The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,115 other followers

Archive for the ‘Encryption’ Category

Facebook ist in Bezug auf Kundenzufriedenheit und Vertrauen in Umfragen zieml…

Posted by jpluimers on 2020/10/16

Nice thread as it talks a bit about how keep your own stuff secure with companies doing MitM, or have VPN infrastrcuture.

[WayBack] Facebook ist in Bezug auf Kundenzufriedenheit und Vertrauen in Umfragen zieml…

Most larger TLS based web-sites now have HSTS so detect MitM.

Having a proxy locally helps checking the certificates.

Corporate laptops usually has device management. If they use MitM, their root certificates are usually put back automatically. But not all software uses the same root certificate store (:

In the past, I have used [WayBack] cntlm, or VPN (routing only corporate traffic over VPN).

There are corporate VPN variants, which take over the complete routing table or even run arbitrary scripts as root on your box on connect in order to do “endpoint validation”. And then there is OpenVPN, which routes the traffic that the company shall see to the company and lets you use normal connectivity for the rest.

You want openvpn, in all cases.

Another trick I have used is to VPN/SSH out of a corporate box and route some of the traffic over it.

Finally, for some larger corporate VPN software, there is an open source replacement that has better configuration options: OpenConnect supports AnyConnect, Juniper and GlobalProtect.

Related: picture on the right via [WayBack] Torsten Kleinz – Google+

–jeroen

Posted in Cntlm, Encryption, HTTPS/TLS security, Power User, Security, Windows, Windows-Http-Proxy | Leave a Comment »

SSL certificates – not optional | Open Query Pty Ltd

Posted by jpluimers on 2020/09/04

Some tips on using the certbot for Let’s Encrypt and the support for wildcard certificates through DNS updates: [WayBack] SSL certificates – not optional | Open Query Pty Ltd

–jeroen

Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Cipher: a command-line tool to decrypt/encrypt files and directories (een recursively) on Windows

Posted by jpluimers on 2020/07/03

A while ago, I had to mass encrypt a lot of directories and files on Windows for some directories in an existing directory structure.

This helped me to find out which ones were already done (it lists all encrypted files on all drives; the /n ensures the files or encryption keys are not altered):

cipher.exe /u /n /h

This encrypted recursively in one directory B:\Directory:

cipher /D /S:B:\Directory /A

It also has options to wipe data (/W), export keys into transferrable files (/X) and many more.

If you like the Windows Explorer more then to encrypt/decrypt (it is a tedious process): [WayBack] How do I encrypt/decrypt a file? | IT Pro.

Via:

–jeroen

Posted in Encryption, NTFS, Power User, Security, Windows | Leave a Comment »

Hardening: sshd_config – How to configure the OpenSSH server | SSH.COM

Posted by jpluimers on 2020/06/05

If you want to harden your ssh server, read at least [WayBack] sshd_config – How to configure the OpenSSH server | SSH.COM.

After that use some ssh tools to check your config from the outside world. They work in a similar way as the TLS/SSL/https scans from Source: SSL Server Test (Powered by Qualys SSL Labs) or these console based scans and documentation references:

Simiarly for SSH:

Then read further on more in depth SSH topics around key management:

–jeroen

 

Posted in Encryption, Hashing, https, HTTPS/TLS security, OpenSSL, Power User, Security, testssl.sh | Leave a Comment »

Expect your sites to be accessed over https and ensure your certificates match

Posted by jpluimers on 2020/05/22

igOver the last lustrum, there has been a steady increase in https usage. It crossed the 30% mark early 2016, crossing the 50% mark early 2017 and 80% mark early 2018, even the https-by-default configuration is now pretty large:

Ever since 2012, but especially with the increased HTTPS adoption, you can expect more and more users to run plugins like HTTPS Everywhere – Wikipedia which switch a request from insecure http to secure https.

Users are right: http is a thing from the past and https is the way to go forward.

This means you need to ensure your web sites to serve https well, which starts with servicing https at all and includes serving a correct https certificate for them.

Often, IT departments are not even aware that when serving http for a domain, the endpoint also answers https requests for that domain.

WordPress.com was really bad at this when servicing custom domains ordered from their premium plans. Which was odd, as customers payed for those domains. They solved this in spring 2016, they started to use LetsEncrypt (which started in 2015) for their certificates: [WayBack] HTTPS Everywhere: Encryption for All WordPress.com Sites — The WordPress.com Blog.

So this is what you need to do for all your subdomains:

  1. check if they are serviced by http
  2. contemplate (in fact urge to) servicing https for them
  3. when an endpoint services https, ensure the certificates for it are correct
  4. do not mix https and http in the same site
  5. avoid redirecting from https to http

Adopting https can be tedious, but many sites have already done this and wrote down their experiences, even back in 2016:

Many sites still get their https configuration wrong though, and this post is a reminder to myself for one of them.

Read the rest of this entry »

Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

 
%d bloggers like this: