Tuesday, June 11, 2013

Introduction to the CILogon Basic CA

CILogon Basic CA is a service that allows students at universities with existing single sign-on systems to use their campus credentials to get a certificate issued by the CILogon Basic CA instantly. The certificate is issued only after the campus single sign-on system has verified the user's credentials.

If you manage an OSG VO and your university is already on the list of sites on the CILogon Basic CA web page, http://cilogon.org/osg, then your VO members can get CILogon Basic CA certificates now. Note that getting a certificate is not enough on its own: the certificate will also have to be registered with your VO's VOMS service. This registration step provides an additional security check on all certificate registrations.

If you run an OSG site, the OSG Security Team is looking for sites willing to accept CILogon Basic CA certificates from users for access to your resources. In most cases this involves just installing the cilogon-ca-certs rpm.

The downside to the CILogon Basic CA for some people is that there is one provider, protect.net, that will let anyone with a valid email address request an account.

This is not a problem for grid services, since in addition to a valid certificate, a grid user needs a DN mapping entry in their VO's VOMS server or grid-mapfile before they can access any grid resource. If, however, other services such as web pages are restricted only to "any valid client certificate", then those permissions should be revisited once the CILogon Basic CA certificates are installed, since the set of people able to present such a certificate will more than likely include more than just research-related individuals.
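The distinction above, between "the certificate validated against a trusted CA" and "this subject is registered with the VO", is the whole point of the grid-mapfile check. The following is an added example, not OSG, CILogon or VOMS code. It assumes the classic grid-mapfile layout (one line per entry: a double-quoted subject DN followed by one or more comma-separated local account names) and uses constructed sample DNs; the DN string format is an assumption about how a CILogon-issued subject would appear.

```python
"""Authorization after certificate validation: a grid-mapfile lookup.

Added example (not OSG, CILogon or VOMS code). Assumes the classic
grid-mapfile format: one entry per line, a double-quoted certificate
subject DN followed by one or more local account names separated by
commas. All DNs below are constructed sample values.
"""
import re
from typing import Dict, List, Optional

# Constructed sample grid-mapfile: only DNs the VO has registered appear here.
SAMPLE_GRIDMAP = """\
# grid-mapfile (constructed sample)
"/DC=org/DC=cilogon/C=US/O=Example University/CN=Alice Researcher A123" vo1user
"/DC=org/DC=cilogon/C=US/O=Example University/CN=Bob Admin B456" vo1user,vo1admin
"/DC=org/DC=doegrids/OU=People/CN=Carol Legacy 789" vo2user
"""

# A quoted DN (which may contain spaces), whitespace, then the account list.
_ENTRY = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {subject DN: [local accounts]} for every well-formed line.

    Blank lines and '#' comments are skipped. A malformed line raises, so a
    truncated or corrupted map fails closed instead of silently dropping
    entries or mapping the wrong DN.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {lineno} is malformed: {line!r}")
        dn, accounts = m.group(1), m.group(2).split(",")
        mapping[dn] = [a for a in accounts if a]
    return mapping


def authorize(subject_dn: str, mapping: Dict[str, List[str]]) -> Optional[str]:
    """Map an already-verified certificate subject to a local account.

    Certificate validation (chain to a trusted CA, expiry, revocation) is
    assumed to have happened before this call. This function only answers the
    separate question "is this DN registered with the VO?". An unregistered
    DN is denied (None) even when its certificate came from a trusted CA.
    """
    accounts = mapping.get(subject_dn)
    return accounts[0] if accounts else None


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    # Registered with the VO: mapped to a local account.
    alice = "/DC=org/DC=cilogon/C=US/O=Example University/CN=Alice Researcher A123"
    print(alice, "->", authorize(alice, gm))
    # Issued by the same CA but never registered with the VO: denied.
    outsider = "/DC=org/DC=cilogon/C=US/O=Example University/CN=Mallory Outsider M999"
    print(outsider, "->", authorize(outsider, gm))
```

A web service that only checks `SSLVerifyClient`-style "the chain validated" and then grants access is equivalent to calling `authorize` with a map that contains every DN; the grid-mapfile lookup is what turns "holds a certificate from a CA we trust" into "is a person this VO has vetted".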

Friday, March 8, 2013

Java security updates released this week

Oracle has released new versions of Java 6 and Java 7 in response to new vulnerabilities that allow malicious web sites to gain full access to systems when they are visited by web browsers with Java enabled.

This only affects client-side use of Java, such as Web Start apps or the Java plugin in web browsers. It should not be exploitable through server-side uses of Java.

As a precaution, however, everyone is advised to install the latest Java patches. Scientific Linux and Red Hat have both released updated Java 6 and 7 packages. New packages for Mac and Windows systems are also available.

Tuesday, January 15, 2013

New Java Exploit in the Wild

Last week a vulnerability was discovered in Java 7 that allows a compromised web site to take control of any computer that visits it with a web browser that has the Java plugin enabled. It has been reported to be actively exploited in the wild.

The vulnerability appears to be specific to Java 7, and specifically to the web browser plugin, so grid services do not appear to be vulnerable.

Oracle released a new version of Java on Sunday that should fix this vulnerability. Until the update is installed, it is recommended that people disable the Java browser plugin if it is not needed.

Here's an article that has a good list of FAQs about this vulnerability:
https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/