The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,470 other followers

Archive for the ‘Security’ Category

Tools for TCP tunnels over HTTP/HTTPS

Posted by jpluimers on 2019/01/16

With the advent of WebSockets, it looks like TCP tunnels over HTTP/HTTPS are gaining more ground and I need to put some research time in them.

Some old to new links:

CONNECT requests are not supported by many HTTP proxies, especially in larger organisations, so chisel and crowbar have a much bigger chance there.

And of course there is SoftEtherVPN/SoftEtherVPN: A Free Cross-platform Multi-protocol VPN Software. * For support, troubleshooting and feature requests we have http://www.vpnusers.com/. For critical vulnerability please email us. (mail address is on the header.).

However, that is a VPN solution which is much broader than just a single TCP tunnel. You can so similar things with OpenVPN, but over HTTP/HTTPS, also requires CONNECT:

SoftEtherVPN seems to be more versatile though. I blogged about that before, but back then didn’t have needs for it yet. VPN over HTTPS: Ultimate Powerful VPN Connectivity – SoftEther VPN Project.

–jeroen

via: [WayBackVPN through only http – Server Fault answer by [WayBack] neutrinus

Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Network-and-equipment, OpenVPN, Power User, TCP, VPN, WebSockets, Windows-Http-Proxy | Leave a Comment »

Top 25 Most Dangerous Programming Mistakes

Posted by jpluimers on 2019/01/15

10 years after the publication of the [WayBack] Top 25 Most Dangerous Programming Mistakes, the list for me is still the same.

You can see this from the CWE/SANS revisions: 1.0 in 2009 until 1.0.3 in 2011: not much changed.

Via: [WayBack] Top 25 Most Dangerous Programming Mistakes (2009) – Lars Fosdal – Google+

–jeroen

Posted in Development, Power User, Security, Software Development | Leave a Comment »

oath-toolkit / oath-toolkit · GitLab

Posted by jpluimers on 2019/01/15

Cool library with ditto command-line tools: oath-toolkit / oath-toolkit · GitLab.

It allows you to perform all sorts of OAUTH operations from your code or terminal window including generation and verification of OAUTH tokens through [WayBackOATHTOOL.

Which allows you to do “zero fucktor” authentication. [WayBack] Zero Fucktor Authentication – Kristian Köhntopp – Google+: [WayBackZero Factor Authentication – The Isoblog.

The project has it’s home at [WayBackOATH Toolkit, but the repository has done some traveling and for now ended up at GitLab: oath-toolkit / oath-toolkit together with the web-site source oath-toolkit / website.

–jeroen

Posted in Development, Power User, Security, Software Development | Leave a Comment »

If parts of your letsencrypt renewals succeed and others give you “urn:acme:error:connection” then just retry

Posted by jpluimers on 2018/12/10

On the same server, part of my letsencrypt renewals worked fine, while others had an error like this:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for spring4d.4delphi.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/spring4d.4delphi.com.conf produced an unexpected error: Failed authorization procedure. spring4d.4delphi.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
...
 - The following errors were reported by the server:

   Domain: spring4d.4delphi.com
   Type:   connection
   Detail: Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

A retry worked fine:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for spring4d.4delphi.com
Waiting for verification...
Cleaning up challenges
...
The following certs were successfully renewed:
  /etc/letsencrypt/live/spring4d.4delphi.com/fullchain.pem (success)

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

VirusTotal: Avira marks a Delphi built executable als false positive

Posted by jpluimers on 2018/12/06

Found out yesterday that Avira marks one of many Delphi 10.1 built executables as false positive; submitted, but VirusTotal shows it as false positive:

Related:

I think it was Avira too that interfered with my Delphi IDE compiling Delphi applications, especially resource compilation:

–jeroen

Read the rest of this entry »

Posted in Delphi, Development, Security, Software Development | 4 Comments »

 
%d bloggers like this: