Connecting with the 21st century
Posted by Steve Revill Fri, 26 Apr 2019 21:33:00 GMT
Barely a day goes by without a data leak or hacking attempt on some of the world’s biggest corporations, so it’s more important than ever to keep your security software up to date. One of the aims of this first step in overhauling the RISC OS network stack was to purge any out-of-date and weak protocols.
Which areas were improved?
Firstly, the easily intercepted T/TCP protocol was stripped out of the Internet module (version 5.64 and later). In theory, if a connection was made to a site using T/TCP, a thief could sit between you and the site and either copy the data you sent or return bogus pages to you.
For programmers, a handful of common name resolution and IPv6 functions, which crop up often in software that might be ported from other popular operating systems, were added to the TCP/IP library (version 5.66 and later). Developers should start to migrate to these ahead of the old functions becoming deprecated.
The internet database, held inside !Internet (version 5.60 and later), now contains a list of approved certificate issuers. A certificate is used to prove a connection is trustworthy, but if the chain is compromised, a malicious web site could be made to look genuine when it is not.
Lastly, a new generation of the AcornSSL module was created (version 1.04 and later). This uses a standard sockets interface that programmers will no doubt be familiar with and, despite its name, doesn’t support SSL at all! TLS is the acronym for the current state of the art in security.
New applications, new possibilities
It’s great to see application authors already taking advantage of the output of this bounty, including but not limited to:
- New application Recce from Sine Nomine which integrates with RiscOSM
- An updated Messenger from RComp to fetch email from a secure server
- Prophet business accounts from Elesar can send VAT data to the UK tax man
- The free of charge AntiSpam software fetches and filters email from a secure server
- Someone’s even used an old copy of Browse to go to https sites
So many services have online access that this makes many other applications possible – let us know in the comments section if you hear of more!
Beyond 2019
It’s no good updating our security only to let it lapse again, putting RISC OS back in the position of using years-old security protocols. To help combat this, the bounty has taken a view to the future.
- The new AcornSSL module is built on top of the mbedTLS library
- mbedTLS is regularly maintained by Arm
- Updating the library is a relatively mechanical process, and immediately brings AcornSSL up to date – for example when TLS 1.3 becomes available we should be able to add that within only a few weeks
- ROOL’s server checks the root certificate database every morning and will automatically update the copy in !Internet, so it’s available to download within 48 hours should a bunch of certificates become compromised
Keep donating
There are many other bounties on the horizon, so why not head over to the bounties page and get the next one moving?