My Android Adventure begins

So, today I started downloading and configuring Eclipse, the Android SDK, Titanium, and even set up an account at Urban Airship, so let the coolness begin!

It should be very, very interesting to see "what's new in development" these days. I haven't used an IDE since Borland C back in… well, ages ago, anyway. I work faster in vi than in Notepad, so it will surely be interesting to give Eclipse a go.

Watch out for more posts on my android progress!

Thoughts on fake SSL certificates for web sites

As you know, a while ago an intruder at one of Comodo's affiliates was able to issue SSL certificates for:

  • (three different)
  • “global trustee”

The likely motive behind the fraudulent certificates was a dictatorial state planning a man-in-the-middle attack, silently monitoring HTTPS traffic to the sites above.

If you control all DNS traffic in and out of the country, this is straightforward: spoof the DNS replies so that the A record for the targeted site points to a proxy that has the bogus certificate installed, decrypts the traffic, and forwards the request on to the real site. Because the certificate was issued by a CA the browser already trusts, the user sees no warning at all.

My suggestion (at least for security-aware techies): an addition to the web browser that remembers the certificate fingerprint, issuer, and expiry date of your favorite HTTPS sites.

Each time you visit an HTTPS site, a simple local lookup compares the site's certificate with the remembered values, and if it has changed, presents the user with a notice and a choice to cancel or investigate. For instance, if the certificate changes from a VeriSign certificate to one from a smaller CA (Comodo, StartCom, etc.) long before the expiry date, you may want to think twice before continuing. A routine renewal shortly before expiry from the same issuer will trigger the same comparison, so the notice needs to let the user accept the new certificate as well.
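To make the suggestion concrete, here is an added example of the remembered-certificate check in Python. It is my own code, not part of the original post and not taken from any browser. The 60-day "early change" window, the host example.com and the certificate bytes in the demo are constructed for illustration; fetch_live_cert shows how the same three values would be pulled from a real connection using only the standard ssl module.

```python
"""Remembered-certificate check for HTTPS sites (trust on first use).

Added example, not code from the original post. It implements the
browser addition described above: remember the fingerprint, issuer and
expiry date of a site's certificate the first time it is seen, then on
later visits compare the presented certificate with what was remembered
and flag a change, treating a change long before the old expiry date or
a change of issuer as the case where the user should cancel or
investigate. EARLY_RENEWAL_WINDOW and the demo values are assumptions.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

# A certificate replaced more than this long before the remembered expiry
# date is flagged as an early change. 60 days is an assumed threshold.
EARLY_RENEWAL_WINDOW = timedelta(days=60)


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


class CertMemory:
    """Per-host memory of (fingerprint, issuer, not_after)."""

    def __init__(self):
        self.store = {}

    def check(self, host, fingerprint, issuer, not_after, now):
        """Compare a presented certificate with the remembered one.

        Returns (status, reason) where status is one of
        'first_seen', 'match', 'renewed' or 'warning'. Only 'warning'
        leaves the remembered entry untouched, so the user decides.
        """
        seen = self.store.get(host)
        new_entry = {"fingerprint": fingerprint, "issuer": issuer, "not_after": not_after}
        if seen is None:
            self.store[host] = new_entry
            return "first_seen", "remembered certificate for %s" % host
        if seen["fingerprint"] == fingerprint:
            return "match", ""
        # The certificate changed; decide whether it looks like a routine renewal.
        reasons = []
        if issuer != seen["issuer"]:
            reasons.append("issuer changed from %r to %r" % (seen["issuer"], issuer))
        remaining = seen["not_after"] - now
        if remaining > EARLY_RENEWAL_WINDOW:
            reasons.append("old certificate was still valid for %d days" % remaining.days)
        if reasons:
            return "warning", "; ".join(reasons)
        self.store[host] = new_entry
        return "renewed", "same issuer, replaced near expiry"


def fetch_live_cert(host, port=443, timeout=10):
    """Fetch a site's certificate over a real TLS connection.

    Returns (fingerprint, issuer_organization, not_after). Needs network
    access, so the offline demo below does not call it.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    # getpeercert() gives the issuer as a tuple of RDNs, each a tuple of pairs.
    issuer = dict(item for rdn in info["issuer"] for item in rdn)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(info["notAfter"]), tz=timezone.utc)
    return fingerprint_der(der), issuer.get("organizationName", ""), not_after


def demo():
    """Offline walk-through with constructed certificates (not real ones)."""
    mem = CertMemory()
    now = datetime(2011, 4, 1, tzinfo=timezone.utc)
    expiry = datetime(2012, 1, 1, tzinfo=timezone.utc)
    # Constructed byte strings stand in for real DER certificates.
    original = fingerprint_der(b"constructed-cert-1")
    replaced = fingerprint_der(b"constructed-cert-2")
    results = [
        mem.check("example.com", original, "VeriSign, Inc.", expiry, now),
        mem.check("example.com", original, "VeriSign, Inc.", expiry, now),
        # Different cert from a different CA, nine months before expiry: suspicious.
        mem.check("example.com", replaced, "Comodo CA Limited", expiry, now),
        # Same CA, ten days before expiry: looks like a routine renewal.
        mem.check("example.com", replaced, "VeriSign, Inc.",
                  expiry + timedelta(days=365), expiry - timedelta(days=10)),
    ]
    return [status for status, _ in results]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The warning path deliberately does not overwrite the remembered entry: the store only changes on first sight or on a change the check judged routine, so a spoofed certificate that the user cancels on leaves the original fingerprint in place for the next visit. A real deployment would persist the store to disk and add an explicit "accept new certificate" action for the cases where the user investigates and is satisfied.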

See Comodo’s blog for more info.

