Cool: [WayBack] Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.
Their motivation and background: [WayBack] About Internet.nl
–jeroen
Archive for the ‘Encryption’ Category
Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.
Posted by jpluimers on 2021/01/11
Posted in Encryption, HTTPS/TLS security, Power User, Security | Leave a Comment »
mkcert: valid HTTPS certificates for localhost (Windows/Mac/Linux) — a short blog post about it, by FiloSottile
Posted by jpluimers on 2020/12/21
Cool: [WayBack] Filippo Valsorda on Twitter: “mkcert: valid HTTPS certificates for localhost — a short blog post mkcert now that it’s almost done 🔒 “
Blog post: [WayBack] mkcert: valid HTTPS certificates for localhost:
The web is moving to HTTPS, preventing network attackers from observing or injecting page contents. But HTTPS needs TLS certificates, and while deployment is increasingly a solved issue thanks to the ACME protocol and Let’s Encrypt, development still mostly ends up happening over HTTP because no one can get an…
Code: [WayBack] GitHub – FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you’d like.
It is cross platform and works way better than good old Windows makecert (which is from the 2000’s era: [Archive.is] Public Key Infrastructure: Second European PKI Workshop: Research and … – David Chadwick, Greece) European PKI Workshop: Research and Applications (1st : 2004 : Samos Island – Google Books).
Related:
- [WayBack] node.js – create a trusted self-signed SSL cert for localhost (for use with Express/Node) – Stack Overflow
- [WayBack] mkcert.sh for MacOS in the 2000’s era too
–jeroen
Share this:
Posted in *nix, Apple, Encryption, HTTPS/TLS security, Linux, Mac OS X / OS X / MacOS, Power User, Security, Windows | Leave a Comment »
Facebook ist in Bezug auf Kundenzufriedenheit und Vertrauen in Umfragen zieml…
Posted by jpluimers on 2020/10/16
Nice thread as it talks a bit about how keep your own stuff secure with companies doing MitM, or have VPN infrastrcuture.
[WayBack] Facebook ist in Bezug auf Kundenzufriedenheit und Vertrauen in Umfragen zieml…
Most larger TLS based web-sites now have HSTS so detect MitM.
Having a proxy locally helps checking the certificates.
Corporate laptops usually has device management. If they use MitM, their root certificates are usually put back automatically. But not all software uses the same root certificate store (:
In the past, I have used [WayBack] cntlm, or VPN (routing only corporate traffic over VPN).
There are corporate VPN variants, which take over the complete routing table or even run arbitrary scripts as root on your box on connect in order to do “endpoint validation”. And then there is OpenVPN, which routes the traffic that the company shall see to the company and lets you use normal connectivity for the rest.
You want openvpn, in all cases.
Another trick I have used is to VPN/SSH out of a corporate box and route some of the traffic over it.
Finally, for some larger corporate VPN software, there is an open source replacement that has better configuration options: OpenConnect supports AnyConnect, Juniper and GlobalProtect.
Related: picture on the right via [WayBack] Torsten Kleinz – Google+
–jeroen
Share this:
Posted in Cntlm, Encryption, HTTPS/TLS security, Power User, Security, Windows, Windows-Http-Proxy | Leave a Comment »
SSL certificates – not optional | Open Query Pty Ltd
Posted by jpluimers on 2020/09/04
Some tips on using the certbot for Let’s Encrypt and the support for wildcard certificates through DNS updates: [WayBack] SSL certificates – not optional | Open Query Pty Ltd
–jeroen
Share this:
Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »
Cipher: a command-line tool to decrypt/encrypt files and directories (een recursively) on Windows
Posted by jpluimers on 2020/07/03
A while ago, I had to mass encrypt a lot of directories and files on Windows for some directories in an existing directory structure.
This helped me to find out which ones were already done (it lists all encrypted files on all drives; the /n ensures the files or encryption keys are not altered):
cipher.exe /u /n /h
This encrypted recursively in one directory B:\Directory:
cipher /D /S:B:\Directory /A
It also has options to wipe data (/W), export keys into transferrable files (/X) and many more.
If you like the Windows Explorer more then to encrypt/decrypt (it is a tedious process): [WayBack] How do I encrypt/decrypt a file? | IT Pro.
Via:
- [WayBack] Microsoft Technet – File Systems: Cipher.exe
- [WayBack] cipher | Microsoft Docs
- [WayBack] encryption – How to list encrypted files in Windows 7? – Super User
- [WayBack] Windows 7 – How to use Cipher.exe – A Critical Win 7 security Tool
- [WayBack] Encrypted Files – Find All on the Local Hard Drives – Windows 7 Help Forums
–jeroen
Share this:
Posted in Encryption, NTFS, Power User, Security, Windows | Leave a Comment »
Hardening: sshd_config – How to configure the OpenSSH server | SSH.COM
Posted by jpluimers on 2020/06/05
If you want to harden your ssh server, read at least [WayBack] sshd_config – How to configure the OpenSSH server | SSH.COM.
After that use some ssh tools to check your config from the outside world. They work in a similar way as the TLS/SSL/https scans from Source: SSL Server Test (Powered by Qualys SSL Labs) or these console based scans and documentation references:
- /bin/bash based SSL/TLS tester: testssl.sh
- GitHub – ssllabs/research
- GitHub – ssllabs/ssllabs-scan: A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
Simiarly for SSH:
- GitHub – mozilla/ssh_scan: A prototype SSH configuration and policy scanner (Blog: https://mozilla.github.io/ssh_scan/)
- GitHub – arthepsy/ssh-audit: SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
- Rebex SSH Check
Then read further on more in depth SSH topics around key management:
- [WayBack] What is SSH Public Key Authentication – How to configure? | SSH.COM
- [WayBack] Configure SSH key based secure authentication | SSH.COM
- [WayBack] How to kill a Fortune 500? | SSH.COM
- [WayBack] SSH Key Management | SSH.COM
–jeroen
Share this:
Posted in Encryption, Hashing, https, HTTPS/TLS security, OpenSSL, Power User, Security, testssl.sh | Leave a Comment »
Expect your sites to be accessed over https and ensure your certificates match
Posted by jpluimers on 2020/05/22
igOver the last lustrum, there has been a steady increase in https usage. It crossed the 30% mark early 2016, crossing the 50% mark early 2017 and 80% mark early 2018, even the https-by-default configuration is now pretty large:
- [WayBack] Why You Should Move Your Site to HTTPS
- [WayBack] HTTPS Tops 30%: How Google Is Winning the Long War – Moz
- [WayBack] Measuring HTTPS Adoption on the Web – Research at Google
- [WayBack] Let’s Encrypt Stats – Let’s Encrypt – Free SSL/TLS Certificates
Ever since 2012, but especially with the increased HTTPS adoption, you can expect more and more users to run plugins like HTTPS Everywhere – Wikipedia which switch a request from insecure http to secure https.
Share this:
Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »
On my list of things to try: GitHub – arthepsy/ssh-audit; SSH server auditing
Posted by jpluimers on 2020/05/18
This looks like an ssh equivalent to testssl.sh: [WayBack] GitHub – arthepsy/ssh-audit: SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc).
It is on my list of things to try, so I’ve put a watch on the repository changes.
–jeroen
Share this:
Posted in Communications Development, Development, Encryption, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »
SSH through HTTPS
Posted by jpluimers on 2020/05/04
Often, hotspots only allow http/https traffic. Other traffic – like SSH – is blocked. Nowadays, fewer hotspots block that, but too many still do.
So it can be worth a while to route your SSH server through HTTPS (I don’t like Web-based SSH that much as terminal emulation in browsers isn’t that well yet, but that seems to change rapidly, more on that in the “Further reading” section below).
After some background reading at apache – Tunnel over HTTPS – Stack Overflow, here are a few links that help you do it:
Server side: DAG: Tunneling SSH over HTTP(S).
You need:
- An internet connected Apache server (eg. with IP address 10.1.2.3)
- A FQDN that points to this IP address (eg. ssh.yourdomain.com)
- A virtual host configuration in Apache for this domain (eg. /etc/httpd/conf.d/ssh.yourdomain.com.conf)
- A configuration to adapt ssh to use the HTTP tunnel
Read more at DAG: Tunneling SSH over HTTP(S) and SSH over SSL, a quick and minimal config..
Client side: Using SSH over the HTTPS port · GitHub Help.
Steps:
- Test of it works at all
- Edit your local ~/.ssh/config file to redirect SSH to HTTPS
Read more at Using SSH over the HTTPS port · GitHub Help.
Using Putty and an HTTP proxy to ssh anywhere through firewalls | Me in IT.
Tunneling SSH through HTTP proxies using HTTP Connect – ArchWiki.
Running SSHD on port 443.
Not all proxy configurations and hotspots support this. But it might be worth a look: SSH Over Proxy.
Further reading: Web-based SSH.
SSH plugins for browsers:
Web based SSH:
- Shell In A Box – A Web-Based SSH Terminal to Access Remote Linux Servers / Shell in a box – LinuxIntro /shellinabox – Web based AJAX terminal emulator – Google Project Hosting; works on OpenSuSE too; tried it with the shellinabox-2.10-9.1.1 that does need very little configuration.
- SSH from a web browser tutorial | Linux User & Developer – the Linux and FOSS mag for a GNU generation.
- WebSSH.
- Free web-based SSH client – serFISH.com.
- SSH Online – ssh, terminal online, access your server, online ssh client, web ssh – ServerDo.in.
- SSH connectivity via Online Code Editor – Codeanywhere / 3.6. SSH Terminal : Support – Codeanywhere.
- liftoff/GateOne / Gate One ✈ Web Terminal Emulator and SSH Client | Liftoff Software.
- EricDaugherty.com – SSH Web Proxy – Getting Started.
- Ajaxterm for Java –.
- Commando.io – Manage servers easily online. / Security – Commando.io.
- KeyBox: A better way to SSH.
- Anyterm – Introduction.
- fgallaire/achilterm.
–jeroen
Share this:
Posted in Communications Development, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »
OpenSSH keygen guidelines
Posted by jpluimers on 2020/05/01
Verify [WayBack] OpenSSH: Key generation before generating keys.
At the time of grabbing it was this (for the mozilla tag; use another tag if you prefer):
# RSA keys are favored over ECDSA keys when backward compatibility ''is required'',
# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"
# ED25519 keys are favored over RSA keys when backward compatibility ''is not required''.
# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"
This was not changed based on [WayBack] Key generation: pass-a and -o argument? · Issue #68 · mozilla/wikimo_content · GitHub: a discussion on the KDF rounds (-a parameter) and storage format (-o parameter).
This is slightly less strong than in [WayBack] Upgrade Your SSH Key to Ed25519 | Programming Journal, but seems to be OK when writing this in 2018.
For comparison, a similar discussion is at [WayBack] public key – How many KDF rounds for an SSH key? – Cryptography Stack Exchange.
In practice, I am not for one ssh ID per host, but I use different tags depending on where the ssh ID applies. More discussion on this is at [WayBack] privacy – Best Practice: ”separate ssh-key per host and user“ vs. ”one ssh-key for all hosts“ – Information Security Stack Exchange
Based on the above, I also learned about this password generator: [WayBack] GitHub – gdestuynder/pwgen
–jeroen
Share this:
Posted in *nix, *nix-tools, Encryption, Hashing, Power User, Security, ssh/sshd | Leave a Comment »
The Wiert Corner - irregular stream of stuff 