MobileRead Forums
Register Guidelines E-Books Today's Posts Search

Go Back   MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner
Reload this Page Security Checking

Notices

Reply
 
Thread Tools Search this Thread
Old 09-09-2017, 09:35 PM   #1
knc1
Going Viral
knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.knc1 ought to be getting tired of karma fortunes by now.
 
knc1's Avatar
 
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Security Checking
With a Kindle?
Most certainly yes, it has everything you need to check any web-site.

With the recent security breach at Equifax in the USA;
https://qz.com/1073002/equifax-breac...t-your-credit/

There is an increased interest in on-line security used by web-sites.
(Or at least there certainly should be.)

Notices such as this:
Quote:
Secure Transaction:
For your protection, this website is secured with the highest level of SSL Certificate encryption.
are showing up on web pages everywhere you look.
But just because you read it on the site's web page, does that make it so?
Aren't they expecting you to believe the Wolf's statement on the security of the Hen House?

So how can you get a "second opinion" ?
What you need is a copy of OpenSSL, version 1.0.0 or newer.
(and an Internet connection of course.)

It you have command line access * to your Kindle running 5.x series firmware, you have all that you need to check any web-site.
The version of OpenSSL installed on your Kindle:
Code:
[root@kindle us]# openssl version
WARNING: can't open config file: /usr/ssl/openssl.cnf
OpenSSL 1.0.1s  1 Mar 2016
(The warning message is not significant in the following usage.)

Where in the following I have written: "$1" (in two places) use the full domain name (as in: www.mobileread.com for example):
Code:
knc1:~> openssl s_client -servername "$1" -connect "$1":443 </dev/null 2>/dev/null | openssl x509 -text
That will result in an output similar to the following (the first certificate is the server's certificate):
Spoiler:

Code:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2b:62:d9:6c:75:14:c6:99:61:8a:3e:8d:f4:49:b7:de
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3
        Validity
            Not Before: Aug  2 00:00:00 2017 GMT
            Not After : Jul  7 23:59:59 2018 GMT
        Subject: C=US, ST=Georgia, L=Atlanta, O=Central Source LLC, OU=IT, CN=www.annualcreditreport.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:3b:4e:f3:8f:10:0d:4e:dc:f1:48:a4:ab:21:
                    89:4a:d7:c8:c8:dc:94:94:28:53:c6:98:5c:13:d4:
                    33:54:bf:c2:47:30:cd:03:56:d7:58:4c:ae:a3:40:
                    16:fb:bf:b2:d7:69:f5:90:b7:78:0a:7b:47:17:c1:
                    c8:66:11:ec:69:ae:7c:3a:57:83:34:8f:45:91:0c:
                    f9:76:be:8f:30:31:96:55:55:63:db:40:70:ea:fa:
                    92:7d:e0:5a:3e:b6:6a:dc:e6:f9:ec:b2:b6:8d:7c:
                    7f:36:02:d8:81:13:53:60:e8:c3:60:9f:78:27:a7:
                    40:a9:81:75:81:e9:4f:b2:05:9f:cf:8d:5f:9e:c6:
                    8b:99:4f:41:93:cf:7f:cb:f4:8c:50:ad:df:f3:9a:
                    4f:40:27:9d:0b:e4:f8:04:36:a3:d5:1a:8b:b5:9a:
                    91:84:0d:41:5e:aa:96:2f:3c:41:4d:2c:ec:66:0f:
                    04:6e:b6:bb:8b:68:73:d1:93:7d:5d:c8:ba:cc:9e:
                    87:14:7d:8a:1b:b6:d4:f6:9a:f8:2a:85:6e:5e:2f:
                    d3:b1:24:1d:55:0d:7e:b1:34:60:40:d6:04:b1:db:
                    81:fc:39:13:a6:f8:d6:05:51:4a:fc:01:87:25:09:
                    a1:26:a0:c4:17:1a:17:54:e2:12:37:33:10:fc:c0:
                    fb:bf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.annualcreditrep.com, DNS:ws.annualcreditreport.com, DNS:annualcreditreport.com, DNS:ws.annualcreditrep.com, DNS:www.annualcreditreport.com
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://gn.symcb.com/gn.crl

            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.2
                  CPS: https://www.geotrust.com/resources/repository/legal
                  User Notice:
                    Explicit Text: https://www.geotrust.com/resources/repository/legal

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: 
                keyid:D2:6F:F7:96:F4:85:3F:72:3C:30:7D:23:DA:85:78:9B:A3:7C:5A:7C

            Authority Information Access: 
                OCSP - URI:http://gn.symcd.com
                CA Issuers - URI:http://gn.symcb.com/gn.crt

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : DD:EB:1D:2B:7A:0D:4F:A6:20:8B:81:AD:81:68:70:7E:
                                2E:8E:9D:01:D5:5C:88:8D:3D:11:C4:CD:B6:EC:BE:CC
                    Timestamp : Aug  2 18:35:05.602 2017 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:8A:15:FF:4C:E9:31:C3:94:B7:AF:8B:
                                AA:E7:96:6F:6B:DD:60:FE:82:37:EE:92:F3:3F:6E:E6:
                                9C:B1:B9:D5:AB:02:20:79:7D:99:26:7D:98:9B:04:EC:
                                4E:45:A3:B6:3F:14:9D:9D:DC:9B:7A:6E:F4:FF:42:86:
                                59:F8:B1:AF:28:37:0B
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                    Timestamp : Aug  2 18:35:05.621 2017 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:3E:A8:D5:FD:05:F6:32:F7:CC:2A:9D:36:
                                DD:BC:36:50:9E:CC:D4:AF:F7:5E:1D:42:C6:31:D6:7C:
                                A5:9B:4F:89:02:20:7F:3C:9D:F8:9D:16:C0:2F:24:CE:
                                F4:D0:F7:E3:7A:4A:C6:C0:61:32:8B:BB:4A:3A:46:A6:
                                78:A9:CF:23:96:03
    Signature Algorithm: sha256WithRSAEncryption
         cb:36:e8:00:03:23:02:1d:cb:2e:39:6a:0e:c9:82:28:86:11:
         81:5c:44:1d:60:32:9e:33:19:16:9f:41:a1:41:ea:84:8f:00:
         82:2f:e4:22:20:b7:b4:be:1a:a4:a0:ae:a6:82:0b:74:7a:20:
         a5:3f:e8:59:c3:8b:da:c0:6e:06:9e:c0:fe:8d:ab:31:43:18:
         66:1b:be:5e:e0:88:56:46:e9:dc:5e:f7:8c:10:c9:7e:e1:1d:
         17:4d:ac:26:c8:f5:a3:7f:57:9c:f0:57:d9:af:d4:87:c3:9a:
         69:4f:ce:e9:3e:9b:5b:ee:78:de:71:f1:09:fd:9a:65:16:0e:
         a7:a3:e8:70:53:2e:76:6d:1c:1f:96:59:0e:7f:25:7a:3a:11:
         40:7d:93:22:c4:0f:27:55:7b:b2:71:b1:78:bc:11:18:8a:b2:
         3b:af:ff:4b:6d:0c:78:b7:cf:7a:7b:35:9a:ef:25:76:78:c3:
         7e:58:6f:10:d3:f8:fd:d1:3a:32:26:1d:68:90:83:10:67:d5:
         2c:ad:7d:28:2f:ef:2f:61:3a:5c:8c:b6:d2:70:39:85:5a:81:
         f7:d2:ef:43:b4:7f:af:8e:5a:33:07:3d:58:1a:11:ea:1e:51:
         3d:93:ed:03:f2:2f:1b:b2:0d:06:4b:25:f3:11:9b:9d:13:78:
         cb:61:c0:37
-----BEGIN CERTIFICATE-----
MIIGazCCBVOgAwIBAgIQK2LZbHUUxplhij6N9Em33jANBgkqhkiG9w0BAQsFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
R2VvVHJ1c3QgU1NMIENBIC0gRzMwHhcNMTcwODAyMDAwMDAwWhcNMTgwNzA3MjM1
OTU5WjCBgDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcM
B0F0bGFudGExGzAZBgNVBAoMEkNlbnRyYWwgU291cmNlIExMQzELMAkGA1UECwwC
SVQxIzAhBgNVBAMMGnd3dy5hbm51YWxjcmVkaXRyZXBvcnQuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwDtO848QDU7c8UikqyGJStfIyNyUlChT
xphcE9QzVL/CRzDNA1bXWEyuo0AW+7+y12n1kLd4CntHF8HIZhHsaa58OleDNI9F
kQz5dr6PMDGWVVVj20Bw6vqSfeBaPrZq3Ob57LK2jXx/NgLYgRNTYOjDYJ94J6dA
qYF1gelPsgWfz41fnsaLmU9Bk89/y/SMUK3f85pPQCedC+T4BDaj1RqLtZqRhA1B
XqqWLzxBTSzsZg8Ebra7i2hz0ZN9Xci6zJ6HFH2KG7bU9pr4KoVuXi/TsSQdVQ1+
sTRgQNYEsduB/DkTpvjWBVFK/AGHJQmhJqDEFxoXVOISNzMQ/MD7vwIDAQABo4ID
GjCCAxYwgYsGA1UdEQSBgzCBgIIXd3d3LmFubnVhbGNyZWRpdHJlcC5jb22CGXdz
LmFubnVhbGNyZWRpdHJlcG9ydC5jb22CFmFubnVhbGNyZWRpdHJlcG9ydC5jb22C
FndzLmFubnVhbGNyZWRpdHJlcC5jb22CGnd3dy5hbm51YWxjcmVkaXRyZXBvcnQu
Y29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCsGA1UdHwQkMCIwIKAeoByG
Gmh0dHA6Ly9nbi5zeW1jYi5jb20vZ24uY3JsMIGdBgNVHSAEgZUwgZIwgY8GBmeB
DAECAjCBhDA/BggrBgEFBQcCARYzaHR0cHM6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jl
c291cmNlcy9yZXBvc2l0b3J5L2xlZ2FsMEEGCCsGAQUFBwICMDUMM2h0dHBzOi8v
d3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeS9sZWdhbDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU0m/3lvSFP3I8
MH0j2oV4m6N8WnwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8v
Z24uc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ24uc3ltY2IuY29tL2du
LmNydDCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AN3rHSt6DU+mIIuBrYFocH4u
jp0B1VyIjT0RxM227L7MAAABXaQ61gIAAAQDAEcwRQIhAIoV/0zpMcOUt6+LqueW
b2vdYP6CN+6S8z9u5pyxudWrAiB5fZkmfZibBOxORaO2PxSdndybem70/0KGWfix
ryg3CwB1AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABXaQ61hUA
AAQDAEYwRAIgPqjV/QX2MvfMKp023bw2UJ7M1K/3Xh1CxjHWfKWbT4kCIH88nfid
FsAvJM700PfjekrGwGEyi7tKOkameKnPI5YDMA0GCSqGSIb3DQEBCwUAA4IBAQDL
NugAAyMCHcsuOWoOyYIohhGBXEQdYDKeMxkWn0GhQeqEjwCCL+QiILe0vhqkoK6m
ggt0eiClP+hZw4vawG4GnsD+jasxQxhmG75e4IhWRuncXveMEMl+4R0XTawmyPWj
f1ec8FfZr9SHw5ppT87pPptb7njecfEJ/ZplFg6no+hwUy52bRwfllkOfyV6OhFA
fZMixA8nVXuycbF4vBEYirI7r/9LbQx4t896ezWa7yV2eMN+WG8Q0/j90ToyJh1o
kIMQZ9UsrX0oL+8vYTpcjLbScDmFWoH30u9DtH+vjlozBz1YGhHqHlE9k+0D8i8b
sg0GSyXzEZudE3jLYcA3
-----END CERTIFICATE-----

In this example, the following snippet is of interest:
Code:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
Now for the bottom line on what the server had to say about the human readable claim:
2048 bit, RSA Encryption is NOT the "highest level of ...", 2048 bits is the current minimum recommended RSA key length.
(It is probably the most widely level currently in use (even by the government in public facing networks), but not "the highest level" - that is the exaggeration.)

And nothing about the communications channel can be any more secure than the weakest link.

Note 1:
I am not claiming that the web-site that 143 million people are being directed to is not secure.
I am claiming that even such a site has exaggerated claims of the security level(s) they practice for the user to read.

(*) "command line access" : Any, serial port, ssh, telnet, kTerm ...

# 14 666
Last edited by knc1; 09-09-2017 at 11:17 PM.
knc1 is offline   Reply With Quote
Reply

« Previous Thread | Next Thread »

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ADE Security Update & Security of Old Versions bookmarked General Discussions 9 03-09-2016 09:40 PM
Checking in Akulat Introduce Yourself 4 05-25-2012 08:08 PM
Checking in louturn Introduce Yourself 5 01-28-2010 08:23 PM
Hi... checking in from LA 911jason Introduce Yourself 11 08-23-2009 12:37 AM


All times are GMT -4. The time now is 06:38 AM.

Contact Us - FAQ - Guidelines - Privacy - Top

MobileRead.com is a privately owned, operated and funded community.