Security issues with Computers and other Information/Communications Technology
TPC
CMRG best practices currently recommend the use of a TrustedPhysicalConsole, also known as a TPC.
A TPC, combined with a healthy Public Key Infrastructure, strong cryptography, and backend server resources controlled by people you trust, provides for an unprecedented level of private, authenticated, global communications. However, most ICT users today don't know enough or have enough support to make good use of these tools.
TLS/X.509 workarounds
If you are trying to offer two separate name-based web services over HTTPS from a single IP address, you should look into using the SubjectAltName X.509 extension, which lets a single certificate list every hostname it is meant to serve.
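The client side of that arrangement is what makes SubjectAltName matter: a browser compares the hostname it asked for against the certificate's SAN entries. The following is an added example (not CMRG's or the page's own code) that performs that check over a constructed SAN list in the same (type, value) tuple shape that Python's ssl.getpeercert() reports under 'subjectAltName', including the wildcard rules a client is expected to apply.

```python
"""Check which SubjectAltName entries of one certificate cover a requested host."""
import ipaddress

# Constructed sample: the SAN extension of a single certificate serving two
# name-based HTTPS sites from one IP address. All values are made up.
SAMPLE_SAN = (
    ("DNS", "www.example.org"),
    ("DNS", "wiki.example.net"),
    ("DNS", "*.example.net"),
    ("IP Address", "192.0.2.10"),
)


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard allowed only as the
    entire left-most label, and a wildcard never spans a label boundary."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False  # reject partial wildcards (f*o.example) and bare "*.tld"
    if len(plabels) != len(hlabels):
        return False  # "*" stands for exactly one label
    return plabels[1:] == hlabels[1:]


def hostname_is_covered(san, hostname: str) -> bool:
    """True if the certificate's SubjectAltName covers the requested hostname.
    IP literals are compared as addresses, so they never match a DNS entry."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san:
        if kind == "DNS" and ip is None and _dns_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
    return False


if __name__ == "__main__":
    for host in ("www.example.org", "blog.example.net", "deep.blog.example.net", "192.0.2.10"):
        print(f"{host:24s} covered={hostname_is_covered(SAMPLE_SAN, host)}")
```

A certificate that only carries the first name in its Subject CN would fail this check for every other site on the address, which is exactly the browser warning the SAN extension avoids.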
fundamental free tools for cryptographically-secure communications
If you want to do cryptographically-secure communications over the internet using free tools, you should become familiar with a few staples:
network authentication schemes
other links
Some pages worth reading when thinking about security in today's networked environment include:
- the W3C's analysis of security issues with HTTP/1.1
- Bruce Schneier's blog and web site
- the Debian Security Audit
- dkg's article about social flaws in the TLS protocol
- Microsoft, VeriSign, and Certificate Revocation by Gregory L. Guerin
- Everything you never wanted to know about PKI but were forced to find out by Peter Gutmann
- Common Vulnerability Scoring System, maintained by the Forum of Incident Response and Security Teams (FIRST)
- Cyber Security Bulletins, weekly summaries of announced vulnerabilities, maintained by the USA's Dept. of Homeland Security Computer Emergency Readiness Team (US-CERT) -- these make for interesting reading if you want to get a sense of what classes of attack are being announced
- An introduction to TLS, OpenSSL, and X.509 Certificates By Stephen Cristol
- The Fedora Project's Crypto Consolidation plan: standardizing on libNSS
- Names: Decentralized, Secure, Human-Meaningful: Choose Two (a.k.a. zooko's conjecture)
- The Tor Project's description of hidden services