as a man in the middle. It was like a trusted friend who wouldn’t make judgement, wouldn’t log the request for future gains and certainly wouldn’t sell your profile to Tesco to add to their Clubcard profiles (note to US readers – this makes no sense to you).

So if you wanted to search for ‘pornographic pictures of sexy ladies dressed up as members of the Stasi’ , then your East German security fetishes would be strictly private, meaning Google wouldn’t have made a little addition to your online search profile.

Which meant you had a little more privacy; your every internet searching whim was not added to an online profile or buyer’s list held by some bunch of corporate tossers. So for this, to Daniel I say thanks and am very sorry to see him go. Now the end of Scroogle was apparently due to two main reasons:

  • Google throttling Requests
  • Many DDOS attacks on the site.

Now both are equally feasible and apparently both were happening. Scroogle has been around for nearly ten years, which is a long time in Internet years, and Google could have closed it down at any point. They have always limited the number of search requests from a single IP address – so Scroogle would have tripped this many times with only about 6 servers and a limited number of IP addresses. So did the Google guys finally have enough and tighten the screw? I’m not sure, it’s not great publicity for them if they did and the impact on their profits was certainly negligible – but this requires further research!

The other problem which hastened the demise much more quickly was the increasing number of DDOS attacks.  These are just blunt attacks designed to bring servers to their knees,  easily orchestrated either with minimal technical knowledge or a few bucks to spend.  Daniel Brandt apparently was very outspoken and frequently upset people so he’d probably made a lot of enemies.  It’s a sad blow though, again showing that cyber bullies exist on all sides of the divide – the fact is you can use a DDOS attack on any web server in existence.  It’s the lead pipe of the cyber world, if you disagree with someone online you can just pay a few bucks to take out their web site/blog etc.

I don’t know who Daniel upset or why – but the loss of Scroogle is surely an own goal!! Will it ever be reported on mainstream media? Will we see reports on NBC, Fox or the BBC – probably not. I was going to rant further on this issue and put in a selection of secure search engines that still exist but I’ve suddenly discovered a rather full bottle of 10 year old Laphroaig whisky – if you’ve tasted it you know why I can’t concentrate now. Adieu……………

 

PS

Will post up the list of secure search engines in my next post.