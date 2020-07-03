Security and DRM: CAs, Open Source Security Podcast, Reproducible Builds and Cars That Refuse to Work
How you get multiple TLS certificate chains from a server certificate
However, several certificates can have the same keypair and X.509 Subject Name, provided that other attributes differ. One such attribute is the issuer that signed them (including whether this is a self-signed CA root certificate). So the first thing is that having more than one certificate for an issuer is generally required to get multiple chains. If you only have one certificate for each issuer, you can pretty much only build a single chain.
There are three places that these additional certificates for an issuer can come from; they can be sent by the server, they can be built into your certificate store in advance, or they can be cached because you saw them in some other context. The last is especially common with browsers, which often cache intermediate certificates that they see and may use them in preference to the intermediate certificate that a TLS server sends. Other software is generally more static about what it will use. My guess is that we're unlikely to have multiple certificates for a single CA root issuer, at least for modern CAs and modern root certificate sets as used by browsers and so on. This implies that the most likely place to get additional issuer certificates is from intermediate certificates sent by a server.
Josh Bressers: Episode 204 – What Would Apple Do?
Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers.
Security 101: Encryption, Hashing, and Encoding
Encoding is a manner of transforming some data from one representation to another in a manner that can be reversed. This encoding can be used to make data pass through interfaces that restrict byte values (e.g., character sets), or allow data to be printed, or other transformations that allow data to be consumed by another system. Some of the most commonly known encodings include hexadecimal, Base 64, and URL Encoding.
Reversing encoding results in the exact input given (i.e., is lossless), and can be done deterministically and requires no information other than the data itself. Lossless compression can be considered encoding in any format that results in an output that is smaller than the input.
While encoding may make it so that the data is not trivially recognizable by a human, it offers no security properties whatsoever. It does not protect data against unauthorized access, it does not make it difficult to be modified, and it does not hide its meaning.
Base 64 encoding is commonly used to make arbitrary binary data pass through systems only intended to accept ASCII characters. Specifically, it uses 64 characters (hence the name Base 64) to represent data, by encoding each 6 bits of raw data as a single output character. Consequently, the output is approximately 133% of the size of the input. The default character set (as defined in RFC 4648) includes the upper and lower case letters of the English alphabet, the digits 0-9, and + and /. The spec also defines a “URL safe” encoding where the extra characters are - and _.
Reproducible Builds: Reproducible Builds in June 2020
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security.
But whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes.
Software Update Brings Subscription based Functions-on-Demand to BMW Cars
Consumers used to select options like an air conditioner or a satellite navigation system at the time of purchase, but now BMW will have the option to enable or disable some of the features by software depending on whether you pay for a subscription. This obviously does not include critical or safety functions like breaks or airbags, but currently you have to pay a subscription to use active cruise control and adaptive M suspension among others. Car companies will also have to way find to handle second-hand cars, as a new owner may not be able to access all advertised functions without paying extra.
Connected cars will also offer challenges in the future, as potentially your car could refuse to start depending on your social credit score, alcohol/drugs blood level, driving habits, a missed payment on the car loan, etc… Governments may also decide to mandate auto-fining drivers who exceed speed limits, park in the wrong location, and so on.
