My Desktop Application list

These are the applications that I need to have on my computer:

• Putty
• Cygwin
• WinSCP
• Apache Directory Studio
• Fiddler
• Burp Suite
• Eclipse
• TortoiseSVN
• Notepad++
• XMind
• Microsoft Visio
• Firefox
• Opera 
  
• Internet Explorer
  
• 7-zip
• Bullzip PDF Printer
• Paint.Net
• Windows Live
• Google Talk
• VLC Media Player

 The list have increased over the last couple of years. I would have liked to cut down, but right now I don't know where to start.
I would like comments on how I can cut down on this list.

Warning note: Poor security checks in "hidden" OpenSSO Administration feature

If you follow one of the many OpenSSO installation guides you will quickly get a OpenSSO installation up and running. It's really nice that it some many good and quick guides to the OpenSSO installation.
But of course when the guide is short, it's always some details that's left out.

For example, have you ever seen the web version of admin command ssoadm? It's handy to have a web servlet giving you the power that you need. But creating a web servlet with all the power of ssoadm, must be done with care.  But here the developers behind OpenSSO have failed.

This is how the web version of sso admin is protected:


String strDisabled = SystemProperties.get("ssoadm.disabled", "false");
    if (Boolean.parseBoolean(strDisabled)) {
        response.sendRedirect(SystemProperties.get(
            Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR));
    } else {
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            SSOToken ssoToken = manager.createSSOToken(request);
            manager.validateToken(ssoToken);


From this you can read out that they have made at lest 2 failures. First of all the feature should have been disabled by default, and not enabled. The second mistake that they have done is to drop the authorization check before the servlet is presented. There are NO authorization checks. Ok, they still have the build in authorization check in the ssoadm command it self. This lack of check of authorization means that all users can retrive all the configuration data that they want. (They will need to do some more digging before they can update the configuration, because of the checks in ssoadmin it self.)


Why are this powerful admin command so available?

I really think that the guy's behind OpenSSO now need to remember:

"Secure by default"

Norwegian Netbanks SSL Certificates (use of Extended Validation)

I had some fun today, going through some of the Norwegian netbanks SSL-Certificates. I questions was if they used Certificates with extended validation. You know those certificates giving a green address bar in your browser.  My results shows that it's only 1/4 of the banks that are using it. 


Those banks that host their own dedicated netbank should upgrade to a Extended validation certificate next time. And of course make sure that  you have your own company name in the Organization part of the Certificate and not IBM Danmark.

The other banks that are hosted by EDB, well. Would you like to promote your bank or your partner?
I can't see how they can start using extended validation certificates without starting to promote EDB.

Here are the results:

Bank	DNS	Cert.Organization	Valid to /from	Extended Validation
DnB NOR	www.dnbnor.no	DnB NOR Bank ASA	13.11.08 - 14.11.10	Yes
Nordea	nettbanken.nordea.no	Nordea Bank Norge ASA	05.02.09 - 03.03.10	No
Sparebank 1 Oslo & Akershus	www2.sparebank1.no	SpareBank 1 Gruppen	22.10.09 - 24.10.11	Yes
Sparebank Vest	nettbank.spv.no	Sparebank Vest	19.01.09 - 20.01.11	Yes
Fokus Bank	nettbank.fokus.no	Danske Bank AS	17.06.08 - 18.06.10	No
Skandiabanken	secure.skandiabanken.no	Forsakringsaktiebolaget Skandia (publ)	11.05.09 - 12.05.11	Yes
Gjensidige Bank	www.gjensidige.no	GJENSIDIGE FORSIKRING BA	22.09.09 - 23.09.11	No
Bank2	www.terra.as	Terra Gruppen AS	30.09.09 - 17.12.10	No
Bank Norwegian	nettbank.banknorwegian.no	IBM Danmark A/S	22.09.09 - 23.09.11	No
YA Bank	www.portalbank.no	IBM Danmark A/S	11.07.08 - 12.07.10	No

Then you have all the banks using the services of EDB Business partner.
This is banks like: SEB Privatbanken, Storebrand Bank, BNP Paribas Oslo Branch, Handelsbanken and Verdibanken.
They all use the same server at EDB:

DNS	Cert.Organization	Valid to /from	Extended Validation
nettbank.edb.com	EDB Business Partner ASA	22.07.09 - 22.08.11	No

The Bank Santander, the bank behind begyrfri.no, are using another EDB Business partner, https://secure.edb.com, with a valid certificate from 27.10.08 to 28.10.11



Other information that I found in my search and that I find funny:

• The e-mail address registered for the domain sparebank1.no is: Bent.Kristiansen@sparebank1.no. I wonder what type of information I can find about this guy?
• The e-mail address registered for the domain banknorwegian.no is: michael.myran@banknorwegian.no. I wonder what type of information I can find about this guy?
• Why are Skandiabanken shouting out that they use: Microsoft-IIS/6.0, AspNet-Version: 2.0.50727?
• Why are EDB business shouting out that they use: WebSphere Application Server/6.1?