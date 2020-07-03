

Security and DRM: CAs, Open Source Security Podcast, Reproducible Builds and Cars That Refuse to Work

Monday 6th of July 2020
Security
  • How you get multiple TLS certificate chains from a server certificate

    However, several certificates can have the same keypair and X.509 Subject Name, provided that other attributes differ. One such attribute is the issuer that signed them (including whether this is a self-signed CA root certificate). So the first thing is that having more than one certificate for an issuer is generally required to get multiple chains. If you only have one certificate for each issuer, you can pretty much only build a single chain.

    There are three places that these additional certificates for an issuer can come from; they can be sent by the server, they can be built into your certificate store in advance, or they can be cached because you saw them in some other context. The last is especially common with browsers, which often cache intermediate certificates that they see and may use them in preference to the intermediate certificate that a TLS server sends. Other software is generally more static about what it will use. My guess is that we're unlikely to have multiple certificates for a single CA root issuer, at least for modern CAs and modern root certificate sets as used by browsers and so on. This implies that the most likely place to get additional issuer certificates is from intermediate certificates sent by a server.
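An added example (editor's code, not from the linked post) that reproduces the situation above with nothing but Go's standard-library crypto/x509: two throwaway roots, one intermediate keypair that both roots have certified under the same Subject name (the cross-signing case), and a leaf issued under that intermediate. All names ("Test Root A", "Test Intermediate", "www.example.test") and keys are made up for the example. With one certificate per issuer the verifier can build exactly one chain; as soon as a second certificate for the intermediate issuer is available, whether the server sent it or a browser had it cached, two chains come back.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// newKey returns a fresh throwaway P-256 key for the test PKI.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl for pub with signerKey. A nil parent means self-signed (a root).
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate is a minimal CA certificate template; serial numbers must differ.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// Hierarchy is the constructed test PKI: two roots, one intermediate keypair
// certified by both of them (same subject, same key, different issuer), one leaf.
type Hierarchy struct {
	RootA, RootB, InterByA, InterByB, Leaf *x509.Certificate
}

func buildHierarchy() Hierarchy {
	rootAKey, rootBKey, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	rootA := issue(caTemplate(1, "Test Root A"), &rootAKey.PublicKey, nil, rootAKey)
	rootB := issue(caTemplate(2, "Test Root B"), &rootBKey.PublicKey, nil, rootBKey)
	// Two certificates for one issuer: identical Subject and public key, signed by
	// different roots. This is what lets a verifier build more than one chain.
	interByA := issue(caTemplate(3, "Test Intermediate"), &interKey.PublicKey, rootA, rootAKey)
	interByB := issue(caTemplate(4, "Test Intermediate"), &interKey.PublicKey, rootB, rootBKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:  []string{"www.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf's Issuer field is "Test Intermediate" whichever cert is used as parent.
	leaf := issue(leafTmpl, &leafKey.PublicKey, interByA, interKey)
	return Hierarchy{rootA, rootB, interByA, interByB, leaf}
}

// BuildChains verifies leaf with the given trust anchors and intermediate pool and
// returns every chain the verifier could construct (leaf first, root last).
func BuildChains(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) ([][]*x509.Certificate, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	return leaf.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: rootPool, Intermediates: interPool})
}

// RootNames lists, sorted, the CommonName of the root each chain ends in.
func RootNames(chains [][]*x509.Certificate) []string {
	var names []string
	for _, c := range chains {
		names = append(names, c[len(c)-1].Subject.CommonName)
	}
	sort.Strings(names)
	return names
}

func main() {
	h := buildHierarchy()
	roots := []*x509.Certificate{h.RootA, h.RootB}
	one, err := BuildChains(h.Leaf, roots, []*x509.Certificate{h.InterByA})
	fmt.Println("one intermediate cert:", len(one), "chain(s)", RootNames(one), err)
	two, err := BuildChains(h.Leaf, roots, []*x509.Certificate{h.InterByA, h.InterByB})
	fmt.Println("two certs for the same issuer:", len(two), "chain(s)", RootNames(two), err)
}
```

The second call stands in for a client that has both intermediate certificates in hand, either because the server sent both or because, as the post says of browsers, it had the second one cached from an earlier connection. Go's Verify returns every buildable chain; which one a given client prefers is that client's own policy, not something the server controls.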

  • Josh Bressers: Episode 204 – What Would Apple Do?

    Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers.

  • Security 101: Encryption, Hashing, and Encoding

    Encoding is a manner of transforming some data from one representation to another in a manner that can be reversed. This encoding can be used to make data pass through interfaces that restrict byte values (e.g., character sets), or allow data to be printed, or other transformations that allow data to be consumed by another system. Some of the most commonly known encodings include hexadecimal, Base 64, and URL Encoding.

    Reversing encoding results in the exact input given (i.e., is lossless), and can be done deterministically and requires no information other than the data itself. Lossless compression can be considered encoding in any format that results in an output that is smaller than the input.

    While encoding may make it so that the data is not trivially recognizable by a human, it offers no security properties whatsoever. It does not protect data against unauthorized access, it does not make it difficult to be modified, and it does not hide its meaning.

    Base 64 encoding is commonly used to make arbitrary binary data pass through systems only intended to accept ASCII characters. Specifically, it uses 64 characters (hence the name Base 64) to represent data, by encoding each 6 bits of raw data as a single output character. Consequently, the output is approximately 133% of the size of the input. The default character set (as defined in RFC 4648) includes the upper and lower case letters of the English alphabet, the digits 0-9, and + and /. The spec also defines a “URL safe” encoding where the extra characters are - and _.
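An added example (editor's code, not from the Security 101 post) that implements the 6-bits-to-one-character mapping by hand in Go for both RFC 4648 alphabets, checks it against the standard library's encoding/base64, and shows the two properties the post makes: the output is 4 characters per 3 input bytes, and decoding needs nothing beyond the public alphabet, so Base 64 offers no confidentiality or integrity. The sample inputs ("Hello, world!" and the bytes FB FF BF) are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// RFC 4648 section 4 (standard) and section 5 (URL- and filename-safe) alphabets;
// they differ only in the last two characters.
const (
	StdAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
	URLAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)

// EncodedLen is the padded output length for n input bytes: 4 characters for
// every 3 bytes, which is where the "about 133%" figure comes from.
func EncodedLen(n int) int { return (n + 2) / 3 * 4 }

// Encode maps every 6 bits of src to one alphabet character. A final group of one
// or two bytes is padded with '=' so the output length is a multiple of 4.
func Encode(src []byte, alphabet string) string {
	out := make([]byte, 0, EncodedLen(len(src)))
	for i := 0; i < len(src); i += 3 {
		var group uint32 // 24-bit group holding up to three input bytes
		n := 0           // number of real bytes in this group
		for j := 0; j < 3; j++ {
			group <<= 8
			if i+j < len(src) {
				group |= uint32(src[i+j])
				n++
			}
		}
		// Four 6-bit slices; n+1 of them carry data, the rest are '=' padding.
		for k := 0; k < 4; k++ {
			if k <= n {
				out = append(out, alphabet[(group>>(18-6*uint(k)))&0x3F])
			} else {
				out = append(out, '=')
			}
		}
	}
	return string(out)
}

// Decode reverses Encode using only the (public) alphabet: no key, no secret.
// It rejects characters outside the alphabet and stops at the first '='.
func Decode(s, alphabet string) ([]byte, error) {
	var out []byte
	var acc uint32 // bits received but not yet emitted
	bits := 0
	for i := 0; i < len(s); i++ {
		if s[i] == '=' {
			break
		}
		idx := strings.IndexByte(alphabet, s[i])
		if idx < 0 {
			return nil, fmt.Errorf("byte %q at offset %d is not in the alphabet", s[i], i)
		}
		acc = acc<<6 | uint32(idx)
		bits += 6
		if bits >= 8 {
			bits -= 8
			out = append(out, byte(acc>>uint(bits)))
			acc &= (1 << uint(bits)) - 1 // keep only the leftover low bits
		}
	}
	return out, nil
}

// RoundTrips reports whether Encode followed by Decode gives back src unchanged,
// i.e. that the transformation is lossless.
func RoundTrips(src []byte, alphabet string) bool {
	dec, err := Decode(Encode(src, alphabet), alphabet)
	return err == nil && bytes.Equal(dec, src)
}

func main() {
	msg := []byte("Hello, world!") // constructed sample input
	fmt.Printf("%q -> %s (stdlib: %s)\n", msg, Encode(msg, StdAlphabet), base64.StdEncoding.EncodeToString(msg))
	fmt.Printf("%d bytes in, %d characters out\n", len(msg), EncodedLen(len(msg)))

	// Bytes whose 6-bit slices land on alphabet positions 62 and 63 show exactly
	// where the standard and URL-safe variants differ.
	edge := []byte{0xFB, 0xFF, 0xBF}
	fmt.Println("standard:", Encode(edge, StdAlphabet), " url-safe:", Encode(edge, URLAlphabet))
	fmt.Println("lossless round trip:", RoundTrips(msg, StdAlphabet) && RoundTrips(edge, URLAlphabet))
}
```

The decoder is the security point in code form: anyone holding the output can recover the input with nothing but the published alphabet, so a Base 64 string in a cookie, a config file or a URL is plaintext as far as an attacker is concerned.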

  • Reproducible Builds: Reproducible Builds in June 2020

    One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security.

    But whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes.

  • Software Update Brings Subscription based Functions-on-Demand to BMW Cars

    Consumers used to select options like an air conditioner or a satellite navigation system at the time of purchase, but now BMW will have the option to enable or disable some of the features by software depending on whether you pay for a subscription. This obviously does not include critical or safety functions like brakes or airbags, but currently you have to pay a subscription to use active cruise control and adaptive M suspension among others. Car companies will also have to find a way to handle second-hand cars, as a new owner may not be able to access all advertised functions without paying extra.

    Connected cars will also offer challenges in the future, as potentially your car could refuse to start depending on your social credit score, alcohol/drugs blood level, driving habits, a missed payment on the car loan, etc… Governments may also decide to mandate auto-fining drivers who exceed speed limits, park in the wrong location, and so on.


