Archive for the ‘HTTPS/TLS security’ Category
Posted by jpluimers on 2022/03/15
This is cool: [Wayback ] Cryptosense Discovery :
Free tool that discovers security configuration errors in SSH and TLS servers and explains how to fix them. Supports STARTTLS and can also scan HTTPS, POP3, IMAP and SMTP servers.
It gives you a list of servers a target domain uses (for purposes like web, email, etc) that can have external encryption enabled, then allows you to test these.
The list by default has only servers within that target domain enabled, but you can optionally include other servers (for instance if a domain uses a third party for their SMTP handling).
Basically it is the web-counterpart of a tool like testssl.sh (which I have written about before ).
Found while checking out how to test the MX security of a domain using [Wayback ] testssl.shWayback ] tls – How to use testssl.sh on an SMTP server? – Information Security Stack Exchange (thanks [Wayback ] Z.T. !):
…
testssl.sh --mx <domain name>
works fine.
testssl.sh -t smtp <ip>:25
and
testssl.sh -t smtp <ip>:587
also work fine.
Note that not specifying the port assumes port 443, despite specifying protocol smtp. That doesn’t work.
…
Also, you might tryΒ discovery.cryptosense.com Β which does the same thing only better
That website is made by the cool people at [Wayback ] Cryptosense .
Both are a lot easier than the alternatives described in [Wayback ] Blog Β· How to test SMTP servers using the command-line Β· Halon MTA : using nslookup and dig for determining the affected hosts, using nctelnetWayback /Archive.is ] openssl s_client Wayback /Archive.is ] smtpping
In addition to the above tools mentioned in the blog, I’ve also used sendEmailehlo-sizeswaks
This is what I tested:
[Wayback ] Cryptosense Discovery:Β clientondersteuningplus.nl We found these machines for clientondersteuningplus.nl. Select those you would like to scan:
clientondersteuningplus.nl185.37.70.68
localhost.clientondersteuningplus.nl127.0.0.1
pop.clientondersteuningplus.nl5.157.84.75
These machines are also used by clientondersteuningplus.nl. They seem to be managed by a third party:
…
–jeroen
Posted in *nix , *nix-tools , Awk , bash , bash , Communications Development , Development , DNS , Encryption , grep , HTTPS/TLS security , Internet , Internet protocol suite , Power User , Scripting , Security , SMTP , Software Development , SSH , ssh/sshd , TCP , testssl.sh , TLS | Leave a Comment »
Posted by jpluimers on 2022/01/20
For quite some time now, Chrome (think years) refuses to prompt for saving passwords whereas Firefox and Safari do prompt and save them, even for site types that it used to save passwords for in the past.
It has been annoying enough for too long now that I tried to do better than the Google searches I used back when I saw this happen first.
Below are some links based on new searches (starting withΒ [Wayback ] adding a password in chrome settings – Google Search ); hopefully I can try them after I made a list of sites that Chrome does not show the password save prompt for.
Solutions I tried that failed (but maybe useful for others):
Solutions still to try:
Read the rest of this entry »
Posted in Chrome , Chrome , Communications Development , Development , Encryption , ESXi6 , ESXi6.5 , ESXi6.7 , Firefox , Fritz! , Fritz!Box , Fritz!WLAN , Google , https , HTTPS/TLS security , Internet , Internet protocol suite , Let's Encrypt (letsencrypt/certbot) , Power User , routers , Safari , Security , TCP , TLS , Virtualization , VMware , VMware ESXi , Web Browsers , Web Development | Leave a Comment »
Posted by jpluimers on 2021/11/11
For expired or self-signed certificates with an untrusted chain, you might want to by base the Chrome certificate/HSTS error message.
Instead of clicking a few times, you can also type ‘badidea’ (this used to be ‘thisisunsafe’ and might change again someday).
Based on: [WayBack ] security – Does using ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error only apply for the current site? – Stack Overflow
Found via [WayBack ] KPN-klanten kunnen Experiabox V10A niet benaderen door verlopen certificaat – Computer – Nieuws – Tweakers
Source code that handles this: [WayBack ] components/security_interstitials/core/browser/resources/interstitial_v2.js – chromium/src – Git at Google
/**
* This allows errors to be skippped by typing a secret phrase into the page.
* @param {string} e The key that was just pressed.
*/
function handleKeypress(e) {
var BYPASS_SEQUENCE = 'badidea';
if (BYPASS_SEQUENCE.charCodeAt(keyPressState) == e.keyCode) {
keyPressState++;
if (keyPressState == BYPASS_SEQUENCE.length) {
sendCommand(SecurityInterstitialCommandId.CMD_PROCEED);
keyPressState = 0;
}
} else {
keyPressState = 0;
}
}
–jeroen
Posted in Chrome , Development , Encryption , https , HTTPS/TLS security , Power User , Security , Web Browsers , Web Development | Leave a Comment »
Posted by jpluimers on 2021/10/04
From a while back:Β [Archive.is ] Jeroen Wiert Pluimers on Twitter: ‘Answering Yes to “You have an older version of PackageManagement known to cause issues with the PowerShell extension. Would you like to update PackageManagement (You will need to restart the PowerShell extension after)?” hung my Visual Studio Code.β¦ ‘
After clicking “Yes”, the the only thing visible was this notification that had an ever running “progress bar”:
Notifications – Powershell – Source: Powershell (Extension)
The first part of the solution was relatively simple: restart Visual Studio code, then the original notification showed, and after clicking “Yes”, the “Panel” (you can toggle it with Ctrl +J ) showed the “Terminal” output (yes, I was working on [Wayback /Archive.is ] PowerShell script for sending Wake-on-LAN magic packets to given machine hardware MAC address , more about that later):
Read the rest of this entry »
Posted in .NET , Communications Development , Development , Encryption , HTTP , HTTPS/TLS security , Internet protocol suite , Power User , Security , Software Development , TCP , Visual Studio and tools , vscode Visual Studio Code , Windows , Windows 10 | Leave a Comment »
Posted by jpluimers on 2021/09/30
Last weekend I published 5 days before the Letβs Encryptβs Root Certificate is expiring!
It basically was a post trying to amplify the [Wayback /Archive.is ]Β Letβs Encryptβs Root Certificate is expiring! message by [Wayback ]Β Scott Helme .
Yesterday and today, he is maintaining a Twitter thread on things that have broken.
Quite a few things have, including some versions of curl, on which a lot of infrastructure relies (the certificate for it got fixed later on 20120930), see:
Two important starting points in his thread:
[Archive.is ] Scott Helme on Twitter: “π¨π¨π¨ 5 minutes until the Let’s Encrypt R3 intermediate expires π¨π¨π¨ 29 September 2021 19:21:40 UTC”
[Archive.is ] Scott Helme on Twitter: “π¨π¨π¨ 30 minute warning π¨π¨π¨ IdentTrust DST Root CA X3 Expires: Sep 30 14:01:15 2021 UTCβ¦ “
If you want to check from one of your own clients, try [Archive.is ] Scott Helme on Twitter: “I’ve created a test site to help identify issues with clients. If you can connect to https://t.co/bXHsnlRk8D then your client can handle being served the expired R3 Intermediate in the server chain!β¦ “
[Wayback /Archive.is ] https://expired-r3-test.scotthelme.co.uk/
Note that neither SSLabs, nor Cencys, nor CertCheckkerApp do show the expired certificate, only the new one:
Yes, I know the pluimers.com web server is rated B from a TLS perspective. Will be working on it, but I’m still recovering from rectum cancer treatments, and have an almost 1.5 year backlog to get through.
–jeroen
Posted in Communications Development , Development , Encryption , HTTP , https , HTTPS/TLS security , Internet protocol suite , Let's Encrypt (letsencrypt/certbot) , Power User , Security , Software Development , TCP , TLS , Uncategorized , Web Development | Leave a Comment »
Posted by jpluimers on 2021/09/24
Only 5 days left to take a close look at both your web-clients (including back-end clients!) and servers to prevent potential Let’s Encrypt mayhem.
Last week, [Wayback ] Scott Helme published about [Wayback /Archive.is ] Let’s Encrypt’s Root Certificate is expiring!
Let’s Encrypt has done loads of work over the past lustrum to prevent trouble like cross-signing, issuing the successor certificates, and more.
The problem is that people like you and me have refrained from keeping their clients and servers up-to-date, so some security issues will occur. Hopefully they are limited to non-functioning communication and not leaking of data.
It is about this DST Root CA X3 certificate, used by the vast majority of Let’s Encrypt certificates, [Wayback /Archive.is ] Certificate Checker: CN=DST Root CA X3, O=Digital Signature Trust Co. :
DST Root CA X3
Certificate
Trusted anchor certificate
Subject DN
CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer DN
CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial Number
44AFB080D6A327BA893039862EF8406B
Valid
September 30, 2000 Β toΒ September 30, Key
RSAPublicKey (2048 bit)
SHA1 Hash
DAC9024F54D8F6DF94935FB1732638CA6AD77C13MD5 Hash
410352DC0FF7501B16F0028EBA6F45C5
SKI
C4A7B1A47B2C71FADBE14B9075FFC41560858910AKI
Quoting Scott, these clients likely will fail, so need attention:
OpenSSL <= 1.0.2
Windows < XP SP3
macOS < 10.12.1
iOS < 10 (iPhone 5 is the lowest model that can get to iOS 10)
Android < 7.1.1 (but >= 2.3.6 will work if served ISRG Root X1 cross-sign)
Mozilla Firefox < 50
Ubuntu < 16.04
Debian < 8
Java 8 < 8u141
Java 7 < 7u151
NSS < 3.26
Amazon FireOS (Silk Browser)
On the server side, you can help Android devices by using a Let’s Encrypt certificate that is cross-signed with the ISRG Root X1 certificate [Wayback /Archive.is ] Certificate Checker: CN=ISRG Root X1, O=Internet Security Research Group, C=US :
ISRG Root X1
Certificate
Subject DN
CN=ISRG Root X1, O=Internet Security Research Group, C=US
Issuer DN
CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial Number
4001772137D4E942B8EE76AA3C640AB7
Valid
January 20, 2021 Β toΒ September 30, 2024 Key
RSAPublicKey (4096 bit)
SHA1 Hash
933C6DDEE95C9C41A40F9F50493D82BE03AD87BFMD5 Hash
C1E1FF07F9F688498274D1A18053EABF
SKI
79B459E67BB6E5E40173800888C81A58F6E99B6EAKI
C4A7B1A47B2C71FADBE14B9075FFC41560858910
ViaΒ [Archive.is ] Scott Helme on Twitter: “There are only 10 days left until the Let’s Encrypt root certificate expires and there are still questions over what the impact will be! Full details here: …” which links to the above article showing a nice graph of the current Let’s Encrtypt root certificate setup:
–jeroen
Posted in Communications Development , Development , Encryption , https , HTTPS/TLS security , Internet protocol suite , Let's Encrypt (letsencrypt/certbot) , Power User , Security , Software Development , TCP , TLS , Web Development | Leave a Comment »
Posted by jpluimers on 2021/09/02
DNS over HTTPS
For my link archive:
JSON DNS output
Some DNS over HTTSP providers support dns-json, which Cloudflare delivers non-pretty printed.
Read the rest of this entry »
Posted in Cloud , Cloudflare , Communications Development , Development , DNS , Encryption , HTTP , https , HTTPS/TLS security , Infrastructure , Internet , Internet protocol suite , Power User , Security , Software Development , TCP , TLS | Leave a Comment »
The Wiert Corner - irregular stream of stuff 