Xenatisch

Freedom of speech comes with no strings attached…

Month: March, 2011

The Persian Translation to the part 2 of the article: SSL security issue cased by the Iranian government

PART 2

This is a Persian Translation to the article: SSL security issue cased by the Iranian government: Answers to your Questions.

مشکل امنیتی ایجاد شده از سوی دولت ایران در گواهی نامه های SSL: پاسخ به سوالات شما

 

Upon the requests, a very good friend and old friend of mine, whose name is not to be disclosed here, did me, and the community a favour and translated this article to Persian. So that the non-English speaking members of the Iranian community can also take advantage. A very warm appreciation towards him as he deserves it. Translating such a technical article is not very easy, one must admit.

Advertisements

The Persian Translation to the part 1 of the article: SSL security issue cased by the Iranian government

This is a Persian Translation to the article: SSL security issue cased by the Iranian government: In depth look!

مشکل امنیتی ایجاد شده در گواهینامه های SSL توسط دولت ایران:‌ نگاهی عمیق (قسمت اول)

Upon the requests, a very good friend and old friend of mine, whose name is not to be disclosed here, did me, and the community a favour and translated this article to Persian. So that the non-English speaking members of the Iranian community can also take advantage. A very warm appreciation towards him as he deserves it. Translating such a technical article is not very easy, one must admit.

 


What is SSL (Secure Socket Layer) at all?

This article is intended to be written in a simple way so that it will be understood by the majority of computer and network power users (not developers or designers).

What is SSL at all? This was One of the frequently asked questions from me during the past 2 days, and upon the my blog entries on the following topics:

Well, I must confess that this is a very difficult question to answer to those who are not specialised in the area of Computer Science and Networking.

Basically, as the internet became popular and the commercial industry started taking advantages out of it, the need to secure data transport was felt more than ever before. Imagine you are trying to buy something from the internet, say from Amazon®. When you want to pay for the good using your credit or debit card, you want to make sure that the following happens:

  1. Your money goes to Amazon
  2. The details of your credit/debit cards are safely transferred to the Amazon server
  3. Your details can only be retrieved and used by Amazon
  4. The details of the purchase remain as they are. (The quantity doesn’t change, for instance)
  5. No one else in the middle of line (between you and the Amazon server) is going to be able to read your data, and maybe use it later for unauthorised purchases off the internet.

In order to achieve these goals, the requirement of a security system was understood. The experts later realised that the issue is not limited merely to the transaction. For instance, when you want to write an email which consists classified information to your colleague, you want to make sure that:

  1. The email goes to your colleague.
  2. The email goes ONLY to your colleague.
  3. The credentials (username and password) of your email are not disclosed.
  4. You other emails are not disclosed.

In which case, it was decided to define a generally purposed protocol which gets placed between (figure 2) the Application Layer (layer number 7) which is mostly known as the protocol that handles HTTP arguments, and the Transport layer (layer number 5) which is the only handling the transport and is mostly known by name TCP, in OSI (Open System Interconnection) modelling system as shown in figure 1.

FIGURE 1.

They reason why this later is called a “Transport Layer Security” is that, from the layer above it (the Application Layer), it looks just like a normal transport layer, except that is a secured transmitting system. That means, the sender may open a connection and deliver data for transmission, and the Secure Transport Layer makes sure that the data is getting transfer securely. So, basically by running this protocol before TCP (the transmitting protocol), it is assured that all the TCP features are provided to the application just as well.

FIGURE 2.

So there should be a difference between a secured, and an unsecured transmission. Of course there is one beyond an individual’s sight, but there must be a way for people to recognise whether they are in a secured or an unsecured area. To meet this requirement, it was decided to slightly change the name of the protocol when it becomes secured. In which case, a letter “S”, representing “Secure”, is added to somewhere to the name of a secured protocol. So, HTTP protocol becomes HTTPS when secured. FTP protocol, becomes FTPS when secure and so on and so forth.

Secure Transport Layer inserted between layers

Application Layer (HTTP, FTP)

SECURE TRANSPORT LAYER

TCP

IP

Subnet

 

For the sake of convenience, special ports are assigned to the secured protocols as well. So, HTTP protocol port is 80 whereas HTTPS is 443, FTP port number is 21 whereas FTPS is 989, and so forth.

There are various cryptographic algorithms that may be used for various operations, however, you cannot assume that the other side of the communication always implements all these algorithms. In which case, the two systems (both sender and the receiver) must keep negotiating until they find something that they both agree on. The encryption may also be changed in the middle of a connection if it is required, for instance when: “you had a very important data that warranted more computationally expensive encryption” – [Larry L. Peterson et al. – Computer Networks, 3rd Edition: Morgan Kaufman Publishers]

That is why the Transport Later Security breaks into two pasts:

  • A HANDSHAKE protocol which negotiates
  • A RECORD protocol used for the data transfer

The HANDSHAKE protocol is responsible for exchanging the certificate between the nods (the participant interfaces).

Now this is where the interesting things happens:

In making a purchase using your bank card, you need to know that you are talking to the real server (Amazon in our example above). But you do not necessarily need to the authenticated. In which case, the server shall provide you with a certificate, or sometimes several certificates, if required. Thereafter, it provides you with a reliable copy of its public key. The server is therefore able to authenticate subsequent message using the private key. You are now able to encrypt messages with the public key provided by the server. One of the things done with this key is that a premaster secret key gets sent to the server.

Now the RECORD protocol defines several formats and procedures:

  • Fragmented and coalesced into blocks of required (defined) sizes.
  • Optionally compressed
  • Integrity protected using a hash
  • Encrypted
  • Passed to the next layer

 

Just to be clear, handshaking protocol is where the Iranian government has fingered using the invalid certificate and providing the clients with an invalid public key.

 

Well, this was a very brief explanation of how SSL (TSL) works in a very simple language.

Hope you have enjoyed it.

Thank you for spending your time on my blog.

SSL security issue caused by the Iranian government: Answers to your Questions

Okay, here is the second volume of my assessment over the security issue caused by the Iranian government. This is following the previous post of this blog entitled: SSL Security Issue caused by the Iranian government: In depth Look! , in case you are lost!

In this writing, I am going to mainly focus on the questions that I have been asked since yesterday, some of which I have personally answered so far.

Okay, one of the frequently asked questions was:

Does the invalid SSL certificate in fact redirect the victim to another computer apart from the sender and the intended receiver?

The answer to this question is, No. SSL certificate does not have the ability to redirect you. It is your Internet Service Provider that redirects your connection to super computer. What SSL does (or is supposed to do) is to encrypt your data, so no computer other than the intended receiver is going to be able to open it.

What does exactly happen in that “Super Computer” that enables them, supposedly the government, to be able to steal the data?

As I mentioned in the previous entry, by accepting an invalid certificate, you are accepting the risk of acknowledging another computer as your destination (intended receiver). By doing so, you are allowing that fake receiver to open the header containing the key to the encryption of your data made by your SSL encryptor. Once opened, it gets recorded or spying purposes, and then gets forwarded to the intended receiver. Whereas the intended receiver recognises the request as if it is sent mainly from that computer (the fake receiver), it then automatically recognises it as the true sender of the request. In which case, the respond to the request shall therefore be sent to it, instead of you. Once this fake receiver receives the information, it then records it, and forwards it to your computer, which allows you to see the information you had requested leaving you unaware that you data as been monitored.

It can make a better sense if you have look at figure 1 .

FIGURE 1.

It is in fact unnecessary to direct data through a computer. The switches and routers are well capable of redirecting the data to the intended receivers without requiring any further involvements of computers (as we call them). In which case, the data transfer should normally take place via the RED connected in figure 1, whereas it is now taking place via the BLUE connection.

Can antivirus software, or firewalls be of any assistance?

No, to my knowledge, there is no antivirus that or firewall software that can control what is happening beyond the Application layer in OSI model. And firewall devices (which of course are not used in home networks) do not recognise this unless they are programmed accordingly.

Would updating our Operating Systems, browsers, or other medium software help?

It would help you having an up-to-date database of the accepted and valid certificates. But it will NOT prevent nor stop the event. You will still face invalid certificates and it is YOU who must remain cautious not to mistakenly accept an invalid certificate.

I have already accepted an invalid certificate, what shall I do now? Am I all gone?

I cannot say if your data has been retrieved from the server or not. Nor can I suggest if you have been monitored or not. But what you can do now is to open the certificate library of your operating system, Windows, Linux, Mac OS X, Unix, BSD, Solaris, whatever it is. Open it, find all the invalid / expired certificates, and manually delete them. Once accomplished, attempt to change all your security credentials, passwords, security questions and so forth. AVOID accepted any invalid certificates. Following this, you may be sure that you are no more being monitored.

Are VPNs Safe?

No, they are mostly not. VPN, or Virtual Planned Network, is a secure way of connecting to an internetwork. VPNs usually use SSL certificates, and for financial reasons, and the fact that they are private networks; validated certificates are NOT used within them. In which case, the VPN users are left with no option but accepting an invalid certificate. Some operating systems even have the option of “Accept the SSL Certificate” set on them and marked as default. So no matter what, they get accepted. Upon the acceptance, you would face the same issue, however, in an even wider aspect. You are risking your own computer data getting monitored.

Is there any way at all to avoid accepting the certificate?

Yes, there are three methods, out of which 2 can be done through normal users. However, the third requires power user who has in-depth knowledge in the operating system level networking.

1- You may use proxy servers. However, you should be careful to use only the proxy servers that work completely indirectly. So you requested website, in fact, gets loaded in the host server of the proxy service provider, and then a link from their server is appeared at your URL bar. So for instance, if you attempt to open “https://www.gmail.com/” you do not see any sign of “gmail” or “google” or anything identical to them in your URL bar. (as seen in figure 2.)

FIGURE 2 (Click on the photo to enlarge).

2- Use IP / Port redirection system. Although there is no guarantee in it, it is very likely that the data going out of your computer (or coming in) form any ports other than 80 / 8080 don’t get monitored. Because monitoring over 64000 ports from each computer connected to the internet in a country wouldn’t be so pleasant to the ISP, even for a super computer. Please note that all you need to redirect is you HTTPS traffic. You don’t need to redirect everything since it reduces your speed of browsing, as shown in figure 3. (sorry I don’t have Windows on any of my computers, but it’s not difficult to find where these settings are placed).

FIGURE 3.

3- This is the difficult solution. What you need to do, is to find a valid certificate of the website you are willing to use, and set it as the default SSL certificate for that website. But this needs to be done manually, and is not particularly the easiest thing to do. Specially in Windows, where it must be done through registry system. So, no matter what, the computer will stick to that certificate for that website. An example on the OS X would be as follows in Figure 4.

FIGURE 4 (Click on the photo to enlarge).

This will conclude this question/answer session. Please do not hesitate to leave comments, make questions and enquiries, or otherwise email me.

Thank you for spending time on my blog.

SSL security issue caused by the Iranian government: in depth look!

Before getting to the point, one needs to know what SSL is and what does it do at all?

Secured Sockets Layer

Secure Sockets Layer or SSL is a cryptographic protocol that provides communications security over an internetnetwork, including the internet. SSL encrypts the segments of network connections above the Transport Layer, using symmetric cryptography for privacy and a keyed message authentication code for message reliability.

Basically, SSL works as follows:

Open System Interconnection

This procedure mainly occurs in the 6th layer of OSI (Open System Interconnection) system, also known as Presentation layer. OSI model consists of 7 layers, each of which works independently. These layers tend to put a header on the data packets (or frames, segments, etc) they receive. In which case, one the header is placed over the data, it can only be removed by the same layer, either on the same computer (known as the sender), or in another one (supposedly the receiver).

Knowing this, the classification of OSI layers are as follows:

Okay. Having said that, you also need to consider the fact that the user interactive programmes on a computer are placed within the Application layer, that is, layer number 7. In which case, they have no control over the layer below them, unless otherwise it requested by the the layer below them, itself.
SSL is able to offer such very high level encryptions which might take tens of years for a regular computer to break.
However, what the Iranian government seems to be doing can easily become ice clear to someone experienced in the area of IT. Check this out:
A major issuer of secure socket layer (SSL) certificates acknowledged on Wednesday that it had issued 9 fraudulent SSL certificates to seven Web domains, including those for Google.com, Yahoo.com and Skype.com following a security compromise at an affiliate firm. The attack originated from an IP address in Iran, according to a statement from Comodo Inc.
Although SSL is very secure, it can be controlled through its user’s machine (computer, mobile, printer or any network interface). There are several SSL certificate issuers in the world that are accredited by the SSL Inc., out of which the first place belongs to VeriSign.
Many of the website you use everyday take advantage of this security system. In fact, whenever you see a sign of HTTPS in the beginning of a URL  in your browser navigator, you may be sure that you are using an SSL certificate. When you sign into your Yahoo!® account, when you use your Gmail®, when you make an online payment using your credit or debit cards, when you enter your private information into a website, when you enter your passwords, when you look up your bank account using internet banking and so many other secured environment that you may hit everyday over the internet.
Trusted and Certified
Once into a SSL Secured transmission, the transmission medium (could your browser, a network dependant software, a SMTP dependant hardware like SMTP enabled printers, and so on and so forth) will check into the verified SSL certificates. If it was valid, you won’t even notice that you have been redirected to a secured area. The only thing that happens is that your URL changes to HTTPS, the certificate will be shown valid as a very small icon on a corner of your browser (the place varies depending on the  browser), and the speed reduces slightly, since all the data, sent and received, gets encrypted.
A valid certificate, therefore, would typically looks like this:
Click to enlarge.
and the most important part of it is:
Browser Reactions
Where number 1 represents the website that the certificate has been issued for. And number 2 represents the date on which the certificate expires (or required to be renewed) and whether or not the certificate is still valid an verified by the issuer or not.
In case of an invalid certificate, different browsers behave differently. What I’m going to do is that I’m going to set up an untrusted unverified certificate on my own website and show you how the browsers would therefore act. I’m also going to show you examples of 4 different browsers: Safari, Firefox, Chrome, Opera and IE.
Safari 5.0.4 :
Firefox 4.0 :
Chrome 10.0.648.151 :
Opera 11.01 :
Internet Explorer 8:
Why are the untrusted certificates used at all?
There could be various reasons for that. Some networks may be desired to remain offline, and therefore they cannot get verified SSL certificates. The number of users may not be as many, so it wouldn’t be financially reasonable to buy it. And many other reasons. But they remain untrusted, unless we are absolutely sure about the content, and the certificate we are about to use.  Like our own websites, or a university internal network and so forth.
How do we know?
However, when we get to the internationally recognised service providers, such as Yahoo!®, Google®, Skype®, our banks, Facebook®, etceteras, an invalid certificate will, and must ring a bell, actually, an alarm!
What shall we do?
Conclusion would be, if you are asked to trust a certificate on a well known service provider website, never do so, there is something wrong. Try to report it to the administrator for further investigations.
What can they do with an untrusted, invalid certificate at all?
Having said all the above, now we are getting to the climax! Your data gets encrypted using SSL in the presentation layer of your network, it then takes its header, which also consists the key, and is then released to the layers below it to be transmitted through the network, the internetwork, the internet, and the destination.
Now, let’s see how does it get to the destination, and what does it go through in this journey?
I tried to keep the diagram very simple. Now if you look inside the cloud, you see 3 kinds of links. Some are in black, which is normal. Some are in blue, which is what the Iranian telecom is now doing, and some are in red, which is how it is supposed to be. So, considering the current situation, all the data goes to a super computer in the server, before going to where it is supposed to go. But didn’t we say that no other network interface can open SSL, unless the actual destination? Well, that is where the hack has taken place. When you accept an invalid certificate, you are trusting a computer that may not, and in this case is not, the computer (the server, or the interface) which you want to communicate with. In which case, you are telling you SSL, okay, well, this is what I wanna communicate with! So that computer receives all your data, saves it, and the forwards it to main server that you wanted to communicate with, such as Google, Yahoo or anything else. So, you data once gets decrypted inside your internet service provider for monitoring purposes and censorship, then gets encrypted, gets sent to the main server, and vice-versa. Therefore, there is basically no way of preventing this, unless you reach for the true and valid certificate. No antivirus or firewall can be of assistance here, if you, as the owner and administrator of your computer, allow this and trust the certificate whereas you command has more priority to the computer than the Antivirus, or the FireWall.
In conclusion:
  • Do not accepted certificates unless you are absolutely sure they are valid.
  • Use encrypted proxy servers in order to open your personal documentations over the internet (Emails, Bank account, etc).
  • Avoid using VPNs unless they have valid SSL certificates (which is very rare), make sure your VPN setting is not set on trust all SSL certificates.
  • Use redirecting IP/Port systems, if available.
  • Make sure your data is transmitted on a valid certificate at all times.
  • Keep your certificate database up to date by upgrading your operating system, your browsers, and other medium software, such a Flickr uploader, iPhoto, ACDSee, and so on.

If there is any question that I can help with, do not hesitate to leave comments here, or email me. I would be delighted to be of assistance.


These do, those react, we get the result: Western force and Iranian speech

I should have written about this a couple of days earlier, for which I apologise. My excuse is that I have been extremely busy studying as well as doing some voluntary jobs. Having said that, let’s move onto the main subject.

I was watching (actually listening to) the BBC News when Nicolas Sarkozy, French President, declared war with the Libyan government in order to enforce the United Nations’ Security Council no fly zone order. He indicated that the French jets are on their ways to Libya as I speak to you. And that the British Royal Airforce, the Canadian Airforce and the US Airforce shall join us later. He didn’t particularly speak of any other means of defence or attack, but it was made clear that they are going to use anything within their power to just do it. As observed, the British and American navies later joined them.

I strongly support this action. I believe that the war with Iraq was unnecessary (let’s don’t call it a lie to the world). I believe that Taliban is not as powerful as it seems to the world. Not to NATO! I don’t believe in the war between Israel and Palestine, it’s becoming more stupid on a daily basis, and so on and so forth. But I strongly support this one with Libya.

Why?

This guy, Gaddafi, was crossing the lines. Killing innocent people of the country governed by him, on that scale, was seriously unacceptable. Not to mention his blackmails to other countries. Not to mention his efforts towards saving Saddam Hussain. Not to mention his involvements with the events in Palestine. I believe this action had to be taken years ago, when the Scottish aeroplane was attacked by that terrorist, under his order, which resulted in hundreds of innocent people getting killed.Okay, it may be of some benefits to the west to take control of Libya as well, but let’s be honest, it is so much of the benefit of the Libyans themselves as well. It may be classified as a modern style of the colonisation plans, but still, it is good. These people need support to get rid of this freaking dictator after 43 years of his so-called presidency. It has been proven that he will do just about anything in his power to remain in power.

Now that for once NATO has made the right decision, the Iranian media has started its lies. Just a few hours after the declaration was made by President Sarkozy, the Iranian official news agency, Press TV, announced: The western aircrafts started firing over innocent people and the cities in Libya.

I’m just wondering how much lie are they going to tell people.

Do they fear that this may happen to them sometime soon? Or are the just pursuing their old denial policy?

I will write further about the “Failure of the Iranian Government in their Media Monopolisation Plan” later in the blog. Keep on reading then!

Thank you for your time.

President Obama’s Nowrouz (Iranian New Year) Message

President Obama sends an important message to those celebrating the holiday of Nowruz.  At a time of great regional change and renewal, the President this year speaks directly to the Iranian people, in particular the Iranian youth.  “…you – the young people of Iran – carry within you both the ancient greatness of Persian civilization, and the power to forge a country that is responsive to your aspirations. Your talent, your hopes, and your choices will shape the future of Iran, and help light the world.   And though times may seem dark, I want you to know that I am with you,” he says.

– Citation: White House Blog [Click Here]


 

 

Denial: A sign for strength or weakness?

WARNING: THIS ARTICLE CONTAINS DISTURBING IMAGES.

 

Iranian selected president, Mahmoud Ahmadinejad stated in his recent interview with TVE, the Spanish State Television, that: “Never, never. We have never done that. During the past 30 years we have had 30 free elections” he said, when asked about Iran, Ahmadinejad denied any repression against opposition at home.

Citation: CNN [Click Here]

Indicating that the Iranian regime has never done anything against the people. The actions have merely been taken against those who were acting roughly, or the public properties.

Accordingly, I would like to share some photographs taken during various protests which took place after the last presidential election in Iran.

This was taken in a hospital in Iran. The mother was shot by a machine gun, the hospital staff were told not to release any information regarding the incident,  however, a personal friend of mine who used to work in that hospital at the of this incident, sent the photograph to me asking me to release it anonymously.  Advise me of the reasons why the incident took place, in accordance with the president’s statement.

Neda Agha-Soltan

Whose dying image later became the symbol of protests in Iran. She was a PhD student going back home, she wasn’t even attending the protest.
Advise me what are these people doing except protesting peacefully that entitles them to be beaten by the guard?
What is this man doing to deserve that? Protesting? Is this a new definition of human rights? Is he damaging the public properties? Is he being rough?

 

These were only a few examples out of millions of images available showing the same pictures of the clashes.

How much lies would these so called politicians tell? How much do they think they can fool the people? It’s over. I has been for a long time. Iran is like an explosive which has its detonator released. It’s only the matter of time until the explosion.

These do, those react, we get the result: Protests – Price of Power, of lie?

Nick Clegg, deputy prime minister of the United Kingdom, stated yesterday in his conference for the Liberal-Democrat party members in Sheffield City Hall that “Protests are price of power”. This happened while thousands of people were shouting outside the city hall demanding their own rights, standing against the lies they have been, well, fooled by.

Not only that the Liberal-Democrat got into coalition with the Conservatives merely for the sake of power, they have even started acting against their very own manifest. Almost whatever that the Liberal-Democrats were promising the public before the election has gone with the wind unless it has been of the very own benefit of their party, such as the electoral issues and so forth.

Clegg indicated to the attendees of the conference in Sheffield City Hall: “with power comes protest” and that they should “just get used to it”

I have one question for you, Nick, and only one: Since I’m not sure whether it is the power that causes the protests of such a nature, or is it the lies that you said to the people that resulted in this mess? Even your very own supporters, those who voted for you, were among those people standing outside the city hall shouting. They weren’t in fact among them, they were running it…

What is said by the leader of the Liberal-Democrat party, which I used to support as well, reminds me of what Secretary of State, William Hague, said just couple of days ago:

Foreign Secretary William Hague has rejected claims he might resign over his handling of the Libyan crisis and denied he has lost his “mojo”.

He told the Sunday Telegraph he had wide support in his party and people should “get used” to the idea.

Right, problems solved. People are just to get used to the stuff happening around them and leave the politicians alone. Since they are always doing the right thing, making the right decision, going towards the right path, and taking the right action. So just get used to it if you haven’t yet. You have no right to stand against it, cause you are wrong, always wrong.

The most significant difference that is observed between the government of the so called advanced western countries with some of the middle eastern dictatorships is that, they just use words instead of guns! They call up 300 vans of police from West Yorkshire and Manchester to support them. The police will stand quite for as long as you stand still. But the moment you stat doing a bit of action, you will so hardly be hit by them. They waste this money of such a security force while the fire 10,000 police officers to cover the debts and do their cuts!

So just get used to it. Cameron is the prime minister, Clegg is his deputy, and you are getting fired soon, if you haven’t yet.

Anti Government Protests and Clashes in Sheffield

ENGLISH

COPYRIGHTED MATERIAL:Pouria Hadjibagheri Photography Portfolio.

© All rights reserved, any reproduction by any means of concept is prohibited and thus shall be tracked and prosecuted legally unless otherwise agreed and authorised in writing. Photographer: Pouria Hadjibagheri.

 

NEDERLANDS

AUTEURSRECHT MATERIAAL: Een Pouria Hadjibagheri Fotografie Portfolio.

© Alle rechten voorbehouden, elke reproductie op welke wijze is verboden, en zal dus worden bijgehouden en juridisch vervolgd, tenzij anders schriftelijk is overeengekomen. Fotograaf: Pouria Hadjibagheri.

 

FRANÇAIS

Matériel sous copyright: Un portefeuille de droits Pouria Hadjibagheri.

© Tous droits réservés, toute reproduction, par quelque moyen du concept doit donc être suivis et poursuivis légalement sauf accord contraire par écrit. Photographe: Pouria Hadjibagheri.

 

The Demonstration:

Click on the photos to enlarge.

 

The Slideshow

This slideshow requires JavaScript.