Well, Steve Friedl does it again: in response to the recent flurry about the MD5 and SHA1 collisions and the End of Cryptography As We Know It[0], he has written another one of his Tech Tips, An Illustrated Guide to Cryptographic Hashes (mentioned in his blog). Even though he claims he is no crypto expert, this either does not show or, if true, even *helps* his writing style: it's clear, it's simple, it helps dispel the hype and hysteria.
[0] Newsflash: the crypto world is NOT, repeat NOT ending this week!
Students in the Faculty of Mathematics and Informatics at the Sofia University are probably familiar with the Network Security elective (and if they are not, they ought to be ;) Nikolay Nedyalkov, one of the course's organizers and a founding member of the Association for Information Security, gave a brief interview in Bulgarian touching on the recent Kaspersky "the-Internet-is-dying" hype, the Internet and security in general, and the pointlessness of any attempt at Internet regulation by the state. The interview was also linked to by the big.bg portal.
Disclaimer: I am also among the lecturers in the Network Security course, as well as a founding member of ISECA.
Somebody said that truth is stranger than fiction. This, however, just defies imagination: it seems that Microsoft Internet Explorer allows JavaScript code to modify the contents of existing windows/frames, even when they are in a completely different domain! If you have a MSIE installation, try and view the demos - it's... enlightening, I guess. Never again trust the URL bar, never again trust the page even when it *looks* genuine - or at least, never trust them if you're viewing the page with MSIE.
I've so far mostly refrained from IE-bashing and such, but this time there's absolutely no choice but to heartily recommend switching away from it - whether to Mozilla Firefox, Opera, Lynx, Safari, or just any other browser... just anything but MSIE! A couple of days ago, Yoz Grahame summarized the reason quite succinctly in his discussion of Joel's web app ideas, and this part still has me laughing each time I reread it:
The current Javascript security philosophy can be easily summarised thus: "No." (And the IE/Win version can be summarised thus: "Well, okay, but just a little bit." (pause) "Hey! Come back here!")
Okay, me off soapbox. Just had to let it off. Sorry if I've spoiled a wonderful morning for ya, but... just had to say it.
Some time ago, there was a running joke about the formula "web designer + webmaster = web disaster". This entry, however, is about an entirely different type of web disasters:
Is there a need to explain what exactly is being shown there? :)
Microsoft have now released an official Knowledge Base article about the removal of support for usernames in HTTP/HTTPS URLs. The great (yep, great, not just good) news is that this will indeed be done for HTTP and HTTPS only, and it will *not* affect FTP URLs, where this is indeed a useful feature every once in a while. The so-so news is that the support for HTTP will be removed altogether, not controlled by an option or anything, but then that's not really as big a problem as it might seem at first sight.
There has been much talk in recent years about the security hazards of a deceptive practice that was little known outside the IT security communities: using the http://username@hostname/ syntax for a URL to fool the user into going to an unexpected website: just use a hostname in the username part, as in http://www.cnn.com@extelligence.ringlet.net/, and there are people who would really think they are going to the CNN site. This works even better if the real hostname is disguised as an IP address or some other weird representation, like binary or just URL-encoding. Recently, this has become more widely known, as several large-scale scamming operations used this technique to lure unsuspecting users to their own websites.
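Since the whole trick relies on the reader looking at the wrong part of the URL, the useful defensive check is to parse the URL the way a browser does and report where it actually leads. The following is an added example, written for this entry and not code from Microsoft, NetCraft or the Knowledge Base article; it uses only the Python standard library, treats userinfo in http/https URLs as suspicious while leaving ftp URLs alone (the distinction the article above makes), and also undoes the disguises mentioned here for the real host: percent-encoding and single-number IP forms (decimal, hexadecimal, octal). The sample URLs at the bottom are constructed for illustration.

```python
"""Flag http://user@host/ style spoofing and recover the real destination host.

Added example for this blog entry; not part of any browser or vendor code.
"""
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Schemes where a userinfo part is essentially never legitimate for end users.
# FTP is deliberately left out: "ftp://user@host/" is a normal, useful URL.
WEB_SCHEMES = {"http", "https"}


def decode_numeric_host(host):
    """Turn a single-integer host into dotted-quad form.

    Handles decimal ('2130706433'), hexadecimal ('0x7f000001') and octal
    ('017700000001') spellings, all of which browsers of the time accepted.
    Returns None when the host is not a single integer literal.
    """
    h = host.strip("[]")
    try:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", h):
            n = int(h, 16)
        elif re.fullmatch(r"0[0-7]+", h):
            n = int(h, 8)
        elif re.fullmatch(r"[0-9]+", h):
            n = int(h, 10)
        else:
            return None
        return str(ipaddress.IPv4Address(n))
    except ValueError:          # AddressValueError is a ValueError (out of range)
        return None


def analyse_url(url):
    """Return a dict describing where the URL really goes and why it looks odd.

    Keys: scheme, userinfo (raw text before '@'), host (decoded real host),
    suspicious (bool) and reasons (list of human-readable findings).
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    # urlsplit splits on the *last* '@', exactly as a browser would, so the
    # "hostname-looking" text on the left ends up in the userinfo.
    userinfo = netloc.rpartition("@")[0] if "@" in netloc else ""
    raw_host = parts.hostname or ""
    host = unquote(raw_host)        # undo %-encoding such as %65xample.com
    reasons = []

    if parts.scheme in WEB_SCHEMES and userinfo:
        reasons.append("userinfo present in an %s URL" % parts.scheme)
        if "." in userinfo or userinfo.lower().startswith("www"):
            reasons.append("userinfo looks like a hostname: %r" % userinfo)

    if raw_host != host:
        reasons.append("percent-encoded host: %r" % raw_host)

    ip = decode_numeric_host(host)
    if ip is not None and ip != host:
        reasons.append("numeric host %r is really %s" % (host, ip))
        host = ip

    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,
        "host": host,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample URLs: the first is the one quoted in the entry above,
    # the rest show the disguises it mentions plus a legitimate ftp:// URL.
    samples = [
        "http://www.cnn.com@extelligence.ringlet.net/",
        "http://www.cnn.com@0x7f000001/",
        "http://www.cnn.com@2130706433/",
        "http://www.cnn.com@%65xtelligence.ringlet.net/",
        "ftp://anonymous@ftp.example.com/pub/",
        "https://www.example.com/",
    ]
    for u in samples:
        r = analyse_url(u)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print("%-10s host=%-28s %s" % (flag, r["host"], u))
        for why in r["reasons"]:
            print("           - " + why)
```

The point of decoding the host rather than merely rejecting '@' is that a filter, proxy log or mail gateway can then show the user (or the analyst) the name the connection will really go to, which is the one piece of information the spoofed URL is designed to hide.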
Now, NetCraft reports that Microsoft has decided to remove the support for username@hostname HTTP URLs from Internet Explorer. Some might see this as a deviation from standards; I personally see it as an unfortunately needed band-aid, which removes very, very rarely used functionality.
Somewhat to my surprise, I actually find that I am with Microsoft on this one, my rants about Outlook 2003's mishandling of Message-Id notwithstanding. There are just two things that bother me somewhat. It would be nice if they would not touch FTP URLs, since, much as I abhor using a browser as an FTP client (that's a subject for another rant, but it *will* be a vicious one), it is sometimes the easiest way. And the other thing - I wonder if the username@hostname support for HTTP could be made an option, off by default, not removed altogether. It may be very rarely used, but it still might come in handy once in a long while.