The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Security’ Category

testing HTTPS with openssl « The Sarth Repository

Posted by jpluimers on 2014/08/22

Interesting:

openssl s_client -connect localhost:443

I don’t have a Linux machine here, but this might work too:

gnutls-cli www.somesite

Also note that, just as when you type a request by hand over telnet, the Host header must match what you passed to -connect (and finish the request with an empty line, otherwise the server keeps waiting for more headers):

$ openssl s_client -connect XXX.XX.XX.XXX:443
... connection information will be displayed …
GET / HTTP/1.1
host: XXX.XX.XX.XXX

or

$ openssl s_client -connect www.example.com:443
... connection information will be displayed …
GET / HTTP/1.1
host: www.example.com

Don’t MIX the two: connect by IP address and send the IP address as Host, or connect by name and send the name, since a server hosting several sites on one address picks the site by that header. When you connect by name, also pass it as -servername so it is sent as SNI during the handshake; the s_client of OpenSSL 1.0.x does not send SNI unless you ask for it.
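As an added example (not from the linked post and not the author's own code), here is a small POSIX shell harness around s_client that keeps Host and -connect in sync, adds -servername only for hostnames (an IP literal must not be sent as SNI), terminates the request properly, and checks that OpenSSL actually verified the certificate chain rather than merely completing the handshake. The hostnames and addresses in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Drives `openssl s_client`
# the way the post describes, with the request built correctly and the
# certificate verification result checked. Hosts/IPs/paths are placeholders.

# True when the target is an IP literal (dotted IPv4, or anything with a
# colon, taken as IPv6). An IP literal must not be sent as SNI, so this
# decides whether -servername is added.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;          # contains a colon: treat as an IPv6 literal
        *[!0-9.]*) return 1 ;;    # anything besides digits and dots: a hostname
        *) return 0 ;;
    esac
}

# Print "-servername <name>" for hostnames, nothing for IP literals.
sni_args() {
    is_ip_literal "$1" || printf '%s %s' -servername "$1"
}

# Build a minimal HTTP/1.1 request. The Host header is taken from the same
# value that goes into -connect, so the two can never diverge ("Don't MIX").
# CRLF line endings and the trailing empty line terminate the request, which
# is easy to forget when typing into s_client by hand.
build_request() {
    host=$1
    path=${2:-/}
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
}

# Read s_client output on stdin; succeed only if OpenSSL verified the chain.
# s_client completes the handshake even for untrusted certificates and only
# reports that in this line, so a successful handshake alone proves nothing.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Connect, send the request, print everything s_client shows (certificate
# info plus the server's reply). -ign_eof keeps s_client reading after stdin
# ends, until the server closes, which "Connection: close" asks it to do.
# Limitation: IPv6 literals are not bracketed for -connect here.
https_get() {
    target=$1
    port=${2:-443}
    path=${3:-/}
    # word splitting of $(sni_args ...) is intended: it yields zero or two words
    build_request "$target" "$path" |
        openssl s_client -connect "$target:$port" $(sni_args "$target") -ign_eof 2>&1
}

# Usage (needs network, so not run here):
#   out=$(https_get www.example.com 443 /)
#   printf '%s\n' "$out" | verify_ok && echo "chain verified" || echo "UNTRUSTED"
```

s_client will happily finish a handshake with a self-signed or expired certificate and only mention it in the "Verify return code" line, so treat any reply that does not carry "Verify return code: 0 (ok)" as untrusted, whatever the HTTP response says. For the proxy question: OpenSSL 1.1.0 and later add an s_client -proxy host:port option that issues the HTTP CONNECT for you.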

Now I need to research how it works with a proxy… simulate a “connect http/1.1 443” proxy – Google Search.

–jeroen


Posted in OpenSSL, Power User, Security, Windows, Windows-Http-Proxy

ADAP Open Source REST API Layer For LDAP | Dr Dobb’s

Posted by jpluimers on 2014/05/06

Interesting, as this opens up LDAP servers to a lot more tools and development environments: ADAP Open Source REST API Layer For LDAP | Dr Dobb’s.

–jeroen

Posted in Communications Development, Development, HTTP, Internet protocol suite, JavaScript/ECMAScript, JSON, LDAP, Power User, REST, Scripting, Security, Software Development, TCP, Web Development

Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection (via: Danimo’s blog and Kristian Köhntopp G+)

Posted by jpluimers on 2014/04/21

Thanks Kristian Köhntopp for sharing a link to Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection | Danimo’s blog.

–jeroen

Posted in OpenSSL, Power User, Security

WinSCP 5.5.3 released (via: WinSCP :: Free SFTP and FTP client for Windows)

Posted by jpluimers on 2014/04/15

Yesterday WinSCP 5.5.3 got released. Among other fixes, the most important one is this:

They upgraded to OpenSSL 1.0.1g, so the infamous Heartbleed vulnerability is fixed.

–jeroen

via: WinSCP :: Free SFTP and FTP client for Windows.

Posted in OpenSSL, Power User, Security

On resetting passwords because of the OpenSSL vulnerability

Posted by jpluimers on 2014/04/15

As a continuation of More OpenSSL and certificate things (in the aftermath of Heartbleed): on resetting passwords.

In other news:

–jeroen

Posted in OpenSSL, Power User, Security

More OpenSSL and certificate things (in the aftermath of Heartbleed)

Posted by jpluimers on 2014/04/13

So you think Heartbleed is over. Think again. Not only servers are affected. Clients too. And you need to tighten your security even more.

Basically it comes down to this:

Expect all sites using HTTPS to have been vulnerable, and all data you exchanged with them to have been captured, unless you have hard proof that they were not vulnerable or that the traffic was not captured. If you have not started changing passwords, private keys, credit card numbers, etc.: do so now.

and

In layman’s terms/pictures: xkcd: Heartbleed Explanation.

If you still don’t get it: anyone with any HTTPS connection to a once vulnerable system could copy data out of that system. There is no guarantee that data did not contain your identity (username, password, public key, credit card check-digits, etc) or server identity (private and public key).

Since often you cannot tell whether a system was running a vulnerable OpenSSL, there is no way to prove your data didn’t get copied.

Here are some interesting reads from last week:

Posted in OpenSSL, Power User, Security

Android 4.1.1 Devices are Vulnerable to Heartbleed

Posted by jpluimers on 2014/04/13

Whereas the investigations into the OpenSSL Heartbleed vulnerability were initially aimed at servers, over the last few days the client side has received more attention.

Ouch. This might count for more than 30% of the Android devices out there: Android 4.1.1 Devices are Vulnerable to Heartbleed.

Time to check which Android version your device is running.

The @Lookout security firm did some statistics and published them on Twitter:

Detector app data: Germany has the most affected phones at 12.46%. Check out our geographical break down:

Posted in OpenSSL, Power User, Security

xkcd: Heartbleed Explanation, or why you should reset passwords, certificates and request new credit cards.

Posted by jpluimers on 2014/04/11

In layman’s terms/pictures: xkcd: Heartbleed Explanation.

If you still don’t get it: anyone with any HTTPS connection to a once vulnerable system could copy data out of that system. There is no guarantee that data did not contain your identity (username, password, public key, credit card check-digits, etc) or server identity (private and public key).

Since often you cannot tell whether a system was running a vulnerable OpenSSL, there is no way to prove your data didn’t get copied.

–jeroen (who just discovered this is post #2000 on my blog; ain’t this cool? <g>)

Posted in Internet, OpenSSL, Power User, Security

Heartbleed: Serious OpenSSL zero day vulnerability revealed | ZDNet

Posted by jpluimers on 2014/04/08

The fixed OpenSSL 1.0.1g is already available in source form and for many platforms.

Anyone using OpenSSL 1.0.1 or 1.0.2 must deploy the patched version as soon as it becomes available for their platform.

You also need to have all your certificates re-issued, on freshly generated private keys: a new certificate on the old key gains you nothing.

During the vulnerability period, your private keys may have been exposed, and there is no way to tell that they were not.

Note that the official Win32 binaries for 1.0.1g are not available yet (expect them soon), but the Indy team made Win32 and Win64 versions available.

Note that openSUSE backported the patch to 1.0.1e for 12.3 and 13.1, so on those systems the version string still reads 1.0.1e even though the bug is fixed; check the package changelog rather than the version number. Older openSUSE versions do not get updates for this issue, but you want to upgrade anything lower than 0.9.8 anyway, as those versions contain other serious vulnerabilities.
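As an added example (not part of the original post), the following POSIX shell function turns the rules above into a first triage step: it classifies a build by the output of openssl version -a, using the version ranges from the OpenSSL advisory for Heartbleed (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g fixed; the 0.9.8 and 1.0.0 branches not affected), and it recognises the advisory's fallback mitigation of building with -DOPENSSL_NO_HEARTBEATS from the compiler line. The sample outputs in the test are constructed. Because a distro backport such as the openSUSE 1.0.1e one keeps the old version number, "vulnerable" here means "vulnerable unless your vendor says otherwise", not a verdict.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies an OpenSSL build
# from `openssl version -a` output. Version ranges follow the Heartbleed
# advisory; the flags check covers the -DOPENSSL_NO_HEARTBEATS mitigation.
# A vendor backport keeps the old version string, so "vulnerable" is a
# starting point for checking the package changelog, not a final answer.

# Read `openssl version -a` output on stdin and print one of:
#   vulnerable | fixed | not-affected | heartbeats-disabled | unknown
# Exit status is 0 for a recognised version, 1 for unknown.
heartbleed_status() {
    version=""
    flags=""
    while IFS= read -r line; do
        case "$line" in
            "OpenSSL "*)
                # first line looks like "OpenSSL 1.0.1e 11 Feb 2013"; keep "1.0.1e"
                if [ -z "$version" ]; then
                    version=${line#"OpenSSL "}
                    version=${version%% *}
                fi ;;
            compiler:*)
                # build flags, e.g. "compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB ..."
                flags=$line ;;
        esac
    done

    case "$flags" in
        *OPENSSL_NO_HEARTBEATS*)
            # heartbeat extension compiled out: the bug is unreachable
            echo "heartbeats-disabled ($version)"
            return 0 ;;
    esac

    case "$version" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo "vulnerable ($version: upgrade to 1.0.1g, or confirm a vendor backport)" ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)
            echo "fixed ($version)" ;;
        0.9.8*|1.0.0*)
            echo "not-affected ($version, but out of date: upgrade anyway)" ;;
        "")
            echo "unknown (no OpenSSL version line found)"
            return 1 ;;
        *)
            echo "unknown ($version)"
            return 1 ;;
    esac
}

# Usage on a live system (needs the openssl binary):
#   openssl version -a | heartbleed_status
```

Run it against every OpenSSL copy on a machine, not just the one in PATH: applications (the Delphi/Indy case above included) often ship their own libeay32.dll or libssl.so next to the executable, and those are the ones that stay unpatched after the system package has been updated.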

–jeroen


Posted in *nix, Delphi, Delphi 2006, Delphi 2007, Delphi 2009, Delphi 2010, Delphi 6, Delphi 7, Delphi XE, Delphi XE2, Delphi XE3, Delphi XE4, Delphi XE5, Development, Linux, OpenSSL, openSuSE, Power User, Security, Software Development, SuSE Linux

Time for a new “-goto cleanup;+goto fail;” T-Shirt; The Story of the GnuTLS Bug (via: existential type crisis)

Posted by jpluimers on 2014/03/05

A new *nix bug was discovered in TLS certificate handling that is similar to the recently discovered iOS and OS X “goto fail” security issue.

This time the fix consists of a few replacements like this:

-goto cleanup;
+goto fail;
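Review bot: this replacement must be applied only to the `goto cleanup;` statements on error paths, i.e. the ones reached after a negative return value was stored in `result`; a `goto cleanup;` that is reached on the success path has to keep its target, or a valid certificate chain would now be reported as failing verification. Listing the call sites that were changed would make the fix reviewable.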

Plus one addition:

+fail: // ADDED
+ result = 0;
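Review bot: the new `fail:` label only does its job if it sits directly before the existing `cleanup:` label, so that `result = 0;` falls through into the resource cleanup; a `goto fail;` that bypasses `cleanup:` would leak whatever that block frees. Setting `result = 0` also discards the original negative error code, so callers can no longer tell "certificate invalid" from "internal error"; if that distinction is needed, log it before the assignment. What the assignment buys is that every error path now returns the same value as a failed check rather than a non-zero error code, which matters when a caller treats any non-zero return as a passed check.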

Applications depending on GnuTLS are affected, and there are many of them (applications built on another TLS library, such as OpenSSL, are not affected by this particular bug).

Two must-do things:

  • Closely watch the Linux, BSD, other *nix and application security updates, as exploits will be available soon
  • Read via: existential type crisis : The Story of the GnuTLS Bug, as it explains the bug, tracks down the cause, and talks about “lessons to learn”.

I’m with Jan Wildeboer here and updates should get in very soon:

Posted in Communications Development, Development, Internet protocol suite, Power User, Security, TCP, TLS