February 24, 2009
Lately I've had several people contact me to complain about bogus certificates with their email servers. Why are they contacting me? Well, the certificates are labelled RTFM, Inc.: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, O=RTFM, Inc., OU=Widget...
Educated Guesswork
at 12:10 AM
February 17, 2009
Joe Hall posts about TrapCall, a system for circumventing caller-id blocking (it also does call recording and voicemail transcription). I thought it might be worth explaining what's going on for those who aren't too familiar with the innards of telephony. The important thing to know is that telephon...
Educated Guesswork
at 10:28 PM
February 14, 2009
NYT reports on Hughes Telematics' plans to provide networked access to various aspects of your vehicle's operations: Hughes Telematics, which is behind the communications systems in Chrysler and Mercedes-Benz vehicles that are to make their debuts this summer, is headed in that direction. Its next-g...
Educated Guesswork
at 12:46 AM
January 18, 2009
Sorry it took me so long to get back to this topic. In previous posts I started talking about the possibility of replacing DNSSEC with certificates. Obviously, this can be done technically, but is it a good idea? The basic argument here (advanced by Paul Vixie but also others) is that putting keys i...
Educated Guesswork
at 11:51 PM
December 20, 2008
According to recent news coverage [*] [*] [*] Estonia is going to start allowing voters to use mobile phones to authenticate themselves for e-voting. It's a little hard to decipher the coverage, but this article suggests that voters aren't going to use the phone for the entire process but instead ar...
Educated Guesswork
at 11:13 PM
November 29, 2008
OK, so opinions differ about whether or not it's a good idea to encourage the use of self-signed certificates for SSL servers. As I read the situation, the basic arguments go like this: For: Active attacks are relatively uncommon but passive sniffing is a big problem, so the world would be better of...
Educated Guesswork
at 12:59 PM
November 27, 2008
As you may have heard, President-Elect Obama may need to give up his Blackberry for "security reasons": But before he arrives at the White House, he will probably be forced to sign off. In addition to concerns about e-mail security, he faces the Presidential Records Act, which puts his correspondenc...
Educated Guesswork
at 2:46 AM
October 22, 2008
One of the things I noticed in my review of OAuth was a pretty confusing section about entropy depletion: The OAuth protocol has a number of features which may make resource exhaustion attacks against Service Providers possible. For example, if a Service Provider includes a nontrivial amount of entr...
Educated Guesswork
at 2:07 AM
July 15, 2008
In the comments section, Olle (the proposal author) responds to my comments on IPETEE: "Like IPsec, IPETEE lives at the IP layer" No, IPSec is an IP protocol, IPETEE is an application layer wrapper totally independent of IP-transport. It could just as well be used over any other network transport. "...
Educated Guesswork
at 1:16 AM
May 22, 2008
As you may have heard by now, Debian introduced a distribution level patch to OpenSSL that pretty much completely wiped out the PRNG, with the result that it generated predictable keys. Plenty has been written about this, but it's worth noting that this bug has been hanging around for two years and ...
Educated Guesswork
at 10:24 PM




