Interesting: Life in a post-database world: using crypto to avoid DB writes.
For some security related operations, you only need smart use of HMAC, and no temporary database entries.
Thanks for the Jan Wildeboer referral to this.
–jeroen
Archive for the ‘Security’ Category
Life in a post-database world: using crypto to avoid DB writes
Posted by jpluimers on 2015/11/05
Posted in Development, Hashing, Power User, Security, Software Development | Leave a Comment »
HTTPS Everywhere Firefox/Chrome/Opera extension – Electronic Frontier Foundation
Posted by jpluimers on 2015/09/11
Over time this has become a must have: HTTPS Everywhere | Electronic Frontier Foundation developed by EFF and TOR.
Too bad many sites still do not work correctly with it.
This is especially true for places or networks where HTTP (or even worse HTTPS) is going through a MitM layer, for instance many mobile providers do this by injecting tracking bits to your traffic:
- SSL all the things, all the time Greedy provider MITMs all traffic, adding user identifier to HTTP headersadding….
- How Verizon’s Advertising Header Works | Web Policy.
–jeroen
via: HTTPS Everywhere | Electronic Frontier Foundation.
Share this:
Posted in https, Power User, Security | Leave a Comment »
Dropbox adds u2f support … if you connect to it via Chrome. Using FIDO U2F. Easy with Plug-Up foldable key.
Posted by jpluimers on 2015/08/21
I like this: the plug-up affordable FIDO U2F Security Key by HAPPLINK.
You could already use it for Google 2nd factor authentication (2FA) through Chrome. You can do this from your own applications for instance through the U2F reference implementation.
Now you can also as 2FA to DropBox, also through Chrome. And it is easy with the plug-up key (Thanks Kristian):
Uuuund… umgestellt. Das war ja einfach.
http://www.amazon.de/dp/B00OGPO3ZS
Es gibt andere Fido Token, die können mehr. Ich nehme dieses, das kostet fast nix und man kann die kaufen und verteilen wie Konfetti.
Or inside the Europe mainland, for instance in:
–jeroen
via: Dropbox adds u2f support … if you connect to it via Chrome. If I’m not….
Share this:
Posted in Chrome, DropBox, Google, GoogleAuthenticator, LifeHacker, Power User, Security, SocialMedia, U2F FIDO Security Keys | Leave a Comment »
security – How do I view the contents of a PFX file on Windows? – Super User
Posted by jpluimers on 2015/07/27
Dumping any kind of certificate file gives you access to more details than the Windows UI usually shows you.
This is especially handy when checking out errors or issues (which can be very difficult to track down).
For binary PFX files, the certutil and openssl commands come in very handy:
Some options to view PFX file details:Open a command prompt and type: certutil -dump Install OpenSSL and use the commands to view the details, such as: openssl pkcs12 -info -in unverified.
OpenSSL is a separate download (from my OpenSSL category of articles, see Some command-line tips for OpenSSL and file format pfx, p12, cer, crt, key, etc. conversion of certificates, keys) to get it.
CertUtil now ships with Windows by default (it wasn’t in the Windows XP era, I’m not sure about Windows Server 2003).
Here is the CertUtil help for dumping certificate information;
Dump certificate file information CertUtil [Options] [-dump] [File] Options: [-f] [-silent] [-split] [-p Password] [-t Timeout]
Note:
- the [-v] option is not listed, but does work; it will give a more verbose dump.
- [-dump] also works other certificate file extensions like .p7b files.
Here is the OpenSSL help for dumping pkcs12 information:
openssl pkcs12 [-export] [-chain] [-inkey filename] [-certfile filename] [-name name] [-caname name] [-in filename] [-out filename] [-noout] [-nomacver] [-nocerts] [-clcerts] [-cacerts] [-nokeys] [-info] [-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 | -camellia192 | -camellia256 | -nodes] [-noiter] [-maciter | -nomaciter | -nomac] [-twopass] [-descert] [-certpbe cipher] [-keypbe cipher] [-macalg digest] [-keyex] [-keysig] [-password arg] [-passin arg] [-passout arg] [-rand files] [-CAfile file] [-CApath dir] [-CSP name]
The pkcs12 command allows PKCS#12 files sometimes referred to as PFX files to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.
There are a lot of options the meaning of some depends of whether a PKCS#12 file is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 file can be created by using the -export option see below.
-in filenameThis specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
…
-infooutput additional information about the PKCS#12 file structure, algorithms used and iteration counts.
and the OpenSSL help for dumping pkcs7 information:
openssl pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-print_certs] [-text] [-noout] [-engine id]
The pkcs7 command processes PKCS#7 files in DER or PEM format.
-inform DER|PEM; This specifies the input format. DER format is DER encoded PKCS#7 v1.5 structure.PEM the default is a base64 encoded version of the DER form with header and footer lines.
…
-print_certs; prints out any certificates or CRLs contained in the file. They are preceded by their subject and issuer names in one line format.
-text; prints out certificates details in full rather than just subject and issuer names.
…
Notes:
- do not forget the -inform DER option to specify a binary .p7b file.
- the -text option gives you more verbose information
–jeroen
via:
- security – How do I view the contents of a PFX file on Windows? – Super User.
- CertUtil Certification Authority Utility | Windows CMD | SS64.com.
- OpenSSL: Documents, openssl1.
- OpenSSL: Documents, pkcs121.
- OpenSSL: Documents, pkcs71.
Share this:
Posted in CertUtil, OpenSSL, PKI, Power User, Public Key Cryptography, Security, Windows | Leave a Comment »
Hacking Team had more and more need for SSL MITM
Posted by jpluimers on 2015/07/07
Interesting reads:
- https://ht.transparencytoolkit.org/rcs-dev%5cshare/HOME/Naga/httpX/Presentation.pptx
- Hacking Team Breach Shows a Global Spying Firm Run Amok | WIRED.
- “Hacking Team Transparency Report” could sign Windows Kernel Drivers.
–jeroen
Share this:
Posted in Communications Development, Development, https, Internet protocol suite, LifeHacker, Power User, Security, TCP, TLS | Leave a Comment »
Time to upgrade: SHAAAAAAAAAAAAA | Check your site for weak SHA-1 certificates.
Posted by jpluimers on 2015/06/01
They days of SHA-1 are quickly coming to an end. Chrome has already marked SHA-1 signed TLS/SSL certificates for having an expiration > 2015-12-31 as insecure for a few weeks now. They promised to sunset SHA-1 about 9 months ago.
So if you haven’t done so, upgrade your HTTPS (and HTTP/2 which defaults to TLS) certificates to SHA-2. A great site of help here is SHAAAAAAAAAAAAA | Check your site for weak SHA-1 certificates. It is open source at GitHub.
You’ve less than 6 months now.
More in dept-reading (especially the comments by Ryan Sleevi): Chrome 42 (next stable) will mark SHA-1 signed certs with a validation date >2015 as insecure!.
–jeroen
PS: if you really need to do the balancing act, you technically can serve old certificates to SHA-2 incompatible clients while serving more secure certificates to modern clients. But it’s a risk, so you might as well tell these old clients they’re out.
Share this:
Posted in https, Power User, Public Key Cryptography, Security, TLS | Leave a Comment »
Enabling GIT_CURL_VERBOSE to research “unable to get local issuer certificate”
Posted by jpluimers on 2015/05/28
A while ago, I was fighting a corporate web proxy playing Man-in-the-Middle on all https sessions.
Though playing MitM on your employees is a debatable thing to do (especially without informing the employees, and illegal in certain countries, I had to get a GIT connection to the outside world working.
This helped tracking it down: GIT_CURL_VERBOSE “unable to get local issuer certificate”.
What I finally did was this:
- obtain the CA certificate that issues the MitM certificate in base-64 CRT form (which is the same as the PEM form):
- added it at the top of either of these files:
"%ProgramFiles%\Git\bin\curl-ca-bundle.crt""%ProgramFiles(x86)%\Git\bin\curl-ca-bundle.crt"
- added it to the top of either of these files:
"%ProgramFiles%\Mercurial\cacert.pem""%ProgramFiles(x86)%\Mercurial\cacert.pem"
–jeroen
PS: These were the failures I was getting:
Share this:
Posted in *nix, cURL, Development, DVCS - Distributed Version Control, git, PKI, Power User, Security, Source Code Management | Leave a Comment »
Patch soon and be careful: A Few Thoughts on Cryptographic Engineering: Attack of the week: FREAK (or ‘factoring the NSA for fun and profit’)
Posted by jpluimers on 2015/03/16
Hmm, I missed this earlier. So: watch your TLS stack (OpenSSL and others), then
Patch soon and be careful.
After that read A Few Thoughts on Cryptographic Engineering: Attack of the week: FREAK (or ‘factoring the NSA for fun and profit’).
Thanks Kristian Köhntopp for sharing.
–jeroen
Share this:
Posted in OpenSSL, Power User, Security | Leave a Comment »
Some notes on OpenSSL, S/MIME, email, various RFC standards and their relations.
Posted by jpluimers on 2015/03/10
Stuff I found out myself:
- OpenSSL does not like to have a period (dot) at the end of a S/MIME message (like many .EML files have as SMTP basically requires a period to terminate an email message.
- Indy sometimes changes the ContentType of S/MIME messages; you can reproduce this using the CopyEml demos; preliminary fix is in IdMessageHelperUnit.pas.
They should reorganize their site to make the most current version more findable; these links help me to track down what’s new: - Make sure your tools
- accept the old RSA MIME types:
- application/x-pkcs7-mime
- application/x-pkcs7-signature
- application/x-pkcs10
- but emit the new RFC 2311+ MIME types:
- application/pkcs7-mime
- application/pkcs7-signature
- application/pkcs10
- emit the new RFC MIME types:
- accept the old RSA MIME types:
Some links I found useful: Read the rest of this entry »
Share this:
Posted in Delphi, Development, OpenSSL, Power User, Security, Software Development | 3 Comments »
OpenSSL on Windows: fixing the “unable to write ‘random state'” (via: Stack Overflow)
Posted by jpluimers on 2015/03/05
If you are running OpenSSL as a regular user, or cannot perform “RunAs Administrator”, and you get this error message:
unable to write 'random state'
then make sure you have set your environment variables correctly before running OpenSSL:
RANDFILE=%LOCALAPPDATA%\.rnd
A full batch file front-end for OpenSSL.exe is this one:
Share this:
Posted in Batch-Files, Development, OpenSSL, Power User, Scripting, Security, Software Development, Windows | Leave a Comment »
The Wiert Corner - irregular stream of stuff 