So, as I said yesterday, I'm a big fan of Microsoft Tags. There have been many times when I've been out and about and I've seen an ad or poster that I've wanted more details on, snapping a picture of a small barcode is much easier than jotting down the details. However, as I played with creating my own barcodes last night I thought about the security implications of them.
Let's imagine it's a year from now and tags are wildly popular. They are on every concert poster on every light post on the street. They are on billboards, bus schedules and in stores (put a barcode on your box so shoppers can pull up additional product info). Everyone is snapping pics and storing information. It's fast, it's easy and it's convenient.
Now I come along, Mr. Malicious... I visit the Microsoft Tag website and create tags pointing to malicious sites. The site detects if you have a Blackberry, iPhone or Windows Mobile and serves up custom browser exploits. I print out hundreds of these tags and start going into stores and pasting them to products, or walking down the street and covering up the tags on the posters with the malicious tags.
There's no confirmation of the site you're visiting, no testing (that I'm aware of) to ensure the link in the tag isn't malicious. Where's the defense against this?
What if they contain a malicious vcard file that harvests your contacts, or turns your phone into a sms spamming device?
I realize that Microsoft Tag is still a beta product, but I'm wondering what thoughts Microsoft has had around tag security, if any. Before I become to attached, it would be nice to know that when the subway gets Tag support, I won't be killing my phone by snapping the tag to get updated route schedules.
I was unaware of Microsoft Tag until I saw a post the other day that a Tag application had been released for the iPhone. I read a little bit and was rather impressed, but disappointed because I don't have an iPhone. I did a little more reading, however, and found that there were already apps for Blackberry and Windows Mobile (I have both). I've download the Blackberry app and tested on the demo image. I'm really impressed. It was easy enough to snap (even with the crappy camera on the Pearl) and get the page to load. I don't know if these tags are very wide spread or in use, but I'm excited to see them get a foot hold and become popular.
Tags are free to create on the Microsoft website and you can create them for URLs, vCards or Free Text.
I thought this was pretty cool
treguly@ns:~$ host -t txt foobar.wp.dg.cx
foobar.wp.dg.cx descriptive text "The term foobar is a common
placeholder name, also referred to as metasyntactic variable, used in
computer programming or computer-related documentation. In technology,
the word was probably originally propagated through system manuals by
Digital Equipmen" "t Corporation in 1960s and early 1970s. Another
possibility is that foobar evolved from electronics, as an inverted
foo... http://a.vu/w:Foobar"
Simple replace foobar with the search term of your choice.
The Author's page describing this is available here:
https://dgl.cx/wikipedia-dns
Guess what, this isn't a post about the recent Rogue CA presentation... just something I came across that frustrated me.
I recently went to check out adsense to see if it's ever actually made me any money. Being Canadian and using google.ca hourly (since google.com forces me to google.ca I might as well type it myself), I typed in www.google.ca/adsense. I was kicked over to https://www.google.ca/adsense and had the following appear in Firefox
I know it's obvious what the problem is, but let's look at my other screenshots since I took the time to take them.
Now why can't a company like Google get their SSL certs right? How's the general public ever supposed to trust SSL if major web-based companies are too lazy to get proper SSL certs? I'm actually rather disppointed by this. I've actually trained some of my family to not venture into sites with improper SSL certs (or at least investigate them first) and this would confuse them and set all the effort that I've made back several steps.
We always talk about educating the user, and I believe that SSL is something we can properly educate the end user about, however that requires an effort on the part of the website / vendor in question. This time Google has failed.
