This service allows you to check your XMPP server's #TLS setup, helps you publicly store the hash of the public key in a secure way, and then monitors your server to make sure that connections to it get the same public key that you have configured and sends notifications if anything changes (which may indicate a #mitm attack on your service).
Earlier we were talking about DDOS & a colleague asked what TLS versions are used by the botnets these days... So I checked the most recent big-ish one we had:
TLS Protocol  Percentage
TLSv1.3       55.77%
TLSv1.2       44.23%
TLSv1         0.00%
This was over something like 115M total requests.
So the answer is that the botnets have better TLS libs than our overall audience. Fun times. #infoSec #webDev #TLS #DDOS
See the "visited certain websites not using HTTPS" part?
Unencrypted websites are an essential part of some exploitation chains, due to an attack method called "network injection". If the attacker can get between your website and a vulnerable visitor ... game over.
If your site is worth visiting ... aren't its visitors worth protecting?
#TLS in a private home network: is there anything being worked on to make this easier? The options seem to be:
get a valid cert using a purchased domain name and use it internally
become your own root CA and install root certs on each device
Both have significant downsides. But if you do neither you don't get that sweet sweet HTTPS that is needed for so many web features (webcam access, PWA, etc.)
Is any work being done to help improve this situation?
Yaaaaay, we have a new (old) branded #TLS vulnerability, name, logo and all: "The Marvin Attack"
"In this paper we show that Bleichenbacher-style attacks on RSA decryption are not only still possible, but also that vulnerable implementations are common. We have successfully attacked multiple implementations using only timing of decryption operation and shown that many others are vulnerable."
This is the first post of a series where we go through the performance work we did in rustls, a modern TLS library in Rust. Today we tame the borrow checker using mem::take.
Does ECH (Encrypted Client Hello) make sense in the context of "small tech", i.e. hosting your own services, or only when using global CDNs / platforms? I'm guessing the latter...
It is a tough place to be in. ECH makes some sense and could "protect" the users, but only if you use Cloudflare. But then Cloudflare gets all the data 🤷
People who run their own servers and want some clarity about the #TLS #SSL #encryption they have in place can test it with this.
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL #ciphers, protocols as well as recent cryptographic flaws and more.
Very cool new Wireshark @wireshark feature "TLS Keylog Launcher" (1) can automatically set the SSLKEYLOGFILE environment variable (2), start an application/browser (3) and directly decrypt the data (4) so you can see the cleartext (5) of TLS connections. No need to manually configure the environment/file anymore. #wireshark #tls #encryption #network #security
This week's podcast episode is about more secure web connections, better pixels, Gmail's security requirements for newsletters, and Europol's desired function creep (which was revealed before Chat Control 2.0 has even been passed). https://www.youtube.com/watch?v=MHpwv91wLYw
TIL you can show only the SAN list of a cert via openssl:
echo | openssl s_client -connect www.bbc.co.uk:443 -showcerts 2>/dev/null | openssl x509 -noout -ext "subjectAltName"
I'd always parsed that out manually.. 🤦🏻♂️ #OpenSSL #TLS #InfoSec #DevOps #SysEng
I had to install #Git on a #Windows machine today and OH MY GOD I forgot how complex of a setup process it is. I went through it again just to count the unbelievable number of steps it took:
License agreement.
Which components to install (includes proper nouns like "Git Bash", "Git LFS", and "Scalar"). Notably does not enable automatic updates by default.
Default editor for Git (doesn't include #Emacs as an option).
NIST has a practice guide for "Addressing Visibility Challenges with #TLS 1.3 within the Enterprise", discussing "key-management" (control/collect/keep all encryption keys), #middleboxes, and, you know, not encrypting data ("alternative network security protocols where forward secrecy is optional or not supported").
If you have opinions, the public comment period is now open until 2024-04-01...