Bits and Chaos


Between bits and chaos, a sysadmin stands.

Certificate Patrol can really save your pocket

Certificate Patrol is a nice add-on for Firefox: it basically monitors all SSL connections and checks, during activation, whether the exchanged certificate has changed. This is extremely useful for determining whether you are under a man-in-the-middle attack.

To give you an idea: my university has a webmail service, which I use a lot. A couple of days ago, I accessed this service from work, and Certificate Patrol showed this message screen:

The message is a bit cryptic, but the sense is clear if you know how to read it: the Certification Authority that guarantees the authenticity of the site I’m using has changed, and is no longer Cybertrust. So I ran into the operations office and told them that we were under attack, only to discover that they were doing a test, using some (I cannot tell you the name) web proxy to inspect all the SSL connections. Of course, it was just a test, but Certificate Patrol really did its job, alerting me that something strange was happening in the network.

It’s interesting to observe that, prior to the message, I was temporarily unable to access the webmail: I thought it was because they were experiencing problems, while it was due to operations reconfiguring the web proxy. When I was finally able to access the webmail, Firefox told me (using the standard message) that the connection to the website was using an insecure certificate, and my first idea was that they had rebooted the webmail at the university and had somehow changed the certificate, so I clicked, clicked and clicked again to tell Firefox that I was willing to accept the risks.

In fact, I did a stupid thing, because I should not have accepted, at least not easily, that a website was changing its certificate to something not issued by a CA: without Certificate Patrol I would have been unaware of what was really happening.
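The kind of check described in this post, sketched in Python as an added example (this is not Certificate Patrol's code): remember the certificate fingerprint and issuer per host, flag a change of issuer more loudly than a same-CA replacement, and never adopt a changed certificate as the new baseline without an explicit decision. The names `Observation`, `CertMemory` and `demo`, the host name and the proxy CA name are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    host: str
    der: bytes    # certificate bytes as presented in the TLS handshake
    issuer: str   # issuer (CA) name taken from that certificate


class CertMemory:
    """Remembers the certificate last accepted for each host."""

    def __init__(self):
        self._accepted = {}  # host -> (SHA-256 fingerprint, issuer)

    def check(self, obs):
        fingerprint = hashlib.sha256(obs.der).hexdigest()
        known = self._accepted.get(obs.host)
        if known is None:
            # First contact: nothing to compare against, so record it.
            self._accepted[obs.host] = (fingerprint, obs.issuer)
            return "first-seen"
        old_fingerprint, old_issuer = known
        if fingerprint == old_fingerprint:
            return "unchanged"
        # Deliberately do NOT overwrite the stored entry here: a single
        # intercepted connection must not silently become the baseline.
        if obs.issuer != old_issuer:
            return f"ALERT issuer changed: {old_issuer!r} -> {obs.issuer!r}"
        return "WARN certificate replaced, same issuer"

    def accept(self, obs):
        """Explicit user decision to trust the new certificate."""
        self._accepted[obs.host] = (hashlib.sha256(obs.der).hexdigest(), obs.issuer)


def demo():
    # Constructed observations; the byte strings stand in for real DER data.
    host = "webmail.university.example"
    original = Observation(host, b"constructed-cert-1", "Cybertrust")
    renewed = Observation(host, b"constructed-cert-2", "Cybertrust")
    proxied = Observation(host, b"constructed-cert-3", "Inspection Proxy CA")
    memory = CertMemory()
    return [memory.check(o) for o in (original, original, renewed, proxied, original)]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because `check` never updates the stored entry on a mismatch, the alert keeps firing on every connection through the inspecting proxy until `accept` is called.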

And, if you think that you would never experience anything like this, because you always refuse to accept certificates from an unknown CA, you’d better read “Law Enforcement Appliance Subverts SSL” and “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL”, an article that presents another Firefox plugin addressing this kind of vulnerability.


Filed under: Uncategorized

Internet Traffic Consolidation

We had learnt and taught the Internet as a hierarchy of ASNs, starting from local ISPs to regional ones to Tier 1, with traffic gracefully moving between the levels.

This is no longer true, according to this presentation from NANOG47:

  • 150 ASNs account for 50% of all Internet traffic;
  • Revenues from Internet Transit are declining, whilst revenues from Internet Advertisement compensate;
  • The new rule is 30/30: the 30 top destinations (Google, Yahoo, Facebook, …) account for 30% of all traffic, so if you are a provider you’d better make a deal with them: your customers would get a better Internet experience, which is a commercial advantage. As a result, YouTube’s bandwidth bill is a lot less than you could imagine.

It’s time to rewrite some course material.

Filed under: network