StumbleUpon | Hobbadehoy's favorites

19 January 2010

My Desktop Application list

These are the applications that I need to have on my computer:

The list has increased over the last couple of years. I would have liked to cut it down, but right now I don't know where to start.
I would like comments on how I can cut down on this list.

    18 January 2010

    Warning note: Poor security checks in "hidden" OpenSSO Administration feature

    If you follow one of the many OpenSSO installation guides you will quickly get an OpenSSO installation up and running. It's really nice that there are so many good and quick guides to the OpenSSO installation.
    But of course, when a guide is short, some details are always left out.

    For example, have you ever seen the web version of the admin command ssoadm? It's handy to have a web servlet giving you the power that you need. But creating a web servlet with all the power of ssoadm must be done with care, and here the developers behind OpenSSO have failed.

    This is how the web version of ssoadm is protected (an excerpt from the servlet's request handling; the method continues after the token validation):


    // The kill switch: the servlet is OFF only when ssoadm.disabled is set to "true".
    // The default "false" means the feature is ON in every installation that never
    // heard of the property.
    String strDisabled = SystemProperties.get("ssoadm.disabled", "false");
    if (Boolean.parseBoolean(strDisabled)) {
        response.sendRedirect(SystemProperties.get(
            Constants.AM_SERVICES_DEPLOYMENT_DESCRIPTOR));
    } else {
        try {
            // Authentication only: the caller's SSO token is created from the
            // request and validated. Nothing after this point asks whether the
            // caller is an administrator.
            SSOTokenManager manager = SSOTokenManager.getInstance();
            SSOToken ssoToken = manager.createSSOToken(request);
            manager.validateToken(ssoToken);



    From this you can see that they have made at least two mistakes. First, the feature should have been disabled by default, not enabled: the servlet is only turned off when ssoadm.disabled is set, and the default value is "false". Note also that Boolean.parseBoolean returns true only for the string "true" (in any case), so an administrator who writes ssoadm.disabled=1 or ssoadm.disabled=yes has not disabled anything. The second mistake is that there is no authorization check before the servlet is presented. Creating and validating the SSO token establishes who the caller is (authentication), but nothing checks whether that caller is allowed to administer the server. Ok, the built-in authorization checks in the ssoadm command itself still apply. The practical result is that any user who can log in, not just an administrator, can retrieve all the configuration data they want. (They will need to do some more digging before they can update the configuration, because of the checks in ssoadm itself.)


    Why is this powerful admin command so available?

    I really think that the people behind OpenSSO now need to remember:

    "Secure by default"
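As an added illustration for this post, here is the same gate written so that it fails closed at every step. This is example code, not OpenSSO's own servlet. It assumes two hypothetical settings that do not exist in OpenSSO: ssoadm.enabled (must be exactly "true" to turn the servlet on, default off) and ssoadm.admins (comma-separated principal names allowed to use it); it also assumes that SSOToken.getPrincipal().getName() returns the user's DN and that the admin list is written in the same form. SystemProperties, SSOTokenManager, SSOToken and SSOException are the OpenSSO classes from the snippet above; everything else is the standard servlet API.

```java
// Added example, not code from OpenSSO. Hypothetical settings used here:
//   ssoadm.enabled - must be exactly "true" to turn the servlet on (default off)
//   ssoadm.admins  - comma-separated principal names allowed to use it
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

public class GuardedSsoadmServlet extends HttpServlet {

    /** Secure default: off unless explicitly "true". Boolean.parseBoolean only
     *  returns true for "true" (any case), so "1", "yes" or a typo leave it off. */
    static boolean isEnabled() {
        return Boolean.parseBoolean(SystemProperties.get("ssoadm.enabled", "false"));
    }

    /** Principals allowed to use the servlet. Empty when unconfigured, which
     *  means nobody is authorized rather than everybody. */
    static Set<String> adminPrincipals() {
        Set<String> admins = new HashSet<String>();
        for (String name : SystemProperties.get("ssoadm.admins", "").split(",")) {
            String trimmed = name.trim();
            if (trimmed.length() > 0) {
                admins.add(trimmed.toLowerCase());
            }
        }
        return admins;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Kill switch first. A deployment that never configured the servlet
        //    gets a 404, so the feature is not even advertised.
        if (!isEnabled()) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 2. Authentication: who is calling? This is all the original code did.
        String principal;
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            SSOToken token = manager.createSSOToken(request);
            manager.validateToken(token);
            // Assumption: getPrincipal().getName() is the user's DN in OpenSSO,
            // and ssoadm.admins lists DNs in the same form.
            principal = token.getPrincipal().getName().toLowerCase();
        } catch (SSOException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 3. Authorization: is this authenticated caller an administrator?
        //    This is the check the original code skipped.
        if (!adminPrincipals().contains(principal)) {
            log("ssoadm web denied for " + principal + " from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        serveAdminPage(response, principal);
    }

    /** Stand-in for the real ssoadm handling; reached only by an enabled,
     *  authenticated and authorized request. */
    private void serveAdminPage(HttpServletResponse response, String principal)
            throws IOException {
        response.setContentType("text/plain");
        response.getWriter().println("ssoadm web: authorized as " + principal);
    }
}
```

The order matters: the kill switch is evaluated before any token work so a disabled servlet costs nothing and leaks nothing, authentication comes next, and authorization is a separate, explicit step that fails closed when the admin list is empty. In a real deployment the admin list would more naturally come from the server's own delegation privileges than from a property, but the three-step structure is the point.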

    18 November 2009

    Norwegian Netbanks' SSL Certificates (use of Extended Validation)

    I had some fun today going through some of the Norwegian netbanks' SSL certificates. My question was whether they used certificates with extended validation, you know, those certificates giving a green address bar in your browser. My results show that only 1/4 of the banks are using them.


    Those banks that host their own dedicated netbank should upgrade to an Extended Validation certificate next time. And of course make sure that you have your own company name in the Organization part of the certificate, and not IBM Danmark.

    The other banks, those hosted by EDB, well. Would you like to promote your bank or your partner?
    I can't see how they can start using extended validation certificates without starting to promote EDB.

    Here are the results (dates are dd.mm.yy):

    Bank                         DNS                        Cert. Organization                      Valid from - to      EV
    DnB NOR                      www.dnbnor.no              DnB NOR Bank ASA                        13.11.08 - 14.11.10  Yes
    Nordea                       nettbanken.nordea.no       Nordea Bank Norge ASA                   05.02.09 - 03.03.10  No
    Sparebank 1 Oslo & Akershus  www2.sparebank1.no         SpareBank 1 Gruppen                     22.10.09 - 24.10.11  Yes
    Sparebank Vest               nettbank.spv.no            Sparebank Vest                          19.01.09 - 20.01.11  Yes
    Fokus Bank                   nettbank.fokus.no          Danske Bank AS                          17.06.08 - 18.06.10  No
    Skandiabanken                secure.skandiabanken.no    Forsakringsaktiebolaget Skandia (publ)  11.05.09 - 12.05.11  Yes
    Gjensidige Bank              www.gjensidige.no          GJENSIDIGE FORSIKRING BA                22.09.09 - 23.09.11  No
    Bank2                        www.terra.as               Terra Gruppen AS                        30.09.09 - 17.12.10  No
    Bank Norwegian               nettbank.banknorwegian.no  IBM Danmark A/S                         22.09.09 - 23.09.11  No
    YA Bank                      www.portalbank.no          IBM Danmark A/S                         11.07.08 - 12.07.10  No
    Then you have all the banks using the services of EDB Business Partner.
    These are banks like SEB Privatbanken, Storebrand Bank, BNP Paribas Oslo Branch, Handelsbanken and Verdibanken.
    They all use the same server at EDB:

    DNS               Cert. Organization        Valid from - to      EV
    nettbank.edb.com  EDB Business Partner ASA  22.07.09 - 22.08.11  No
    The bank Santander, the bank behind begyrfri.no, is using another EDB Business Partner server, https://secure.edb.com, with a certificate valid from 27.10.08 to 28.10.11.
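The survey above can be repeated with nothing but the openssl command-line tool. The script below is an added example, not from the original post: it fetches the leaf certificate a host presents, prints the subject Organization and the validity period, and decides "EV" the way a browser does, from the certificatePolicies OIDs in the certificate. The EV OID list is illustrative (the CA/Browser Forum EV OID plus a few CA-specific ones), not a complete registry. To make it runnable offline it also builds two constructed self-signed certificates, one carrying EV policy OIDs and one with none; the names "Example Bank ASA", "Example Hosting AS", nettbank.example.no and nettbank.example.com are made up and are not real bank data.

```shell
#!/bin/sh
# Added example, not from the original post: report Organization, validity
# and EV status of TLS certificates using only the openssl CLI.
# EV is signalled by a certificatePolicies OID; this list is illustrative.
EV_POLICY_OIDS="2.23.140.1.1 2.16.840.1.114412.2.1 2.16.840.1.113733.1.7.23.6 1.3.6.1.4.1.4146.1.1 2.16.840.1.114028.10.1.2 1.3.6.1.4.1.6449.1.2.1.5.1"

# Fetch the leaf certificate a host presents on 443 (with SNI) into a PEM file.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Subject Organization (O=). One RDN per line, so commas inside values do not matter.
cert_org() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*O[[:space:]]*=[[:space:]]*//p'
}

# Validity period as openssl prints it (notBefore=..., notAfter=...).
cert_validity() {
    openssl x509 -in "$1" -noout -startdate -enddate
}

# "yes" if any certificatePolicies OID is a known EV policy OID, else "no".
ev_status() {
    policies=$(openssl x509 -in "$1" -noout -text | sed -n 's/^[[:space:]]*Policy: //p')
    for p in $policies; do
        for ev in $EV_POLICY_OIDS; do
            if [ "$p" = "$ev" ]; then
                echo yes
                return 0
            fi
        done
    done
    echo no
}

report_cert() {
    printf '%s\n' "Certificate file:     $1"
    printf '%s\n' "Organization:         $(cert_org "$1")"
    cert_validity "$1" | sed 's/^/  /'
    printf '%s\n' "Extended Validation:  $(ev_status "$1")"
}

# Constructed sample certificates (no real bank data) so the report can be
# exercised offline: the first carries the CA/B Forum and DigiCert EV policy
# OIDs, the second has no policies at all.
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=NO/O=Example Bank ASA/CN=nettbank.example.no" \
        -addext "certificatePolicies=2.23.140.1.1,2.16.840.1.114412.2.1" \
        -keyout "$1/ev.key" -out "$1/ev.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=NO/O=Example Hosting AS/CN=nettbank.example.com" \
        -keyout "$1/dv.key" -out "$1/dv.pem" >/dev/null 2>&1
}

if [ $# -gt 0 ]; then
    # Usage: sh ev_check.sh www.dnbnor.no nettbanken.nordea.no ...
    for host in "$@"; do
        tmp=$(mktemp)
        if fetch_cert "$host" "$tmp"; then
            echo "$host"
            report_cert "$tmp"
        else
            echo "$host: could not fetch certificate"
        fi
        rm -f "$tmp"
    done
else
    dir=$(mktemp -d)
    make_sample_certs "$dir"
    report_cert "$dir/ev.pem"
    report_cert "$dir/dv.pem"
    rm -rf "$dir"
fi
```

Run it with host names as arguments to check live sites, or with none to see the two constructed certificates. The Organization line is the one to compare against the bank's own name (IBM Danmark A/S in the table above is exactly what this column reveals), and the EV answer only tells you whether a policy OID in the list is present; a browser additionally requires the issuing CA to be in its EV root list, which this script does not check.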



    Other information that I found in my search and that I find funny: