Rohit Srivastawa


am I your ssladmin ?

Sat, 05/01/2010 - 12:53
In March this year, there were a few shouts about the US government forcing Certifying Authorities (CAs) to hand over SSL keys to decrypt mail transfer. Personally, I'm not worried as long as the decrypted data is with any government, but it would be a serious issue if anyone else reads my data.
Old-school hacks using fake SSL were popular for some time, where the adversary would issue a fake certificate and the client application (mail client/browser) would throw a warning. Those attacks banked on the stupidity of users who ignore the warning and move forward.
Then came a time (I'm not sure if it is over yet) when shady CAs would provide certificates without proper verification.
Now the latest findings say a few webmail providers were not careful enough to disable a few admin-like accounts, due to which anyone could have generated a genuinely fake certificate and conducted a man-in-the-middle attack without ANY warning from any software.
So I thought of conducting the same test on Indian webmail providers which are still popular and which many people use for mailing. I chose the following 4 popular services and tried to create an account ssladmin@
1. indiatimes.com
2. rediff.com
3. india.com
4. sify.com

Here are my findings:
1. indiatimes.com - the account creation interface gave an error saying the account is already in use
2. rediff.com - denied, saying this username is not allowed
3. india.com - denied, saying the username is forbidden
4. sify.com - Oops! sify.com allowed me to create the account, which means I could have gone to a CA and asked for an SSL certificate.
I got in touch with the sify.com authorities, but no one responded, and they didn't disable my account for more than a week either. Then I had to get in touch with the head of portal business via LinkedIn, and finally the account was closed. I'm still to receive a note of acknowledgement, but at least sify users are safe now.


Happy & Safe Browsing
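An added example (not part of the original post): a check a webmail provider could run at signup, and over its existing user list, so that mailboxes a CA may use for domain validation, such as ssladmin@, cannot be claimed by ordinary users. The names other than ssladmin are the validation addresses listed in the CA/Browser Forum Baseline Requirements; the function names and the dot-folding option are assumptions made for illustration.

```python
import unicodedata

# Local-parts a CA may mail to validate control of a domain.
# "ssladmin" is the name tested in the post; the other five are the
# addresses listed in the CA/Browser Forum Baseline Requirements.
RESERVED_LOCAL_PARTS = frozenset({
    "ssladmin", "admin", "administrator",
    "webmaster", "hostmaster", "postmaster",
})


def canonical_local_part(username, ignore_dots=False):
    """Fold a requested username to the form used for the reserved check.

    The folding is deliberately conservative: compatibility characters
    (for example full-width letters) and case are always folded.
    ignore_dots is an assumption about the provider: enable it if the
    mail system delivers "ssl.admin" and "ssladmin" to the same mailbox.
    """
    name = unicodedata.normalize("NFKC", username).strip().casefold()
    if ignore_dots:
        name = name.replace(".", "")
    return name


def is_reserved(username, ignore_dots=False):
    """True if the username must be refused at account creation."""
    return canonical_local_part(username, ignore_dots) in RESERVED_LOCAL_PARTS


def audit_existing(usernames, ignore_dots=False):
    """Return already-registered usernames that collide with a reserved one."""
    return [u for u in usernames if is_reserved(u, ignore_dots)]


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    existing = ["rohit", "SSLAdmin", "ssl.admin", "webmaster2"]
    for hit in audit_existing(existing, ignore_dots=True):
        print("reserved name in use:", hit)
```

Running the audit over existing accounts matters as much as the signup check, since a reserved name registered before the rule existed stays valid until someone looks for it.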


Categories: Alumni

How to setup twitter anywhere

Fri, 04/16/2010 - 01:29
Today Twitter announced public availability of @anywhere, which I thought of giving a shot.
Yes, it's easy to set up and works like a charm.


STEPS:
1. Go to the dev site of twitter anywhere
2. Log in using your Twitter account & go ahead to create an application
3. All inputs asked are pretty much intuitive
4. Go to your APP detail page & take a note of your API key
5. On your website simply add the code snippet preferably at the end just before

<script src="http://platform.twitter.com/anywhere.js?id=YOUR_API_KEY_HERE&v=1"></script>
<script type="text/javascript">
twttr.anywhere(function(twitter) {
twitter.hovercards();
twitter(".post").linkifyUsers();
});
</script>

6. Bang, you are done. Now any Twitter username on your webpage will be linked to a Twitter hovercard & a mouseover will show the fun
7. If you want to add this on any blog on blogger.com, simply add a "text/html box" under design layout and paste the code snippet in it.
8. To test, I have added the same in this blog & now we'll see a few examples with a little shameless plug of my Twitter handles ;)

Mouseover these Twitter handles to see @anywhere in action

My Twitter handles:
Technical tweets - @rohit11
General fun & casual tweets - @_rohit11
ClubHack - @clubhack




Categories: Alumni

The world with a new look

Mon, 04/05/2010 - 01:19
The way the internet has barged into our lives, we have been seeing the world in a very new way.
I stumbled on this image created by Byte Level research LLC which shows the new world.
As per Byte Level:
Each ccTLD is sized relative to the population of the country or territory, with the exception of China and India, which were restrained by 30% to fit the layout. At the other end of the spectrum, the smallest type size used reflects those countries with fewer than 10 million residents.



Categories: Alumni