——————————————————————————————————————-

While there are methods like proxy ARP and IRDP that can help PC clients find their default router, most of us just configure a static route to a single router on each PC because it is easiest. However, by doing that, if that single router goes down, the PC client will be unable to reach other networks (like the Internet).

Virtual Router Redundancy Protocol (VRRP) enables you to set up a group of routers as a default gateway router (VRRP Group) for backup or redundancy purposes. This way, the PC clients can actually point to the IP address of the VRRP virtual router as their default gateway. If one of the master routers in the group goes down, one of the other routers can take over.

Routers can function as master or backup routers and you can actually configure up to 255 virtual routers on a router interface. Of course, there are platform constraints like router memory, for instance. Additionally, VRRP is intended for use with IPv4 routers only.

Is there a version of the IOS that works on your router? Refer to my article, “What is the Cisco IOS Feature Navigator and how can it help you,” to see if your current router IOS offers VRRP or if you need to upgrade your IOS.

Virtual Router Redundancy Protocol in greater detail

Let’s take a closer look at Figure A to understand a little better how VRRP works.

Figure A

Graphic courtesy of Cisco Systems

In this case, because VRRP uses the IP address of the Ethernet interface, Router A has assumed the position of Master or IP address owner (this is configurable). Clients 1-3 are configured with the default gateway IP address of 10.0.0.1 and Routers B and C have become backup virtual routers. If Router A fails, then based on priority (this is also configurable), Router B automatically assumes the Master until Router A becomes available again. One of the main characteristics about VRRP is the router priority. You can set up different priorities for each of your routers, which would enable them to become masters or backup routers to keep your network up and running in case of a hardware or natural failure. This would also help you balance out the work load on your routers.

To configure the priority, use the following command in global configuration mode. In this example, I’ve set Router A with a priority of 300.

RouterA(conf-if)# vrrp 1 priority 300

What’s the difference between VRRP and HSRP?

Does VRRP sound a little like Hot Standby Router Protocol (HSRP)? There are many similarities like load balancing and redundancy, but the greatest difference is that HSRP is a Cisco proprietary method whereas VRRP is an industry standard (based on RFC 2338). Both of these have some minor technical differences but the resulting functionality is the same.

For more information on HSRP, please see the Cisco’s “Configuring IP Services” documentation.

How do you configure VRRP?

Configuring VRRP can happen in a few commands. Here is the basic command syntax:

 vrrp [group] [timers advertise msec] [timers learn] [preempt delay] [priority] [description]

To enable VRRP on an interface, follow these steps in global configuration mode:

Router(config)# interface Fa0/0

Router(config-if)# vrrp (group) ip (ip address of the virtual router)

You would, of course, do this on a minimum of 2 routers (the smallest amount of routers you would want in your VRRP group).

To view the status of your VRRP group, use show vrrp, like this:

Router# show vrrp

Ethernet1/0 - Group 1

State is Master

Virtual IP address is 10.1.1.1

Virtual MAC address is 1234.5678.90ab

Advertisement interval is 3.000 sec

Preemption is enabled

min delay is 0.000 sec

Priority 100

Master Router is 10.1.1.10 (local), priority is 140

Master Advertisement interval is 3.000 sec

Master Down interval is 5.33 sec

Conclusion

Using VRRP with your routers can keep your network up and running by configuring the virtual router redundancy protocol. VRRP can very quickly move all traffic over to a backup router in the event that the master fails. With mission critical applications like VoIP, video, and e-mail — you need to do whatever you can to ensure that your network never goes down.

For more information on VRRP, please see “Cisco Virtual Router Redundancy Protocol.”

David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT Professionals and end users.

——————————————————————————————————————-

In two previous articles “SSL/TLS Certificates: What You Need to Know” and “SSL/TLS Certificates: Perspectives Helps Authentication,” I explained SSL/TLS certificates, why they are important to Internet users, and finally the inherent weaknesses of SSL/TLS certificates. Having spread enough gloom and doom, I’d now like to discuss what many consider the real answer to the privacy and security concerns associated with SSL/TLS.

Existing SSL/TLS certificates

To recap, there are trusted (signed by a certificate authority (CA) and pre-installed on Web browsers) and untrusted (self-signed by Web site and not pre-installed on Web browsers) certificates. The difference being that untrusted certificates require the Internet user to make a decision on whether it’s authentic or not, and that can be a problem.

There’s also a problem with trusted SSL/TLS certificates. The signing CAs aren’t required to use any specific process to authenticate entities that are asking the CAs to sign their SSL/TLS certificates. There are some, like VeriSign or Entrust, that try to be diligent, but it’s not required. Therefore, even malicious entities can get a trusted signing CA to sign a SSL/TLS certificate.

CA/Browser Forum

The signing CAs and Web browser developers decided something needed to be done, as Internet users need assurance that their on-line transactions are indeed private and secure. The result of this concern was the formation of a voluntary organization called Certification Authority Browser Forum (CA/Browser Forum).

Almost immediately, the forum members realized that they, the signing CAs, needed accountability. Therefore, the forum came up with the following requirements. Before a signing CA can join the forum, the CA must have a current and successful WebTrust for CAs audit, ETSI 102042 audit, or ETSI 101456 audit prepared by a qualified third-party source. After passing the audit, the forum allows the signing CA to become a member of the forum and place a seal of assurance on its Web site similar to the one shown below:

This guarantees that the signing CA is abiding by the forum’s requirements. In what I consider a good move, the forum also insists the auditing is ongoing and occurs every six months. I feel it is important to point out this internal process because it’s the starting point of a traceable “chain of trust.” Let’s move on to what the forum is trying to accomplish. The forum’s two main goals are:

• To provide increased security for on-line transactions.
• Come up with an obvious method of displaying the increased security (unlike the existing small lock) on every Web browser.

Created new standard

With that in mind, the CA/Browser Forum developed the Extended Validation (EV) SSL/TLS Certificate standard. The following is the forum’s definition of an EV certificate:

“The Extended Validation (EV) SSL Certificate standard is intended to provide an improved level of authentication of entities that request digital certificates for securing transactions on their Web sites. The next generation of Internet browsers will display EV SSL-secured Web sites in a way that allows visitors to instantly ascertain that a given site is indeed secure and can be trusted. A new vetting format, which all issuing Certification Authorities (CAs) must comply with, ensures a uniform standard for certificate issuance. Consequently, visitors to EV SSL-secured Web sites can trust that the organization that operates the site has undergone and passed the rigorous EV SSL authentication process as defined by the CA/Browser Forum.”

Thorough vetting

The information in the vetting process (per the CA/Browser Forum) is quite thorough, and some of the required components are listed below:

• The business entity must be a legally recognized entity whose formation included the filing of certain forms with the registration agency in its jurisdiction, the issuance or approval by such registration agency of a charter, certificate, or license, and the verification of the business entity’s existence with that registration agency.
• The business entity must have a verifiable physical existence and business presence.
• At least one principal individual associated with the business entity must be identified and validated.
• The identified principal individual must attest to the representations made in the subscriber agreement.
• The business entity and the identified principal individual associated with the business entity must not be located or residing in any country where the CA is prohibited from doing business or where it has no jurisdiction to issue a certificate.
• The business entity and the identified principal individual associated with the business entity must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

One can see that the entity verification process is much more involved now. Heck, what am I saying, there wasn’t a process before, so it’s a huge improvement. The above requirements and questions also apply to private organizations and government entities.

Actual EV certificate

Once an entity supplies the appropriate information and is approved by the signing CA, it receives a signed EV certificate. The requesting entity will then install the EV certificate on its Web server. Thereafter any Internet user requesting the entity’s Web site will know that the site has a valid EV certificate, similar to what’s shown below:

What’s it mean?

Internet users will have a greater level of confidence when visiting Web sites displaying the green URL, just from knowing the Web site is authentic and the SSL/TLS connection secure.

Final thoughts

EV certificates may not be the “end all” answer, but they sure are an improvement over the other two options (trusted and self-signed). I just wish my bank and other important on-line transaction Web sites would start using EV certificates. Hopefully they will in the near future.

——————————————————————————————————————-

Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer for Orange Business Services and an independent wireless consultant with MKassner Net. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

Google Chrome Comic book (Google)

There was plenty of talk about the missing Google Toolbar, and it is more than a little surprising that they didn’t write one as part of the Chrome development process. There is also no current support for third-party plug-ins, but if developers write to the Chrome specifications, it could make for a far more secure environment. The latest addition to the open source community is a massive shot across the bow of various rivals and could open the door to desktop virtualization from Google.

Needed for Chrome: The Google Toolbar (Technologizer)

Google Chrome: A First Look (Real Tech News)

First Look: Is Google’s Chrome a Glimpse of the Future? (Computerworld)

I was thrilled to hear about Google’s new Chrome browser; I have long been a fan of the things that they are doing in the cloud. My experience today was marred only by the lack of a Google Toolbar to fully Chrome out my surfing experience. However, I did find a work-around while I was playing with Firefox and Chrome side by side. You can drag tabs from Firefox to Chrome, so I am using Firefox for the toolbar and Chrome for the surfing. I have thought that the next area of research and development should be desktop virtualization for quite some time, and this project could be a positive step in that direction. Only good things could come out of Google competing with Microsoft in the desktop space. What do you think about Google’s latest move?

The home network of the telecommuter is something that the enterprise network administrator wants no part of, and further, many steps, such as desktop firewalls and VPN policies, are taken to protect company computing equipment for use in untrusted networks.

The issue with the bandwidth limit policy is what to do with a telecommuter that becomes a victim of this policy? If a business line of service is not available, it may be a good idea to prepare some alternatives or contingency services to residential broadband for the telecommuter. While not ideal, the most readily available alternative is to use wireless broadband services from carriers such as Sprint or Verizon. These services may have bandwidth limits as well, and Verizon’s wireless broadband service is limited to 5 GB per month. Sprint, however, presents a more attractive wireless broadband offering for the enterprise.

Organizations need to be aware of this situation, because they may be a victim of this bandwidth limit if it remains in effect or if other providers make similar terms of service changes. You may have to answer this question: Can you ship me a modem cable?

————————————————————————————————————————-

Cables form layer 1 of the network — the physical layer. Properly connecting cables is fundamental to healthy network communication. Faulty connections could interrupt service or cause packets to be dropped. Without a clear understanding of cabling, you won’t be able to troubleshoot or design your LAN or WAN. Additionally, knowledge of cable types is important for certification tests like the Cisco CCNA/CCENT.

Cabling basics for network admins

• Your cable works at layer 1 — Physical of the OSI Model. Also at that layer are the 1’s and 0’s that traverse the cable as an electrical or light signal (depending on what type of cabling you are using).
• Unshielded twisted pair (UTP) copper cable is used for many functions in network cabling: Ethernet, Serial, ISDN, Console, and more.
• While you could put different ends on a UTP cable, typically it will have a RJ45 end with 8 pins.
• With a normal Ethernet cable, the wires run straight through, from one end to the other. Straight-through cables are used to connect a PC to a switch, as in Figure A.

Figure A

Graphic Courtesy of Cisco Systems

• With a crossover cable (Figure B), the source and destination of the UTP wires are crossed. This allows you to use it to connect a PC to PC, switch to switch, or router to router.

Figure B

Graphic Courtesy of Cisco Systems

Now, how is cabling for Cisco routers and switches different?

Cisco console and AUX port cabling

There are a few differences between Cisco cabling and other network device cabling. Two things immediately come to mind:

• Cisco routers, switches, and firewalls use a special “rolled” cable for console and auxiliary port access.
• Cisco offers intelligent serial cabling.

One of the most confusing things to Cisco newcomers is the concept of the console cable. Other SMB and home-networking devices don’t usually have a console port. With those devices, they receive a DHCP IP address and then you can configure them over the network from there. With Cisco devices, there is no IP address on the device, and you must first use the console port and console cable to configure the router, switch, or firewall OOB (out of band).

The Cisco console cable is a special cable. It isn’t wired like an Ethernet cable. However, if you didn’t have a console cable, you could cut off the end of a straight-through Ethernet cable, change the pin out, and recrimp it to make it a console cable.

Below, you can see the pin out of a console cable. The console cable is a “rolled” cable, because if you look at the pins from one end to the other, it is as if the end was rolled over (the order is flipped), as in Figure C.

Figure C

Graphic Courtesy of Cisco Systems

Traditionally Cisco console cables were RJ45-RJ45 and then you would use a RJ45-DB9 adaptor to connect it to your PC’s serial port (COM port). Today, new Cisco devices come with console cables that have a DB9 adaptor integrated/molded to the cable on one end (Figure D). Keep in mind that the data moving across the console cable is serial data (not Ethernet).

Figure D

Graphic Courtesy of Cisco Systems

While what I said above concerning console cables is true for most Cisco devices, there are variations on the console cable. For more detailed information about Cisco console and AUX port cabling (including the pin-out for a console cable so that you can make your own), see this Cisco document Cisco Cabling Guide for Console and AUX Ports.

David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT Professionals and end users.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

1. Obtain a copy of the certificate using a trusted delivery method, such as e-mail or fax.
2. Compare the certificate in question to the copy received and see if the details are identical. If so, then the certificate is valid.

That sounds like a lot of fun, doesn’t it. No one has the time or inclination to do all that just to visit a HTTPS Web site, including me.

My bad

Ironically, while doing some on-line research after I published the article on SSL/TLS certificates, I happened to find myself staring at Firefox’s “Unknown Authority” window. I’m muttering to myself: Man, I don’t have time for this, and I OK’d the certificate. Whoa, it hit me like a ton of bricks, and to be honest I felt rather guilty. Here I am writing about certificate insecurity and I don’t even listen to myself. I immediately decided to find a way to resolve this.

TR members to the rescue

It didn’t take long for a potential answer to surface. Members Kevin Feyer and Seanferd both enlightened me about efforts by a group of Carnegie Mellon researchers. I’m very excited after reading the researchers’ white paper “Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing” (pdf). First, the paper is very readable, to a point where I can even understand it (kudos to the authors). Second, although it’s not infallible, the solution has a lot of possibility.

I’m still testing, trying to make sure the application does what it claims. So far so good, and because of that, I wanted to bring the application to the attention of TechRepublic readers. As I see it, there’s no downside, and it has the potential to mitigate issues pertaining to certificate verification.

Perspectives: Better than “TOFU”

Researchers Dan Wendlant and Ethan Jackson along with advisers Dave Anderson and Adrian Perrig of Carnegie Mellon are the developers of Perspectives, a novel and simple-to-implement idea for certificate authentication. I’m not able to improve on their definition of Perspectives, so here’s what they say:

“The popularity of “Trust-on-first-use” (TOFU) authentication, used by SSH and HTTPS with self-signed certificates, demonstrates significant demand for host authentication that is low-cost and simple to deploy. While TOFU-based applications are a clear improvement over completely insecure protocols, they can leave users vulnerable to even simple network attacks.

Our system, Perspectives, thwarts many of these attacks by using a collection of “notary” hosts that observes a server’s public key via multiple network vantage points (detecting localized attacks) and keeps a record of the server’s key over time (recognizing short-lived attacks). Clients can download these records on-demand and compare them against an unauthenticated key, detecting many common attacks.

Perspectives explores a promising part of the host authentication design space: Trust-on-first-use applications gain significant attack robustness without sacrificing their ease-of-use. We also analyze the security provided by Perspectives and describe our experience building and deploying a publicly available implementation.”

I must admit acronyms and I have issues, but TOFU quite easily defines a concept that I spent several paragraphs in a previous article trying to explain. To reiterate I’d like to revisit why TOFU is not in anyone’s best interest:

• Automatically accepting a certificate creates conditions where the user becomes vulnerable to malicious attacks anywhere along the data path.
• On subsequent connections, if the received certificate is different from the cached certificate, the user must still determine whether the certificate is valid or not.

How Perspectives works

Perspectives consists of three distinct components: the notary authority, notary servers, and notary clients. In order to understand the process, let’s take a look at each individual component:

The notary authority is the overall controller that determines which notary servers are authorized to service notary clients. The notary authority creates a daily listing of authorized notary servers and their public keys. This listing is signed using the notary authority’s private key and pushed out to all of the notary servers that it’s responsible for.

The notary server consists of two components – a probing module and a database storage module:

• The probing module constantly monitors the Internet; looking for services that use certificates. If one is found the probing module pretends to be a client wanting to set up a secure link. The probing module takes the connection setup only to the point of where it receives the service’s public key. At that point, the probing module drops the connection, since it has the information it needs.
• The database storage module is a repository containing signed (notary server’s private key) entries for each service that the probing module is monitoring. Each entry consists of certificate information, the type of protocol used, and ways to contact the service. After time, the entry builds a history of observed parameters.

The notary client is a Web browser add-on that contacts the notary server for one of two reasons. The certificate for the contacted Web site isn’t in the Web browser’s database or it doesn’t match an existing certificate.

The following diagram (courtesy of the Carnegie Mellon researchers) depicts the interaction between the notary client and the notary server as well as the interaction between the probing module and network services such as Web sites that use SSL.

The next diagram (courtesy of the Carnegie Mellon researchers) is an example of the information sent from the notary server to the notary client in response to the notary client’s initial certificate query.

With all the pieces now understood, let’s walk through a complete transaction:

1. I open Firefox and try to access https://www.mpksecuresite.com for the first time.
2. The Web server for www.mpksecuresite.com sends a certificate to Firefox.
3. Firefox and the notary client realize that the certificate is new, so the notary client sends a query to the appropriate notary server.
4. The notary server looks up the certificate entry for www.mpksecuresite.com.
5. After finding the information, the notary server signs the query response with its private key (signature) and sends it back to the notary client.
6. The notary client has the public keys for all the notary servers that it uses, so it can verify that the query response from the notary server is valid and not from a spoofed notary server.

How the preferences are set up in the Perspectives client will determine how the client presents the information to the user. The following image is one example of how the preferences can be configured.

How does this help?

Perspectives provides a secure method for Internet users to obtain information about certificates published by services such as SSL Web sites. The information includes historical data from multiple notary servers, creating what may be considered a quorum, and allows Internet users to make an informed decision as to whether the certificate is valid or not. The following image is an example of the Perspectives application warning that the notary server’s quorum duration is only 1.39 days (the configuration specifies two days). So it flagged the HTTPS Web site, allowing the Internet user to make a more informed decision as to whether to accept the certificate or not.

Final thoughts

Making better decisions because of additional information is what makes Perspectives so appealing. The Carnegie Mellon researchers also did a great job of making Perspectives very configurable. Perspectives can be as granular or automated as you want. That should eliminate angst among users who just want to be secure and get their work done.

I use and recommend Perspectives. If there are some concerns, please refer to the researchers’ paper on Perspectives. The paper goes into much more detail and should answer any questions you may have.
——————————————————————————————————————-

Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer for Orange Business Services and an independent wireless consultant with MKassner Net. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

Virus Found on Computer in Space Station (Information Week)

Malware is at an all-time high, totaling more blocked in July than in all of 2007 according to SaaS vendor ScanSafe. Every time you turn around, there is another phishing scam, e-mail disguised as a FedEX notification, or outlandish news headline. Of course, all these are simply cover for and ways to entice unsuspecting users into compromising their computers. Even though there are a lot of fantastic (and free) tools to keep your computers malware-free, most people do not take the time or expend the effort to protect themselves.

Malware Rockets Again (VNUNet)

BitDefender Uncovers FedEx(R) Spyware (Marketwatch)

Heads Up: Trojans and Viruses Are Out to Get You (PC World)

I have long been of the opinion that a well-trained user is unlikely to be infected by most malware, because there are some very simple things you can do to avoid it. Here is my short list:

• Go to the source. If you see an offer that is too good to be true, a headline that is too outlandish to believe, or a warning that sets you on edge, go to a trusted source to confirm the information. If Bill Clinton really did bite the head off of a baby seal or Microsoft is really giving away money or there is a virus that can truly destroy your computer, CNN, Microsoft, Snopes, and Kaspersky are your best friends. Go to their Web sites and find the truth rather than clicking a link.
• No links. Don’t click on any links sent to you in an e-mail unless the person who sent it tells you directly. In addition, when you send a link, contact the person you sent it to and let them know that you sent it. When I want my wife to look at a Youtube video, Internet article, or cute picture, I call or text and let her know that I sent something.
• Don’t believe them. If someone you don’t know is asking you for personal information, assume that they are up to no good. If you are worried that your bank really needs to confirm information, call them. If PayPal needs to communicate with you, e-mail them directly.

What would you add to this to make it a comprehensive list?

The problem, quite simply, is that human intervention is required to verify the authenticity of certain types of certificates. This became apparent when Mozilla changed how its newest Web browser (Firefox 3) handles Web sites with expired or self-signed SSL/TLS certificates. The article “New SSL Policy in Firefox Hurting Tens of Thousands of Sites” on Pingdom’s Web site does an excellent job of explaining the changes:

“If you visit a Web site with either an expired or a self-signed SSL/TLS certificate, Firefox 3 will not show that page at all. Instead, it will display an error message, similar to any other browser error (for example a “page not found” 404 message). To get past this error page, users have to go through four different steps before they can access the Web site, which from a usability standpoint is far from ideal.”

The error occurs because Mozilla has decided to take SSL/TLS Web page security to the next level, challenging any certificate that isn’t in the Web browser’s certificate database, has incorrect information, or is expired. This is a good thing; it will make Web browsing and online commerce a great deal safer. In order to understand why, let’s take a quick look at the SSL/TLS process.

SSL/TLS processes

SSL/TLS consists of two important and independent processes: authentication and data stream encryption. With today’s tough Internet environment, it’s vital to have strong encryption to protect the data packets as they travel to their destination. Thank goodness that using a SSL/TLS VPN is secure and working properly. The weak link, I’m afraid, is part of the authentication process, so I’d like to focus on that.

Authentication is all about digital certificates, so it might be best to start by describing what a digital certificate is. A digital certificate is a data file that contains information about the Web site’s certificate holder and is used to verify that the Web site is indeed what it portrays to be. The Web server’s host name, issue and expire time, and the public key for the Web server are just a few of the details contained in a certificate. To look at certificates installed on your computer, use the following paths:

• Internet Explorer: Tools | Internet Options | Contents | Certificates
• Firefox: Tools | Options | Advanced | Encryption | View Certificates

The following image shows certificate details:

I can hear everyone saying that’s nice, but it doesn’t help me at all. I’m happy to say that understanding the exact details isn’t important, but the overview explanation will help make the following concepts easier to fathom. Just remember — digital certificates verify the identity of the Web server to the Web browser that’s trying to set up a SSL/TLS connection with the Web server.

Different types of SSL/TLS certificates

There are two major categories of certificates, trusted and untrusted. Trusted certificates are those residing on the Web browser and signed by a trusted certificate authority (CA). In order to understand this, let’s say I want to create a trusted Web server SSL/TLS certificate that’s signed by VeriSign, a well-known and respected CA. The following example will show the steps I need to take:

1. I create a certificate request on my Web server for www.mpksecuresite.com; doing so initiates a PKI key chain consisting of a private/public key combination.
2. I create a certificate request required by the signing CA, which in this case is VeriSign. The request includes domain name (distinct DNS name) of the Web server, distinct IP address, the public key (needed for signing and verification), and locality information. VeriSign will also ask for very specific information as it tries to verify that I’m the rightful owner of the domain.
3. The Web server signs the request with the private key, and it’s sent to VeriSign.
4. Responsible CAs such as VeriSign then go through a great deal of effort to make sure the request is valid. Once satisfied, VeriSign also checks the validity of the key pair, since the request contained the public key and was signed using the private key (both developed in step 1).
5. Everything checks out, so VeriSign adds its pertinent information to the certificate and signs the request using VeriSign’s private key.
6. VeriSign sends the certificate back to me, and I install it on my Web server.

Now my Web server has all the required components to set up a SSL/TLS connection with Web browsers. So let’s take a look at how a Web browser goes about the SSL/TLS certificate exchange.

Web server/Web browser certificate exchange

Begging your indulgence, I’d like to continue using the above example to explain the certificate exchange between the Web server and Web browser. Since everything is now in place in the example, I can set up a test SSL/TLS connection. Let’s see what happens by following the certificate exchange steps during a SSL/TLS connection setup:

1. I open my Web browser and type the URL https://www.mpksecuresite.com. Through the normal TCP/IP process, the Web server for www.mpksecuresite.com receives the Web page request.
2. The Web server for www.mpksecuresite.com responds by returning the certificate for mpksecuresite.com back to my Web browser.
3. My Web browser runs several checks, including certificate expiration and host name on the certificate.
4. My Web browser notices that the certificate from the mpksecuresite.com Web server was signed using VeriSign’s private key. My Web browser immediately checks its certificate database to see if it has VeriSign’s certificate information.
5. The Web browser locates VeriSign’s certificate information. My Web browser then uses the public key found in VeriSign’s certificate information to validate the signature on the certificate sent by the mpksecuresite.com Web server. Please remember that the certificate from the mpksecuresite.com Web server was signed using VeriSign’s private key.
6. The certificate signature checks out. My Web browser knows VeriSign is a trusted CA, so it now trusts the mpksecuresite.com Web server as well.

That’s how a SSL/TLS certificate exchange works. If you remember anything from the above process, it should be step 4 and the reasons why my Web browser trusted www.mysecuresite.com:

• My Web browser lists VeriSign as a trusted signing CA.
• VeriSign verifies that www.mysecuresite.com is what it claims to be, so my Web browser trusts the Web site as well.

It’s vital to realize there’s a pre-installed list of trusted certificates on every Web browser. This is done to set up a “chain of trust.” This chain of trust starts with the Web browser developers, who include this list of trusted signing CAs in the Web browser installation program. So, it’s automatically installed and presumed to be secure and accurate.

Therefore, if everything is as it should be (Web sites using certificates signed by trusted signing CAs) the whole SSL/TLS connection process is automatic. In fact, so automatic that we tend to become complacent about whether or not the connection is indeed encrypted and authenticated. When the automated process breaks, we get into trouble as exemplified by the new Firefox Web browser.

Self-signed certificates aren’t automatically trusted

Self-signed certificates are the next most widely used certificates and belong to the untrusted category. This type of certificate requires manual approval and installation on the Web browser. It might be best to walk through a SSL/TLS certificate exchange with a Web server that’s using self-signed certificates:

1. I open my Web browser and type the URL https://www.mpkselfsign.com. Through the normal TCP/IP process, the Web server for www.mpkselfsign.com receives the Web page request.
2. The mpkselfsign.com Web server sends the self-signed certificate for www.mpkselfsign.com back to my Web browser.
3. My Web browser runs several checks, including certificate expiration and host name on the certificate.
4. My Web browser checks its certificate database to see if it has certificate information for www.mpkselfsign.com.
5. Since I have never been to this Web site, there isn’t a certificate in the Web browser database. So the process stops right here and a window (like the one below) pops up asking me what I want to do.

This is where it gets complicated. I have to decide whether I trust this site or not. I can look at all the certificate information and make a decision from that or I can do further research to increase my confidence that the certificate is real. The only way to truly validate the certificate is to get a copy of the self-signed certificate via some other trusted method (fax, e-mail, or even snail mail) and manually verify the electronic certificate with the one you asked for.

I realize it’s very cumbersome, but it’s the only way to positively determine the validity of a self-signed certificate. I also know that once the window pops up asking whether to accept the self-signed certificate or not, most people automatically accept the certificate. They want to get to the Web site, all the time wishing this window would just go away.

Firefox 3 and raising the bar

It doesn’t take much effort to visualize the potential attacks that can be precipitated by malicious self-signed certificates. This is why the people at Mozilla took a stance, and I agree with them. Just raising user-awareness of what it means to automatically okay a self-signed certificate is a huge leap forward.

Final thoughts

Thanks for reading through yet another long article. It’s a tough topic to understand completely, but that’s not required. Everyone just needs to know what his or her options are when the “Unknown Authority” window pops up in the Web browser.
———————————————————————————————————————
Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer for Orange Business Services and an independent wireless consultant with MKassner Net. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

RAM Raiders: Inside Secrets of the Cyber Hackers (Times Online)

We aren’t even in September yet and 2008 has already surpassed last year in the pure number of data breaches, according to the Identity Theft Resource Center. Even though new security procedures and software are coming up all the time, ultimately consumers bear the price of cybercrime, just as they do shoplifting and theft. Even the hacks that are discovered are usually minimized by the affected companies as these companies are more afraid of liability than just about anything else.

This Year’s Data Breaches Surpass 2007 Totals (Information Week)

Purdue Expert Says Consumers Absorb Cybercrime Costs (Inside Indiana Business)

Best Western Disputes Depth of Suspected Breach (Information Week)

The incredible lengths to which some people will go to break security are amazing. Spending hours on end researching, discovering, and exploiting weaknesses in security requires a singular mind and a lot of caffeine. Fighting off such attacks takes time, dedication, and a whole bucket of money. Fortunately, the main requirements are common sense, proper procedures, and good user training. In my job, one of my main tasks is to maintain the security of the part of our network that secures credit card processing data. All it takes is one major breach to threaten our ability to take payment for the services we render, which does wonders for my stress level when I read about how easily some hackers are able to compromise networks. How much security does your network require?

According to a recent study, American adults are sleeping on average less than seven hours a night — down an hour and a half from the amount of sleep people got a hundred years ago. Many scientists believe that one of the major causes of our getting less sleep is the modern availability of round-the-clock activities and entertainment, the most pervasive source of which is now certainly the Internet. With the ‘net, we can now work, study, or play at 3 A.M. and increasingly, we do. Naturally, most of us in the IT industry have formed an especially close bond with the ‘net, making us more prone to losing sleep.

The fast-paced, highly competitive, and rapidly growing nature of our industry also makes us more likely to sleep less. To stay competitive, we often have to work way beyond the 40-hour work week, especially at smaller or emerging companies. For those who have started their own businesses, it’s even worse — work will usually go until exhaustion. To compound the issue, the field is still developing and changing so rapidly that we have to constantly study as if we were full-time students just to keep up. It’s really no wonder we’re not sleeping. There just isn’t enough time in the day. The problem is that this lack of sleep can hurt us.

Note: This information is also available as a PDF download.

Sleep deprivation and sleep debt

Sleep deprivation is exactly what it sounds like: depriving our bodies of sleep for long periods of time — a full day and night or more. Sleep debt has a cumulative effect: When we don’t get enough sleep (less than about 7.5 to 8.5 hours) night after night, we begin to experience many of the same problems as with regular sleep deprivation. These problems include

• Decreased alertness and manual dexterity
• Impaired memory and cognitive function
• Irritability
• Weakened immune system

Some more long-term issues thought to be linked to sleep deprivation include

• High blood pressure
• Diabetes
• Obesity

If the long-term health risks aren’t enough to encourage us to try to get to bed a little earlier, we should also keep in mind that impaired brain function and motor skills will decrease the quality of our work. We won’t be able to solve problems as quickly. And because we aren’t thinking clearly, we might even exacerbate the very problems we’re trying to fix. One study found that subjects who had been 17 hours or more without sleep experienced the same — if not worse — impairment while driving as those who were at the legal limit for blood-alcohol content. So when we work without sleep, it could have similar effects to working while inebriated.

Solutions

The real answer is quite simple: Devote seven or eight hours every night to sleep. It is best to try to keep the schedule consistent, as this will help our bodies keep what is called a circadian rhythm. Trying to sleep less during the week and then make up for it by oversleeping on the weekends will throw off that rhythm and make it much harder to wake up on Monday morning.

Caffeine

Stimulants such as caffeine will temporarily make us more alert and agile. They can’t, however, be recommended as a real solution because they will wear off, leaving us in a state of withdrawal that is generally worse than before. Also, caffeine increases heart rate and blood pressure, which can compound other problems caused by sleep deprivation and put us at risk for other diseases.

Power napping

One possible answer for those who simply cannot afford seven or eight hours of sleep every night is to take power naps. A power nap is a short period of sleep that ends just before entering deep sleep. Since the nap is so short, it is often possible to take one during a lunch break. A power nap is thought to give much of the same benefit of a regular sleep, but in only 20 to 30 minutes. Famous nappers include Winston Churchill, JFK, Ronald Reagan, Albert Einstein, Margaret Thatcher, Benjamin Franklin, and Leonardo Da Vinci.

When taking a power nap, it’s important to keep the duration short. If you allow yourself to enter deep sleep and don’t complete it, you’ll experience what’s called sleep inertia — basically morning grogginess — and may feel worse than before.

The bottom line is this: Whatever temporary fixes you may implement, in the end nothing can truly substitute for a good night’s sleep.