The following guide will show you how to install and customize XChat. XChat is a good alternative to using the chat-box on the HikiCulture forum and is, in my opinion, the best Windows IRC (Internet Relay Chat) client. It is user-friendly, has a nice interface, has native SSL (Secure Sockets Layer) support, among many other things.

Anyway, let's begin with the guide….

First off, download XChat from here: http://www.silverex.org/download/ (*Note* – Make sure to download XChat from the link I provided since that version is free, while XChat for Windows users usually costs money and expires after a month.)

When you're finished downloading XChat, install it (obviously). Now, open XChat. At the top of the screen, click on Settings. Under the context menu, select Preferences.

Now set everything up to be exactly as it appears in the screen-shots below:

Once you're finished setting everything up as it is in the above screen-shots, click on the top-left part of X-Chat where it says XChat. Under the context menu, select Network List.

The following box will come up:

Fill out of all the boxes with username(s) you wish to use whilst chatting on XChat. Once you're finished filling out all the boxes, click where it says Add. After clicking on Add, type IRCHighway then click on Edit.

The following box will come up:

Fill out the info so that it's exactly (minus the stars in the Nickserv box) as shown in the above screen-shot. When you're finished, close the box.

Now, to finish things off you can install a nice XChat theme from the following link: http://t0x.in/xchatthemes.html

Pick any theme you wish to use. I personally use the "Smog" theme, but there are lots of great themes on that page. The installation instructions for the themes is right on the page, so explaining how to install an XChat theme would be redundant.

Now whenever you wish to connect to the HikiCulture IRC channel, all you have to do is open up XChat, click on XChat in the top-left part of the screen, select Network List, highlight IRCHighway and click on connect. After clicking on Connect, you'll show up in the HikiCulture IRC channel.

Enjoy.

Posted via email from HikiCulture – A Forum for Reclusive People (and Hikikomori) {hikiculture.com site blog}

Read the article to get more details. You really have to stay on top of security. Click here.

Why would someone want a secure socket layer certificate. The reason is that what it provides is the ability for a Web browser that the customer is using to talk to a website securely. When they say securely this means that the communication between the person typing at their desk and the information that ends up at the website is not able to be taken and decrypted. So someone can get in between the customer and the site take the data. What this means to an individual is that they are safe to upload information or enter in information such as login name and password and also things such as credit card information when they may be checking out. Use a GoDaddy promo code to obtain a discount on a secure socket layer certificate and you will be able to show many ways to the customer that you are secure. It will show up in the browser bar and you can also put logos on the site showing the same.

You may not know what a secure socket layer certificate is. Many people refer to it as an ass ass Al certificate. This is the ability to allow someone to have their communications with your website be secure. The reason you would want this is so when people are entering it in a login name or password they can feel secure that you will not give out their information but more importantly that other people won’t steal the information. In other words someone can get in the middle between vacation take it. But if you use these Register coupons you can get an SSL certificate at a great price and add it to your site. Now people will see that you have a secure transmission between your site and their browser and no one can get in between. This is exactly what it is for whether someone is buying something or they are just entering in their login name and password those individuals will want to know that they are not going to have their information stolen in this is how you can show it with the certificate an icon.

En la línea de Better Gmail 2, pero en esta ocasión aplicado a Google Calendar, encontramos la extensión de Firefox Better GCal. Esta extensión nos permite tunear nuestro calendario favorito con una serie de opciones que, si bien no son muy numerosas, sí resulta bastante interesantes. Entre ellas encontramos la posibilidad de colapsar la cabecera y la barra lateral, para que el calendario ocupe todo el espacio del navegador (muy útil); o la opción de forzar la utilización de una conexión segura SSL para toda la sesión, y no únicamente durante el proceso de autenticación.

Si Google Calendar es vuestro calendario, Better GCal debería ser una extensión obligatoria en vuestro navegador.

This position is an Application Administrator to support operations within our client’s department. This position has a critical role in delivering our services to clients and ensuring successful ongoing operation of our applications and services. It services a highly interactive software development build/release process as well as a rich operational environment with many interrelated applications/database services. The candidate should be self-motivated, detail oriented, adaptable to change and must work well in a flexible team environment with developers, QA, operations staff, system administrators and managers.

RESPONSIBILITIES:

Application and database support

• Provide on-going database administration in both back-end and front-end with application infrastructure support for our client’s administration systems, including the deployment of new applications.
• Review the physical design of existing databases for optimal database structures, database performance tuning, security, database backup/recovery strategy, implementing high-availability, and pro-active and reactive performance analysis, monitoring, troubleshooting and resolution of issues, capacity planning, monitoring data growth and system utilization, trend analysis and predicting future database resource requirements.
• Install web-base applications from ground up to full-ballooned implementation and support, including configuration at Unix/Linux/Windows system level, back-end integration with database, front-end integration with user-interface, final delivery to users to fulfill users’ requirement and on-going maintenance.
• Take the lead in ensuring that application and web services are configured and tuned according to application needs; provide troubleshooting as needed.
• Work with System Administrators to ensure test and production boxes conform to the software application configuration needs.
• Support the department-wide infrastructure application for database management, system monitoring and notification, job scheduling, deployment, provision and patching automation, application topology and service level management for campus-wide system performance.

Build/release activities

• Manage the build, tagging and release processes for a number of interdependent Java web applications and background processes in the QA and production environments. Ensure the build and release process is scalable and repeatable.
• Work with the development team to ensure efficient and understandable build procedures are adhered to and conform to a standard process for configuration and release management
• Develop and maintain tools that automate the building of software releases for an Agile-based development process. This is one of continuous integration, where the automated build process can be run many times a day if necessary.
• Work with and support the QA team to ensure automated test suites run as part of the continuous integration build process.

REQUIREMENT FOR SKILL AND COMPETENCIES:

• Expert hands-on with shell scripts, other scripting languages, preferably Perl, and tool automations
• Minimum 2 years database administration experience in Oracle and 3 years Application administration experience in Unix/Linux infrastructure environments is required.
• Hands-on experience of Oracle databases 10g for 24/7 database operations and tool automation in installation, configuration, backup/recovery, startup/shutdown, data refresh, and application integrations.
• Experience with OEM/Grid Control is highly desired.
• Knowledge and understanding of large scale ERP implementation and support like Oracle Financial and PeopleSoft systems.
• Expert knowledge of Apache and Tomcat, and other web/application servers such as JBoss
• Strong Unix and system administration skills with basic network and security knowledge
• Strong experience and ability in web applications deployment, configuration and integration from both OpenSource and Commercial based systems with or without sophisticated vendor support.
• Java/J2EE based programs
• Java/servlet/JSP based web applications
• Experience with Subversion, PVCS or similar source code repository
• Experience with Maven and familiarity with automated build processes
• Experience with the Agile development methodology and concepts of extreme programming and continuous integration
• Understanding of the layers/tiers of web applications and the communication protocol between the tiers with networking protocols (TCP/IP, HTTP, SSL, DNS, FTP, etc.)
• Ability to multi-task and work in a team environment is critical and should have excellent communication skills in both verbal and written forms.
• Ability to manage multiple competing priorities and work under pressure in high stress situations
• Excellent communication skills in both verbal and written
• Ability to work under pressure and to deliver results in a complex and dynamic operational environment

Qualifications

Minimum 5 years as an IT professional in build/release and application/database administration, plus one or more of the following areas: IT infrastructure operations 24/7, systems analysis and design, or application development.

Education
Bachelors Degree in Computer Science, Engineering or related field or equivalent experience

If you are interested, please send your resume to tsotelo@mindsource.com.

Heidelberg. Nachdem in den letzten Tagen die Presse immer wieder Warnungen vor Kreditkartenbetrug und sogenanntem Phishing ausgibt und sich die Nachfragen nach Alternativen häuften, hat sich der Online Coaching Anbieter Seminar Service Nastasi entschlossen, die gute alte Überweisung / Vorkasse wieder zu aktivieren.

Wir haben bei den Zahlungsformen schon heute einen aktuellen Mix mit höchstmöglicher Sicherheit durch die Einbindung von Fremdfirmen, sagt der Firmengründer Alexander Nastasi – doch gerade in Österreich herrscht eine große Unsicherheit, da die Presse dort sehr massiv über Missbrauch bei diversen Zahlungswegen berichtet.

Seminar Service Nastasi arbeitet seit Jahren erfolgreich mit der Firma Micropayment zusammen, die für die Firma Lastschriftzahlungen mit Prüfung der Pin und Kreditkartenzahlungen von Visacard, Eurocard und Amex abwickeln, dabei wurde die Firma Micropayment mehrfach vom TÜV geprüft und als besonders zuverlässig bescheinigt – wie auch auf der Webseite der Firma nachzulesen ist. Hier werden an den Zahlungsempfänder keine Kreditkartendaten oder Kontodaten übermittelt, sondern diese bleiben auf den Hochsicherheitsservern des Anbieters und ein ganze Team von Experten kümmert sich um die Sicherheit der Server. Bei Seminar Service Nastasi kommt dann nur der Name und dass die Zahlung erfolgt ist an, sowie der gewählte Zahlungsweg.

Als weiteren Anbieter ist die Firma Paypal im Angebot – auch hier werden Zahlungen aussschließlich über den Fremdserver abgewickelt – Paypal bietet aktuell Lastschrift (ohne Pin), Überweisung an Paypal, Kreditkarten und Giropay an. Auch Paypal wird ständig überwacht und gilt im Internet als sichere Zahlungsmöglichkeit.

Als weitere Zahlungsform wurde nun Vorkasse per Überweisung eingeführt – direkt nach der Bestellung erhält der Kunde die nationalen und internationalern Kundendaten inkl. IBAN und BIC und kann sofort überweisen, in Europa sollte das Geld binnen einem Arbeitstag auf unserem Konto sein – sobald dies der Fall ist, wird er für alle Dienstleistungen freigeschaltet.

Kunden aus Deutschland können auch anrufen und ihre Bankverbindung telefonisch mitteilen, in diesem Fall wird der Kursbeitrag per Lastschrift abgebucht – das Büro ist Mo-Fr. von 9-18 Uhr besetzt. Tel: 06224/924255

Seminar Service Nastasi trägt damit den Sicherheitsbedenken vieler Kunden Rechnung und trägt dazu bei, dass der Kunde noch mehr Vertrauen zu der Heidelberger Online Coaching Firma haben kann.

Weitere Informationen und Anmeldemöglichkeiten gibt es auf der Webseite http://erfolg.seminar-service-nastasi.de

Verantwortlich für diese Pressemeldung ist

Seminar Service Nastasi
Inhaber Alexander Nastasi
Waldstraße 25/1
69207 Sandhausen
Tel: 06224/924255
Fax: 06224/924259
www.seminar-service-nastasi.de

Seminar Service Nastasi hat sich auf die Verbreitung von Onlineinhalten über das Gesetz der Anziehung und das Manifestieren zum persönlichen Wachstum der Seminarteilnehmer spezialisiert. Neben dem Manifestierenportal betreibt die Firma eine ganze Reihe Gesundheitsportale und hat zur Zeit fünf Bücher veröffentlicht. Weitergehende Informationen über den 2003 gegründeten Familienbetrieb mit Sitz in Deutschland sind auf der Firmenwebseite einsehbar. Abdruck und Wiedergabe dieser Meldung erwünscht – Belegexemplar erbeten.

Um verschlüsselte Verbindungen über SSL bzw. HTTPS zu ermöglichen, benötigt man als Server-Betreiber ein SSL-Zertifikat. Diese werden von Zertifizierungsstellen, sogenannten CAs, ausgegeben. Die CA überprüft, ob der Bestellende wirklich berechtigt (also Inhaber der Domain) ist, und stellt dann meist gegen viel Geld das Zertifikat aus. Damit kann sich die Website gegenüber einem Browser “ausweisen” und eine sichere, verschlüsste Verbindung wird möglich. Details gibt es in meinem ausführlichen SSL-Artikel, wo auch noch ein paar Worte über die Sicherheit von SSL stehen.

Nur Zertifikate von CAs, die der Browserhersteller als vertrauenswürdig in den Browser eingebaut hat, werden als gültig erkannt. Deswegen ist es schwierig, eine neue CA aufzubauen, denn die Kriterien für eine Aufnahme sind streng und es gibt viele Browserhersteller, die man zur Aufnahme bewegen muss. Aus diesem Grund gab es bis vor kurzem keine CA, die kostenlos Zertifikate ausgegeben hat und von allen gängigen Browsern akzeptiert wurde. CAcert und StartCom/StartSSL vergeben seit langem kostenlose Zertifikate. CAcert ist jedoch weder in Firefox noch im Internet Explorer als vertrauenswürdig enthalten. Somit kann man CAcert nicht für Seiten benutzen, die von Normalnutzern besucht werden, denn diese würden eine hässliche Sicherheitswarnung erhalten. StartSSL war schon länger in Firefox enthalten, jedoch nicht im Internet Explorer, und war für ernsthafte Nutzung mit unerfahrenen Nutzern daher auch ungeeignet.

StartSSL hat es jetzt aber endlich geschafft, in den Internet Explorer aufgenommen zu werden. Der Internet Explorer akzeptiert die kostenlosen StartSSL-Zertifikate somit seit kurzem als gültig. Dank einer eingebauten Auto-Update-Funktion funktioniert das auch mit veralteten Versionen des IE! Ein IE 6.0 aus meiner Sandbox-VM, Stand Anfang 2008, hat das Zertifikat anstandslos akzeptiert. Mozilla Firefox, Apple Safari (inkl. dem iPhone-Browser), Opera, Google Chrome und einige andere akzeptieren StartSSL schon länger, damit sind alle gängigen Browser abgedeckt. (Lediglich Konqueror unter einer aktuellen (K)Ubuntu-Version hatte Probleme damit.) StartSSL ist somit endlich eine voll einsetzbare CA geworden, und somit gibt es endlich kostenlose SSL-Zertifikate für alle! (StartSSL bietet übrigens auch EV-Zertifikate zu relativ humanen Preisen an.)

Als Serverbetreiber muss man übrigens der CA nicht besonders vertrauen (solange man nicht irgendwelche sehr besonderen Sachen macht wie Client-Zertifikate, aber das weiß man dann), wichtig ist nur, dass die Browser die CA akzeptieren. Eine bösartige, aber in Browsern als vertrauenswürdig eingetragene CA kann sich jederzeit für jede Website ein Zertifikat ausstellen lassen, unabhängig davon, ob der Websitebetreiber dort Kunde ist oder nicht. Die eigene CA könnte höchstens das eigene Zertifikat widerrufen und somit ungültig machen, aber mehr auch nicht. Darüber hinaus hat die CA noch ein paar persönliche Angaben, die aber bei einfachen Zertifikaten nicht über das hinausgehen, was die meisten Online-Shops auch wissen. Insbesondere den privaten Schlüssel des Zertifikats hat die CA normalerweise nicht! Es gibt zwar oft die Möglichkeit, die CA diesen Schlüssel generieren zu lassen, aber man kann es auch richtig machen und das selbst tun und den eigenen Schlüssel zertifizieren lassen. Selbst wenn man der CA also aus welchem Grund auch immer nicht vollständig vertrauen sollte, kann man sie als Serverbetreiber dennoch nutzen.

Ich erhalte für diesen Artikel keine Vergütung o.ä. von StartSSL/StartCom. Diesen Artikel habe ich geschrieben, weil es mich ankotzt, dass Firmen für das simple Ausstellen eines einfachen domain-validierten Zertifikats horrende Preise (oft sogar dreistellig!) verlangen, und weil ich froh bin, das es endlich eine kostenlose Alternative gibt und ich auf diese hinweisen möchte. Ich selbst habe von der Aufnahme in den IE auch erst heute erfahren. Nutzt diese kostenlose Möglichkeit, um die Datenübertragung zu euren Webseiten zu sichern! Macht diese Möglichkeit bekannt, damit die kommerziellen CAs ihre überzogenen Preise endlich etwas realistischer machen müssen.

A lot has been written about how Firefox’s stupid dialog is a big step backwards for the web.

But is there a way to disable it? Ideally I’d like it to work like ssh – give me a simple single-click warning and display the certificate the first time, and after that don’t say anything at all unless the certificate changes unexpectedly.

Update

This paper on phishing [PDF] is excellent.

S’échanger des fichiers volumineux en toute quiétude relève de l’exploit en ces jours de mondialisation et de vulgarisation d’Internet. En effet, avec les outils collaboratifs libres et/ou gratuits, les internautes – utilisateurs et développeurs – peuvent avoir accès non seulement aux codes sources, mais également aux contenus des données s’ils le veulent. De ce fait, la dimension stratégique de la Sécurité des données devient un élément prépondérant dans la qualité d’un logiciel de collaboration. A ce titre, je vous propose de voir la suite Filezilla.

Filezilla est un outil qui permet de partager et de transférer des fichiers, des pages web et même des sites web entiers. Autant Filezilla Client est un client FTP avec un protocole modifiable et des ports d’entrées paramétrables, Filezilla Server est un logiciel qui permet de créer soi-même son serveur FTP afin de fixer les règles de sécurité telles que convenues entre les seules parties habilitées à y accéder. Filezilla Portable n’est pas en reste car il permet de retrouver les paramètres des Serveurs de connexion à partir d’une clé USB sans devoir reparamétrer toutes les machines à partir desquelles on se connecte.

Etant donné que la suite Filezilla se doit d’être en perpétuelle évolution selon les contexte, Tim Kosse et 2 de ses camarades de classe, au cours d’un cours en informatique en Janvier 2001, ont décidé d’attribuer une licence open source à Filezilla[1]. Depuis, plusieurs communautés se sont regroupées [2] afin de parfaire et de développer les versions de Filezilla. En conséquence, si à l’origine Filezilla Client était destiné uniquement à recueillir des fichiers volumineux sur Windows, l’évolution des développements réalisés par la communauté peut actuellement nous permettre entre autres:

- d’obtenir des versions plus élaborées de la suite Filezilla (actuellement à sa version 3), d’en avoir les rapports de bugs et de solutions, et d’en avoir une interface qui se veut plus agréable et accessible aux non-initiés;
- de pouvoir utiliser Filezilla non seulement sur Windows(c) mais aussi sur MacOSX(c) et sur certaines distributions Linux;
- de reprendre un téléchargement là où il s’est arrêté;
- de comprendre chaque élément du code source (pour les utilisateurs avertis) [3]
- de parfaire et de toujours verrouiller les stratégies de sécurité liées aux attaques de virus et de hackers. En effet, Filezilla utilise des protocoles ayant des niveaux de cryptage assez élevés.[4]
- d’insérer d’autres langues dans les interfaces [5]
- et bien d’autres encore …

D’une manière générale, l’on constate que l’interface visuelle du logiciel n’a pas fait l’objet d’une attention spéciale. L’utilisation du logiciel pour le néophyte s’en retrouve assez compliquée car la priorité des développements semblent s’orienter en premier lieu aux fonctionnalités plutôt qu’à l’”image”. Toutefois, il existe une frange de la communauté qui s’en est occupée un tant soit peu[6].

________________________________________________

[1] http://en.wikipedia.org/wiki/FileZilla#History
[2]http://www.phpcs.com/codes/AJOUTER-UTILISATEUR-SUR-SERVEUR-FTP-FILEZILLA_44341.aspx
http://forum.filezilla-project.org
[3]http://forum.filezilla-project.org/viewtopic.php?f=3&t=4508
[4]http://translate.google.mg/translate?hl=fr&langpair=en|fr&u=http://en.wikipedia.org/wiki/FileZilla&prev=/translate_s%3Fhl%3Dfr%26q%3Dcode%2Bsource%2Bde%2Bfilezilla%26tq%3Dfilezilla%2Bsource%2Bcode%26sl%3Dfr%26tl%3Den
[5]http://trac.filezilla-project.org/ticket/1190
[6]http://www.movizdb.com/applications/logiciels-pc/print:page,1,49260-portable-filezilla-3.2.7.1-hotfile.html

A question came up today about how one might go about adding an SSL certificate to a SharePoint web application that has already been configured and running a site collection.

Unfortunately there doesn’t appear to be any way to convert it to SSL without blowing it away, and recreating the web app.  That’s a bummer.  I hope that get’s address in 2010.

If you are going to do this though, be sure you are familiar with Alternative Access Mappings.  (AAM’s)

If anyone knows of a way to do this without destroying everything first, I’d love to hear about it.

Thanks for listening.

Het overgrote deel van de webwinkels waar via iDeal kan worden betaald, is onvoldoende beveiligd. Dat blijkt uit onderzoek van internetbeveiliger Networking4all. Van de ruim 13.000 webwinkels in Nederland, heeft volgens de internetbeveiliger 12 procent de beveiliging op orde.

De uitkomsten van het onderzoek zijn woensdag door het bedrijf gepubliceerd. Volgens het internetbedrijf groeit het aantal niet goed beveiligde sites sneller dan het aantal dat de zaakjes wel op orde heeft.

iDeal veilig

Onderzoekers bekeken sites waar met de betaalmethode iDeal kan worden afgerekend. De betaalmethode van iDeal zelf is wel veilig, zegt Paul van Brouwershaven van Networking4all in een reactie.

Het probleem ligt volgens hem op de gedeelten van de webshops waar de handelingen niet compleet beveiligd zijn en kwaadwillenden persoonsgegevens kunnen aftappen. Zo zouden het koopgedrag en de bestelgegevens afgekeken kunnen worden.

Madurodam

Het onderzoek noemt sites van de NS, reisorganisatie Kras en Madurodam als voorbeelden van niet goed afgeschermde sites. Volgens Brouwershaven moet iDeal geen zaken doen met webshops die hun persoonsgegevens niet goed beveiligen.

Onderzoekers bekeken sites waar met de betaalmethode iDeal kan worden afgerekend. Dat ligt volgens Networking4all echter niet wakker van de resultaten en zegt ”dat is niet onze taak”.

SSL-certificaten

Networking4all wijst er op dat webshops volgens de Wet bescherming persoonsgegevens verplicht zijn het verzenden van persoonsgegevens te beveiligen. Het College bescherming Persoonsgegevens adviseert webwinkeliers gebruik te maken van zogeheten SSL-certificaten.

De afkorting staat voor Secure Sockets Layer en is te herkennen aan een hangslotje (rechtsonder of rechtsboven in de browser) en een adres dat begint met https. Met SSL worden persoonsgegevens ”versleuteld’ en onleesbaar voor derden.

In 2007 maakte ruim 6,8 procent van de webwinkels met iDeal gebruik van een SSL-certificaat. In 2008 was dat gegroeid naar bijna 9 procent en inmiddels is dat nu dus bijna 12 procent.

In aantallen gesproken is de groep webwinkels zonder beveiligingscerticaat echter veel sneller gegroeid dan die met. In 2007 hadden 5209 shops geen SSL en 385 wel, in 2009 was dat 11.980 tegen 1627.

NS

Volgens een woordvoerster van de NS is de website van het vervoersbedrijf wel veilig. De zegsvrouw erkent daarbij dat hackers voorletter, achternaam, mailadres en geboortedatum van een digitale kaartjeskoper kunnen zien. Het bedrijf werkt aan een betere beveiliging. ”Onze e-tickets zijn een groot succes, waaruit blijkt dat het publiek het waardeert.”

De woordvoerster beweert dat hackers verder niets met de informatie over de klanten kunnen doen. Als een kaartje wordt gebruikt, moeten klanten zich altijd legitimeren.

© ANP/NUzakelijk.nl

Daca ti-a placut, da-i un vot via FTW

SSL (secure socket layer) este larg utilizat de site-urile e-commerce pentru a proteja detaliile card-urilor si altor informatii personale. Grupurile de stiri de securitate au scris activ despre scaparea SSL, ce ar putea permite unui atacator “man-in-the-middle” sa adauge date intr-o tranzactie HTTPS securizata.

Intr-un atac man-in-the-middle, atacatorul efectueaza conexiuni independente cu victimele si schimba mesaje intre ele. Acestea cred ca vorbesc cu alti utilizatori printr-o conexiune privata, insa conversatia este controlata de atacator.

Insa, potrivit cercetatorului Anil Kurmus, aceasta scapare este putin probabil sa fie exploatata pentru HTTPS, deoarece permite atacatorului doar sa injecteze date.
Insa Anil Kurmus a descoperit un mod prin care un atac modificat ar putea fi utilizat pentru a sustrage drepturi de acces pe Twitter printr-un link SSL.
El a demonstrat cum un atacator ar putea lansa un atac man in the middle pentru a fura drepturile de acces ale unui utilizator ce se autentifica prin HTTPS pe un website de incredere precum Twitter.

.via

Sustin Revolutia Bunului-Simt – Votez Antonescu

I have a domain mydomain.com with some sub level domains like

• nexus.mydomain.com
• svn.mydomain.com
• www.mydomain.com

Now I need a self signed certificate for all these domains because I want to use them over HTTPS. There are some steps to do this. First of all: you don’t need for this propose your own root certificate. You should replace all occurence of mydomain.com with your own domain name and sub domains.

On the gentoo server where the apache should host the domains, I have to create the certificate. I do following steps:

1. Generate a private key

   openssl genrsa -des3 -out server.key 1024
   

2. Generate a CSR (Certificate Signing Request)

   openssl req -new -key mydomain.key -out mydomain.csr
   
   Country Name (2 letter code) [DE]:DE
   State or Province Name (full name) [Sachsen]:Sachsen
   Locality Name (eg, city) [Leipzig]:Leipzig
   Organization Name (eg, company) [My Company Ltd]:mydomain.com
   Organizational Unit Name (eg, section) []:Information Technology
   Common Name (eg, your name or your server's hostname) []:mydomain.com
   Email Address []:thomas dot wabner at mydomain dot com
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:
   

3. Remove Passphrase from Key

   cp mydomain.key mydomain.key.org
   openssl rsa -in mydomain.key.org -out mydomain.key
   

4. Generating a Self-Signed Certificate

   To include all required subdomains a extensions file must be used. For example I have created a file /home/waffel/ssl/mydomain_extensions with following content:

   [ mydomain_http ]
   nsCertType      = server
   keyUsage        = digitalSignature,nonRepudiation,keyEncipherment
   extendedKeyUsage        = serverAuth
   subjectKeyIdentifier    = hash
   authorityKeyIdentifier  = keyid,issuer
   subjectAltName          = @mydomain_http_subject
   [ mydomain_http_subject ]
   DNS.1 = www.mydomain.com
   DNS.2 = nexus.mydomain.com
   DNS.3 = trac.mydomain.com
   DNS.4 = svn.mydomain.com
   

   The last command to create the certificate is:

   openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt -extfile /home/waffel/ssl/mydomain_extensions -extensions mydomain_http
   

In the apache configuration for the ssl host’s I have enabled the ssl module with following content:

...
ServerAlias svn.mydomain.com trac.mydomain.com nexus.mydomain.com

        ErrorLog /var/log/apache2/ssl_mydomain_error_log
        <IfModule log_config_module>
                TransferLog /var/log/apache2/ssl_mydomain_access_log
        </IfModule>

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl/mydomain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
        SSLCertificateChainFile /etc/ssl/cacert.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/localhost/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        <IfModule log_config_module>
                CustomLog /var/log/apache2/ssl_mydomain_request_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </IfModule>
...

For exmaple if you need such certificate to connect your maven with a self installed nexus repositiory over https you can follow the article from ahoehma.

A more detailed description with some beckground information about the certificate creation can be found here.

For a private project I try to use nexus behind apache and ssl. I used a self-signed certificate.

But each nexus repository request ends with a security exception:

[WARNING] repository metadata for: 'artifact org.apache.maven.plugins:maven-enforcer-plugin' could not be retrieved from repository: nexus-plugin-releases due to an error: Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


I found many site for that problem and they describe always the same solution

import the self signed cert in your local truststore!

… here are the steps:

1. download the certificate
2. create a local truststore and import the certificat
3. call maven with the correct security properties

The import is simple  (java keytool):

keytool.exe -importcert
            -alias nexus-xxx
            -keystore xxx.jks
            -storepass secret
            -file xxx.crt

For maven I’m using a cygwin bash alias:

alias mvn_xxx='/cygdrive/d/maven-2.2.1/bin/mvn
-gs "d:/maven-2.2.1/conf/settings-xxx.xml"
-s "d:/maven-2.2.1/conf/settings-xxx.xml"
-Djavax.net.ssl.trustStore=d:/maven-2.2.1/conf/xxx.jks
-Djavax.net.ssl.trustStorePassword=secret'

I point the global config  (-gs) and the personal config (-s) to the same file to ignore other configuration from my default maven config file (i.e. common mirros settings / repositories etc.).

And at least here is my complete maven setting-nexus settings:

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/settings/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">

  <localRepository>D:\maven-repository-xxx</localRepository>

  <mirrors>
    <mirror>
      <id>xxx-nexus-snapshots</id>
      <mirrorOf>nexus-snapshots</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public-snapshots/</url>
    </mirror>
    <mirror>
      <id>xxx-nexus-snapshots</id>
      <mirrorOf>nexus-plugin-snapshots</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public-snapshots/</url>
    </mirror>
    <mirror>
      <id>xxx-nexus-releases</id>
      <mirrorOf>nexus-releases</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public/</url>
    </mirror>
    <mirror>
      <id>xxx-nexus-releases</id>
      <mirrorOf>nexus-plugin-releases</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public/</url>
    </mirror>
    <mirror>
      <id>xxx-nexus-releases</id>
      <mirrorOf>*</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public/</url>
    </mirror>
  </mirrors>

  <profiles>
    <profile>
      <id>xxx-nexus-mirror</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <repositories>
        <repository>
          <id>nexus-releases</id>
          <url>http://foobar</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
        <repository>
          <id>nexus-snapshots</id>
          <url>http://foobar</url>
          <releases>
            <enabled>false</enabled>
          </releases>
          <snapshots>
            <enabled>true</enabled>
          </snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>nexus-plugin-releases</id>
          <url>http://foobar</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </pluginRepository>
        <pluginRepository>
          <id>nexus-plugin-snapshots</id>
          <url>http://foobar</url>
          <releases>
            <enabled>false</enabled>
          </releases>
          <snapshots>
            <enabled>true</enabled>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>

  <servers>
    <server>
      <id>xxx-nexus-releases</id>
      <username>foo</username>
      <password>bar</password>
    </server>
    <server>
      <id>xxx-nexus-snapshots</id>
      <username>foo</username>
      <password>bar</password>
    </server>
  </servers>

</settings>

You can replace xxx with your personal domain-alias.

Followup to that story a couple weeks ago about SSL being eminently hackable by a man-in-the-middle attack.  It seems real.  Its the end of everything – the internet is falling.  Let’s all buy huge purses (schwing) for our soon to come legions of SecureID Dongles.  Feel free to get a European Carry-All.

Seriously, there’s only a few days left to use SSL in public.

Have a nice day.

There was an SSL vulnerability revealed last week – a design flaw in the protocol itself. There are two very notable things in this news: the vulnerability being in the protocol itself (like DNS and SNMP before it), and the way news of the vulnerability was broken.

The flaw in the protocol was discovered in August by researchers at PhoneFactor, and the vulnerability was released confidentially to those who could fix its problems and produce fixes for the vulnerability.

This flaw was then discovered by an independent researcher, who likewise released the vulnerability confidentially to an IETF security mailing list.

The problem was that a reader of that mailing list did an irresponsible thing and let the news of the SSL protocol vulnerability loose by sending a tweet message about it on Twitter to all of their friends – which meant that the news was set to be released to everyone. Mark Twain said: “Three people can keep a secret if two of them are dead.”. This problem of vulnerabilities and of when and how to release the news is not new; nor is the problem of the unknowing releasing confidential details.

The problem with security vulnerabilities and confidentiality is legend: it has become one of those arguments that never quits: do you release the details of a vulnerability as soon as they are known or do you wait for the fix to be released after confidentially notifying affected vendors? The uneasy answer most often reached is that a combination of both is necessary.

The problem of tweet messages releasing confidential information has happened before; one most notable incident was when Congressman Pete Hoekstra (R-Mich.) let slip news in Twitter about his trip to Baghdad. This news was then picked up by Wired, the New York Times, CNet, and – of course – the Congressional Quarterly.

In the security arena, confidentiality is much more critical – as is evidenced by the fact that Twitter itself was attacked with this vulnerability just in the last few days.

When you “speak” on the Internet, the world will hear: so be careful what you say.

An “Authentication Gap” was discovered in the latest version of SSL/TLS protocol.This could potentially be a huge problem. The gap is not due to some erroneous implementation, it is a property of the protocol.

Here is a list of links to websites where the issue is being followed:

http://www.phonefactor.com/sslgap/

IETF resources

Red Hat

SANS.org

On 11/05/09 the notice of Renegotiation vulnerabilities within SSL/TLS protocols became public.  The vulnerability allows for injection of arbitrary plain-text allowing for HTTP requests, or impersonate the victim, as well as other consequences.

~Opinion~

While the known possible outcomes of this vulnerability seem similar to many of the run-of-the-mill exploits we’ve seen, the ramifications behind this vulnerability are monumental.

Just the number of vendors, and their products effected by this alone show that there will soon be a revolution.  The affect on everyday lives of so many will undoubtedly negative.

Either a major overhaul of the protocols is necessary, or we are in for a new breed of security focus.  An overhaul is most likely to occur; however, if it doesn’t we will have to be prepared to move into a security stance which covers security in both a pre- and post- environment.

Our previously hardened infrastructure would have to be analyzed, and protected during use.  Protecting our protection if you will.

While all this seems goofy, given the fact that we will most likely just patch and move on, it seems to beckon the time for more intuitive security measures is nearing, or hear.  Security measures that… think.

Packets with guns.  Headers with secret handshakes. Connections that conspire against their own existence.

~/Opinion~

As usual, if you want to hear more information, visit the link below… And I am very interested in hearing comments on this one… Maybe I am just blowing it out of proportion, but it seems big.

Vulnerability Note VU#120541 (New Window)

My Liferay application was running on the domain www.pojoe.ca and resided on Tomcat 6 in its own VM while my SSO server was running on another Tomcat 6 instance on another VM under the domain sso.pojoe.ca. I wanted to establish an SSL connection between the two over a self-signed certificate.

I started by setting up HTTPS on my SSO server.

• Create the keystore and private key in some directory. I use /opt/tomcat/security

keytool -genkey -alias mykey -keypass changeit -keyalg RSA -keystore server.keystore

• Answer the prompts.  Use sso.pojoe.ca (your domain) when asked for first/last name.  This is critical.

NOTE: From http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

I am using name-based virtual hosts on a secured connection which can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, where the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result, the request information containing the virtual host name cannot be determined prior to authentication, and it is therefore not possible to assign multiple certificates to a single IP address. If all virtual hosts on a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts should not interfere with normal SSL operations on the server. Be aware, however, that most client browsers will compare the server’s domain name against the domain name listed in the certificate, if any (applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers will display a warning to the client user. In general, only address-based virtual hosts are commonly used with SSL in a production environment.

• server.keystore is generated.

• List the keys currently stored in your keystore.

keytool -list -keystore server.keystore

• You should see the PrivateKeyEntry named mykey in the listing.

• This should be sufficient to begin receiving connections using HTTPS.

• Generate the certificate.

keytool -export -alias mykey -keypass changeit -file mycert.crt -keystore server.keystore

• mycert.crt is generated.

• Import the certificate into the keystore.

keytool -import -alias mycert -keypass changeit -file mycert.crt -keystore server.keystore

• You receive a warning that it already exists in the keystore.  Ignore it.  It is because Java expects separate keystore and trust store files and we are using only one.

• List the keys currently stored in your keystore.

keytool -list -keystore server.keystore

• You should see a TrustedCertEntry named mycert in the listing as well as the PrivateKeyEntry named mykey.

Next I configured Tomcat to use the keystore I just setup. In server.xml uncomment the SSL connector port 8443. I’ve added the keystore file we created.

<Connector port=“8443″ protocol=“HTTP/1.1″ SSLEnabled=“true” maxThreads=“150″ scheme=“https” secure=“true” clientAuth=“false” sslProtocol=“TLS” keystoreFile=“/opt/tomcat/security/server.keystore” keystorePass=“changeit”/>

My SSO server is now ready to rock over HTTPS.

Next I’ll enable HTTPS on my Application server running Liferay.

Create the keystore and private key in some directory. I use /opt/tomcat/security

keytool -genkey -alias mykey -keypass changeit -keyalg RSA -keystore server.keystore

• Answer the prompts.  Use www.pojoe.ca (your domain) when asked for first/last name.  This is critical. See notes from above.

• Copy the mycert.crt certificate from the SSO server to /opt/servers/tomcat/security

keytool -import -alias mycert -keypass changeit -file mycert.crt -keystore server.keystore

• List the keys currently stored in your keystore.

keytool -list -keystore server.keystore

• You should see a TrustedCertEntry named mycert in the listing as well as the PrivateKeyEntry named mykey.

Next we’ll set the JVM parameters to tell the application to use the trust store.

-Djavax.net.ssl.trustStore=/opt/servers/tomcat6.0.18/server.keystore

-Djavax.net.ssl.trustStorePassword=changeit

My Liferay application server and my CAS SSO server can now talk over HTTPS.

Reference:

http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html

Discussed in Slashdot quite few days back becomes true. Some researchers had claimed was too theoretical to worry about, has now been demonstrated by exploit. The attack description is available on securegoose.org.

The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. When the flaw surfaced last week, many researchers dismissed it as an esoteric curiosity with little practical effect.

For one thing, the critics said, the protocol bug was hard to exploit. And for another, they said, even when it could be targeted, it achieved extremely limited results. The skepticism was understandable: While attackers could inject a small amount of text at the beginning of an authenticated SSL session, they were unable to read encrypted data that flowed between the two parties.

Read more