Certificate Transparency Verification in Java

So I had this naive idea that it would be easy to do certificate transparency verification as part of each request in addition to certificate validity checks (in Java). With half of the weekend sacrificed, I can attest it’s not that trivial. But what is certificate transparency? In short – it’s a publicly available log of all TLS certificates in the world (which are still called SSL certificates even though SSL is obsolete). You can check if a log is published in that log and if it’s not, then something is suspicious, as CAs have to push all of their issued certificates to the log. There are other use-cases, for example registering for notifications for new certificates for your domains to detect potentially hijacked DNS admin panels or CAs (Facebook offers such a tool for free). What I wanted to do is the former – make each request from a Java application verify the other side’s certificate in the certificate transparency log. It seems that this is not available out of the box (if it is, I couldn’t find it. In one discussion about JEP 244 it seems that the TLS extension related to certificate transparency was discussed, but I couldn’t find whether it’s supported in the end). I started by thinking you could simply get the certificate, and check its inclusion in the log by the fingerprint of the certificate. That would’ve been too easy – the logs to allow for checking by hash, however it’s not the fingerprint of a certificate, but instead a signed certificate timestamp – a signature issued by the log prior to inclusion....

Integrating Applications As Heroku Add-Ons

Heroku is a popular Platform-as-a-Service provider and it offers vendors the option to be provided as add-ons. Add-ons can be used by Heroku customers in different ways, but a typical scenario would be “Start a database”, “Start an MQ”, or “Start a logging solution”. After you add the add-on to your account, you can connect to the chosen database, MQ, logging solution or whetaver. Integrating as Heroku add-on is allegedly simple, and Heroku provides good documentation on how to do it. However, there are some pitfalls and so I’d like to share my experience in providing our services (Sentinel Trails and SentinelDB) as Heroku add-ons. Both are SaaS (one is a logging solution, the other one – a cloud datastore), and so when a Heroku customer wants to add it to their account, we have to just create an account for them on our end. In order to integrate with Heroku, you need to implement several endpoints: provisioning – the initial creation of the resources (= account)plan change – since Heroku supports multiple subscription plans, this should also be reflected on your enddeprovisioning – if a user stops using your service, you may want to free some resourcesSSO – allows users to log in your service by clicking an icon in the Heroku console. Implementing these endpoints following the tutorial should be straightforward, but it isn’t exactly. Hence I’m sharing our Spring MVC controller that handles it – you can check it here. A few important bits: You may choose not to obtain a token if you don’t plan to interact with the Heroku API further.We are registering the...

Types of Data Breaches and How To Prevent Them

Data breaches happen practically every day. Personal, including financial and medical data leak to cyber criminals as well as intelligence agencies. Some notable breaches include the Equifax breach, where dozens of personal data fields were leaked, and the recent Marriott breach, where passports, credit cards and locations of people at a given time were breached. I’ve been doing some data protection consultancy as well as working on a data protection product and decided to classify the types of data breaches and give recommendations on how they can be addressed. We don’t always get to know how exactly the breaches happen, but from what is published in news articles and post-mortems, we can have a good overview on the breach landscape. Control over target server – if an attacker is able to connect to a target server and gains full or partial control on it, they can do anything, including running SELECT * FROM ... , copying files, etc. How do attackers gain such control? In many ways, most notably RCE (remote code execution) vulnerabilities and weak admin authentication. How to prevent it? Follow best security practices – regularly update libraries and software to get security patches, do not run native commands from within the application layer, open only necessary ports (80 and 443) to the outside world, configure 2-factor authentication for administrator login. Aim at having an intrusion detection / prevention system. Encrypt your data, and make the encryption as granular as possible for the most sensitive data (e.g. for SentinelDB we utilize per-record encryption) to avoid SELECT * breaches. SQL injections – this is a rookie mistake that...

Blockchain – What Is It Good For? [slides]

Last week I gave a 20 minute talk on the way I see blockchain applicability. I’ve always been skeptical of the blockchain hype, having voiced my concerns, my rants and other thoughts on the matter. I’ve followed actual blockchain projects that didn’t really need blockchain but managed to yield some very good results by digitizing processes, by eliminating human error, and occasionally, by guaranteeing the integrity of data. And recently I read an article that put these observations into perspective – that blockchain is just a tool for digital transformation (a buzzword broadly meaning “doing things on a computer and more efficiently”). That rarely the distributed consensus is needed, let alone public ledgers. But that doesn’t matter, as long as the technology has lead to some processes being digitized and transformed. So here are the slides from my talk: And people are usually surprised that I have a blockchain-related company and I’m so skeptical at the same time. But that’s actually logical – I know how the technology works, what problems it solves and how it can be applied in a broad set of domains. And that’s precisely why I don’t think it’s a revolution. It’s a wonderful piece of technological innovation that will no doubt solve some problems much better than they were solved before, but it won’t be the new internet and it won’t change everything. Doesn’t that skepticism hurt my credibility as a founder of a blockchain-related startup? Not at all – I don’t want to get a project just because of a buzzword – that’s not sustainable anyway. I want to get it because it...

Technical Innovation vs. Process Innovation

We are often talking about “innovation” and “digital innovation” (or “technical innovation”) in particular, when it comes to tech startups. It has, unfortunately, become a cliche, and now “innovation” is devoid of meaning. I’ve been trying to put some meaningful analysis of the “innovation landscape” and to classify what is being called “innovation”. And the broad classification I got to is “technical innovation” vs “process innovation”. In the majority of cases, tech startups are actually process innovations. They get existing technology and try to optimize some real world process with it. These processes include “communicating with friends online”, “getting in touch with business contacts online”, “getting a taxi online”, “getting a date online”, “ordering food online”, “uploading photos online”, and so on. There is no inherent technical innovation in any of these – they either introduce new (and better) processes, or they optimize existing ones. And don’t get me wrong – these are all very useful things. In fact, this is what “digital transformation” means – doing things electronically that were previously done in an analogue way, or doing things that were previously not possible in the analogue world. And the better you imagine or reimagine the process, the more effective your company will be. In many cases these digital transformation tools have to deal with real-world complexities – legislation, entrenched behaviour, edge cases. E.g. you can easily write food delivery software. You get the order, you notify the store, you optimize the delivery people’s routes to collect and deliver as much food as possible, and you’re good to go. And then you “hit” the real world, where there...