Thursday, October 25, 2012

New study about Validating SSL Certificates in Non-Browser Software


Scientists from the University of Texas and Stanford University have published a study about SSL encryption in a range of products and services.
Even applications that encrypt their traffic often do not properly verify the identity of the sender or receiver: the certificate chain is not validated, or the hostname is never compared with the certificate. I have seen this before in online backup services, password sync tools and so on.
So this is nothing new, but it is amazing that we still have to deal with it.

Read the article http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
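To make the point concrete, here is an added example (mine, not from the study or the blog) in Python. It shows the two settings that decide whether a client actually authenticates its peer, an audit helper that flags a context which skips them, and a small hostname-matching routine over a certificate dictionary in the shape returned by `ssl.SSLSocket.getpeercert()`. The certificate dictionary is constructed for the example; the function and variable names are my own.

```python
import ssl

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for a client SSLContext.

    A context that passes both checks authenticates the server: the
    certificate chain must validate, and the hostname must match it.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not validated (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate (check_hostname=False)")
    return findings

def weak_client_context() -> ssl.SSLContext:
    """The pattern the study criticises: encryption on, identity off.

    Constructed for this example; any valid-looking certificate (including
    one issued for a different host, or self-signed) is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Library defaults: chain validation against the system trust store
    plus hostname verification (check_hostname=True, CERT_REQUIRED)."""
    return ssl.create_default_context()

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Simplified RFC 6125 style check: only subjectAltName DNS entries
    count, and a wildcard matches exactly one left-most label.

    Illustrative only; production code should rely on the TLS library's
    own check (check_hostname=True) rather than reimplementing it.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        labels = pattern.split(".")
        if labels[0] == "*" and len(labels) > 2:
            # "*.example.test" matches "api.example.test" but not
            # "a.b.example.test" and not the bare "example.test".
            if len(host_labels) == len(labels) and host_labels[1:] == labels[1:]:
                return True
        elif pattern == host:
            return True
    return False

# Constructed sample certificate in getpeercert() dictionary form.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}

# Constructed certificate that carries only a CN and no SAN; a SAN-only
# check (like modern browsers) refuses to match it at all.
CN_ONLY_CERT = {"subject": ((("commonName", "example.test"),),)}

if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
    for name in ("example.test", "api.example.test", "a.b.example.test", "example.test.evil.test"):
        print(name, hostname_matches(SAMPLE_CERT, name))
```

The audit helper is the check to run against any context a library hands you: a client whose context produces either finding is the case the study describes, encrypted but talking to whoever answers.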

Thursday, October 11, 2012

1-2-3 : See what is in a SAML response



1. Get Fiddler 2 installed from http://www.fiddler2.com/fiddler2/version.asp: download it and activate HTTPS inspection (HTTPS inspection can break the communication for some services when it is activated, e.g. Outlook using RPC over HTTP)

2. Download XML Notepad from here http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=7973


3. Start Fiddler, hit F8 to see the Inspectors

4. Log on to your SaaS application

5. Go back to Fiddler. Click on the first entry in Web Sessions that hits the SaaS vendor, click on Inspectors and then RAW on the right hand side. Copy the SAMLResponse value from the RAW tab to https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php and click on "Decode"

6. Copy the decoded SAMLResponse to the clipboard.

7. Open XML notepad and hit CTRL-V.
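Steps 5 to 7 can also be done offline without pasting the token into a third-party site. The following is an added example (my own code, not part of the post or of Fiddler) in Python: it takes the `SAMLResponse` value as it appears in the RAW tab (either the whole form-encoded body or just the value), base64-decodes it, inflates it if it came via the HTTP-Redirect binding, pretty-prints the XML and pulls out the fields worth checking. The sample response is constructed inline; the issuer, audience and subject values in it are made up.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from xml.dom import minidom

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def decode_saml_response(raw: str) -> bytes:
    """Turn a copied SAMLResponse (form body or bare value) into XML bytes."""
    raw = raw.strip()
    if "SAMLResponse=" in raw:
        # Whole POST body, e.g. "SAMLResponse=PHNh...%3D&RelayState=..."
        value = urllib.parse.parse_qs(raw)["SAMLResponse"][0]
    elif "%" in raw:
        value = urllib.parse.unquote_plus(raw)   # URL-encoded bare value
    else:
        value = raw                              # already plain base64
    data = base64.b64decode(value)
    if not data.lstrip().startswith(b"<"):
        # HTTP-Redirect binding additionally raw-DEFLATEs the XML.
        data = zlib.decompress(data, -15)
    return data

def pretty_print(xml_bytes: bytes) -> str:
    """Indented XML, the same view XML Notepad gives you."""
    return minidom.parseString(xml_bytes).toprettyxml(indent="  ")

def summarize_response(xml_bytes: bytes) -> dict:
    """Extract the fields a reviewer checks first.

    Note: ElementTree is fine for tokens you captured yourself; for XML
    from untrusted parties use a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_bytes)

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    conditions = root.find("saml:Assertion/saml:Conditions", NS)
    return {
        "issuer": text("saml:Issuer"),
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "name_id": text("saml:Assertion/saml:Subject/saml:NameID"),
        "audience": text("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        # Which parts carry a signature decides what the SP can actually trust.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
    }

# Constructed sample: a minimal, signed-assertion SAML 2.0 Response.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2012-10-11T10:00:00Z" Destination="https://saas.example/acs">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-10-11T10:00:00Z">
    <saml:Issuer>https://idp.example/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-10-11T09:55:00Z" NotOnOrAfter="2012-10-11T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saas.example/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the RAW tab shows for the HTTP-POST binding (constructed from the sample above).
SAMPLE_POST_BODY = "SAMLResponse=" + urllib.parse.quote_plus(base64.b64encode(SAMPLE_XML).decode()) + "&RelayState=abc"

if __name__ == "__main__":
    xml_bytes = decode_saml_response(SAMPLE_POST_BODY)
    print(pretty_print(xml_bytes))
    for key, value in summarize_response(xml_bytes).items():
        print(f"{key}: {value}")
```

The summary is the part to look at when comparing what the identity provider sends with what the SaaS application accepts: the `Destination` and `Audience` should name the SaaS endpoint, `NotOnOrAfter` should be tight, and at least the assertion should be signed.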