Categories
System Administration

Parsing the EU Digital COVID Certificate

I recently go my first Covid-19 shot, and shortly after that I received my QR code that is supposed to prove to anybody that I’m vaccinated.

Of course, I was interested in the actual technical implementation of the thing so I started tinkering around. Initially, I wasn’t sure whether the QR code just links to a webpage or is a standalone document, but reading the documentation quickly made clear that it simply contains a signed document.

There is a python snippet floating around that does all the decoding (decode base45, decompress, decode cbor, ignore signature, cbor decode), but I was wondering whether I can just use standard Linux command-line tools to do the same.

To my big surprise, I could not find a simple base45 decoder to be used on the command line. Neither the GNU coreutils (which supports a bunch of encodings) or basez have implemented base45 yet. For a quick coding exercise, getting code into the coreutils was a bit too ambitious, so I rolled my own in a few minutes. I haven’t done coding in C for quite some time, so this was fun. (while probably not necessary, this should be doable as a one-liner in Perl)

Next step: The libz decompression. Here, too, I was surprised that my Debian box did not have a simple program ready to do it. After some googling, I found that
zlib-flate -uncompress
does the trick. zlib-flate is included in the qpdf package.

Update: The debian package zlib1g-dev contains a few example programs, zpipe.c does exactly what I need. Just copy the file from /usr/share/doc/zlib1g-dev/examples/ , compile with “cc -o zpipe zpipe.c -lz”.

Then cbor: at first this looked easy, there is a libcbor0 in Debian and appropriate modules for Perl and Python. But a command-line tool? That’s not included by default.

Initially, I tried using
python3 -m cbor2.tool
and then continue with jq to select the right element (jq ‘.”CBORTag:18″[2]’ seems to do the trick) but I ran into encoding issues: I did not manage to extract the element in binary form, I always had escape sequences like ‘\x04’ or ‘\u0012’ in there which are not suitable for next step of cbor decoding.

Update: I’ve now read a bit more about the cbor standard and on the things it can do that JSON can’t, is handling raw binary data. JSON knows strings, yes, but they are character strings encoded in utf-8, not sequences of octets. Back in the old days of latin1 that might not have mattered that much, but these days you really shouldn’t mix those two.

So this is still work in progress, watch this space for updates.

Updates:

  • I’m not the only one who tried this, see also this blogpost by Corentin Dupont.
  • Based on troubles with faked certificates, I had a closer look at the key distribtion and updates of the Austrian green pass system. I documented the results in a blogpost at CERT.at.

Categories
Internet

Ein anderer Vorschlag zu Facebook

Markus Sulzbacher schlägt im Standard vor, Facebook aus Datenschutz/Kartellrechtsgründen zu zerschlagen.

Ich hätte da einen andere, deutlich subtilere Idee:

Facebook (das social media network) selber halte ich nicht für wahnsinnig wichtig, diese Netze kommen und gehen und Facebook wird hier keine Ausnahme sein. Ich halte WhatsApp für die langfristig deutlich spannendere Plattform, weil sie ein deutlich grundlegenderes Thema mit noch stärkerem Metcalfe’s Law Effekt behandelt: Die simple (text/voice) Kommunikation zwischen zwei Menschen und (fast noch wichtiger) in Gruppen.

Es gibt aus regulatorischer Sicht dafür aber bereits eine klare Lösung, die beim Telefonnetz super funktioniert hat und die Monopole erfolgreich aufgebrochen hat: Die Pflicht zur transparenten Vernetzung der Telefonanbieter inklusive Nummernportierung.

Daher: es wäre einfach an der Zeit, IM Systeme mit einer gewissen Marktmacht, also etwa Skype, WhatsApp, Facebook Messenger, iChat, … genauso zu behandeln, wie Telefonnetze und SMS und deren Interoperabilität vorzuschreiben.

Ja, das kann Österreich nicht im nationalen Alleingang machen, aber die EU hätte die Macht dazu.

Ob die EU auch die Eier dafür hat, ist die offene Frage.

Categories
Windows 10

A nugget from the Windows 10 Event log

While investigating why Outlook stopped working, I found the following in the EventLog:

win10-event

2117? WTF?

Categories
Pet Peeves Windows 10

Win10: controlled folder access

I’ve enabled controlled folder access on my work Windows 10 machine.  Now it is giving me notifications like:

win10-ransomare

The idea is fine, of course I need to finetune the settings (and one click brings to the relevant settings page), but how the §$%& should I know which program to white-list? I cannot find a way to get the full path of the offending program.

I need to search.

Why is there no “Application ‘full path’ is trying to make changes: whitelist y/n” dialogue?

Categories
Windows 10

Windows accounts for Kids

While being logged in with my Microsoft Account I did not manage to create local accounts for the kids. There is this nice and fluffy “Create accounts for your family” system, but that implies that you create Microsoft Accounts for everybody.

I refuse to do that for kids. Sorry Microsoft, they are kids, they should not need cloud-based accounts yet.

Apparently you can create additional local account if you’re logged in on a local account. Great.

But there is no GUI to set the time limits for the kids if they are using a local account. You have to do this one the command line. e.g. with

net user kid1 /times:Sa,08:00-20:00

See this article.

Categories
Pet Peeves Windows 10

Windows 10 peeves

I’m not a computer newbie. Neither am I a first-time Windows user.

Windows 10 has proved to be a very mixed bag for me. Some things are very clever and nicely done, and then there are a bunch of “what the f*ck were they thinking” moments for me.

I’ve now added the category “Windows 10” to this blog to keep track of my peeves and my workarounds.

 

Categories
System Administration

Testing …

Is this thing still on?

My old wordpress installation has been suffering from bit-rot and the upgrade to Debian jessie completely killed the wordpress installation. I’m moving over posts and pages manually, let’s see if I get this blog (including pictures) up and running again.

 

 

Categories
CERT Internet Pet Peeves

Of Ads and Signatures

Both advertisements and signatures have been with us in the analogue realm for ages, the society has learned about their usefulness and limits. We have learned that it’s (usually) hard to judge the impact of a single ad, and that the process of actually validating a contested signature is not trivial. There is a good reason why the law requires more than a single signature to authorize the transfer of real estate.

Both concepts have been translated to the digital, online world.

And in both cases, there were promises that the new, digital and online versions of ads/signatures can deliver features that their old, analogue counterparts could not do.

For ads, it was the promise of real-time tracking of their effectiveness. You could do “clickthrough rates” measuring how often the ad was clicked by a viewer. The holy grail of ad effectivity tracking is the fabled “conversion rate”: you can measure how many people actually bought your product after clicking an ad.

For signatures, it was the promise of automated validation. If you get a digitally signed document, you should be able to actually verify (and can have 100% trust in the result) whether it was really signed by the signatory. Remember: in the analogue world, almost nobody actually does this. The lay person can detect crude forgeries, but even that only if the recipient has access to samples of authentic signatures. In reality, a closer inspection of handwritten signatures is only done for important transactions, or in the case of a dispute.

So how did things work out after a few years of experience with digital ads and signatures?

Digital ads are in a midlife crisis. We’re in a death spiral of low clickthrough rates, more obnoxious formats, ad-blockers and ad-blocker-blockers. Just look at the emergence of Taboola and similar click-bait.
Digital signatures are at a cross-road as well: The take-up rates of solutions based on smart-card readers have been underwhelming so far. This applies to the German ePerso as well as to the Austrian citizen card. The usability just isn’t there. So there has been a push to increase the take-up rate by introducing alternatives to smart-card technology. That won’t make it more secure. Not at all.

So what’s the common lesson? In theory, both digital ads and signatures can offer features that their old, analogue counterparts just cannot deliver. In practice, they are killing themselves by over-promising. As long as click-through rates are the prime measurement of online ads, their death spiral will continue. And as long as digital signatures continue to promise instant, high-confidence validation, they will not achieve the take-up rates needed for broad acceptance.

Continuing the current trajectory will lead to a hard crash for both technologies. On one side it’s the ad-blocker, on the other side it’s malware.

The level of spam in the email ecosystem meant that no mail-service can exist in the market without a built-in spam-filtering solution. And given the early ad-excesses every browser includes a pop-up blocker these days. If the advertisers continue on their path of getting attention at all costs, ad-blocking will become a must-have feature in all browsers, and not just an optional ad-on (as right now).

Any digital security solution that protects actual money has been under vigorous attack. The cat and mouse game between online-banking defenders and attackers is a good lesson. The same will happen if digital signature solutions start to be actually relevant. And good luck if your “let’s make digital signatures more user-friendly” approach is actually less secure than what online-banking is using these days.

So what’s the solution?

In my opinion the right way to approach both topics is to reduce the promise. Make digital ads static images. No animation. No dynamic loading of js-code (which is its own security nightmare). Don’t overtax the visitor’s resources (bandwidth, browser-performance). No tracking. Tone it down. Don’t expect instant effects. Don’t promise clicktrough rate.

For digital signatures: Mass deployment is only possible for “non-qualified signatures”. Don’t promise “you can fully and solely rely on our solution”. Just sell “this is a good indication”, or “use this as one factor in your security design”. Prepare for it to be attacked and broken. Only use it when you have a pre-planned way to recover from such a breach. The real word is full of applications where signatures are used in a very low-security / low-impact settings. The state-sponsored digital identity solutions needs to think of those, too. For the high-impact, high-confidence settings I always have to think about the mantra we use at work: “You can’t mandate trust.”

Categories
CERT Pet Peeves

The Edge browser

Wasn’t one of the main goals of junking the Internet Explorer codebase and building a brand new browser “Edge” the hope that there won’t be the monthly batch of patches for remote code execution vulnerabilities?

I haven’t tabulated the advisories but somehow I don’t have the feeling that things have gotten substantially better.

Why?

It looks to me like we still aren’t using the right programming environments for such complex pieces of software. There is still way too much basic security tooling the programmers have to do by themselves. Just like you shouldn’t do string operations in pure ANSI C, we need to rise the level of abstractions that all these browser bugs (that lead to RCE) just are not possible any more.

Categories
Pet Peeves

StartSSL, S/MIME and Thunderbird

This cost me an hour or two:

If you try to get a free S/MIME certificate from StartCom / StartSSL, this worked fine and in Firefox the certificate was shown as valid. But once I transferred it to Thunderbird, I got an unspecified certificate error.

Solution: Turn off OCSP.