Wednesday, December 24, 2008

Making Google's 'Note in Reader' work with Firefox's 'NoScript'

Update Jan 31, 2009: As of NoScript this is fixed. Per Giorgio's comment, it looks like it was fixed back in 1.8.8. Thanks Giorgio!

This is a specific post for Firefox NoScript users.

I use the Firefox NoScript extension for extra security. I also like to use Google's Note in Reader. The problem is that the cross-site scripting (XSS) protection of the former blocks the latter.

But I found that I could configure an exception to NoScript for 'Note in Reader'.
  1. First, bring up the NoScript preferences (in Firefox, under Tools select Add-ons, then find NoScript and select its Preferences).
  2. Then, in NoScript's preferences, select the Advanced tab, and then the XSS tab.
  3. Add the following to Anti-XSS Protection Exceptions and click 'OK'.
That should do it. Not even a restart required.

Update Jan 31, 2009: Fixed broken link to Note in Reader.

Wednesday, December 17, 2008

How to really make something secure...

This is a little off my normal post of a simple how-to for this blog, but I saw this nice description of the real issues for making something secure from Perry Metzger and thought it was worth calling out.

This paragraph captures the gist:
The biggest problem in security systems isn't whether you're using 128 bit or 256 bit AES keys or similar trivia. The biggest problem is the limited ability of the human mind to understand a design. This leads to design bugs and implementation bugs. Design and implementation flaws are the biggest failure mode for security systems, not whether it will take all the energy in our galaxy vs. the entire visible universe to brute force a key.
I could not have put it better myself.

Tuesday, December 16, 2008

lifehacker post: Lessons Learned from a Hacked Gmail Account

A nice post on Lifehacker about what to do if your Gmail account gets compromised:

As far as I can tell, it would apply to any other web email account.

Monday, August 4, 2008

Web Surfing and Security

So you sit down at your web browser and head to some site on the web, and instead of getting the web site you get this warning from your browser:

What should you do? Well, that depends. The absolutely safe answer is to close the website and go on to something else.

But the goal of this post is to educate you so you can make an informed decision: that is, decide what your risk is and act accordingly.

First, what is this certificate thing? What does this error even mean? To answer that I have to explain a little bit about what a secure web site is. A secure web site is one that uses encryption between your web browser and the web site. You can tell a secure web site by the fact that its URL starts with "https" instead of "http".

That encryption does two things. First it provides for confidentiality. If it's working right no one else on the network can eavesdrop on (or modify) the traffic between your browser and the web site. The second thing it does is authenticate the web site, that is, it allows the web site to prove it is who it says it is to your browser. This works the same way you use your driver's license to prove you are who you say you are, except in the case of the web site it's called a certificate instead of a driver's license.

So the web site shows its certificate to your web browser, your web browser looks at it, and most of the time it thinks it looks good and all goes smoothly (it's actually a complicated cryptographic process, but you get the gist). Now the problem is that sometimes the web browser looks at the certificate and something doesn't look right. Some driver's license equivalents would be: your license says you are 5'10" when you are actually 5'8", or it says you are 300 lbs when you look a lot closer to 150 lbs, or the license was issued by some state you've never seen a license from before and have no idea what it's supposed to look like, or it expired 1 week ago.

These could all be simple mistakes, or it could be someone trying to impersonate the web site (in other words, steal its identity). For the purpose of this post, I'm not going to worry about the specific error - all of the above have equivalents in the web world, but understanding the error is advanced material. I'm just going to lump them all together. I'm also not going to get into how someone might be doing this, as that's also rather technical.
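To make the driver's license analogy concrete, here is an added example (not from the original post) that models the three checks a browser makes on a site's certificate: was it issued by someone the browser trusts, is it within its validity period, and does the name on it match the site you asked for (including a simple "*.example.com" wildcard). The Certificate class, the trust store and the dates are constructed stand-ins, not real certificate parsing.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed, simplified model of a site's certificate (assumed fields).
@dataclass
class Certificate:
    subject: str                 # the name the site claims, e.g. "www.example.com"
    issuer: str                  # who signed it (the "state" that issued the license)
    not_before: datetime         # start of validity period
    not_after: datetime          # end of validity period ("expired" after this)
    alt_names: list = field(default_factory=list)  # other names it is valid for

# Constructed stand-in for the browser's list of trusted issuers.
TRUSTED_ISSUERS = {"Example Root CA"}

def utc(year, month, day):
    """Helper: a UTC timestamp for the sample dates used below."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def name_matches(pattern, hostname):
    """Exact match, or a single leading '*' label (so '*.example.com'
    covers 'www.example.com' but not 'example.com' or 'a.b.example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False

def check_certificate(cert, hostname, now=None, trusted=TRUSTED_ISSUERS):
    """Return the problems a browser would warn about; [] means all is well."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if cert.issuer not in trusted:                 # issued by a "state" we don't know
        problems.append("unknown issuer")
    if now < cert.not_before or now > cert.not_after:
        problems.append("expired or not yet valid")
    names = cert.alt_names or [cert.subject]
    if not any(name_matches(n, hostname) for n in names):
        problems.append("name mismatch")           # the details don't match the site
    return problems
```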

So, what should you do? Well there are some factors to consider:

Have you visited the site before?

How did you end up at the web site? Did you click on a link in an email message? Did you type in the URL yourself? Did you select it from your bookmarks? Did you get there from another site?

Where are you? Are you sitting on your home network or at work? Or are you on a network at a public place?

What are you going to the web site to do? Is it your online bank or some other site you are going to type an important password into? Or is it just a site you are planning to read?

Let's take these factors one at a time.

Have you visited the site before? Did you see the certificate error then? If the answers are "yes" and "no", danger! This means something has changed and generally that is not a good thing. If this were the case and the web site was at all important to me, I would stop and try again at a later time and/or different place. It's possible it's some mistake the site is not aware of, and you could call their support number to let them know. If you constantly see errors from an important site, it might be time to consider finding a different web site.

How did you get to the site? If you ended up at the web site from anything but your bookmarks, you could easily be the victim of a link designed to mislead you to a malicious site. Or if you typed in the URL, you could have entered a typo and wound up at a look-alike web site. Assuming you have been to the site before and bookmarked it (always a good idea for important sites), go back and load it from your bookmarks and see if the error goes away. If you are loading it from a bookmark, then presumably you've been there before, and it goes back to the question in the previous paragraph - an error in this case is a cause for concern.

Where are you? Or, in other words, what sort of network are you on? If you are sitting in a public place using a public network, be very wary. It's easy for someone sitting nearby (or on the other side of a wall) to be misdirecting your traffic and trying to gather your password (the Symantec web site has a nice discussion of this for more information). Unfortunately, home and work networks are less secure than they used to be thanks to an issue with DNS security (sorry, I won't explain DNS here, just know it's one of the key services to how the Internet works). This means being on a home or work network would make me a little more comfortable, but not much; it would depend on how confident I was that the administrator was keeping up with these vulnerabilities. If I know the administrator and they tell me they are on top of the DNS problems, I'm comfortable. If you are sitting in a home, it's a question of how much you trust that home's internet service provider (ISP), to which my general answer is "not much" unless I've checked things out myself.

Finally, what are you going to the web site to do? If I'm going to my online bank and my answer to any of the above questions leads me to be cautious, I'm not going to do it. Just too dangerous. If I'm going to a site that isn't that sensitive, where I'm not going to be typing any important passwords or looking at any information that's sensitive (remember the same security that allows you to authenticate the web site also provides for confidentiality; if the first is broken, so is the second), I might go ahead. It's a risk, and I have to balance that risk with how badly I need to get whatever I'm doing done and how serious the threat is based on the answers to the questions above.

I can't really answer that question for you as there are too many factors, but hopefully this post gives you some understanding about the risks to come to your own answer.

Sunday, July 13, 2008

Dealing with password overload

One of the most frequent questions I get asked is how to manage passwords. It seems like every web site requires you to have a password, and if you listen to some security advice, you should have a different password for each web site and write none of them down. Well, unless you have the memory of a computer, that's just not practical. In this post, I'll share my strategy for managing my passwords. It involves categorizing your passwords based on their importance, and taking an approach that balances security and ease of use.

I'm going to focus this post on passwords for the web. It could also apply to passwords for other things (it does in my case), but I'm guessing most of you use passwords primarily for the web, and focusing on those will keep this post simpler. I'm also going to assume you use a personal computer in your home that only you access, or at least only you and people you trust. If you are using a public terminal, or have others accessing your computer who you don't entirely trust (e.g., roommates, kids, dogs), you will have to wait for another post.

OK, on to the advice...

Not all passwords are created equal. The first thing I do with any new password is to decide how important it is to protect the password. Some passwords, such as the one for my online bank account, are very important to me - if they were to fall into the wrong hands it would mean real pain and suffering (i.e., financial loss). I'll call this group of passwords the important group. Many of the passwords I have are not that important. I care somewhat about them, but their misuse would be annoying but not disastrous. And, I tend to use them often, so having them be easy for me to use is important. An example is my password for a dog training discussion group; I read the group every day and if someone were to get the password, they could cause me some embarrassment (they could make fake posts claiming to be me), but no lasting harm.

How you categorize your passwords may differ from how I categorize mine. You may consider some passwords important that I don't, or vice-versa. The key concept is not the exact method I use, but the general strategy. Once I've decided the importance of a password, I apply a method to protect it that is in proportion to its importance.

Why not just protect all passwords as if they were important? Because protection is a trade-off with ease of use. As I describe subsequently, I protect my most important passwords in a way that makes them inconvenient to use. While I don't mind jumping through the extra hoops to protect my online banking, it's more effort than I want to make during my daily web surfing routine.

Except for your important passwords, let your web browser do the heavy lifting. You might have noticed that most of the time when you enter a user name and password into a web site, your web browser will ask if you want it to remember the password for you. Except for passwords in my important group, my answer is always a resounding "Yes". This gives me easy access to this password for future web browsing.

I also record these passwords (using the same method I use for important passwords, described next) for two reasons. First, if I use a different computer (hence a web browser that doesn't know my passwords), this allows me to access my normal web sites. Second, if some catastrophe were to occur and I were to lose my computer or its hard drive, the recorded passwords save me from trying to recall all my passwords.

High security for the important passwords. For the important passwords, I don't have my browser remember them, instead I write them down. Yes, write them down. Contrary to "old school" advice to never write passwords down, there are just too many passwords to remember today. I believe it's better security to create a different password for each of the important web sites I use and to write it down, than it is to deal with the limitations of my memory.

When I say "write down," it literally can be that simple. A viable low-tech option is to write the passwords down on a piece of paper and then keep that paper somewhere safe, such as your wallet, purse, or locked in a desk drawer. The high-tech alternative (and what I do) is to use a password management program such as Password Safe, KeePass, or Apple's Keychain. I'll talk about these more in a later post.

What this decision means is that if I'm doing online banking, or accessing some other web site of importance to me, I have to get at my written passwords. Inconvenient, yes, but this prevents anyone who has access to my browser, either physically or via a worm or virus, from easily getting at these important passwords.

Generating passwords. Up until now I've discussed how to handle passwords I already have. What about generating new passwords? I create a new, different password for each web site. The nice thing about using the methods described above is that I don't have to remember any of these passwords, so this different-password-per-website doesn't add any burden. And, it gives me some extra security in that if someone gets ahold of one password, they only can access one of my web sites.

How do I create all these passwords? The trick is to pick a password that isn't easily guessable. This means no words in the dictionary (English or otherwise), and nothing so simple as replacing all the "i"s with "1"s, "e"s with "3"s, etc. There are two methods I use. The first is to create a password that is completely random characters. The password management programs I mentioned before all have built-in password generators that will do this for you.

The second method is to choose a sentence that is meaningful and then use the first letter from each word. Choose a sentence that incorporates some numbers and include those directly, and/or use some creative substitutions like "&" for "and", "@" for "at", etc. Some examples: "My favorite football team is the San Francisco 49er's" would become "MfftitSF49ers", "Tom and Jerry are the best" would become "T&Jatb", "The dog always barks at 5 AM" becomes "Tdab@5AM", etc. As you see, you can create some very hard-to-guess passwords that are memorable to you. I use this method a lot for work passwords that I type everyday and hence want to remember.
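The two generation methods above, plus the "no dictionary words, no simple letter-for-digit swaps" rule, as an added example (not from the original post). The random generator uses the operating system's cryptographic random source, as a password manager's generator would; sentence_password applies the post's rules (first letter of each word, numbers and all-caps tokens kept whole, "and" and "at" swapped for "&" and "@") and reproduces the post's own three examples; the word list is a tiny constructed stand-in for a real dictionary.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

def random_password(length=16, alphabet=ALPHABET):
    """Method 1: completely random characters, drawn with secrets (CSPRNG)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work for a random password: log2(alphabet size ^ length)."""
    return length * math.log2(len(alphabet))

SUBSTITUTIONS = {"and": "&", "at": "@"}   # the post's creative substitutions

def sentence_password(sentence):
    """Method 2: first letter of each word of a memorable sentence.
    Numbers and all-caps tokens (49er's, AM) are kept whole; punctuation dropped."""
    out = []
    for word in sentence.split():
        clean = "".join(ch for ch in word if ch.isalnum())
        if not clean:
            continue
        if clean.lower() in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[clean.lower()])
        elif any(ch.isdigit() for ch in clean) or (len(clean) > 1 and clean.isupper()):
            out.append(clean)
        else:
            out.append(clean[0])
    return "".join(out)

# Undo the common "i"->"1", "e"->"3", "a"->"4", "o"->"0", "s"->"$", "a"->"@" swaps.
LEET = str.maketrans("1340$@", "ieaosa")
WORDS = {"password", "secret", "welcome", "letmein"}   # constructed stand-in dictionary

def is_guessable(password):
    """The post's rule: a dictionary word is out, even with digit/symbol swaps."""
    return password.lower().translate(LEET) in WORDS
```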

That's it. Hope you found this useful.

Monday, June 23, 2008

Hello and welcome. I just got this site set up and will be posting the first article soon. Please stay tuned.