This service allows you to check your XMPP server's #TLS setup, helps you publicly store the hash of the public key in a secure way, and then monitors your server to make sure that connections to it get the same public key that you have configured and sends notifications if anything changes (which may indicate a #mitm attack on your service).
This week's podcast episode is about safer web connections, better pixels, Gmail's security requirements for newsletters, and Europol's desired scope creep (which was revealed before Chat Control 2.0 has even been passed). https://www.youtube.com/watch?v=MHpwv91wLYw
Does ECH (Encrypted Client Hello) make sense in the context of "small tech", i.e. hosting your own services, or only when using global CDNs / platforms? I'm guessing the latter...
It is a tough place to be in. ECH makes some sense and could "protect" the users, but only if you use Cloudflare. But then Cloudflare gets all the data 🤷
Yaaaaay, we have a new (old) branded #TLS vulnerability, name, logo and all: "The Marvin Attack"
"In this paper we show that Bleichenbacher-style attacks on RSA decryption are not only still possible, but also that vulnerable implementations are common. We have successfully attacked multiple implementations using only timing of decryption operation and shown that many others are vulnerable."
See the "visited certain websites not using HTTPS" part?
Unencrypted websites are an essential part of some exploitation chains, due to an attack method called "network injection". If the attacker can get between your website and a vulnerable visitor ... game over.
If your site is worth visiting ... aren't its visitors worth protecting?
Yesterday I received an email from a former colleague. Among other things, he wanted to let me know that my TLS/SSL cookbook from 2016 is still highly valued and praised. That made me very happy. 😀
Microsoft deprecates #tls 1.0 and 1.1 in major products including SQL Server.
My takeaway from the #sha1 deprecation was that we only see global change on rolled out #cryptography when the likes of #microsoft and #google turn a security #threat into an availability issue.
Does anyone know of a commonly used Chrome/ium extension which would set expect-ct on web pages?
We're getting several million deprecation reports on our web pages for expect-ct but we don't set it ourselves.
Weird. #WebDev #InfoSec #Security #ExpectCT #TLS
I finally understood how to create #TLS client certificates, and I like it. It would be a good way to access services in my home network remotely without having to enter a password.
I can access https://fellr.net:1234 just fine, but you can't unless you have the certificate.
I found a little malware on my wife's PC. It connects to cdn.discordapp.com and downloads about 1½ KB. Does anyone know a way of peeking into the #TLS traffic? Maybe I could trick it into connecting to a proxy by installing a self-signed certificate?