The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,822 other followers

Archive for the ‘https’ Category

« Previous Entries

ssl/ssh multiplexer

Posted by jpluimers on 2017/08/07

sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client.

Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to ssh from inside a corporate firewall, which almost never block port 443) while still serving HTTPS on that port.

Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port.

sslh supports IPv6, privilege dropping, transparent proxying, and more.

Interesting…

–jeroen

Posted in *nix, https, Linux, OpenSSL, OpenVPN, Power User, Security | Leave a Comment »

Sending various HTTP request kinds using curl

Posted by jpluimers on 2017/07/25

I’ve been using cURL but always had a feeling not to its potential basically because the cURL man page [WayBack] is both massive and lacks concrete useful practical examples.

For instance, I knew about the --header and --verbose options (I always use verbose names even though shorter -H and -v exist) to pass a specific header and get verbose output, but the man page basic examples like this by Tader:

curl --header --verbose "X-MyHeader: 123" http://www.google.com

source: How to send a header using a HTTP request through a curl call? – Stack Overflow [WayBack]

There are some more examples at bropages.org/curl but they’re hardly organised or documented.

So I was really glad I found the below answer [WayBack] by Amith Koujalgi to web services – HTTP POST and GET using cURL in Linux – Stack Overflow.

But first note that recent versions (around 7.22 or higher) of cURL now need to combine the --silent and --show-error (or in short -sS) parameters to suppress progress but show errors: linux – How do I get cURL to not show the progress bar? – Stack Overflow [WayBack]

Back to the examples

Read the rest of this entry »

Posted in *nix, Communications Development, cURL, Delphi, Development, HTTP, https, Internet protocol suite, JavaScript/ECMAScript, JSON, Power User, REST, Scripting, Security, Software Development, TCP, TLS, XML, XML/XSD | 1 Comment »

Some ChromeCast URLs

Posted by jpluimers on 2017/02/01

I need to check these against a Chromecast v2 as the below URLs are from a v1 device:

More is possible by using cURL: Chromecast Hacking Has Begun | fiquett.com

sleep 8h; while true; do
curl -H "Content-Type: application/json" http://192.168.71.113:8008/apps/YouTube -X POST -d 'v=somevideo';
done

–jeroen

via:

https://www.reddit.com/r/Chromecast/comments/24i8x3/thoughts_on_a_chromecast_alarm_app/

Posted in Chromecast, Communications Development, Development, Google, Hardware Interfacing, HTTP, https, Internet protocol suite, REST, Security, TCP | 3 Comments »

List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too

Posted by jpluimers on 2016/10/24

This Plain Text Offenders site lists email screenshots of organisations sending back plain-text passwords they kept on file (According to Robert Love, Idera/Embarcadero should be on the list as well).

It is one of the most horrible things that can be done for a password.

Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains. The ones that are so broken that they degraded their https to virtually plain-text http quality.

In the past, a notorious example of this was Embarcadero, who in the past managed to get F-rating or had wrong configurations on the below domains, therefore preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database):

Read the rest of this entry »

Posted in Delphi, Development, Hashing, https, OpenSSL, Power User, Public Key Cryptography, QC, Security, Signing, Software Development | 3 Comments »

Heittps enabled – a hardest part of https-ing a suite of sites is getting rid of “Mixed Content”

Posted by jpluimers on 2016/09/26

“Heittps enabled.” and working for most parts: Verschlüsselung: heise online und Heise-Onlinedienste per HTTPS erreichbar heise.de [WayBack]

A hard part in getting there is fixing “Mixed Content” errors. Report them at https://www.heise.de/newsticker/meldung/Verschluesselung-heise-online-und-Heise-Onlinedienste-per-HTTPS-erreichbar-3331421.html

Earlier this Dutch tech site did the same: Tweakers stapt over op https – Waarom https? – Achtergrond – Tweakers [WayBack] and faced similar “Mixed Content” fixing challenges [WayBack].

–jeroen

Source: Na endlich. – Kristian Köhntopp – Google+

 

Posted in https, Security | Leave a Comment »

« Previous Entries
 
%d bloggers like this: