The OpenID levees break: Everyone’s OpenID accepted on Facebook

David Christiansen — Mon, 18 May 2009 21:14:45 GMT

Facebook will momentarily add yet another feather to their bow by becoming the biggest example of a social network accepting OpenID from other companies.

It is maybe now, more than ever we should expect websites to care more about verifying the age and identity of their customers – now that one of the largest in the market has widely accepted a technology that makes asserting verified claims SO easy.

Lions and Tigers – End of Safari evaluation

David Christiansen — Mon, 11 May 2009 09:37:20 GMT

So today see’s the end of my week long attempt to use an online bookstore search in replacement of my habitual use of Gooooogle.

All in all it was a relative success. We were certainly able to find the topics we were looking for – but as expected, Safari was able to best answer questions on ‘best practise’ and ‘how should be approach x’. Where Google steps forward was exposing the real world experiences actually implementing those practises, thanks to the world of Blogging and Forums.

Has to be said I found the interface to be simple. I don’t think I would ever be able to sit and read a whole chapter let alone a book. I wasn’t able to achieve the ‘flow’ otherwise experienced by reading a book or web page. Having to set the page Zoom each time became rather irritating after a while but I was able to find the information I required – answer the question – and move on.

I would LOVE to be able to flip pages using my cursors, rather than my mouse. I would love to see all the pages of a book laid out on a ‘whitebox’ table in some kind of deep-zoom visualisation so I can see all the headings, sub heading, illustrations, to mimic what you would do by the ‘flicking’ through a book.

So, will a Safari subscription kill my GoogleAmazon addiction. No, not yet. Besides, I can’t take Safari to the ‘john’.

This curiosity was satisfied thanks to my friends at GeekWithBlogs.net and Safari Books Online. Thanks very much guys!

Update:

*****

For a limited time, Safari Books Online is offering GeekswithBlogs readers a 15 day free trial, plus a 15% discount on a monthly subscription for a full year. Learn more and start your free trial at:http://www.safaribooksonline.com/geeks/mobile/?cid=200904-my-geeks-blog

*****

OpenSocial – Being forward, to move the social web forward …

David Christiansen — Tue, 05 May 2009 11:52:55 GMT

Signing up to OpenSocialthis afternoon I found that their registration page shows a woman being a bit more sociable than I was expecting. Not sure how this constitutes toward ‘Moving the social web forward’ – but she certainly is.

Security Question

David Christiansen — Tue, 14 Apr 2009 15:59:02 GMT

Courtesy of XKCD

PCI-DSS Assessment – Howto: Disable SSL2 and Weak Ciphers on IIS6

David Christiansen — Tue, 24 Mar 2009 19:24:17 GMT

If you deal with Credit Cards on the Internet, then it is very likely that you will have to conform to the Payment Card Industry Data Security Standards (PCI-DSS). You can get the standards specification, the self assessment questionnaire, or find instructions on exactly what you need to do to conform on the PCI-Security Standards Council website.

Depending on the nature of your business, and indeed how much money you see, you may need to perform network vulnerability assessments every quarter. These assessments are performed against the servers hosting your ‘payment application’ ie. your web server.

You will find a complete list of all companies that are recognised by the PCI on their website here (PDF) and most will offer some kind of free limited network assessment (such as 5 free scans for up to 3 IPs per device)

So, you’ve run your network vulnerability assessment on your IIS6 server. Great. But now you received a “NOT COMPLIANT” report as a result of failing the following two tests:

“Deprecated SSL Protocol Usage”
“Weak Supported SSL Ciphers Suites”

Let’s look at each one in turn and how to solve them.

Deprecated SSL Protocol Usage - The remote service encrypts traffic using a protocol with known weaknesses

The report may also give you the following information to put the fear of your god into you - “The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.”

You can confirm the reports findings by typing your hostname or IP into this handy utility - http://www.serversniff.net/sslcheck.php which will generate a report such as the picture below

The report is showing you that both SSL2 and SSL3 are enabled, and all the ciphers currently exposed by the server.

OK- So we want to remove SSL2 from this list. Unfortunately the only fix I know for this is by modifying some keys in your registry. There is a Microsoft Support article (187498) herewhich describes the following registry modifications.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff

What is happening here is that you are explicitly turning off PCT 1.0, SSL 2.0 and explicitly turning on SSL 3.0, TLS 1.0.

Running the report again on http://www.serversniff.net/sslcheck.php should present results something like below:

Right, now lets get rid of those weak ciphers.

Weak Supported SSL Ciphers Suites - The remote service supports the use of weak SSL ciphers

Again, another hard hitting description may be given - “The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all”

OK. Here’s registry fix number 2.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

This time we are explicity turning off the ciphers identified in the Network Vulnerability report, leaving only the strong ones switched on.

Running the http://www.serversniff.net/sslcheck.php report again shows a completely new picture:

NOTE: I do hope this post helps you out but please note that I do not accept any responsibility for your actions. This post details what worked for me, YMMV. Take care, Backup first, and don’t blame me if it goes pear shaped. As Microsoft Support says :

Important This post contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows