Ramen Code

The plaintiffs in Toyota’s Unintended Acceleration lawsuit had someone with knowledge in building embedded software had a look at Toyota’s source code:

possible bit flips, task deaths that would disable the failsafes, memory corruption, single-point failures, inadequate protections against stack overflow and buffer overflow, single-fault containment regions, thousands of global variables. The list of deficiencies in process and product was lengthy.


After reading how CloudFlare handles their PKI and that LetsEncrypt will use it I wanted to give CFSSL a shot.

Reading the project’s documentation doesn’t really help in building your own CA, but searching the Internet I found Fernando Barillas’ blog explaining how to create your own root certificate and how to create intermediate certificates from this.

I took it a step further I wrote a script generating new certificates for several services with different intermediates and possibly different configurations (e.g. depending on your distro and services certain cyphers (e.g. using ECC) may not be supported).
I also streamlined generating service specific key, cert and chain files. 😀

Have a look at the full Gist or just the most interesting part:

You’ll still have to deploy them yourself.

Update 2016-10-04:
Fixed some issues with this Gist.

  • Fixed a bug where intermediate CA certificates weren’t marked as CAs any more
  • Updated the example CSRs and the script so it can now be run without errors

NSA’s MITM attack on Cryptome

The moment you find out the NSA is performing MITM attacks on your website’s visitors from a leaked slide deck:

But here is the thing — and this is crucial — the address for Cryptome is listed to be the location of a fiber optic cable junction in Sterling, VA (next to an Amusement Machine company)… which is quite some distance away from your location in NYC, and a considerable distance from your ISP who hosts your file, and it is located away from any signal switching systems use in the area, but it is virtually next door to fiber that goes to a large NSA listening post nearby.

The reason it is notable, is that someone at or near the location in Sterling, VA is performing a MITM attack on Cryptome visitors, and this image out of the slidedeck with the two GPS coordinates is the U.S. Government performing a MITM attack against Cryptome and sharing the collected intelligence with the Brits, or the U.S. Government giving the British government backdoor access into the U.S. (illegal) collection systems.