Tag Archives: ssl

SSL Certificates

This is the beginning of an article about SSL certificates: what they look like, what they do, and what you should know so as not to be fooled.

The objective is pretty simple: to make it easy for the user’s computer to send information to a site and receive information from it over a closed and secure channel.

Once a few steps are checked, the user can be assured that the data they send to and receive from the site is not going to be intercepted and misused. Most of the work is done by the “to be trusted” site and by one of a handful of third-party groups called Certificate Authorities (CAs).

Now, in the digital cinema business the term certificate authority comes up when speaking of the interchange of data between media server components and projector components. There are credentials (in the form of public and private keys) and encrypted data flying back and forth, all refereed by CAs who follow rules set by a standards group or three.

The same is true in the web space, where keys are exchanged according to strict protocols. The user doesn’t suspect any of this unless and until there is a gross problem. Usually the browser (Firefox, Safari, Chrome) checks certain clues that the sending site presents, and if the browser doesn’t get what it needs for safe browsing it will either refuse to connect or, if it isn’t completely suspicious, tell the user what the problem is and ask for permission to continue.

Of course, absolutes don’t seem to exist…

SSL Certificate Explained – YouTube

https://www.youtube.com/watch?v=SJJmoDZ3il8

On the DCinemaCompliance.net demo site there is a certificate from one of the major CAs, Comodo. They are major enough that Firefox, Chrome and Safari all recognize them. If we got all our friends together to set up a certificate authority we could do so, but the browsers would throw up an error…probably each time. The user would have to grant trust by hand.

(Picture: the cert on the dcinemacompliance.net site.) The picture of a cert as shown on the DCinemaCompliance site might look cool and official, but on its own it means nothing. It should remind you to look at the URL and check one important feature: did the “http:” change to “https:”? A site without that ‘s’ isn’t using a secure connection.

What an https:// url should look like

You will notice that the URL is also colored green. It could also have a green or blue bar behind it, depending on which level of certificate was purchased from the CA. In this case the ‘s’ is showing, which indicates that a secure channel has been set up for the data to pass through. Without the colored bar behind it, the browser is saying that some material on the page may not be completely secure, for example a link or an image loaded from a non-secure site.

One should still be careful that there isn’t any of that famous keystroke-stealing malware on the machine, which can grab whatever data you type in before it ever reaches the secure channel. But that is the background of SSL.

The following two pictures show what happens when clicking the lock on a site with a valid certificate, and then on an identical site incorrectly using that same certificate: the certificate is valid in one place and not in the other, because the name it was issued for does not match the address in the URL. Note that the browser will also get goofy with questions if the certificate cannot be traced back to a widely acknowledged certificate authority. Private certs exist, but your browser will tell you about them and give you a chance to make up your mind about accepting them or not.

A Cert Validates Correctly
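
The checks described above (is the issuer a CA the browser already trusts, is the certificate still within its dates, and does the name on it match the host in the URL) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from the DCinemaCompliance site: certificates are plain Python records with constructed sample values, the “Demo Root CA”, “Demo Intermediate CA” and “Friends CA” names are invented, and signature verification is assumed to have passed so that only chain building, validity and hostname matching are shown. It goes one step beyond the article by also modelling what happens when a browser vendor pulls a CA from its trust store after a break-in.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """A certificate reduced to the fields the checks below look at.

    Constructed stand-in for an X.509 certificate: no real parsing, and the
    signature check is assumed to have passed (the issuer link models it).
    """
    subject: str                      # name the certificate was issued to
    issuer: str                       # CA that signed it
    not_before: date
    not_after: date
    dns_names: Tuple[str, ...] = ()   # subjectAltName DNS entries
    is_ca: bool = False


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the host in the URL.

    A wildcard is accepted only as the whole leftmost label and stands in for
    exactly one label: '*.example.net' covers 'www.example.net' but neither
    'example.net' nor 'a.b.example.net', and '*.net' is never valid.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def build_chain(leaf: Cert, pool: Dict[str, Cert],
                anchors: Dict[str, Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from the leaf up to a trust anchor, or give up."""
    chain, seen, current = [leaf], {leaf.subject}, leaf
    while current.issuer not in anchors:
        parent = pool.get(current.issuer)
        if parent is None or not parent.is_ca or parent.subject in seen:
            return None   # unknown issuer, non-CA signer, or a loop (self-signed)
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    chain.append(anchors[current.issuer])
    return chain


def verify(leaf: Cert, host: str, pool: Dict[str, Cert], anchors: Dict[str, Cert],
           today: date, distrusted: frozenset = frozenset()) -> List[str]:
    """Return the problems a browser would raise; an empty list means padlock."""
    problems = []
    chain = build_chain(leaf, pool, anchors)
    if chain is None:
        problems.append("issuer not in trust store")
        chain = [leaf]
    for cert in chain:
        if not (cert.not_before <= today <= cert.not_after):
            problems.append(f"{cert.subject}: outside validity period")
        if cert.subject in distrusted:
            problems.append(f"{cert.subject}: CA distrusted after compromise")
    names = leaf.dns_names or (leaf.subject,)
    if not any(hostname_matches(n, host) for n in names):
        problems.append(f"name mismatch: cert is for {', '.join(names)}, URL is {host}")
    return problems


# Constructed sample data: a demo root, an intermediate, the site cert, and a
# "we and our friends" CA nobody shipped to the browsers. Not real CA data.
TODAY = date(2012, 2, 15)
ROOT = Cert("Demo Root CA", "Demo Root CA", date(2005, 1, 1), date(2030, 1, 1), is_ca=True)
INTER = Cert("Demo Intermediate CA", "Demo Root CA", date(2010, 1, 1), date(2020, 1, 1), is_ca=True)
SITE = Cert("dcinemacompliance.net", "Demo Intermediate CA", date(2011, 6, 1), date(2013, 6, 1),
            dns_names=("dcinemacompliance.net", "www.dcinemacompliance.net"))
FRIENDS_CA = Cert("Friends CA", "Friends CA", date(2012, 1, 1), date(2022, 1, 1), is_ca=True)
HOMEMADE = Cert("friends.example", "Friends CA", date(2012, 1, 1), date(2013, 1, 1))

ANCHORS = {ROOT.subject: ROOT}                                   # what the browser ships
POOL = {INTER.subject: INTER, FRIENDS_CA.subject: FRIENDS_CA}    # what the server sends


def demo() -> Dict[str, List[str]]:
    """The scenarios from the article, each mapped to the warnings it produces."""
    ok = ("www.dcinemacompliance.net", POOL, ANCHORS, TODAY)
    return {
        "valid": verify(SITE, *ok),
        # the same, valid certificate served from a host it was not issued for
        "wrong_host": verify(SITE, "demo.dcinemacompliance.net", POOL, ANCHORS, TODAY),
        # a CA we set up with our friends: chain is sound, but nobody trusts its root
        "homemade_ca": verify(HOMEMADE, "friends.example", POOL, ANCHORS, TODAY),
        "expired": verify(SITE, "www.dcinemacompliance.net", POOL, ANCHORS, date(2014, 1, 1)),
        # what the browser vendors do after a CA break-in: pull the CA from trust
        "ca_compromised": verify(SITE, *ok, distrusted=frozenset({"Demo Intermediate CA"})),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:15s} {'OK (padlock)' if not problems else '; '.join(problems)}")
```

Run it and the “wrong_host” case is the second picture from the article: nothing about the certificate has changed, only the address it is being served from, and that alone is enough for the browser to withhold the padlock. The “homemade_ca” case is the friends-run CA: the chain is perfectly consistent, but its root is not in the trust store the browser ships with.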


Part II will deal with how this is important to you as a user of the DCinema Compliance Post-Installation.

Certificate Authorities and DCinema

Another has been found to have introduced a man-in-the-middle attack vector, meaning that once a legitimate user opened the door by giving the correct credentials, someone slipped in and assumed the identity of that user with all their rights (usually kicking them off the system, something that should arouse suspicion but which happens so often that it seems normal).

Last week the Big Kahuna of CAs, Verisign, had to admit that they too were hacked into and that data was stolen from their systems. Coming so long after the break-in, and after people got used to the news that smaller sites were hacked (relatively smaller sites…still significant to the system, though), this isn’t getting a lot of play. When Belgian CA GlobalSign was broken into, the hue and cry approached Chicken Little-ish. This week I see articles on Verisign that don’t get any clicks.

Is it that all the tech geniuses at all the dcinema installers and installation and distribution sites double- and triple-checked their firewalls and decided they were nuke free and nuke-proof? Or perhaps we are complacent, feeling that the industry is not like the banking industry, with no immediate link to buckets of spendable cash and no one really focusing on the industry. Or, perhaps more logically, the dcinema industry is just hoping that the entire unbuilt fortress of SMPTE compliance will come together before the jewels that the studios need to protect get too exposed, because – “Hey, we’re pedaling as fast as we can, and see, you wanted all these updates put into legacy equipment with constant patching to the legacy InterOp format…”

For better or worse, there is no universal trusted device list in the industry, most likely due to potential liability issues. This has led to every company and their brother having a separate list, though there is enough interplay that these are presumed to have enough intercourse that if one list is polluted with a rogue ‘signed’ utensil, it would be disseminated throughout the lists. So, the best and the worst of all possible worlds.

Into this comes an RFI from a company (last week) suggesting that they can build a system…

This article is a work in progress. Here are some of the industry articles that provoked the issue:

Who to trust after the VeriSign hack? | IT PRO

VeriSign admits 2010 hack | IT PRO

Trustwave issued a man-in-the-middle certificate – The H Security: News and Features

Break-ins at domain registrar VeriSign in 2010 – The H Security: News and Features

Backdoor in TRENDnet IP cameras – The H Security: News and Features

Certificate fraud: Protection against future “DigiNotars” – The H Security: News and Features

OpenPGP in browsers – The H Security: News and Features

Google researchers propose way out of the SSL dilemma – The H Security: News and Features

Google wants to do away with online certificate checks – The H Security: News and Features

Is the end nigh for Certificate Authorities? | IT PRO

Certificate issuing stopped at KPN after server break-in discovered – The H Security: News and Features

SSL Breaches & Duqu; What is DCinema Interesting

This is not something to panic about. This is just a topic to learn about. We typically attach our common work machines to the same network as the machines that control projectors and ticket systems. The lesson of Stuxnet is that a breach of one is a breach of all. The lesson of the US Department of Defense is that employees must learn the basics of how systems can be infected and how to stop those infections. A simple USB stick allowed an infection that later allowed people in other countries to download secure documents through the US defense department systems.

Now Duqu, which appears to be targeting machine control systems in much more clever ways than Stuxnet and is capable of many future variations. Let’s not forget that Digital Cinema Systems are machine control systems. The nature of the infection is to scatter wildly, then wait for the new slaves to start chattering back, where someone then checks to see what kind of fish has been caught. Then they put a list up on the ‘black hat’ web sites announcing Systems With Access Holes and trade your life for a few hundred dollars.
Here are some of the more recent articles. Make certain that there is someone in your organization who learns to stay on top of these things. Don’t pass it off to an outside group without also having employee training. This is a quality control issue. Put someone in charge.

Good News:

DuquDetector released to forensically detect pest – The H Security: News and Features

Not so good news:

How much similar? Remotely Opening Prison Doors – Schneier on Security

Cyber Intrusion Blamed for Hardware Failure at Water Utility — Krebs on Security

Stolen government certificate signed malware – The H Security: News and Features

Compromised certificates: Revocations alone are insufficient – The H Security: News and Features

Malware Signed With a Governmental Signing Key – F-Secure Weblog : News from the Lab

Old but relevant news:

Autopsy of RSA Attack

More Military Systems Hacked