Wednesday, January 16, 2013

Uninstall Java.

(source: codemonkeyx.net)
(coincidentally in a story about getting viruses from Java)

Just as a PSA, if you have Java on your system, you need to either uninstall it, or at the very least, make sure it's disconnected from your web browser. Skip to the bottom for instructions or read on for the full story.

The past six months have shown Java to be the biggest security disaster in personal computing right now. Really, though, we've known this for a while now. A 2010 report by Microsoft showed that having Java was by far the most common reason users got malware on their computers:

(via Ars Technica)

Thursday, January 3, 2013

Fraudulent Google Certificate Issued by TURKTRUST - a CA you can safely delete

Firefox's default list of trusted certificate authorities

I'll point you here for the full story, and add my two cents below.

Sadly I don't have time to get into the rabbit hole of explaining certificates and SSL, so this will have to be directed at those already in the know.

Here's the overview. A root certificate authority, TURKTRUST (yes, they're Turkish), somehow issued two certificates in 2011 that allowed their owners to impersonate any *.google.com site. And I'm here to let you know you can go right ahead and delete TURKTRUST from your browser without worrying you'll ever need it.

This useful bit of information is courtesy of "Nasko" at netsekure.org, who did a survey in 2010 of the most commonly used certificate authorities on the web. This was in order to reduce his attack surface, since we've seen a steady stream of CA (certificate authority) compromises over the years, and if you don't trust a CA in the first place, you can't be fooled by their fraudulent certificates.

His surprising results were that you only need about 25 CAs out of the hundreds that browsers trust by default. His survey queried the top 1 million most popular sites according to Alexa, so you can be pretty sure he didn't miss much of the web.

What's more, I actually implemented his findings, deleting all but those 25 from my own browser. And after several months of (heavy) browsing, I can tell you I've never once run into a problem.
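The survey-then-prune idea described above, as an added example (not code from this post or from netsekure.org): tally which root each surveyed site chains to, pick the roots needed for a target coverage, and list the trusted roots that can go. The site names, root names and trust store are constructed placeholders, and the one-root-per-site model is an assumption that ignores cross-signed chains.

```python
from collections import Counter

# Constructed survey results: (site, root CA that anchored its chain).
OBSERVED = (
    [(f"shop{i}.example", "Root CA 1") for i in range(5)]
    + [(f"mail{i}.example", "Root CA 2") for i in range(3)]
    + [("bank.example", "Root CA 3"), ("wiki.example", "Root CA 4")]
)

# Constructed trust store: roots the browser trusts by default.
TRUST_STORE = {f"Root CA {n}" for n in range(1, 7)}


def tally_roots(observed):
    """Count how many surveyed sites chain to each root."""
    return Counter(root for _site, root in observed)


def roots_to_keep(tally, coverage=1.0):
    """Smallest set of roots whose sites reach the requested coverage.

    Each site maps to exactly one root in this model, so taking roots
    in descending order of site count is optimal.
    """
    total = sum(tally.values())
    keep, covered = [], 0
    for root, count in sorted(tally.items(), key=lambda kv: (-kv[1], kv[0])):
        if total == 0 or covered / total >= coverage:
            break
        keep.append(root)
        covered += count
    return keep


def prune_candidates(trust_store, keep):
    """Trusted roots that are not needed and can be removed or distrusted."""
    return sorted(set(trust_store) - set(keep))


def sites_broken(observed, keep):
    """Surveyed sites that would fail validation with only `keep` trusted."""
    return sorted(site for site, root in observed if root not in set(keep))


if __name__ == "__main__":
    keep = roots_to_keep(tally_roots(OBSERVED), coverage=1.0)
    print("keep:", keep)
    print("remove:", prune_candidates(TRUST_STORE, keep))
```

Lowering `coverage` shrinks the keep list further, and `sites_broken` shows which surveyed sites that trade-off would cost.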

After the jump, my revelations on the bigger picture I learned through this experiment.