Posted by jpluimers on 2014/05/06
Interesting, as this opens up LDAP servers to a lot more tools and development environments: ADAP Open Source REST API Layer For LDAP | Dr Dobb’s.
–jeroen
Posted in Communications Development, Development, HTTP, Internet protocol suite, JavaScript/ECMAScript, JSON, LDAP, Power User, REST, Scripting, Security, Software Development, TCP, Web Development | Leave a Comment »
Posted by jpluimers on 2014/04/21
Thanks Kristian Köhntopp for sharing a link to Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection | Danimo’s blog.
–jeroen
Posted in OpenSSL, Power User, Security | Leave a Comment »
Posted by jpluimers on 2014/04/15
Yesterday WinSCP 5.5.3 got released. Among other fixes, the most important one is this:
They upgraded to OpenSSL 1.0.1g, so the infamous Heartbleed vulnerability is fixed.
–jeroen
Posted in OpenSSL, Power User, Security | Leave a Comment »
Posted by jpluimers on 2014/04/15
As a continuation of More OpenSSL and certificate things (in the aftermath of Heartbleed): on resetting passwords.
In other news:
–jeroen
Posted in OpenSSL, Power User, Security | Leave a Comment »
Posted by jpluimers on 2014/04/13
So you think Heartbleed is over. Think again. Not only servers are affected. Clients too. And you need to tighten your security even more.
Basically it comes down to this:
Expect all sites using HTTPS to have been vulnerable, and all data you exchanged to be captured. Unless you can have hard proof they were not vulnerable, or the traffic was not captured. If you have not started changing passwords, private keys, credit card numbers, etc: do so now.
and
In layman’s terms/pictures: xkcd: Heartbleed Explanation.
If you still don’t get it: anyone with any HTTPS connection to a once vulnerable system could copy data out of that system. There is no guarantee that data did not contain your identity (username, password, public key, credit card check-digits, etc) or server identity (private and public key).
Since you often cannot prove whether a system was using OpenSSL, there is no way to prove your data did not get copied.
Here are some interesting reads from last week:
Posted in OpenSSL, Power User, Security | Tagged: Heartbleed | 1 Comment »
Posted by jpluimers on 2014/04/13
Whereas investigations into the OpenSSL Heartbleed vulnerability were initially aimed at servers, over the last few days the client side has received more attention.
Ouch. This might account for more than 30% of the Android devices out there: Android 4.1.1 Devices are Vulnerable to Heartbleed.
Time to check which Android version your device is running.
The @Lookout security firm did some statistics and published them on Twitter:
Detector app data: Germany has the most affected phones at 12.46%. Check out our geographical break down:
Posted in OpenSSL, Power User, Security | 1 Comment »
Posted by jpluimers on 2014/04/11
In layman’s terms/pictures: xkcd: Heartbleed Explanation.
If you still don’t get it: anyone with any HTTPS connection to a once vulnerable system could copy data out of that system. There is no guarantee that data did not contain your identity (username, password, public key, credit card check-digits, etc) or server identity (private and public key).
Since you often cannot prove whether a system was using OpenSSL, there is no way to prove your data did not get copied.
–jeroen (who just discovered this is post #2000 on my blog; ain’t this cool? <g>)
Posted in Internet, OpenSSL, Power User, Security | 8 Comments »
Posted by jpluimers on 2014/04/08
The fixed OpenSSL 1.0.1g is already available in source form and for many platforms.
As soon as they become available, anyone using OpenSSL 1.0.1 or 1.0.2 must deploy the patched version as fast as possible.
You also need to have all your certificates re-issued.
During the vulnerability period, your private keys may have been exposed, and there is no way to tell that they were not exposed.
Note that the official Win32 binaries for 1.0.1g are not available yet (expect them soon), but the Indy team made Win32 and Win64 versions available.
Note that openSuSE did a backport of the patch to 1.0.1e for 12.3 and 13.1. Older openSuSE versions do not have updates for this issue, but you want to upgrade anything lower than 0.9.8 anyway, as those versions contain other serious vulnerabilities.
–jeroen
Posted in *nix, Delphi, Delphi 2006, Delphi 2007, Delphi 2009, Delphi 2010, Delphi 6, Delphi 7, Delphi XE, Delphi XE2, Delphi XE3, Delphi XE4, Delphi XE5, Development, Linux, OpenSSL, openSuSE, Power User, Security, Software Development, SuSE Linux | 7 Comments »
Posted by jpluimers on 2014/03/05
A new *nix bug got discovered in TLS certificate handling that is similar to the recently discovered iOS and OS X “goto fail” security issue.
This time the fix consists of a few replacements like this:
-goto cleanup;
+goto fail;
Plus one addition:
+fail: // ADDED
+ result = 0;
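Review bot: the new `fail:` label sets `result = 0` before the cleanup code runs, so it only takes effect on error paths that actually jump to it; any `goto cleanup;` left untouched in an error branch would leave `result` holding its previous (nonzero) value, which a caller testing for nonzero would read as a successful verification. Check that every error-path `goto cleanup;` in the affected functions was converted, and that `fail:` is placed so that it falls through into the existing cleanup block. The `// ADDED` marker on the label line should stay a diff annotation rather than a comment committed to the source.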
Applications depending on GnuTLS, of which there are many, are affected (other libraries, like OpenSSL, also provide TLS).
Two must-do things:
I’m with Jan Wildeboer here and updates should get in very soon:
Posted in Communications Development, Development, Internet protocol suite, Power User, Security, TCP, TLS | Tagged: GnuTLS, goto cleanup, TLS | Leave a Comment »
Posted by jpluimers on 2014/02/27
Didn’t notice they published these stickers while I was on holiday earlier this year: Bescherm je laptop met een principiële sticker « Bits of Freedom.
There must be stickers like that in other languages as well; I just have not searched for them yet (:
–jeroen
Posted in Power User, Security | Leave a Comment »