The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Security’ Category

badssl.com

Posted by jpluimers on 2018/01/11

I wish I had bumped into this when it got released in 2015: [WayBack] badssl.com, hosted in the cloud and maintained by two people from Google and Mozilla.

Where ssllabs.com is for checking server-side certificates, this one is for checking clients against many, many (did I already write MANY?) server-side configurations, both good (with a varying set of security settings like ciphers and key exchanges) and bad.

One of the bad ones is expired.badssl.com, which your clients should not be able to connect to without throwing a big error: a client that silently accepts an expired certificate is not validating the chain at all.
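Checking that in a script rather than by eye is straightforward. The following is an added example, not code from the post or from the badssl.com project: it points the Python standard-library `ssl` module at badssl.com and expired.badssl.com (the two hosts named above) and at self-signed.badssl.com and wrong.host.badssl.com (assumed to still exist as documented by the project), records whether the client accepted or rejected each one, and compares that against what a correct client must do. It also builds the kind of client configuration badssl.com is meant to catch (verification switched off) so you can see the harness flag it. Network failures are reported as inconclusive rather than as a pass.

```python
"""Probe an HTTPS client's certificate validation against badssl.com.

Added example (not part of the post or the badssl.com project).  Only
badssl.com and expired.badssl.com are named in the post; the other two
subdomains are assumed to exist as documented by the project.
"""
import socket
import ssl

# (hostname, client_must_reject): what a correctly validating client does.
CASES = [
    ("badssl.com", False),             # good configuration: must connect
    ("expired.badssl.com", True),      # expired leaf certificate: must fail
    ("self-signed.badssl.com", True),  # assumed subdomain: untrusted issuer
    ("wrong.host.badssl.com", True),   # assumed subdomain: hostname mismatch
]


def probe(host, port=443, timeout=5.0, context=None):
    """Open a TLS connection and report what the client did.

    Returns ("accepted", protocol), ("rejected", reason) or
    ("unreachable", error).  "unreachable" says nothing about validation,
    so callers must treat it as inconclusive, never as a pass.
    """
    ctx = context if context is not None else ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("accepted", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Chain or hostname validation failed (e.g. CERTIFICATE_VERIFY_FAILED)
        return ("rejected", exc.reason or str(exc))
    except ssl.SSLError as exc:
        # Handshake failed for another TLS reason (protocol/cipher mismatch)
        return ("rejected", exc.reason or str(exc))
    except OSError as exc:
        # DNS failure, refused connection, timeout: inconclusive
        return ("unreachable", str(exc))


def verdict(must_reject, outcome):
    """True if the client behaved correctly, False if not, None if inconclusive."""
    status = outcome[0]
    if status == "unreachable":
        return None
    return (status == "rejected") == must_reject


def run(cases=CASES, context=None):
    """Return {host: verdict} for every case, using the given ssl context."""
    return {host: verdict(must_reject, probe(host, context=context))
            for host, must_reject in cases}


def insecure_context():
    """The misconfiguration badssl.com exists to expose: verification off.

    With this context expired.badssl.com is accepted, so run() reports FAIL
    for every "must reject" host.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    labels = {True: "PASS", False: "FAIL", None: "inconclusive"}
    for title, ctx in (("default context", None),
                       ("verification disabled", insecure_context())):
        print(f"== {title}")
        for host, ok in run(context=ctx).items():
            print(f"{host:28} {labels[ok]}")
```

Run it as a script: with the default context every line should read PASS; with verification disabled the three bad hosts read FAIL, which is exactly the signal you want from a client test. The same `verdict` logic applies to any client you drive (curl, a mobile HTTP stack, an embedded TLS library) as long as you can map its outcome onto accepted/rejected/unreachable.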

Sources are at [WayBack] GitHub – chromium/badssl.com: Memorable site for testing clients against bad SSL configs.

Before using, please read their disclaimer:

badssl.com is meant for manual testing of security UI in web clients.

Most subdomains are likely to have stable functionality, but anything could change without notice. If you would like a documented guarantee for a particular use case, please file an issue. (Alternatively, you could make a fork and host your own copy.)

badssl.com is not an official Google product. It is offered “AS-IS” and without any warranties.

–jeroen

Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Security, Software Development, TCP, TLS, Web Development

ACME TLS-SNI-01 validation disabled due to vulnerability – Incidents – Let’s Encrypt Community Support

Posted by jpluimers on 2018/01/11

Now that so many sites depend on LetsEncrypt, maybe it is time for a second one.

We’ve received a credible report of a problem with ACME TLS-SNI-01 validation which could allow people to get certificates they should not be able to get. While we investigate further we have disabled tls-sni-01 validation. We’ll post more information soon.

Source: [Archive.is] ACME TLS-SNI-01 validation disabled due to vulnerability – Incidents – Let’s Encrypt Community Support

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security

SSLLabs security reports for some embarcadero subdomains

Posted by jpluimers on 2018/01/09

I hope this is a coincidence. Before Nick Hodges left, the TLS security of the various embarcadero https servers was increased, most of them from grade F. Now they might soon be grade F again.

Hopefully somebody in IT has time to take a renewed look, as security needs constant attention.

I’ve only included a fraction of their sub-domains, as really this is a job for the Embarcadero IT department.

Posted in Encryption, HTTPS/TLS security, Power User, Security

1984 and (IT) (in)security – lots of Spectre / Meltdown links

Posted by jpluimers on 2018/01/07

Over the last few days I’ve collected a lot of Meltdown and Spectre links at 1984 and (IT) (in)security – Google+.

Most of them provide links to what happened this year, but a few are also on the path leading to these vulnerabilities. In the links you will also find the affected architectures and patches by various vendors, which I have tried to summarise below.

In the link collection, I’ve tried to keep the number of hops to the actual sources as short as possible (as many have re-shared original links), but still attribute to the first one I got the link from.

Since the WordPress “Press-This” functionality is limited, even after all these years, for now it will be a one-time link dump; filling in more of the archival WayBack and Archive.is links and adding more context will hopefully come later.

I will try to keep links roughly in chronological order (please post a comment where I goofed up), and I hope to find some time to make a “most important” or “summary” list eventually.

A few notes first

Remember:

  • There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors.

    via: [WayBack] TwoHardThings: There are only two hard things in Computer Science: cache invalidation and naming things — Phil Karlton (bonus variations on the page)

  • Caching is the root of all evil.

List

Posted in Power User, Security

Private keys in software from Blizzard, Electronic Arts, Microsoft, and the German Federal Bar (Bulletproof TLS Newsletter Issue #36)

Posted by jpluimers on 2018/01/07

In the blast of Spectre and Meltdown, don’t forget that humans still goof up: [WayBack] Private keys in software from Blizzard, Electronic Arts, Microsoft, and the German Federal Bar (Bulletproof TLS Newsletter Issue #36).

Luckily, enough people keep an eye on these too.

–jeroen

Posted in Power User, Security