Showing posts with label ssl-explorer.

Sunday, October 18, 2009

Adito now OpenVPN ALS

SSL-Explorer --> Adito --> OpenVPN ALS

The Adito project, discussed often here and in toolsmith, is now OpenVPN ALS.
Back on April 23rd, Francis Dinha, CEO of OpenVPN Technologies, contacted me after reading my March 2009 toolsmith article on Adito and asked about working with the project to become part of OpenVPN. I connected Francis with Adito project developer Samuli Seppanen, they reached an agreement, and Adito is now OpenVPN ALS.

Francis recently indicated that he's in the process of hiring more developers and will assign a developer specifically to the ALS project. With more QA testing and improvement, OpenVPN Technologies will soon consider OpenVPN ALS fully stable.



Download it today, give the project feedback, and look forward to further enhancements.

Cheers.


Saturday, February 28, 2009

toolsmith article on Adito SSL VPN now available

My toolsmith column in the March 2009 issue of the ISSA Journal is a comprehensive discussion on Adito, an open source, browser-based SSL VPN that, in essence, replaces SSL-Explorer.
It's a fantastic offering that is now enjoying enhanced development support and offers many of the features you'd expect from a commercial SSL VPN solution.
Check it out at your earliest convenience.
Cheers.


Tuesday, January 13, 2009

The McAfee Secure Standard has been published

McAfee has alerted me that the McAfee Secure Standard has been published on the McAfee Secure (formerly ScanAlert Hacker Safe) website.
The McAfee SECURE Standard
Joe Pierini and Kirk Lawrence started this process with me prior to their departure from McAfee, and work continued in their absence, largely at the hands of Will M., who's been communicative and inclusive in their stead.
I applaud McAfee for staying true to their commitment to publish the McAfee Secure Standard.
While I may not agree with everything in it, a standard is better than no standard.
That said, my concerns with the Standard as discussed earlier remain unaddressed.
First, you will find that remediation of what McAfee deftly refers to as Client Side Vulnerabilities is Optional. The Client Side Vulnerabilities category includes the entire family of script insertions.
Clarified, this means that merchants displaying the McAfee Secure trustmark are under no obligation to repair such vulnerabilities; the trustmark will remain displayed unabated by the truth.
My position here is clear.
If a website declaring itself secure via a McAfee Secure trustmark is vulnerable to cross-site scripting (XSS), I believe that declaration to be false and misleading. Further elaborated, the McAfee Secure Standard's Client Side Vulnerability category includes cross-site request forgery (CSRF).
While I choose not to out any site in particular at this time, I can assure you with all professional certainty that there are sites displaying a McAfee Secure trustmark that are vulnerable to CSRF. In the case of sites using one particular application, the CSRF vulnerability is so severe, an attacker can escalate privilege in short order.
This is a vulnerability that I've discovered and disclosed responsibly, so I won't discuss it further at this time.
But I ask you, should a site vulnerable to such an attack be labeled as McAfee Secure, per their freshly published Standard?
I think not.
Also Optional on the McAfee Secure Standard: SSL Encryption.
Should a website that conducts financial transactions, yet does not choose to encrypt transaction traffic, be allowed to display a McAfee Secure trustmark?
I think not.
Ironically, the McAfee Secure Standard directly compares itself to PCI DSS. None of the vulnerabilities listed as Optional, per the McAfee Secure Standard, are acceptable for PCI certification.
While the McAfee Secure Standard carefully delineates the difference between the Secure trustmark program and their PCI Compliance program, it's not as black and white as they may think. McAfee is a PCI approved scanning vendor (ASV), and a provider of a popular PCI compliance service.
Should they really hold one set of customers to a different standard than the other?
I think not.
Again, I applaud McAfee for publishing the McAfee Secure Standard.
I never imagined we'd get this far, so I humbly ask McAfee to consider the following.
1) Don't bury the Standard. Announce it. Publicize it. Embrace discussion about it. Provide a link to it from the McAfee Secure website. While we may have differences over some of its content, the McAfee Secure Standard is a bold step. Let people know.
2) Disguising script insertions (XSS and CSRF) in the Client Side Vulnerabilities category is a disservice to your customers, and their customers. The "clients" in Client Side Vulnerabilities are consumers using these sites. I believe you are beholden to these consumers as much as you are your own.
Extend the timetable for merchant repair of these vulnerabilities if you must, but said repair should not be Optional.
3) A McAfee Secure site, with a McAfee Secure trustmark, without an SSL certificate is unfathomable. While many a vulnerability can be exploited under the umbrella of SSL protection, SSL encryption is nonetheless an industry standard that should not be Optional.
These things I ask of McAfee in the name of common sense and consumer well-being.
To quote the McAfee Secure website:
"When you display the McAfee Secure certification mark, you not only increase sales by increasing shopper confidence, you build your brand with the security seal seen on more top sites than any other."
Is "increasing confidence" at the expense of industry standards, and real web security a violation of good faith and the very trust you seek to build?
I think so.

As always, I welcome constructive and thoughtful comments and feedback.


Monday, December 29, 2008

Adito: open source, browser-based SSL VPN replaces SSL-Explorer

Update 2/6/09:
The March 2009 issue of toolsmith in the ISSA Journal will feature a complete review of Adito, including installation and usage. Expect the article to go live around 3/1/09.

In February 2006 I discussed SSL-Explorer, a project that is no longer supported.
It does however have new life in a project called Adito.
Much as SSL-Explorer was described, Adito is an open-source, browser-based SSL VPN solution. It's a remote access solution that provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.

Further:
Adito was forked from SSL-Explorer 1.0.0-rc17 for several reasons:
- To keep the already robust and functional open source codebase from decaying
- To reform SSL-Explorer (now Adito) from one company's product and a brand into a true community project
- To add new, exciting functionality
- To integrate existing functionality (e.g. sslexplorer-pam) into the program without the need to maintain it out of the source tree


This project shows updates as recently as December 19, 2008, and is in need of a developer so I'm hopeful maintenance and project enhancement will continue in earnest.
Give Adito a good look and let me know what you think; I may cover it in toolsmith.


Sunday, February 26, 2006

SSL-Explorer: Browser-based Open Source SSL VPN Solution

I've been waiting for a solution like SSL-Explorer to come along.
SSL VPN is undoubtedly the VPN solution that many enterprises will be moving to. Yes, the cost for appliance based SSL VPN platforms has dropped dramatically with the SonicWALL SSL-VPN $200 coming in around $450 to $600. But if you want to roll your own, SSL-Explorer is the way to go. A single port-forward to a dedicated SSL-Explorer server and you're on your way.
From Nottingham, UK comes 3SP and SSL-Explorer, described as "the world's first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser."
I've successfully deployed this solution in a development environment and found it easy to install, quick to configure, and popular with users.
May I suggest trying it for yourself here: SSL-Explorer.
SSL-Explorer can leverage Active Directory, and yet is licensed under the GNU General Public License and you can install it on Windows or Linux.
You can use the free version or opt for the supported, feature-rich SSL-Explorer Xtra.
The feature list is long, just go check it out: SSL-Explorer.
