Category Archives: internet

internet security

CertGraph: visualizing the distribution of trusted CA’s

Much of the Internet's security posture relies on certificates (certs) being issued and validated correctly. We have all been taught to look for the "green lock" on websites, and measures such as mixed-content blocking and HSTS push in the same direction.

Certs 101:

A website has a leaf certificate. It holds some metadata and a public key, which the client uses to authenticate the server and set up the session keys (an oversimplification; the TLS handshake is explained in depth elsewhere). That leaf certificate needs to be trusted by your user agent. Since you cannot know every certificate in the world, you trust whoever issued it: a certificate is signed by a trusted party, a certificate authority (CA), or by a party that is itself trusted by a root CA. Typically the root CAs are trusted by your computer, and they delegate to intermediate CAs, which issue the leaf certificates.


User agents, or the operating system they delegate to, ship with the certificates of these root CAs pre-installed, and there are more of them than you might expect. A typical Windows installation trusts a few dozen, if not hundreds, of root CAs; you can list them yourself in certmgr.msc under Trusted Root Certification Authorities.

Each of these root CAs can in turn trust several intermediate CAs, which issue certificates (or trust yet other CAs, and so on). So you are essentially trusting hundreds, if not thousands, of entities, a mix of companies and governments.

Since these leaves create several paths to their roots, and since I'm a sucker for visualizing graphs, I decided to graph the certificates of Alexa's top 1M websites; but the script crashed after some 67,000 of them.

Note that this is a large dataset, which slows the visualization down considerably. You can download the JSON files from GitHub.

The Graph

You can play around with the data set (warning: graph rendering might be slow on large datasets), but eventually you'll end up with something like the chart below.

distribution of top ~60k popular sites certificates.

Getting the data

The files come with a .NET Core 3 client app which scans a text file of hostnames and stores the certificate chains in a JSON blob. Each chain is essentially [root CA]->[intermediate]->[…]->leaf. I only opted for name, subject, expiry, serial and thumbprint, but you can get anything that the X509Certificate2 class gives you. For example, it might be interesting to see which CAs issue the longest-lived certificates, or what key sizes are in use.

Technically, I created a custom RemoteCertificateValidationCallback, which is typically used to perform SSL validation (such as checking CRLs, as .NET doesn't do that out of the box).
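The post describes the scanner only at the level of that callback. The following is an added example, not the CertGraph project's code, showing what you can do with the JSON it produces: it rebuilds the issuer graph from stored chains, deduplicates certificates on thumbprint, counts how many hosts end up under each root (the "distribution" the chart shows), reports the longest-lived leaf under each root (the analysis suggested above), flags chains whose issuer/subject links do not line up (a validation callback records whatever chain the platform built, so this is worth checking before drawing conclusions), and emits a node/edge structure a graph library can render. The record layout, field names and sample chains are assumptions modelled on the fields the post says it stores, not real scan output.

```python
import json
from collections import Counter
from datetime import date


def _c(subject, issuer, tp, nb, na):
    """Build one stored cert record (assumed layout, modelled on the post's fields)."""
    return {"subject": subject, "issuer": issuer, "thumbprint": tp,
            "not_before": nb, "not_after": na}


# Constructed sample data, not a real scan: four hosts under two roots that
# share nothing, plus one chain whose leaf was recorded under the wrong issuer.
ROOT_A = _c("CN=Root A", "CN=Root A", "AAAA", "2010-01-01", "2030-01-01")
INTER_A1 = _c("CN=Inter A1", "CN=Root A", "A1A1", "2015-01-01", "2025-01-01")
ROOT_B = _c("CN=Root B", "CN=Root B", "BBBB", "2012-01-01", "2032-01-01")
INTER_B1 = _c("CN=Inter B1", "CN=Root B", "B1B1", "2018-01-01", "2028-01-01")
SAMPLE_JSON = json.dumps([
    {"host": "example.com", "chain": [ROOT_A, INTER_A1,
        _c("CN=example.com", "CN=Inter A1", "1111", "2019-01-01", "2020-01-01")]},
    {"host": "example.net", "chain": [ROOT_A, INTER_A1,
        _c("CN=example.net", "CN=Inter A1", "2222", "2019-01-01", "2021-01-01")]},
    {"host": "example.org", "chain": [ROOT_B, INTER_B1,
        _c("CN=example.org", "CN=Inter B1", "3333", "2019-06-01", "2019-09-01")]},
    # issuer names Inter B1 although the cert above it is Inter A1
    {"host": "broken.example", "chain": [ROOT_A, INTER_A1,
        _c("CN=broken.example", "CN=Inter B1", "4444", "2019-01-01", "2019-04-01")]},
])


def load_chains(text):
    """Parse the scanner's blob: a list of {"host": ..., "chain": [root, ..., leaf]}."""
    return json.loads(text)


def check_chain_links(records):
    """Return (host, index) for every cert whose issuer is not the subject of the
    cert before it; index 0 (the root) must be self-signed."""
    broken = []
    for rec in records:
        chain = rec["chain"]
        for i, cert in enumerate(chain):
            expected = chain[i - 1]["subject"] if i else cert["subject"]
            if cert["issuer"] != expected:
                broken.append((rec["host"], i))
    return broken


def build_graph(records):
    """Return (nodes by thumbprint, set of issuer->subject edges, hosts per root)."""
    nodes, edges, hosts_by_root = {}, set(), Counter()
    for rec in records:
        chain = rec["chain"]
        if not chain:
            continue
        for cert in chain:
            nodes.setdefault(cert["thumbprint"], cert)   # same cert seen twice counts once
        for issuer, subject in zip(chain, chain[1:]):
            edges.add((issuer["thumbprint"], subject["thumbprint"]))
        hosts_by_root[chain[0]["thumbprint"]] += 1
    return nodes, edges, hosts_by_root


def validity_days(cert):
    return (date.fromisoformat(cert["not_after"]) - date.fromisoformat(cert["not_before"])).days


def longest_leaf_validity(records):
    """Longest leaf lifetime in days seen under each root, keyed by root subject."""
    longest = {}
    for rec in records:
        if rec["chain"]:
            root, leaf = rec["chain"][0]["subject"], rec["chain"][-1]
            longest[root] = max(longest.get(root, 0), validity_days(leaf))
    return longest


def to_vis_json(nodes, edges):
    """Node/edge lists for a graph renderer; kind is derived from the edges alone."""
    issuers = {a for a, _ in edges}
    issued = {b for _, b in edges}
    kind = lambda tp: "root" if tp not in issued else "intermediate" if tp in issuers else "leaf"
    return {
        "nodes": [{"id": tp, "label": c["subject"], "kind": kind(tp)} for tp, c in sorted(nodes.items())],
        "edges": [{"from": a, "to": b} for a, b in sorted(edges)],
    }


if __name__ == "__main__":
    recs = load_chains(SAMPLE_JSON)
    print("inconsistent chains:", check_chain_links(recs))
    nodes, edges, hosts_by_root = build_graph(recs)
    for tp, n in hosts_by_root.most_common():
        print(f"{nodes[tp]['subject']}: {n} hosts")
    print("longest leaf validity per root:", longest_leaf_validity(recs))
    print(json.dumps(to_vis_json(nodes, edges), indent=1))
```

One caveat on the collection side: a RemoteCertificateValidationCallback that returns true unconditionally so that every chain gets recorded also disables certificate validation for that connection. That is fine in a scanner that only reads certificates, but the same trick must never survive into a client that sends anything sensitive.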

Again, please play around with it, and let me know if you'd like to see something added.


internet security

Install Burp CA certificate on Android Emulator

Some people ask me how they can intercept HTTPS API calls from an Android app. One of the best ways is to use PortSwigger's free Burp Suite and proxy all traffic between the app and its server. One of the problems is: how do you add Burp's CA certificate to your Android (emulator)? Burp's help page simply says to look it up on Google. Well, I hope this is one of the results showing up.

Note: this does not require any ADB pushes and can be done in a few minutes. This was done under Ubuntu, using Android Emulator version 22.6.4, installing the certificate into an Android 4.4.2 image running on a virtual Nexus 4. On Android 7.0 and later, apps no longer trust user-installed CAs by default, so on newer images the certificate has to go into the system store or the app must opt in through its network security configuration.

Adding a CA certificate can be done in just a few steps, and will take a few minutes… read more »

internet security uae

Phone numbers as default eLife WiFi keys

The UAE's internet is pretty much provided by two ISPs, Etisalat and Du, who deliver broadband services to their customers.

Focusing on the larger of the two, Etisalat: their eLife package brings triple-play services (TV, phone and internet) into customers' homes, including a WiFi network. The problem is that many of these wireless access points are set up by Etisalat's technicians themselves, who follow a convention for the encryption key: the customer's mobile phone number.

That convention leaves a tiny keyspace: four mobile prefixes times 9,000,000 seven-digit suffixes, i.e. 36 million possible keys, against the 95^8 (about 6.6 quadrillion) of even an 8-character random printable passphrase. Knowing the key format helps tremendously in brute-forcing the key: it becomes a wordlist attack over 36 million candidates rather than a search of the full passphrase space. To generate all of those numbers as a list, one could write this in Perl:

# Generates every 05[0256][1-9][0-9]{6} number: 4 prefixes x 9,000,000 = 36,000,000 candidates.
# Usage: perl elife-keys.pl > elife-keys.txt   (about 400 MB: 11 bytes per line)
$| = 1;                        # autoflush stdout so the list streams while it is generated
foreach my $a (0, 2, 5, 6) {   # the four UAE mobile prefixes used here: 050, 052, 055, 056
  foreach my $b (1000000..9999999) {
    print "05" . $a . $b . "\n";
  }
}

*Note: this script can of course be optimized; for instance, numbers made of long runs of repeated digits are unlikely to belong to a customer with a default eLife installation, so they can be dropped from the list.

Another handy fact is that default eLife setups have their SSID configured as etisalat-XXXXX, where XXXXX is a "random" number, so such networks are easy to spot.

Aside from "free Internet access" to offload your torrent traffic onto, there is a much greater risk here.

eLife is delivered with an Aztech HW550 3G wireless router. These devices run an embedded Linux, and Aztech has made the source code available. Alternatively, you can resort to OpenWrt's efforts, but the latter might raise suspicion if the original owners decide to change something about their WiFi network.

Now, the danger lies in the following scenario:

  • The attacker adds a backdoor to the HW550's firmware.
  • The attacker cracks your wireless key and joins your network.
  • The attacker logs in to your wireless router (assuming you didn't change the admin password).
  • The attacker uploads the backdoored firmware.
  • The attacker now has access to your connection at all times and can use it to launch attacks and tunnel connections.

Since the HW550 has "only" a 384 MHz MIPS CPU and 32 MB of RAM, it can't carry heavy network traffic, but you get the idea. Aside from building "AP zombies", one could redirect your traffic for a man-in-the-middle attack, and so on.

So, to prevent this scenario from happening: choose a strong wireless key (not your phone number) and change it regularly, change the router's default admin password, install OpenWrt yourself, or just get another (better) access point.
That, and living inside a Faraday cage, so nobody picks up your wireless signals.

internet security uae

UAE issues new decree to combat cybercrime

The UAE has issued a new decree on "combating cyber crimes". This decree, published in three parts, stipulates the latest do's and don'ts and amends the previous decree from five years ago.

In a world of religiously offensive cartoons and movements such as Occupy Wall Street and its derivatives, many countries in the region have seen uprisings against their governments. These protests have largely been made possible by technology.

Be warned though: although it is widely known that promoting prostitution and gambling is illegal in the country, some rules are less obvious. If you raise funds for a cause that isn't authorized, you could end up in trouble.

fun internet

How to fake it with Alexa?

Many people ask me why their website has a low Alexa rank. Alexa, an Amazon-owned analytics service, ranks websites and can even tell you about the audience your website is getting, including gender, education and age groups. The question often remains: how does Alexa work? Do they monitor the entire Internet?

The answer is a lot less mythical: it uses statistics from users who install the Alexa Toolbar (and fill in their gender, education, etc.) and then visit your website. It is plain statistical sampling, the same technique TV ratings have relied on for the past 60 years.

Being an engineer at heart, I had to find out how Alexa works, so a little analysis follows. Furthermore, with some scripting, you can boost your Alexa rating quite a bit. read more »

internet security

Privacy in a widgeted world

The Internet as we use it today has very little privacy left. We all say that Facebook and Google know "too much", only to conclude that they don't know anything beyond what we feed them. Or do they?

Enter the "widget": a piece of HTML (with CSS, JavaScript, ...) included in another page, often to spread content socially (Facebook Like, Google +1, LinkedIn share, etc.) or to add some other value (analytics, sharing, etc.). Every one of them tells its "provider" what content you are accessing.

It is hard to find a popular page without widgets these days. Pages pack "like" buttons, "share this" widgets and tweet options to give you an instant way of sharing their content with your social network, banking on good ol' word-of-mouth marketing: if your friends like something, you might be interested too, if only out of peer pressure.

The problem is that when the widget is requested, browser data flows to the widget provider's web server along with the request: the Referer header (the page you are on) and any cookies you hold for the provider's domain. So the provider knows what page you're on and usually who you are (assuming you stay logged in to Google, Twitter, Facebook, etc.).

You may think "but if I like a page, Facebook will know anyway". True, but the point is that the provider learns you are on the page regardless of whether you perform any action (liking, sharing, etc.). If you read X pages about a new smartphone model, chances are you want to buy one, and targeted ads become more... targeted.

From an advertising point of view, this creates mixed feelings. It's like somebody looking over your shoulder while you read a magazine and swapping the ads according to which article you stared at longest.

From a website owner's point of view, this does create added value. If you can convince other websites to publish your widget code, you can track people's interests before they ever visit your own site. This (as yet unidentified) user eventually lands on your web app, identifies him- or herself, and you hold great information. I'm just not sure how ethical this is, and even though Facebook's outdated law enforcement guidelines don't list "web pages visited" in particular, they would have access to it.

Is this such a bad thing? Perhaps. Widget providers offer added value to website owners, who in turn decide what goes into their pages. A vague idea, but maybe a browser extension could block the loading of these widgets, replace them with a look-alike (fake buttons, etc.) and only load the provider's script when you actually click?
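To make both halves of the argument concrete, here is an added example (not code from the original post): the first function models which headers a browser attaches to the widget fetch, i.e. what the provider receives for free, under three Referrer-Policy settings, and the rewriter implements the "click to load" idea above as a server-side or proxy-side HTML transformation that swaps every third-party script and iframe for a placeholder button holding the URL in data-src, so nothing is fetched from the provider until the reader clicks. The page host blog.example, the provider hostnames, the cookie values and the sample page are all constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page on the assumed first-party host blog.example; the
# widget hosts are made-up .example names standing in for the usual providers.
SAMPLE_PAGE = """<html><body>
<p>Article text &amp; more</p>
<script src="https://connect.facebook.example/en_US/all.js"></script>
<script src="https://apis.google.example/js/plusone.js"></script>
<iframe src="https://platform.twitter.example/widgets/tweet_button.html"></iframe>
<script src="/js/site.js"></script>
<img src="https://static.blog.example/logo.png">
</body></html>"""


def headers_sent_to_provider(page_url, widget_src, cookie_jar,
                             referrer_policy="no-referrer-when-downgrade"):
    """Model the request headers a browser attaches to the widget fetch.

    cookie_jar maps provider host -> cookie string (the identity cookie of a
    session you are still logged in to). Only three Referrer-Policy values are
    modelled, and third-party cookies are assumed to be allowed, as they were
    when the post was written.
    """
    host = urlsplit(widget_src).hostname
    headers = {"Host": host}
    if referrer_policy == "no-referrer-when-downgrade":      # full URL for https->https
        headers["Referer"] = page_url
    elif referrer_policy == "strict-origin-when-cross-origin":  # origin only
        page = urlsplit(page_url)
        headers["Referer"] = f"{page.scheme}://{page.netloc}/"
    # "no-referrer": no Referer header at all
    if host in cookie_jar:
        headers["Cookie"] = cookie_jar[host]
    return headers


def is_third_party(src, page_host):
    """True if src points at a host other than page_host or one of its subdomains."""
    host = urlsplit(src).hostname
    if host is None:          # relative URL: served by the page's own origin
        return False
    return not (host == page_host or host.endswith("." + page_host))


class WidgetRewriter(HTMLParser):
    """Rebuilds the document verbatim, except that third-party <script> and
    <iframe> loads become a placeholder button carrying the URL in data-src."""

    WIDGET_TAGS = ("script", "iframe")

    def __init__(self, page_host):
        super().__init__(convert_charrefs=False)   # keep entities exactly as written
        self.page_host = page_host
        self.out = []
        self.skipping = None     # widget tag whose body is currently being dropped
        self.replaced = []       # (tag, provider host) for every widget removed

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        src = dict(attrs).get("src")
        if tag in self.WIDGET_TAGS and src and is_third_party(src, self.page_host):
            host = urlsplit(src).hostname
            self.replaced.append((tag, host))
            self.out.append(f'<button class="widget-placeholder" data-tag="{tag}" '
                            f'data-src="{escape(src)}">Load {tag} from {host}</button>')
            self.skipping = tag
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if not self.skipping:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(data)

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

    def handle_comment(self, data):
        self.handle_data(f"<!--{data}-->")


def click_to_load(html, page_host):
    """Return (rewritten html, list of (tag, host) that were replaced)."""
    parser = WidgetRewriter(page_host)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.replaced


if __name__ == "__main__":
    print(headers_sent_to_provider("https://blog.example/post/1",
                                   "https://connect.facebook.example/en_US/all.js",
                                   {"connect.facebook.example": "c_user=123"}))
    rewritten, replaced = click_to_load(SAMPLE_PAGE, "blog.example")
    print(replaced)
    print(rewritten)
```

The placeholder still needs a few lines of page-side JavaScript that, on click, creates the real script or iframe from data-src; that part is left out because it is the trivial half. The Referrer-Policy model is also the page owner's cheapest mitigation: sending only the origin keeps the provider from learning which article you read, although the cookie still tells them who you are.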

Food for thought. Now, look at the buttons below, they know you’ve been here already.


Simple file sharing is one of those websites I wish existed more. A form to share files up to 100 MB; simple, neat and fast (thank you, whoever, for fixing the broken cables).

A great, nifty tool from the guys at builtBackwards.

Love it!


Cable cuts make UAE’s internet slooooow

With the recent cuts in undersea "internet cables" off the coast of Sicily, internet and voice traffic in the region has been seriously affected.

Repairs are expected to take several days...

I forgot already what 14400 felt like..


Make HTML pages quickly, Drawter

Drawter is one of those tools that seem too good to be true. It lets you "draw" a page and then export its CSS and HTML code.

It uses jQuery heavily, and I'm loving it. It does one simple thing, making HTML pages, and does it very well.

internet web

LinkedIn to have applications. Professional superpoke anyone?

LinkedIn, the professional social network, has introduced the possibility of using applications, just as Facebook, MySpace and Friendster did.

LinkedIn feels the threat of Facebook, especially combined with applications such as Kuhnektid that increase your professional "visibility". Most LinkedIn users are on Facebook too.

A set of examples is available in their application directory: tools for file sharing, project collaboration, or being notified when one of your "contacts" is in the same city as you. No sign of an SDK yet, and no superpokes either.

Let’s see how users adapt to this.