0 comments Friday, April 30, 2010

In March this year, there were few shouts about US government forcing certifying Authorities (CAs) to had over SSL key to decrypt mail transfer. Personally I'm not worried till the time the decrypted data is with any govt but it would be a serious issue if anyone else reads my data.


Old school hacks using fake SSL were popular till sometime where the adversary used to issue a fake certificate and client application (mail client/browser) would throw a warning. Those attacks were banking on stupidity of users to ignore the warning and move forward.

Then came a time (I'm not sure if it is over yet) where shady CAs would provide certificate without proper verification.

Now latest findings says few webmail provider were not careful enough to disable few admin-like accounts due to which anyone could have generated a genuinely fake certificate and conduct man-in-the-middle account without ANY warning from any software.

So I thought of conducting the same test on Indian webmail providers which are still popular and may people use it for mailing. I choose following 4 popular services and tired to create an account ssladmin@

1. indiatimes.com
2. rediff.com
3. india.com
4. sify.com

Here are my findings
1. Indiatimes.com - the account creation interface gave an error saying the account is already in use
2. rediff.com - denied saying this username is not allowed
3. india.com - denied saying the username is forbidden
4. sify.com - Oops! sify.com allowed me to create the account. Which means I could have gone to a CA and asked for a SSL certificate.

I got in touch with sify.com authorities but no one responded and they didn't either disabled my account for more than a week. Then I had to get in touch with head of portal business via LinkedIn and finally the account was closed. I'm still to receive a note of acknowledgement but atleast sify users are safe now.



Happy & Safe Browsing

0 comments Thursday, April 15, 2010

Today twitter announced public availability of @anywhere which I thought of giving a shot.
Yes it's easy to setup and works like charm


STEPS:
1. Go to the dev site of twitter anywhere
2. Login using your twitter account & go ahead to create an application
3. All inputs asked are pretty much intuitive
4. Go to you APP detail page & take a not of your API key
5. On your website simply add the code snippet preferably at the end just before


<script src="http://platform.twitter.com/anywhere.js?id=YOUR_API_KEY_HERE&v=1"></script>
<script type="text/javascript">
twttr.anywhere(function(twitter) {
twitter.hovercards();
twitter(".post").linkifyUsers();
});
</script>

6. Bang you are done. Now any twitter username on your webpage will be linked to twitter hovercacrd & a mouse over will show the fun
7. If you want to add this on any blog on blogger.com, simply add a "text/html box" under design layout and paste the code snippet in it.
8. To test I have added the same in this blog & now we'll see a few example with a little shameless plug of my twitter handles ;)

Mouseover these twitter handles to see @anywhere in action

My Twitter handles:
Technical tweets - @rohit11
General fun & casual tweets - @_rohit11
ClubHack - @clubhack



.

1 comments Sunday, April 04, 2010

The way internet has barged into our lives, we have been seeing the world in a very new way.
I stumbled on this image created by Byte Level research LLC which shows the new world


As per Byte Level
Each ccTLD is sized relative to the population of the country or territory, with the exception of China and India, which were restrained by 30% to fit the layout. At the other end of the spectrum, the smallest type size used reflects those countries with fewer than 10 million residents.


[click image to enlarge]