Don’t forget your padding: Hello,I’m playing with the APK format of a sample “Hello world” Android application.my (first) goal is to be able to rebuild an APK from a unzipped one… – Paul TOTH – Google+
References: RSA Algorithm
–jeroen
Archive for the ‘Encryption’ Category
Don’t forget your padding… playing with the APK format of a sample “Hello world” Android app
Posted by jpluimers on 2019/01/23
Posted in Android, Development, Encryption, Mobile Development, Power User, Security, Software Development | Leave a Comment »
If parts of your letsencrypt renewals succeed and others give you “urn:acme:error:connection” then just retry
Posted by jpluimers on 2018/12/10
On the same server, part of my letsencrypt renewals worked fine, while others had an error like this:
------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf ------------------------------------------------------------------------------- Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: tls-sni-01 challenge for spring4d.4delphi.com Waiting for verification... Cleaning up challenges Attempting to renew cert from /etc/letsencrypt/renewal/spring4d.4delphi.com.conf produced an unexpected error: Failed authorization procedure. spring4d.4delphi.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping. ... - The following errors were reported by the server: Domain: spring4d.4delphi.com Type: connection Detail: Error getting validation data To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
A retry worked fine:
------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf ------------------------------------------------------------------------------- Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: tls-sni-01 challenge for spring4d.4delphi.com Waiting for verification... Cleaning up challenges ... The following certs were successfully renewed: /etc/letsencrypt/live/spring4d.4delphi.com/fullchain.pem (success)
–jeroen
Share this:
Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »
Some links on encrypting configuration files or sections
Posted by jpluimers on 2018/10/18
All encryption comes down to a combination of key management and tooling.
With more and more communication projects going on, encryption of the secrets (passwords, API keys, etc) in configuration files, especially the ones that might end up in (sometimes public) repositories will need my attention some day.
My gut feeling is that an asymmetric solution might work best for these kinds of problems.
Here are some links:
- [WayBack] How to securely store API keys – DEV Community 👩💻👨💻
- [WayBack] Rails 5.2 credentials – cedarcode – Medium
- [WayBack] The best way to store secrets in your app is not to store secrets in your app
- via [WayBack] Where is the right place to store db passwords, api keys, etc? What is best prac… | Hacker News:
- [WayBack] GitHub – StackExchange/blackbox: Safely store secrets in Git/Mercurial/Subversion
- [WayBack] Introduction – Vault by HashiCorp (which has key expiration)
- [WayBack] Matthew D Fuller – Blog: Using IAM Roles and S3 to Securely Load Application Credentials
- [WayBack] Keywhiz A file-based secret management and distribution system
- [WayBack] Windows Data Protection
- [WayBack] The Twelve-Factor App A methodology for building modern, scalable, maintainable software-as-a-service apps.
- [WayBack] Encrypting Secret Data at Rest – Kubernetes
- [WayBack] ASP.NET IIS Registration Tool (Aspnet_regiis.exe)
- [WayBack] Encrypting and Decrypting Configuration Sections
- It can do asymmetric encryption as explained at [WayBack] Encrypting Credentials in App.config for Multiple Machines | My Web Anecdotes
–jeroen
Share this:
Posted in Development, Encryption, Security, Software Development | Leave a Comment »
https://altd.embarcadero.com/ TLS certificate does not match domain name
Posted by jpluimers on 2018/09/07
One of the domains not yet monitored at embarcaderomonitoring.wiert.me, was the altd download server for ISOs and installers on http and https level. Ultimately you want https, as most of these are about installers, so you do not want any man-in-the-middle to fiddle with them.
TLS on altd fails
Upitmerobot is not yet smart enough to check validity of TLS certificates on https connections.
Chrome, Firefox, Safari, Internet Explorer, wget, curl and ssllabs however are.
- [Archive.is] SSL Server Test: altd.embarcadero.com (Powered by Qualys SSL Labs)
- [Archive.is] SSL Server Test: altd.embarcadero.com at 23.61.194.33 (Powered by Qualys SSL Labs)
- [Archive.is] SSL Server Test: altd.embarcadero.com at 23.61.194.25 (Powered by Qualys SSL Labs)
altd hides as much from itself as possible
Uptimerobot did not like monitoring the plain http://altd.embarcadero.com/ and https://altd.embarcadero.com/ URLs, because the altd is not browsable, so it tries to hide most of its structure from access. This means they both return an odd response:
Those responses are actually 404 errors (note the - minus sign after curl --trace-ascii: it sends the trace to stdout):
$ wget http://altd.embarcadero.com/ --2018-09-05 10:44:23-- http://altd.embarcadero.com/ Resolving altd.embarcadero.com (altd.embarcadero.com)... 88.221.144.40, 88.221.144.10 Connecting to altd.embarcadero.com (altd.embarcadero.com)|88.221.144.40|:80... connected. HTTP request sent, awaiting response... 404 Not Found 2018-09-05 10:44:23 ERROR 404: Not Found. $ curl --verbose http://altd.embarcadero.com/ * Trying 88.221.144.40... * TCP_NODELAY set * Connected to altd.embarcadero.com (88.221.144.40) port 80 (#0) > GET / HTTP/1.1 > Host: altd.embarcadero.com > User-Agent: curl/7.54.0 > Accept: */* > < HTTP/1.1 404 Not Found < Server: Apache < Content-Type: text/html; charset=iso-8859-1 < Content-Length: 16 < Date: Wed, 05 Sep 2018 08:45:57 GMT < Connection: keep-alive < * Connection #0 to host altd.embarcadero.com left intact File not found." $ curl --trace-ascii - http://altd.embarcadero.com/ == Info: Trying 88.221.144.40... == Info: TCP_NODELAY set == Info: Connected to altd.embarcadero.com (88.221.144.40) port 80 (#0) => Send header, 84 bytes (0x54) 0000: GET / HTTP/1.1 0010: Host: altd.embarcadero.com 002c: User-Agent: curl/7.54.0 0045: Accept: */* 0052: <= Recv header, 24 bytes (0x18) 0000: HTTP/1.1 404 Not Found <= Recv header, 16 bytes (0x10) 0000: Server: Apache <= Recv header, 45 bytes (0x2d) 0000: Content-Type: text/html; charset=iso-8859-1 <= Recv header, 20 bytes (0x14) 0000: Content-Length: 16 <= Recv header, 37 bytes (0x25) 0000: Date: Wed, 05 Sep 2018 08:47:19 GMT <= Recv header, 24 bytes (0x18) 0000: Connection: keep-alive <= Recv header, 2 bytes (0x2) 0000: <= Recv data, 16 bytes (0x10) 0000: File not found." File not found."== Info: Connection #0 to host altd.embarcadero.com left intact
This is also the reason that WayBack does not want to archive that link, but it can be archived at [Archive.is] https://altd.embarcadero.com/.
Luckily, a Google search for site:altd.embarcadero.com revealed there is a non-installer file short enough (~72 kibibytes) for Uptime robot to check, so it now verifies it can access these:
- http://altd.embarcadero.com/download/allaccess/allaccessserver/All-Access%20Server%201.0.1%20Installation%20Guide.pdf
- https://altd.embarcadero.com/download/allaccess/allaccessserver/All-Access%20Server%201.0.1%20Installation%20Guide.pdf
–jeroen
Share this:
Posted in *nix, *nix-tools, cURL, Encryption, HTTPS/TLS security, Monitoring, Power User, Security, Uptimerobot, wget | Leave a Comment »
Nice thread starting on the current state of CAs promoting OV/EV instead of doing innovation, with many comments on how to properly use LetsEncrypt
Posted by jpluimers on 2018/08/24
[Archive.is] Thread by @sleevi_: “It’s a real shame that CAs have gotten so high off their own supply, that they’ve become blind to the real problems they cause by p… – Kristian Köhntopp – Google+
On CAs: [Archive.is] Thread by @sleevi_: “It’s a real shame that CAs have gotten so high off their own supply, that they’ve become blind to the real problems they cause by promoting OV/EV. It’s almost as if they believe that 1988 had all the solutions, and we’ve been declining since then. Example: Let’s say we accept that organizational identity is a valuable component. Coupling it to TLS is terrible, because it encourages all the bad practices we see – such as making it hard to obtain or automate certificates, discouraging key rotation, extending cert lifetime […]”
–jeroen
Twitter thread:
https://twitter.com/sleevi_/status/1012321195562237952
Share this:
Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »
Use TLS 1.2 or higher, as TLS 1.1 is phased out on many sites, after TLS 1.0/SLL has been disabled by most for a while now
Posted by jpluimers on 2018/07/23
If you get an error like this in one of your tools
OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
it means you are using a tool not yet properly supporting TLS 1.2 or higher.
Or in other words: update your tool set.
The reason is that – after turning off TLS 1.0 a while ago – more and more sites do the same for TLS 1.1.
A prime example of a site that warned on this in a clear way very early on is github:
- 2017-02-27: [WayBack] Discontinue support for weak cryptographic standards | GitHub Engineering
- 2018-02-01: [WayBack] Weak cryptographic standards removal notice | GitHub Engineering (including a list of incompatible clients)
- 2018-02-02: [WayBack] Weak cryptographic standards removal notice | The GitHub Blog
- 2018-02-23: [WayBack] Weak cryptographic standards removed | The GitHub Blog
Others have done this too, for instance:
- [WayBack] Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
- [WayBack] Deprecating TLS 1.0 and 1.1 – Enhancing Security for Everyone
TLS 1.0 is vulnerable to many attacks, and certain configurations of TLS 1.1 as well (see for instance [WayBack] What are the main vulnerabilities of TLS v1.1? – Information Security Stack Exchange), which means that properly configuring the non-vulnerable TLS 1.1 over times gets more and more complex. An important reason to say goodbye to that as well, as TLS 1.2 (from 2008) is readily available for a long time. The much more recent TLS 1.3 (from 2018) will take a while to proliferate.
I ran in the above error because on one of my systems, an old version of wget was luring around, so I dug up the easiest place to download recent Windows binaries for both win32 (x86) and win64 (x86_64):
[WayBack] eternallybored.org: GNU Wget for Windows having a table indicating the OpenSSL version for each wget build.
–jeroen
Reference: Transport Layer Security – Wikipedia: History and development
Share this:
Posted in *nix, https, HTTPS/TLS security, OpenSSL, Power User, Security, wget | Leave a Comment »
Packet Sender is a good tool when debugging protocols: free utility to send & receive network packets. TCP, UDP, SSL
Posted by jpluimers on 2018/03/07
It was fitting to bump into [WayBack] Packet Sender is a good tool when debugging protocols…” Written by Dan Nagle… – Lars Fosdal – Google+ on the day presenting [WayBack] Conferences/Network-Protocol-Security.rst at master · jpluimers/Conferences · GitHub
It also means that libssh2-delphi is getting a bit more love soon and will move to github as well after a conversion from mercurial.
Some of the things I learned or got confirmed teaching the session (I love learning by teaching):
- Automate the heck out of your job and new work finds you
- There is great integration for [WayBack] Bot Users | Slack which can hugely help you in status monitoring
- If you manage many domains, which might be troublesome to the default “
certbotclient”, so you might want to look into different [WayBack] ACME Client Implementations – Let’s Encrypt – Free SSL/TLS Certificates especially if you run nginx on Alpine Linux (but note you then need [WayBack] license_update.patch\acme-client\community – aports – Main aports tree to avoid [Archive.is] [400] does not match current agreement URL – Help – Let’s Encrypt Community Support)
Here is some more info:
- Blurb: “[a] free utility to send & receive network packets. TCP, UDP, SSL.”
- [WayBack] Packet Sender – Free utility to for sending / receiving of network packets. TCP, UDP, SSL.
- [WayBack] The latest Tweets from Dan Nagle (@NagleCode). Principal SW Engineer @HARMAN_Pro. Speaker. Author packetsender.com, paydowncalc.com, cryptoknife.com, github.com/dannagle . Huntsville, AL,
- [WayBack] Packet Sender – Send / Receive TCP / UDP – Android Apps on Google Play
- [WayBack] dannagle (Dan Nagle) · GitHub dannagle has 23 repositories available. Follow their code on GitHub.
–jeroen
Share this:
Posted in Communications Development, Delphi, Development, Encryption, Hardware, Harman Kardon, Home Audio/Video, HTTP, https, HTTPS/TLS security, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), OpenSSL, Power User, Security, Software Development, TCP, TLS | Leave a Comment »
ACME TLS-SNI-01 validation disabled due to vulnerability – Incidents – Let’s Encrypt Community Support
Posted by jpluimers on 2018/01/11
Now that so many sites depend on LetsEncrypt: maybe it is time for a second one.
We’ve received a credible report of a problem with ACME TLS-SNI-01 validation which could allow people to get certificates they should not be able to get. While we investigate further we have disabled tls-sni-01 validation. We’ll post more information soon.
Source: [Archive.is] ACME TLS-SNI-01 validation disabled due to vulnerability – Incidents – Let’s Encrypt Community Support
Via:
- [WayBack] Wie viel Internet kippt mittlerweile eigentlich um, wenn letsencrypt weg ist? Ein zweites letsencrypt wäre toll. – Stefan Funke – Google+
- [WayBack] Wie viel Internet kippt mittlerweile eigentlich um, wenn letsencrypt weg ist? Ein zweites letsencrypt wäre toll. – Kristian Köhntopp – Google+
–jeroen
Share this:
Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »
SSLLabs security reports for some embarcadero subdomains
Posted by jpluimers on 2018/01/09
I hope this is a coincidence. Before Nick Hodges left, the TLS security of the various embarcadero https servers was increased, most from grade F. Now they might soon be grade F again.
Hopefully somebody in IT has time to take a renewed look as security needs constant attention.
- “This server is vulnerable to the Return Of Bleichenbacher’s Oracle Threat (ROBOT) vulnerability. Grade will be set to F from February 2018.”
- “This server uses 64-bit block cipher (3DES / DES / RC2 / IDEA) with modern protocols. Grade capped to C. MORE INFO »“
I’ve only included a fraction of their sub-domains, as really this is a job for the Embarcadero IT department.
Related:
- Oh nice: the compiler settings in your .dproj files are not reflected in what Ctrl-O O emits in XE7
- Positive: Delphi 10.1 Berlin is out; negative all Embarcadero HTTPS sites still vulnerable to DROWN attack
- RAD Studio 10 next stop: Berlin (via: The inheritance tree of all Fire Monkey objects) but would you really trust it?
- New Delphi product version: will it be Seattle or 10? It might be both! radstudiodemos/code/…/branches now has RADStudio_Seattle branch, docwiki URLs with Seattle exists and nice YouTube preview image!
Share this:
Posted in Encryption, HTTPS/TLS security, Power User, Security | Leave a Comment »
Helft homepaginas van Nederlandse overheidswebsites gebruikt geen https – IT Pro – Nieuws – Tweakers
Posted by jpluimers on 2017/12/15
Still some work to do for some of my sites:
–jeroen
[WayBack] Helft homepaginas van Nederlandse overheidswebsites gebruikt geen https – IT Pro – Nieuws – Tweakers
Share this:
Posted in Communications Development, Development, Encryption, https, Internet protocol suite, Power User, Security, TLS | Leave a Comment »
The Wiert Corner - irregular stream of stuff 