The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Archive for the ‘Security’ Category

Add a Security Key to your Google Account: FIDO U2F Security Key

Posted by jpluimers on 2014/12/08

I just added a FIDO U2F Security Key | Yubico as a FIDO second factor to my Google Account: Add a Security Key to your Google Account – Accounts Help.

The cool thing: if you don’t have your FIDO U2F key with you, you can fall back to Google two step verification mechanisms like Authenticator, SMS/Phone or pre-generated backup security codes.

–jeroen

Posted in Chrome, Google, Google Apps, GoogleAuthenticator, Power User, Security, U2F FIDO Security Keys | 4 Comments »

Google: view which Devices used your account when: Security – Devices

Posted by jpluimers on 2014/11/24

Security – Devices: https://security.google.com/settings/security/activity

Posted in Google, Power User, Security

Introducing nogotofail—a network traffic security testing tool for TLS/SSL – via: Google Online Security Blog

Posted by jpluimers on 2014/11/07

Great! And it is open source at https://github.com/google/nogotofail:

The Android Security Team has built a tool, called nogotofail, that provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations. Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet.

There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy.

–jeroen

via Google Online Security Blog: Introducing nogotofail—a network traffic security testing tool.

Posted in *nix, Android Devices, Chrome, Google, iOS, Mac OS X / OS X / MacOS, OpenSSL, Power User, Security, Windows

HTTPS blessing and curse: Security Collapse in the HTTPS Market – ACM Queue

Posted by jpluimers on 2014/09/29

Funny to discover these two articles today:

–jeroen

Posted in https, Power User, Security

testing HTTPS with openssl « The Sarth Repository

Posted by jpluimers on 2014/08/22

Interesting:

openssl s_client -connect localhost:443

I don’t have a Linux machine here, but this might work too:

gnutls-cli www.somesite

And note that when using telnet, the hostnames must match:

$ openssl s_client -connect XXX.XX.XX.XXX:443
... connection information will be displayed …
GET / HTTP/1.1
host: XXX.XX.XX.XXX

or

$ openssl s_client -connect www.example.com:443
... connection information will be displayed …
GET / HTTP/1.1
host: www.example.com

Don’t MIX
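
An added example, not part of the original post: a small POSIX shell wrapper that derives the -connect target, the SNI name and the Host header from one argument, so the names cannot be mixed. The function names (http_request, is_ip_literal, s_client_args, probe) are hypothetical; IP literals get no -servername because SNI carries host names only.

```shell
#!/bin/sh
# Added example: one HOST argument feeds the TLS endpoint, SNI and Host header.

# http_request HOST [PATH] - print a minimal HTTP/1.1 request with CRLF line ends.
http_request() {
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "${2:-/}" "$1"
}

# is_ip_literal HOST - crude IPv4 check: only digits and dots, at least three dots.
is_ip_literal() {
    case "$1" in
        *[!0-9.]*|'') return 1 ;;
        *.*.*.*)      return 0 ;;
        *)            return 1 ;;
    esac
}

# s_client_args HOST [PORT] - print the openssl s_client arguments for HOST.
# -quiet suppresses the session dump and implies -ign_eof, so the response is
# still read after the request on stdin has ended.
s_client_args() {
    if is_ip_literal "$1"; then
        printf '%s' "-quiet -connect $1:${2:-443}"
    else
        printf '%s' "-quiet -connect $1:${2:-443} -servername $1"
    fi
}

# probe HOST [PATH] [PORT] - send the request over TLS and print the response.
probe() {
    # Word splitting of the argument list is intended here.
    http_request "$1" "${2:-/}" | openssl s_client $(s_client_args "$1" "${3:-443}") 2>/dev/null
}

# Usage (needs network access): probe www.example.com /
```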

Now I need to research how it works with a proxy… simulate a “connect http/1.1 443” proxy – Google Search.

–jeroen

via:

Posted in OpenSSL, Power User, Security, Windows, Windows-Http-Proxy

ADAP Open Source REST API Layer For LDAP | Dr Dobb’s

Posted by jpluimers on 2014/05/06

Interesting, as this opens LDAP server to a lot more tools and development environments: ADAP Open Source REST API Layer For LDAP | Dr Dobb’s.

–jeroen

Posted in Communications Development, Development, HTTP, Internet protocol suite, JavaScript/ECMAScript, JSON, LDAP, Power User, REST, Scripting, Security, Software Development, TCP, Web Development

Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection (via: Danimo’s blog and Kristian Köhntopp G+)

Posted by jpluimers on 2014/04/21

Thanks Kristian Köhntopp for sharing a link to Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection | Danimo’s blog.

–jeroen

Posted in OpenSSL, Power User, Security

WinSCP 5.5.3 released (via: WinSCP :: Free SFTP and FTP client for Windows)

Posted by jpluimers on 2014/04/15

Yesterday WinSCP 5.5.3 got released. Among other fixes, the most important one is this:

They upgraded to OpenSSL 1.0.1g, so the infamous Heartbleed vulnerability is solved.

–jeroen

via: WinSCP :: Free SFTP and FTP client for Windows.

Posted in OpenSSL, Power User, Security

On resetting passwords because of the OpenSSL vulnerability

Posted by jpluimers on 2014/04/15

As a continuation of More OpenSSL and certificate things (in the aftermath of Heartbleed): on resetting passwords.

In other news:

–jeroen

Posted in OpenSSL, Power User, Security

More OpenSSL and certificate things (in the aftermath of Heartbleed)

Posted by jpluimers on 2014/04/13

So you think Heartbleed is over. Think again. Not only servers are affected. Clients too. And you need to tighten your security even more.

Basically it comes down to this:

Expect all sites using HTTPS to have been vulnerable, and all data you exchanged to be captured, unless you have hard proof they were not vulnerable or the traffic was not captured. If you have not started changing passwords, private keys, credit card numbers, etc.: do so now.

and

In layman’s terms/pictures: xkcd: Heartbleed Explanation.

If you still don’t get it: anyone with any HTTPS connection to a once vulnerable system could copy data out of that system. There is no guarantee that data did not contain your identity (username, password, public key, credit card check-digits, etc) or server identity (private and public key).

Since often you cannot prove a system was using OpenSSL, there is no way to prove your data didn’t get copied.

Here are some interesting reads from last week:

Posted in OpenSSL, Power User, Security | 1 Comment »