
[cobalt-security] Re: OT: SSL Certs



Lee,
Is the certificate for the entire server or just one site?

Bill

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of
cobalt-security-request@xxxxxxxxxxxxxxx
Sent: Saturday, August 17, 2002 12:00 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: cobalt-security digest, Vol 1 #882 - 10 msgs


Send cobalt-security mailing list submissions to
	cobalt-security@xxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
	cobalt-security-request@xxxxxxxxxxxxxxx

You can reach the person managing the list at
	cobalt-security-admin@xxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cobalt-security digest..."


Today's Topics:

   1. Re: OT: SSL Certs (Up The Blues)
   2. RE: OT: SSL Certs (Bradley Caricofe)
   3. RE: OT: SSL Certs (craig)
   4. RE: OT: SSL Certs (njd76)
   5. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Zeffie)
   6. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Zeffie)
   7. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Mailing Lists)
   8. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Zeffie)
   9. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Michael Stauber)

--__--__--

Message: 1
From: "Up The Blues" <blue@xxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] OT:  SSL Certs
Date: Fri, 16 Aug 2002 20:11:44 +0100
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Try Geotrust.


Cheap and works well.

regards

Lee


----- Original Message -----
From: "Chris Burchell" <cburchell@xxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Friday, August 16, 2002 3:55 PM
Subject: [cobalt-security] OT: SSL Certs


> I'm looking for an inexpensive option for obtaining an SSL certificate.
>
> So far, I see:
>
> Thawte - 1 year:  $200
> VeriSign - 1 year:  $400
> IPSCA - 2 years:  $69
>
>
> I'm inclined to go with a name like Thawte, but has anyone had experience
> with certs from IPSCA?
>
> Are there any other relatively inexpensive places to buy SSL certs?
>
> Regards,
> Chris
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>


--__--__--

Message: 2
Date: Fri, 16 Aug 2002 16:59:03 -0400
From: Bradley Caricofe <caricofe@xxxxxxxxxxx>
Subject: RE: [cobalt-security] OT:  SSL Certs
To: cobalt-security@xxxxxxxxxxxxxxx
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

> I'm looking for an inexpensive option for obtaining an SSL certificate.
>
> So far, I see:
>
> Thawte - 1 year:  $200
> VeriSign - 1 year:  $400
> IPSCA - 2 years:  $69

I've tried a couple from RackShack.net for $50 and they work great.

-Brad

--__--__--

Message: 3
Date: Sat, 17 Aug 2002 09:27:24 +1200 (NZST)
From: craig <craig@xxxxxxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-security] OT:  SSL Certs
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

> > I'm looking for an inexpensive option for obtaining an SSL certificate.
> >
> > So far, I see:
> >
> > Thawte - 1 year:  $200
> > VeriSign - 1 year:  $400
> > IPSCA - 2 years:  $69
>
> I've tried a couple from RackShack.net for $50 and they work great.
>
There is also
instantssl.com
freessl.com

most of the cheaper ones only work with IE 5.01 x and above and NE 4.7 and
above




--__--__--

Message: 4
From: "njd76" <njd76@xxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] OT:  SSL Certs
Date: Fri, 16 Aug 2002 17:51:48 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Great site I found that compares them all for you.
www.whichssl.com



-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of craig
Sent: Friday, August 16, 2002 5:27 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-security] OT: SSL Certs

> > I'm looking for an inexpensive option for obtaining an SSL certificate.
> >
> > So far, I see:
> >
> > Thawte - 1 year:  $200
> > VeriSign - 1 year:  $400
> > IPSCA - 2 years:  $69
>
> I've tried a couple from RackShack.net for $50 and they work great.
>
There is also
instantssl.com
freessl.com

most of the cheaper ones only work with IE 5.01 x and above and NE 4.7 and
above




--__--__--

Message: 5
From: "Zeffie" <cobaltlist@xxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR
FLAW!!!!!!  ACTION REQUIRED!
Date: Sat, 17 Aug 2002 03:17:47 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

> Like the man says, just disable logging/emails
>
> I am sure it will just be a remotely exploitable filelimit / email ddos,
>
> Each scan will result in an admin email,  do enough scans from enough
> simulated hosts in such a short period, and the box will die due to
> number of concurrent open emails / drain on resources sending them..

you are incorrect sir...

> I could be wrong tho.. :)

you are :)

Zeffie
http://www.zeffie.com/



--__--__--

Message: 6
From: "Zeffie" <cobaltlist@xxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR
FLAW!!!!!! ACTION REQUIRED!
Date: Sat, 17 Aug 2002 05:15:49 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

> > The recent RaQ4-en-Security-2.0.1-SHP.pkg allows a remote attacker to
> > cause system crashes.  To avoid this I suggest you disable the Scan
> > Detection in Parameters by selecting "do nothing".  Else you might not
> > be happy...
> > I have written a small script that can reproduce the problem
> > consistently.
> > I don't seem to be able to find any way to contact Sun cobalt about
> > this.
> > what to do?  maybe a whitepaper advert??
> > Sun Cobalt Please Call or contact me
> Email Shaun White (shaun.white@xxxxxxx) - he's in charge of security
> stuff, and runs cobalt-security list as well...
> Bruce Timberlake
> Cobalt/Linux Technology Engineer
> Communications Market Area
> Sun Microsystems, Inc. - San Diego

done.
I have asked Shaun to let me know that he has received it.

Zeffie
http://www.zeffie.com/



--__--__--

Message: 7
Date: Sat, 17 Aug 2002 07:38:30 -0500
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR
	FLAW!!!!!!  ACTION REQUIRED!
From: Mailing Lists <listonly@xxxxxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

on 8/17/02 2:17 AM, Zeffie stated:

>> Like the man says, just disable logging/emails
>>
>> I am sure it will just be a remotely exploitable filelimit / email ddos,
>>
>> Each scan will result in an admin email,  do enough scans form enough
>> simulated host in such a short period, and the box will die due to
>> number of concurrent open emails / drain on resources sending them..
>
> you are incorrect sir...
>
>> I could be wrong tho.. :)
>
> you are :)
>
> Zeffie
> http://www.zeffie.com/
>
What is the issue with SHP installed on the Raq4's???

Dave


--__--__--

Message: 8
From: "Zeffie" <cobaltlist@xxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR
FLAW!!!!!!  ACTION REQUIRED!
Date: Sat, 17 Aug 2002 13:06:16 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

> > Well, theoretically it is not impossible to save all replaced files in a
> > safe place (== directory unique to this package), together with
> > checksums of _replacing_ files.  Then the uninstaller could restore the
> > files from backup, and do it only if they were not replaced by yet
> The underlying OS on the Cobalt's is an RPM based Linux distribution. You
> install and uninstall RPM packages at leisure - as often as you want.
> Ok, lets say we install the package Neomail-1.20-1.PKG which contains the
> file neomail-1.2.5-1.noarch.rpm. When you install a PKG file (which
> one or more RPMs), then the RPMs are deleted after installation as they
> no longer needed. That's a standard procedure of the PKG installation
> With "rpm -ql neomail-1.2.5-1" you can query which files it brought aboard
> where they are on the system. However, you cannot (reasonably) recreate
> neomail-1.2.5-1.noarch.rpm and tuck it away as backup. The PKG file with
> which we installed it is gone and also the RPM which it contained has been
> erased automatically after or during the installation.

Actually you could...  and in some cases it's good to backup your configs
depending on who and how the rpms were built.

> Let's spin this thought further
Oh my head!
> Now we install a newer PKG file of the same software: Neomail-1.20-2.PKG
> It contains neomail-1.2.5-2.noarch.rpm and upon installation it replaces
> files which the older neomail-1.2.5-1.noarch.rpm brought aboard.
> Let's assume we don't like the new Neomail and want to go back to the old
> But even if we backed up all files of the old neomail-1.2.5-1.noarch.rpm
> copy 'em back to where they belong: The RPM database still will claim that
> the newer RPM neomail-1.2.5-1.noarch.rpm is installed.

that's because we don't do things like that.  We would just reinstall the
old rpm.  If for some reason we can't move forward.  which doesn't happen
often because of the ways we build things.  (me anyway)

> So although the original functionality could be restored by a smart and
> automated uninstaller, it wouldn't restore the server to the same exact
> condition, as the RPM database still claims otherwise. Unfortunately the
> RPM database is usually the authority which an installer queries to find out
> it's OK to go ahead with an installation or not.
> For unimportant stuff like Neomail this is of no consequence, but for
> critical stuff like Apache, Sendmail, Qpopper, IMAP and so on it's a different

There is no difference.  You should still manage all files on a system.

> The resolution would be:
> If an installer replaced an existing (older) RPM, then a proper and
> complete uninstall has to reinstall the old RPM which previously was aboard. But
> where do you get it from when RPMs are always deleted after PKG installation?

Well, that's what we have ftp sites for. :)
Granted that Sun.Cobalt does not have a location where we can get current
rpms and srpms.
grrrrrr

ak
> It could be remotely downloaded from the internet and then installed.
> ftp.cobalt.com contains the RPMs which a stock and unpatched RaQ usually
> aboard. That would be one possibility in case were third party software
> installs RPM which replace system services. Or an uninstaller could
> download and (partially or completely) re-install the official Sun Cobalt PKG which
> contains the replaced RPM file in such a case.

not really because there are scripts inside of rpms and like a program there
is an order to these things..

<snip>

> FWIW: Windows 2000 Service Pack 3 can't be uninstalled either. ;o)
> Michael Stauber
> Unix/Linux Support Engineer

Ok I'm starting to see the problem.  But I knew it the first time I saw your
work. :) This is not windows.
Things work much differently here.  In the development of rpms we have the
ability to verify how things are building through simple testing before
installing on production machines and then we are installing the same exact
thing.  We don't do ./configure make make install all over.  There is rarely
a need at all to uninstall things...  Unlike MS we build things correctly
and maintain various versions.  Which sometimes can make it into
production... but only after development on devel boxes.

There are reasons for all this rpm fun.

Zeffie
http://www.zeffie.com/
"Windows 2000 Support Engineer" (not)
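The backup-and-checksum uninstaller sketched in the message Zeffie quotes above (save every replaced file in a package-unique directory together with the checksum of the replacing file, and on uninstall restore only what has not been touched since) can be tried out at the file level. The following is an added example written for this archive page; it is not code from the thread, from Sun Cobalt, or from any PKG or RPM tool. Package names, file paths and contents are constructed, and the script deliberately does nothing about the RPM database, which is the gap Michael's messages point at.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Checksum used to recognise the file a given package put in place."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def install_with_backup(pkg: str, files: dict[str, bytes], root: Path, backups: Path) -> dict:
    """Write `files` (path relative to root -> new content) under `root`.

    Every file that already exists is first copied into a directory unique to
    this package, and the checksum of the replacing file is recorded so the
    uninstaller can later tell whether the file is still the one this package
    installed. Hypothetical layout; nothing here is the Cobalt PKG format.
    """
    bdir = backups / pkg
    bdir.mkdir(parents=True, exist_ok=True)
    manifest: dict[str, dict] = {}
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        had_backup = target.exists()
        if had_backup:
            saved = bdir / rel
            saved.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(target, saved)
        target.write_bytes(content)
        manifest[rel] = {"had_backup": had_backup, "replacing_sha256": sha256_of(target)}
    (bdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def uninstall(pkg: str, root: Path, backups: Path) -> dict[str, str]:
    """Undo `pkg` at the file level; returns the action taken per file.

    A file is only restored or removed if its checksum still matches what this
    package wrote. Anything replaced since by another package is left alone
    ("kept"), which is the condition the quoted message asks for.
    """
    bdir = backups / pkg
    manifest = json.loads((bdir / "manifest.json").read_text())
    actions: dict[str, str] = {}
    for rel, entry in manifest.items():
        target = root / rel
        if not target.exists():
            actions[rel] = "missing"
        elif sha256_of(target) != entry["replacing_sha256"]:
            actions[rel] = "kept"
        elif entry["had_backup"]:
            shutil.copy2(bdir / rel, target)
            actions[rel] = "restored"
        else:
            target.unlink()
            actions[rel] = "removed"
    shutil.rmtree(bdir)  # this package's backups are consumed with it
    return actions


def demo() -> dict[str, object]:
    """Constructed scenario: a stock config and two packages that both replace it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, backups = Path(tmp) / "root", Path(tmp) / "backups"
        (root / "etc").mkdir(parents=True)
        (root / "etc/httpd.conf").write_bytes(b"stock config\n")
        # Package A replaces the config and adds a new binary.
        install_with_backup("pkgA", {"etc/httpd.conf": b"pkgA config\n",
                                     "bin/newtool": b"#!/bin/sh\n"}, root, backups)
        # Package B later replaces the same config again.
        install_with_backup("pkgB", {"etc/httpd.conf": b"pkgB config\n"}, root, backups)

        first = uninstall("pkgA", root, backups)   # out of order: the config is B's now
        second = uninstall("pkgB", root, backups)  # hands back A's config, not stock
        return {
            "first": first,
            "second": second,
            "httpd_conf": (root / "etc/httpd.conf").read_bytes(),
            "newtool_exists": (root / "bin/newtool").exists(),
        }


if __name__ == "__main__":
    result = demo()
    result["httpd_conf"] = result["httpd_conf"].decode()
    print(json.dumps(result, indent=2))
```

Running it shows the two halves of the argument: the checksum check keeps the uninstaller from clobbering a file another package has since replaced, but uninstalling out of order still leaves the box with pkgA's config rather than the stock one, and no package database was consulted or corrected at any point.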



--__--__--

Message: 9
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
Organization: SOLARSPEED.NET
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR
FLAW!!!!!!  ACTION REQUIRED!
Date: Sat, 17 Aug 2002 19:35:51 +0200
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Hi Zeffie,

> that's because we don't do things like that.  We would just reinstall the
> old rpm.

EXACTLY. ;o) That's how you do it properly. That's how you and I and a few
others would do it.

The whole point I was trying to make with my previous message was about
that. You can't reasonably put that much logic in an installer that it in all
cases allows you to go back all the way if something fails. In some cases you can
do it, but not in all.

> If for some reason we can't move forward.  which doesn't happen
> often because of the ways we build things.  (me anyway)

Same here.

> Granted that Sun.Cobalt does not have a location where we can get current
> rpms and srpms. grrrrrr

Yeah, I also agree that this would make life a whole deal easier if it were
otherwise. :o(

> >  Or an uninstaller could download
> > and (partially or completly) re-install the official Sun Cobalt PKG
> > which contains the replaced RPM file in such a case.
>
> not really because there are scripts inside of rpms and like a program
> there is an order to these things..

If you'd do an uninstaller that way, then you'd have to take that into
account, of course. But in most cases the scripts in the RPM are very well
needed, so that's not a problem. If it is, then there is always the
--noscripts parameter of the RPM command.

> > FWIW: Windows 2000 Service Pack 3 can't be uninstalled either. ;o)

> Ok I'm starting to see the problem.  But I knew it the first time I saw
> your work. :) This is not windows.

You don't know anything about me, dear colleague. I'm a Linux man through and
through. The only thing I use Windows for is for accounting and for web- and
image design.

> In the development of rpms we have the ability to verify how things are
> building through simple testing before installing on production machines
> and then we are installing the same exact thing.

You're preaching to the choir, so please turn around if you want to continue
your lecture. ;o)

I was using that analogy just to show that even in the Windows world (to
which so many others are used) a clean uninstall is sometimes not possible.
"Clean" and Windows are contradicting terms anyway <shrug>.

> There are reasons for all this rpm fun.

I wouldn't exactly call it fun, especially not after porting 20 RPMs from
the Qube3 to the RaQ550, which is what I did the last two days.

--

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer



--__--__--

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security


End of cobalt-security Digest