The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘TLS’ Category

Getting A or better grading on SSL Labs HTTPS tests

Posted by jpluimers on 2016/12/30

Now that everyone has had enough time to get proper TLS certificates, for instance from Let's Encrypt, it is time to up the ante: score better than an A (that is, an A+) on the SSL Labs tests, run from either their main site or their dev site.

Here are some links to get there:

–jeroen

Posted in *nix, Apache2, Communications Development, Development, Encryption, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), Power User, Security, TCP, TLS

Differences between SFTP and “FTP over SSH” – Stack Overflow

Posted by jpluimers on 2016/10/13

As I will likely have to secure some external FTP sessions soon, and the endpoints the current FTP client connects to are vague about what they support, here is the difference:

  • SFTP (SSH file transfer protocol) is a protocol that provides file transfer and manipulation capabilities. It can work over any reliable data stream, but is typically used with SSH.
  • “FTP over SSH” uses the regular old FTP protocol, but an SSH tunnel is placed between client and server.

Source: Kristopher Johnson answering in c# – Differences between SFTP and “FTP over SSH” – Stack Overflow
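An added example, not part of the Stack Overflow answer above nor of this blog: with "FTP over SSH" the SSH port forward carries only the control connection, while FTP opens a second TCP connection for every listing or transfer, to whatever address the server announces in its PASV or EPSV reply. The script below parses such replies (constructed here, no network involved) and checks whether the announced data endpoint is one that the hypothetical forward `ssh -N -L 2121:ftp.internal.example:21 jump.example` actually covers. The hosts, ports and the forward itself are assumptions for the illustration.

```python
"""Which connections an SSH port forward protects in "FTP over SSH".

Added example, not the Stack Overflow answer's code. Parses constructed
FTP passive-mode replies offline and checks whether the *data* connection
they announce would travel through the forwarded port at all.
"""
import re
from typing import NamedTuple

# Hypothetical setup: the client ran
#   ssh -N -L 2121:ftp.internal.example:21 jump.example
# and pointed its FTP client at localhost:2121. Only connections to that
# local socket ride inside SSH; anything else leaves the machine in clear.
FORWARDED = {("127.0.0.1", 2121)}

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")  # RFC 959
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")                       # RFC 2428


class DataEndpoint(NamedTuple):
    host: str
    port: int


def parse_pasv(reply: str) -> DataEndpoint:
    """227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): the server names the
    address and port the client must open the data connection to."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"PASV field out of range: {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_epsv(reply: str, control_host: str) -> DataEndpoint:
    """229 Entering Extended Passive Mode (|||port|): only a port is given;
    the client reuses the host it opened the control connection to."""
    m = _EPSV_RE.match(reply)
    if not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    port = int(m.group(1))
    if not 0 < port < 65536:
        raise ValueError(f"EPSV port out of range: {reply!r}")
    return DataEndpoint(control_host, port)


def data_connection_is_tunnelled(ep: DataEndpoint, forwarded=FORWARDED) -> bool:
    """True only if the data connection targets a locally forwarded socket."""
    return (ep.host, ep.port) in forwarded


def audit_passive_reply(reply: str, control_host: str = "127.0.0.1"):
    """Return (endpoint, tunnelled) for a PASV or EPSV reply from the server."""
    ep = parse_pasv(reply) if reply.startswith("227") else parse_epsv(reply, control_host)
    return ep, data_connection_is_tunnelled(ep)


if __name__ == "__main__":
    # Constructed replies, as a server behind the forward would send them.
    for reply in ("227 Entering Passive Mode (10,0,0,5,195,80).",
                  "229 Entering Extended Passive Mode (|||50001|)"):
        ep, ok = audit_passive_reply(reply)
        print(reply, "->", f"{ep.host}:{ep.port}", "tunnelled" if ok else "NOT tunnelled")
```

In both constructed cases the data connection bypasses the forward: the PASV reply points at the server's own address, so the transfer either leaves the client in clear or fails if that address is not routable, and the EPSV reply points at a local port on which nothing listens unless every port of the server's passive range is forwarded as well. Active mode (PORT) is worse still, since the server connects back to the client. SFTP has no second connection at all, which is the practical reason to prefer it over tunnelled FTP.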

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Software Development, SSH, TCP, TLS

Hacking Team had more and more need for SSL MITM

Posted by jpluimers on 2015/07/07

Interesting reads:

–jeroen

Posted in Communications Development, Development, https, Internet protocol suite, LifeHacker, Power User, Security, TCP, TLS

Time to upgrade: SHAAAAAAAAAAAAA | Check your site for weak SHA-1 certificates.

Posted by jpluimers on 2015/06/01

The days of SHA-1 are quickly coming to an end. For a few weeks now, Chrome has been marking TLS/SSL certificates that are signed with SHA-1 and expire after 2015-12-31 as insecure, about 9 months after Google announced the SHA-1 sunset.

So if you haven't done so, upgrade your HTTPS certificates (HTTP/2 included, which browsers only speak over TLS) to ones signed with SHA-2. A great help here is SHAAAAAAAAAAAAA | Check your site for weak SHA-1 certificates. It is open source on GitHub.

You have less than 6 months now.

More in-depth reading (especially the comments by Ryan Sleevi): Chrome 42 (next stable) will mark SHA-1 signed certs with a validation date >2015 as insecure!

–jeroen

PS: if you really need to do the balancing act, you can technically serve the old SHA-1 certificate to clients that do not support SHA-2 and the more secure certificate to modern clients. But that is a risk, so you might as well tell those old clients they are out.

Posted in https, Power User, Public Key Cryptography, Security, TLS

Time for a new “-goto cleanup;+goto fail;” T-Shirt; The Story of the GnuTLS Bug (via: existential type crisis)

Posted by jpluimers on 2014/03/05

A new *nix bug has been discovered in TLS certificate handling, similar to the recently discovered iOS and OS X “goto fail” security issue.

This time the fix performs a few replacements like this:

-goto cleanup;
+goto fail;
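Review bot: a blanket `-goto cleanup;` / `+goto fail;` rewrite is only right at jump sites that are taken on an error condition; a `goto cleanup` on a success path that is rewritten the same way would now go through the failure label instead. The snippet shows the replacement but not the `if` that guards each jump, so every rewritten site should be checked against its condition before this is merged.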

Plus one addition:

+fail: // ADDED
+ result = 0;
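Review bot: the new `fail:` label has to sit directly above the existing `cleanup:` label so that `result = 0;` falls through into the code that releases what `cleanup` releases; the snippet shows the two added lines but not where they land. Placed after `cleanup:` the release code is skipped, placed before an unconditional `return` the objects leak. A one-line comment at the label saying that `0` is the "verification failed" verdict would also help the next reader, since the diff gives no hint why zero rather than an error code.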

Applications that depend on GnuTLS (rather than another TLS library such as OpenSSL) are affected, and there are many of them.

Two must-do things:

  • Closely watch the Linux, BSD, other *nix and application security updates, as exploits will be available soon.
  • Read via: existential type crisis : The Story of the GnuTLS Bug as it explains the bug, tracks down the cause, and talks about “lessons to learn”.

I’m with Jan Wildeboer here: updates should get in very soon.

Posted in Communications Development, Development, Internet protocol suite, Power User, Security, TCP, TLS