Archive for the ‘https’ Category
Posted by jpluimers on 2017/07/25
I’ve been using cURLcURL man page [WayBack ] is both massive and lacks concrete useful practical examples.
For instance, I knew about the --header and --verbose options (I always use verbose names even though shorter -H and -v exist) to pass a specific header and get verbose output, but the man page basic examples like this by Tader :
curl --header --verbose "X-MyHeader: 123" www.google.com
source: How to send a header using a HTTP request through a curl call? – Stack Overflow [WayBack ]
There are some more examples at bropages.org/curl but they’re hardly organised or documented.
So I was really glad I found the below answer [WayBack ] by Amith Koujalgi to web services – HTTP POST and GET using cURL in Linux – Stack Overflow .
But first note that recent versions (around 7.22 or higher) of cURL now need to combine the --silent and --show-error (or in short -sS) parameters to suppress progress but show errors: linux – How do I get cURL to not show the progress bar? – Stack Overflow [WayBack ]
Back to the examples
Read the rest of this entry »
Posted in *nix , Communications Development , cURL , Delphi , Development , HTTP , https , Internet protocol suite , JavaScript/ECMAScript , JSON , Power User , REST , Scripting , Security , Software Development , TCP , TLS , XML , XML/XSD | 1 Comment »
Posted by jpluimers on 2017/02/01
I need to check these against a Chromecast v2 as the below URLs are from a v1 device:
More is possible by using cURL: Chromecast Hacking Has Begun | fiquett.com
sleep 8h; while true; do
curl -H "Content-Type: application/json" http://192.168.71.113:8008/apps/YouTube -X POST -d 'v=somevideo';
done
Related:
–jeroen
via:
Posted in Chromecast , Communications Development , Development , Google , Hardware Interfacing , HTTP , https , Internet protocol suite , REST , Security , TCP | 3 Comments »
Posted by jpluimers on 2016/10/24
This Plain Text Offenders site lists email screenshots of organisations sending back plain-text passwords they kept on file (According to Robert Love , Idera/Embarcadero should be on the list as well).
It is one of the most horrible things that can be done for a password.
Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains. The ones that are so broken that they degraded their https to virtually plain-text http quality.
In the past, a notorious example of this was Embarcadero, who in the past managed to get F-rating or had wrong configurations on the below domains, therefore preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database ):
Read the rest of this entry »
Posted in Delphi , Development , Hashing , https , OpenSSL , Power User , Public Key Cryptography , QC , Security , Signing , Software Development | 3 Comments »
Posted by jpluimers on 2016/09/26
Posted in https , Security | Leave a Comment »
Posted by jpluimers on 2016/09/23
Source: HTTPSWatch | Global
Like on the right side.
https isn’t everywhere yet, but growing.
–jeroen
Posted in https , Power User , Security | Leave a Comment »
Posted by jpluimers on 2016/08/08
Attack from the ’90s resurfaces more deadly than before
Source: Windows Flaw Reveals Microsoft Account Passwords, VPN Credentials
TL;DR: block LAN->WAN port 445
Note this won’t affect web-dav shares like \live.sysinternals.com\DavWWWRoot as that uses ports 443 and 80.
–jeroen
via:
Posted in Communications Development , Development , https , Internet protocol suite , Microsoft Surface on Windows 7 , NTLM , Power User , Security , SMB , TCP , WebDAV , Windows , Windows 10 , Windows 7 , Windows 8 , Windows 8.1 , Windows 9 , Windows Server 2008 , Windows Server 2008 R2 , Windows Server 2012 , Windows Server 2012 R2 , Windows Vista , Windows XP | Leave a Comment »
Posted by jpluimers on 2016/07/25
Interesting:
just for completeness:
testssl.sh is a nice, console-based tool to check ssl-setups of any ssl/ts – enabled servers, in oposite to ssllabs
It helped me solving this:
Host: http://www.beginend.net
Reason: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Within the testssl.sh directory, you can use this to test with many cyphers:
OPENSSL=./openssl-bins/openssl-1.0.2-chacha.pm/openssl32-1.0.2pm-krb5.chacha+poly ./testssl.sh www.example.com
–jeroen
via
Posted in *nix , https , OpenSSL , Power User , Security | Leave a Comment »
Posted by jpluimers on 2016/07/20
Great explanation of Diffie-Hellman Key Exchange – YouTube .
It is based on mixing colors and some colors of the mix being private.
Brilliant!
–jeroen
VIDEO
Posted in Algorithms , Development , Encryption , Hashing , https , OpenSSL , Power User , Public Key Cryptography , Security , Software Development | Leave a Comment »
Posted by jpluimers on 2016/07/11
Still relevant after a few years: DEFCON 17: More Tricks For Defeating SSL – YouTube .
VIDEO
I landed there after trying to find out how to verify the Internic root server file is actually pubished by Internic via authentication – Ways to sign gpg public key so it is trusted? – Information Security Stack Exchange .
I remember reading his “if you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom” post (Moxie Marlinspike >> Blog >> The Cryptographic Doom Principle ), but never noticed his videos .
It is still relevant as there are lots of implementations still vulnerable to these kinds of attacks.
Many more of his blog entries are interesting as well:
Read the rest of this entry »
Posted in Encryption , Hashing , https , OpenSSL , PKI , Power User , Public Key Cryptography , Security , Signing | Leave a Comment »
The Wiert Corner - irregular stream of stuff 