Microsoft to Provide Timeline for SSL, Release Date Postponed Further

Microsoft has committed to providing a timeline for fixing the SSL issues with Hotmail/Live by next Friday and has requested that the tool release be postponed at least until then. I will of course grant this request. I had previously already agreed to delay until end of day on Monday for a similar timeline from Google to provide automatically negotiated secure cookie support, but this does extend things a bit further. However, I will still provide copies of the tool to anyone who contacts me from an email matching the contact info of a domain that is fully paid up with its protection money to the SSL mafia for a current, valid SSL certificate.

Need More Time to Fix Your Sites? Please contact me

If you are a site maintainer who has become aware of the pending release of my automated https cookie hijacking tool and you still need time to adjust your site to handle ssl correctly for people who need it, please contact me, and I will delay the release of the tool for a short period of time. You should be able to infer my email address from my posting username and the name of this site. As of this date, I still have received no requests for extension from any major websites save Google, and so the tool is currently scheduled for tentative release on EOD Monday. I can also provide pre-release copies of the tool to site maintainers interested in testing their sites.

How to Properly Provide Mixed HTTP and HTTPS Support

I've noticed that many sites seem to want to only support SSL partially, so that they don't have to invest in expensive SSL accelerators. While I can't necessarily say this fits in with my grand design to move the entire web over to SSL for good, if it has to be done, it might as well be done securely. This post attempts to describe the general pattern for how to do it.

Why Full Disclosure?

When I explain the completeness and the automated nature of my HTTPS cookie hijacking tool, the first reaction of many of my friends was to remark "Are you sure it is a good idea to release this?"

Why the Gmail HTTPS "Fix" Isn't

About a week before my talk, Google announced that they are "making security easier" by providing people with the option of using only https for gmail. I think this "fix" is still broken for several reasons.

Automated HTTPS Cookie Hijacking

This past weekend I gave a talk at DEFCON 16 describing a very common vulnerability with many SSL-secured websites (slides are here). It actually all started last year when I began development on The Torbutton Firefox Extension and agreed to speak at Black Hat USA 2007 and DEFCON 15 on my findings with respect to Tor Security. In that talk, I announced that many sites used over Tor were not setting the 'Encrypted Sessions Only' bit on cookies they set over https. This is the case with GMail,, most Drupal sites, Facebook, Amazon's purchase history, Yahoo mail, Hotmail/MSN, many many online merchants, and a few of my friends' banks. is reborn

They say that after 7-10 years, every atom that makes up your body has been replaced. Brand new stardust, as it were. Well, this domain turned 8 last year when I took down all the content. It turned 9 today, and so like a phoenix rising from the ashes, has been reborn.

My How Things Have Changed

What follows is an expert from my old blog in 2003 about the Microsoft graduating intern barbecue held at Bill Gates's house on Lake Washington. It's very interesting to compare and contrast with Microsoft's recent attempts to cozy up with the open source community and court developers. Makes me wonder if someone at Microsoft saw this journal entry before I took it down :)

Something is Rotten in #opdarknet

Update 9/9/14 @ 10:30am: This post was originally published on November 2nd, 2011. I altered the date to bury it so I wouldn't have to look at it every time I went to update my site. The memory of this horrible event was discouraging me from writing new content.

Update 11/2/11 @ 4:50pm: I again have experienced a DDoS against, again through Tor (though some IPs also appeared to be non-Tor), shortly after posting this article. It seems to have subsided, and was not as strong in intensity as the original attack.

I seem to be the target of a vigilante lynch mob (or a subset of one) who will not dispose themselves of the notion that I run a service called Freedom Hosting (despite having evidence in their possession to the contrary).

I have nothing to do with Freedom Hosting. I have no idea who runs it. I have never even used it.

I assume Freedom Hosting is a Tor hidden service that will host content for money and does not reject clients regardless of content, as long as they can pay the bills. This service has attracted the attention of #opdarknet because it apparently has become a home to child porn hosters.

I am not sure exactly why they are targeting me, but I strongly suspect it is meant as a distraction campaign at a key time in Tor's funding and development cycle.

I don't believe all #opdarknet members are involved in this campaign. Indeed, from what I hear, there are a few camps among them: some of them are rational people who think the campaign against me is distracting them from attacking the actual child porn sites, and they have argued vehemently against smearing me. However, the crazy contingent appears to keep winning out somehow, and the libel against me keeps getting posted to pastebin (and then later revised to conceal exonerating evidence).

My guess: The crazy contingent are the ones who started work at 10am sharp each day for three days in a row (even spanning the Halloween weekend) to harass me on IRC, until I pointed it out, after which they stopped. Who pays their salary, I wonder?

Here's the TL;DR breakdown of their "evidence" so far:

Syndicate content