Got this on two Dutch Windows machines, not sure why yet:
Missing information on security certificate retraction
Certificate path is OK
–jeroen
Archive for the ‘Encryption’ Category
Not sure why: graph.windows.net is missing a security certificate retraction on some Windows machines?
Posted by jpluimers on 2022/02/28
Posted in Communications Development, Development, Encryption, Internet protocol suite, Power User, Security, TCP, TLS | Leave a Comment »
Some links on using and updating Let’s Encrypt certificates for internal servers
Posted by jpluimers on 2022/02/01
Sometimes it is easier to have current and public CA signed TLS certificates for internal servers than to setup and maintain an internal CA and register it on all affected browsers (including mobile phones).
One of my reasons to investigate this is that Chrome refuses to save credentials on servers that have no verifiable TLS certificate, see my post Some links on Chrome not prompting to save passwords (when Firefox and Safari do) about a week ago.
Below are some links for my link archive that hopefully will allow me to do this with Let’s Encrypt (msot via [Wayback/Archive] letsencrypt for internal servers – Google Search):
Share this:
Posted in Cloud, Cloudflare, Development, Encryption, ESXi6, ESXi6.5, ESXi6.7, ESXi7, Fritz!, Fritz!Box, Fritz!WLAN, Infrastructure, Internet, Let's Encrypt (letsencrypt/certbot), Power User, Security, Software Development, Virtualization, VMware, VMware ESXi, Web Development | Leave a Comment »
Some links on Chrome not prompting to save passwords (when Firefox and Safari do)
Posted by jpluimers on 2022/01/20
For quite some time now, Chrome (think years) refuses to prompt for saving passwords whereas Firefox and Safari do prompt and save them, even for site types that it used to save passwords for in the past.
It has been annoying enough for too long now that I tried to do better than the Google searches I used back when I saw this happen first.
Below are some links based on new searches (starting with [Wayback] adding a password in chrome settings – Google Search); hopefully I can try them after I made a list of sites that Chrome does not show the password save prompt for.
Solutions I tried that failed (but maybe useful for others):
- [Wayback] windows 7 – Chrome not asking to remember passwords – Super User: restart your browser
- First answer of [Wayback] How can I manually add a password to Chrome password manager? – Super User : check if “Autofill” a.k.a. “Offer to save passwords” is enabled and the site is not on the “Never Saved” list of sites.
- Second answer of [Wayback] How can I manually add a password to Chrome password manager? – Super User Check if there is a password
inputfield being marked withtype="password", and if not add it.
Solutions still to try:
Share this:
Posted in Chrome, Chrome, Communications Development, Development, Encryption, ESXi6, ESXi6.5, ESXi6.7, Firefox, Fritz!, Fritz!Box, Fritz!WLAN, Google, https, HTTPS/TLS security, Internet, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), Power User, routers, Safari, Security, TCP, TLS, Virtualization, VMware, VMware ESXi, Web Browsers, Web Development | Leave a Comment »
To bypass a Chrome certificate/HSTS error, you can type ‘badidea’ (previously ‘thisisunsafe’) without quotes (this might change in the future)
Posted by jpluimers on 2021/11/11
For expired or self-signed certificates with an untrusted chain, you might want to by base the Chrome certificate/HSTS error message.
Instead of clicking a few times, you can also type ‘badidea’ (this used to be ‘thisisunsafe’ and might change again someday).
Based on: [WayBack] security – Does using ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error only apply for the current site? – Stack Overflow
Found via [WayBack] KPN-klanten kunnen Experiabox V10A niet benaderen door verlopen certificaat – Computer – Nieuws – Tweakers
Source code that handles this: [WayBack] components/security_interstitials/core/browser/resources/interstitial_v2.js – chromium/src – Git at Google
/** * This allows errors to be skippped by typing a secret phrase into the page. * @param {string} e The key that was just pressed. */ function handleKeypress(e) { var BYPASS_SEQUENCE = 'badidea'; if (BYPASS_SEQUENCE.charCodeAt(keyPressState) == e.keyCode) { keyPressState++; if (keyPressState == BYPASS_SEQUENCE.length) { sendCommand(SecurityInterstitialCommandId.CMD_PROCEED); keyPressState = 0; } } else { keyPressState = 0; } }
–jeroen
Share this:
Posted in Chrome, Development, Encryption, https, HTTPS/TLS security, Power User, Security, Web Browsers, Web Development | Leave a Comment »
Solved: ‘Answering Yes to “You have an older version of PackageManagement known to cause issues with the PowerShell extension. Would you like to update PackageManagement (You will need to restart the PowerShell extension after)?” hung my Visual Studio Code.…’
Posted by jpluimers on 2021/10/04
From a while back: [Archive.is] Jeroen Wiert Pluimers on Twitter: ‘Answering Yes to “You have an older version of PackageManagement known to cause issues with the PowerShell extension. Would you like to update PackageManagement (You will need to restart the PowerShell extension after)?” hung my Visual Studio Code.… ‘
After clicking “Yes”, the the only thing visible was this notification that had an ever running “progress bar”:
Notifications – Powershell – Source: Powershell (Extension)
The first part of the solution was relatively simple: restart Visual Studio code, then the original notification showed, and after clicking “Yes”, the “Panel” (you can toggle it with Ctrl+J) showed the “Terminal” output (yes, I was working on [Wayback/Archive.is] PowerShell script for sending Wake-on-LAN magic packets to given machine hardware MAC address, more about that later):
Share this:
Posted in .NET, Communications Development, Development, Encryption, HTTP, HTTPS/TLS security, Internet protocol suite, Power User, Security, Software Development, TCP, Visual Studio and tools, vscode Visual Studio Code, Windows, Windows 10 | Leave a Comment »
One of the Let’s Encrypt’s Root Certificates expired today (and their corresponding intermediate yesterday); how is your infrastructure doing?
Posted by jpluimers on 2021/09/30
Last weekend I published 5 days before the Let’s Encrypt’s Root Certificate is expiring!
It basically was a post trying to amplify the [Wayback/Archive.is] Let’s Encrypt’s Root Certificate is expiring! message by [Wayback] Scott Helme .
Yesterday and today, he is maintaining a Twitter thread on things that have broken.
Quite a few things have, including some versions of curl, on which a lot of infrastructure relies (the certificate for it got fixed later on 20120930), see:
- [Archive.is] Scott Helme on Twitter: “Yeah that’s reasonable, we’ve not had a notable certificate chain expiry issue like this to speak of really.… “
- [Archive.is] Daniel 🥌 Stenberg on Twitter: “the Mozilla CA cert bundle on curl.se now has the expired ‘DST Root CA X3’ cert removed: …”
- [Wayback/Archive.is] curl – Extract CA Certs from Mozilla:
This bundle was generated at Thu Sep 30 03:12:05 2021 GMT .
- [Wayback/Archive.is] curl – Extract CA Certs from Mozilla:
- [Archive.is] Daniel 🥌 Stenberg on Twitter: “The order is restored and https://libssh2.org/ is again served by a good cert. Sorry for the minor disruption.”
Two important starting points in his thread:
- [Archive.is] Scott Helme on Twitter: “🚨🚨🚨 5 minutes until the Let’s Encrypt R3 intermediate expires 🚨🚨🚨 29 September 2021 19:21:40 UTC”
- [Archive.is] Scott Helme on Twitter: “🚨🚨🚨 30 minute warning 🚨🚨🚨 IdentTrust DST Root CA X3 Expires: Sep 30 14:01:15 2021 UTC… “
If you want to check from one of your own clients, try [Archive.is] Scott Helme on Twitter: “I’ve created a test site to help identify issues with clients. If you can connect to https://t.co/bXHsnlRk8D then your client can handle being served the expired R3 Intermediate in the server chain!… “
[Wayback/Archive.is] https://expired-r3-test.scotthelme.co.uk/
Note that neither SSLabs, nor Cencys, nor CertCheckkerApp do show the expired certificate, only the new one:
- [Wayback/Archive.is] SSL Server Test: pluimers.com (Powered by Qualys SSL Labs)
- [Wayback/Archive.is] CN=pluimers.com – Censys
- [Wayback/Archive.is] CertCheckerApp Certificate Checker: pluimers.com
Yes, I know the pluimers.com web server is rated B from a TLS perspective. Will be working on it, but I’m still recovering from rectum cancer treatments, and have an almost 1.5 year backlog to get through.
–jeroen
Share this:
Posted in Communications Development, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), Power User, Security, Software Development, TCP, TLS, Uncategorized, Web Development | Leave a Comment »
5 days before the Let’s Encrypt’s Root Certificate is expiring!
Posted by jpluimers on 2021/09/24
Only 5 days left to take a close look at both your web-clients (including back-end clients!) and servers to prevent potential Let’s Encrypt mayhem.
Last week, [Wayback] Scott Helme published about [Wayback/Archive.is] Let’s Encrypt’s Root Certificate is expiring!
Let’s Encrypt has done loads of work over the past lustrum to prevent trouble like cross-signing, issuing the successor certificates, and more.
The problem is that people like you and me have refrained from keeping their clients and servers up-to-date, so some security issues will occur. Hopefully they are limited to non-functioning communication and not leaking of data.
It is about this DST Root CA X3 certificate, used by the vast majority of Let’s Encrypt certificates, [Wayback/Archive.is] Certificate Checker: CN=DST Root CA X3, O=Digital Signature Trust Co.:
DST Root CA X3 Certificate Trusted anchor certificate Subject DN CN=DST Root CA X3, O=Digital Signature Trust Co. Issuer DN CN=DST Root CA X3, O=Digital Signature Trust Co. Serial Number 44AFB080D6A327BA893039862EF8406BValid to Key RSAPublicKey (2048 bit) SHA1 Hash DAC9024F54D8F6DF94935FB1732638CA6AD77C13MD5 Hash 410352DC0FF7501B16F0028EBA6F45C5SKI C4A7B1A47B2C71FADBE14B9075FFC41560858910AKI
Quoting Scott, these clients likely will fail, so need attention:
- OpenSSL <= 1.0.2
- Windows < XP SP3
- macOS < 10.12.1
- iOS < 10 (iPhone 5 is the lowest model that can get to iOS 10)
- Android < 7.1.1 (but >= 2.3.6 will work if served ISRG Root X1 cross-sign)
- Mozilla Firefox < 50
- Ubuntu < 16.04
- Debian < 8
- Java 8 < 8u141
- Java 7 < 7u151
- NSS < 3.26
- Amazon FireOS (Silk Browser)
On the server side, you can help Android devices by using a Let’s Encrypt certificate that is cross-signed with the ISRG Root X1 certificate [Wayback/Archive.is] Certificate Checker: CN=ISRG Root X1, O=Internet Security Research Group, C=US:
ISRG Root X1 Certificate Subject DN CN=ISRG Root X1, O=Internet Security Research Group, C=US Issuer DN CN=DST Root CA X3, O=Digital Signature Trust Co. Serial Number 4001772137D4E942B8EE76AA3C640AB7Valid to Key RSAPublicKey (4096 bit) SHA1 Hash 933C6DDEE95C9C41A40F9F50493D82BE03AD87BFMD5 Hash C1E1FF07F9F688498274D1A18053EABFSKI 79B459E67BB6E5E40173800888C81A58F6E99B6EAKI C4A7B1A47B2C71FADBE14B9075FFC41560858910
Via [Archive.is] Scott Helme on Twitter: “There are only 10 days left until the Let’s Encrypt root certificate expires and there are still questions over what the impact will be! Full details here: …” which links to the above article showing a nice graph of the current Let’s Encrtypt root certificate setup:
–jeroen
Share this:
Posted in Communications Development, Development, Encryption, https, HTTPS/TLS security, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), Power User, Security, Software Development, TCP, TLS, Web Development | Leave a Comment »
For my link archive: DNS over https
Posted by jpluimers on 2021/09/02
DNS over HTTPS
For my link archive:
- DNS over HTTPS – Wikipedia / Public recursive name server – Wikipedia
- [WayBack] RFC 8484 – DNS Queries over HTTPS (DoH)
- [WayBack] DNS over HTTPS · curl/curl Wiki · GitHub (which has a list of publicly available servers)
- [WayBack] A cartoon intro to DNS over HTTPS – Mozilla Hacks – the Web developer blog
- [WayBack] DNS over HTTPS – Cloudflare Resolver
JSON DNS output
Some DNS over HTTSP providers support dns-json, which Cloudflare delivers non-pretty printed.
Share this:
Posted in Cloud, Cloudflare, Communications Development, Development, DNS, Encryption, HTTP, https, HTTPS/TLS security, Infrastructure, Internet, Internet protocol suite, Power User, Security, Software Development, TCP, TLS | Leave a Comment »
Ryan O’Horo on Twitter : “Computerphile with a clear and complete explanation of how the block cipher AES works and how it’s different from older ciphers. Background info… “
Posted by jpluimers on 2021/09/01
From a while back, but still relevant: [WayBack] Ryan O’Horo sur Twitter : “Computerphile with a clear and complete explanation of how the block cipher AES works and how it’s different from older ciphers. Background https://t.co/WyvYpM5JJN SP Networks https://t.co/MGILCxkqUR AES Cipher https://t.co/ReHpnCBTvI… https://t.co/VbZomPrOow”
Videos below the fold
–jeroen
Share this:
Posted in Development, Encryption, Hashing, Power User, Security, Software Development | Leave a Comment »
Many http headers via 🔎Julia Evans🔍 on Twitter: “some security headers… “
Posted by jpluimers on 2021/07/20
An image on CORS will follow; likely more on related topics too. [WayBack] 🔎Julia Evans🔍 on Twitter: “some security headers… “ about:
- Content-Security-Policy (CSP)
- Referrer-Policy
- Strict-Transport-Security (HSTS)
- Expect-CT
- X-XSS-Protection
Interesting comments in the thread.
More to follow: [Archive.is] 🔎Julia Evans🔍 on Twitter: “going to talk about CORS headers on a different page because that’s a Whole Thing but i’d love to know what else I left out / got wrong here :)” including these:
Share this:
Posted in Communications Development, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Power User, Security, TCP | Leave a Comment »
The Wiert Corner - irregular stream of stuff 