SSL

Defcon - Day 0

After crossing 4 states by car we arrived Thursday in Las Vegas for Defcon 17. We obtained our temporary badges, purchased some shwag, and headed off to finally get some good sleep.

Friday:

Moxie Marlinspike gave an excellent talk on defeating SSL. Using specially crafted certificate requests and flawed SSL implementations (currently most of them), one can MITM attack with no degradation in authenticity of an SSL site. Interesting and scary at the same time. Firefox 3.5 is patched with more to follow. OCSP is also a joke and easily defeated.

Next up Jason Ostrom and Arjun Sambamoorthy gave a presentation on hacking video. They have created a tool that ARP poisons RTP video streams and is able to reconstruct the streams into media files. You can also take an existing AVI file and loop it over an existing stream. It was interesting to see new sniffer software attacking a new type of data stream. In the attack against the Cisco phone, they had a cool hack for causing the phone to reboot and push a new config over TFTP in order to disable anti-spoofing settings.

After my video fix I hung around for Robert Clark's update on the state of Computer and Internet Law. This high-ranking DHS employee had a surprisingly good sense of humor and also provided some tips for handling police and border searches. Remember folks, if cops show up to your house to "talk", they're trying to get you to consent to a search because they don't have enough cause to get a warrant. :)

Tor was the next talk I attended. The topic was why Tor has been slow and what design changes are being considered. Tor relays wrap all individual data channels into one TCP stream. If one channel trips a TCP window adjustment, all the data channels suffer. BitTorrent was also picked on as a culprit of slowing Tor. It also reminded me that I need to get some of my own Tor relays up again. This talk was given by Roger Dingledine.

The last session I checked into was Dan Kaminsky's unnamed talk which ended up being on PKI and SSL. A lot of it was a rehash of the Moxie SSL presentation and how they can be exploited. It provided more back story, and a bit more detail, but the Moxie presentation was better (and first, which gets you more l33t points).

Tagged as: defcon, hacking, internet law, rtp, security, SSL, tor, video

Running mod_ssl with Virtual Hosts

Like many Drupal developers, at any particular time I'm running dozens of Apache virtual hosts on my workstation. This allows access to each project under a friendly URL. We frequently create sites that employ SSL, which creates a wrinkle: officially, it's not possible to use name-based virtual hosting with SSL.

Simply disabling the SSL features on a development copy isn't the best option, because we need to test this functionality as we're developing.

It turns out that you can use SSL and vhosts together, sort of. Name-based virtual hosts can be configured on port 443 just like any other port. Apache won't stop you, though it will throw a stern warning when it starts up:

Tagged as: Apache, Drupal, SSL, Virtual Hosts

Improving the security of Drupal's securepages module

A common scenario we encounter is where the bulk of a site's traffic is anonymous users, for whom it would be an unnecessary burden on the server to transfer pages with SSL. However, it is still desirable to serve some parts of the site with SSL (typically the admin pages, or perhaps some commerce-related pages). Luckily, the securepages module accomplishes this nicely.

This approach has a drawback, however. The same session cookie is used to access both SSL and non-SSL pages. Since this cookie is passed around in plaintext, it's easily hijacked by an attacker, who can then access your SSL-protected pages with the hijacked session.

Tagged as: Drupal, securepages, security, SSL
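
The shared-cookie drawback described above can be checked from a site's Set-Cookie headers. The following is an added example, not code from the post or from the securepages module: it models which cookies a browser attaches to HTTP and HTTPS requests and reports whether the cookie that authorizes the SSL pages also travels in plaintext. The cookie names and values, and the split-cookie layout shown for contrast, are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie values (names and values are made up).
# SHARED: one session cookie serves both the HTTP and the SSL pages.
SHARED = ["SESSabc123=0f3a9c; Path=/; HttpOnly"]
# SPLIT: assumed mitigation, a second Secure-only cookie guards the SSL pages.
SPLIT = [
    "SESSabc123=0f3a9c; Path=/; HttpOnly",
    "SSLSESSabc123=77be21; Path=/; Secure; HttpOnly",
]


def parse(headers):
    """Map each cookie name to True if it carries the Secure attribute."""
    flags = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags


def sent_with(headers, scheme):
    """Names of cookies a browser attaches to a request using this scheme."""
    return sorted(
        name for name, secure in parse(headers).items()
        if scheme == "https" or not secure
    )


def audit(headers, ssl_auth_cookie):
    """Report whether the cookie authorizing SSL pages is exposed over HTTP."""
    over_http = sent_with(headers, "http")
    return {
        "sent_over_http": over_http,
        "sent_over_https": sent_with(headers, "https"),
        # True means anyone who can read the plaintext traffic can replay
        # the cookie against the SSL-protected pages.
        "ssl_session_exposed": ssl_auth_cookie in over_http,
    }


if __name__ == "__main__":
    print("shared:", audit(SHARED, "SESSabc123"))
    print("split: ", audit(SPLIT, "SSLSESSabc123"))
```

The split layout only helps if the server refuses to authorize SSL pages on the non-Secure cookie alone.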
