In a world that is now gradually adopting HTTP/3 (which, as you know, is implemented over QUIC), the problem with the missing API for QUIC is still a key problem. There are a number of existing QUIC library implementation now since a few years back, and they are slowly maturing. The QUIC protocol became RFC … Continue reading The QUIC API OpenSSL will not provide →| daniel.haxx.se
In a previous| /dev/posts/
You might want to use an open recursive DNS servers if your ISP's DNS| /dev/posts/
Unauthorized TLS certificates were issued for 1.1.1.1 by a Certification Authority without permission from Cloudflare. These rogue certificates have now been revoked.| The Cloudflare Blog
Nur die Wenigsten der weltweit eingesetzten Geräte nutzt quantensichere Verschlüsselung. Mit einer neuen Technologie lassen sich veraltete Kryptoprotokolle nun erstmals in Echtzeit erkennen. Gerade in IT-, OT- und IoT-Umgebungen drohen gravierende Sicherheitsrisiken. Angreifer könnten Daten heute abfangen und mit Quantencomputern später entschlüsseln. Forescout hat eine branchenweit einzigartige Lösung vorgestellt, die nicht-quantensichere Verschlüsselung in Echtzeit erkennt – ein en...| B2B Cyber Security
A deep dive into the Encrypted Client Hello, a standard that encrypts privacy-sensitive parameters sent by the client, as part of the TLS handshake.| The Cloudflare Blog
Ensuring SSL certificates are replaced before expiration is vital to an organization's health. Dealing with expired certificates can be done in several ways| Encryption Consulting
One of the biggest reasons users adopt service mesh is to enable secure communication among applications using mutual TLS (mTLS) based on cryptographically verifiable identities. In this blog, we’ll discuss the requirements of secure communication among applications, how mTLS enables and meets all those requirements, along with simple steps to get you started with enabling mTLS among your applications using Istio. What do you need to secure the communications among your applications? Modern...| Istio Blog
Most of today's cryptography is designed to be secure against an adversary with enormous amounts of computational power.| The Cloudflare Blog
In the curl project we have a long tradition of supporting a range of different third party libraries that provide similar functionality. The person who builds curl needs to decide which of the backends they want to use out of the provided alternatives. For example when selecting which TLS library to use. This is a … Continue reading Dropping some TLS laggards →| daniel.haxx.se
curl supports getting built with eleven different TLS libraries. Six of these libraries are OpenSSL or forks of OpenSSL. Allow me to give you a glimpse of their differences, similarities and some insights into what it takes to support them all. SSLeay It all started with SSLeay. This was the first SSL library I found … Continue reading A family of forks →| daniel.haxx.se
I managed to get modern SSL/TLS connections working under Windows XP, by running a lightweight Linux VM which strips the TLS headers and re-applies a self-signed certificate:| Kian Bradley’s Blog
The Army is pivoting away from its approach for the Multi-Function Electronic Warfare platform and using its TLS Manpack to mount to vehicles for a ground platform solution.| DefenseScoop
Introduction We at OVHcloud are committed to providing secure and professional email services that meet the latest industry standards. To boost security, we’re disabling TLS 1.0 and 1.1 protocols on our Exchange solutions, in line with international standards. Are you using a recent and updated email client? You don’t need to do anything; all email […]| OVHcloud Blog
Proxmox Virtual Environment (PVE) has a built-in clustering feature that allows you to access all PVE nodes within the cluster by connecting to any of the nodes, by using a web browser or by connec…| Majornetwork
Just a few days before turning off the lights, the Biden administration dropped a huge cybersecurity executive order including a lot of good stuff, that hopefully [cross your fingers, knock wood, spin around three times and spit] will last into future administrations. We snagged some time with Carole House, outgoing Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy, National Security Council in the Biden-Harris White House, to give us a brain dump...| Security Cryptography Whatever
Adding HTTPS to your site used to take a good deal of time, a nice chunk of money, and some command-line expertise. These days, however, if you're an Amazon Web Services customer, enabling HTTPS on your site is easy.| Webinista, a freelance web developer
Well, I was certainly hoping for this result, but wasn't necessarily expecting it! I'm pleased to report that Ballot SC-081v3 passed, and that shorter certificate lifetimes are now coming! The Schedule I will go into more detail later in the post, but right now, let'| Scott Helme
Kubernetes (K8s) is the go-to platform for containerized applications, but it introduces significant security risks—especially when sensitive data, API communications, and multi-tenant environments are involved. Unlike traditional TLS encryption and secret management, Eclypses MTE (MicroToken Exchange) eliminates data exposure in Kubernetes environments by securing data at the application layer—before it enters the cluster network. Learn […] The post Using Eclypses MTE to Secure Kuberne...| Eclypses Inc.
The last two blog posts in this series were about SNI spoofing and Host header spoofing. We also learned that the latter is addressed by some vendors with a technique called “Domain Fronting Detection”. But what exactly is domain fronting? This will be explained in this blog post.| blog.compass-security.com
In the last post about bypassing web filters, I discussed how SNI spoofing works and how this can also be prevented by web filters. This post is about another bypass technique called Host Header spoofing.| blog.compass-security.com
This is the first part of a series of blog posts about techniques to bypass web filters, looking at increasingly advanced techniques with each part.| blog.compass-security.com
Continuing their trend of radical change for the better, Let's Encrypt have announced that, this year, you will be able to request certificates with a validity period of only 6 days! Let's Encrypt I remember sitting in the room for this DEF CON 23 panel discussion| Scott Helme
Ever wondered what the Alt-Svc response header is used for? Turns out it can be used to become a Man-in-the-Middle and attack TLS!| pspaul's blog
Updated in 2025-02. Thread-local storage (TLS) provides a mechanism allocating distinct objects for different threads. It is the usual implementation for GCC extension __thread, C11 _Thread_local, and| MaskRay
Hitless TLS certificate rotation is critical to continue our quest of reducing certificate expiration times, while keeping our sanity intact.| Diogo Mónica
В современном мире интернет-технологий, где один сервер часто обслуживает множество доменов, возникает вопрос эффективного управления безопасными соединениями. Здесь на помощь приходит SNI (Server Name Indication) — ключевое расширение протокола TLS (Transport Layer Security). Статья Руководс...| WP Yoda
Get the answer to what is an SSL/TLS certificate signed by a trusted CA and how it safeguards information shared between clients and servers in web browsing.| Encryption Consulting
February 27, 2024: AWS has completed our global updates to deprecate support for TLS 1.0 and TLS 1.1 versions on our AWS service API endpoints across each of our AWS Regions and Availability Zones. January 17, 2024: Over 96% of AWS service API endpoints have ended support for TLS versions 1.0 and 1.1. Over the […]| Amazon Web Services
Yesterday I released version 1.6.1 of bettercap and among other things, you can read in the changelog: * Huge improvement on HTTPS parser, now it parses TLS Client Hello messages with SNI extension in order to extract the real hostname. ... But what does this actually mean? And how can we protect ourselves from it? (Hint: we can’t, yet)| evilsocket
TLS Encrypted Client Hello用のSSLKEYLOGFILE拡張の提案仕様| ASnoKaze blog
1. What Is Security? The word “Security” is a very broad concept and could refer to completely different procedures and methodology to achieve. Knowing what security means to your application is very important, so you could execute proper security practices and procedures to ensure the safety of your company's assets. Data compromises could often lead| Highgo Software Inc. - Enterprise PostgreSQL Solutions
The Guile bindings for GnuTLS has been part of GnuTLS since spring 2007 when Ludovic Courtès contributed it after some initial discussion. I have been looking into getting back to do GnuTLS coding, and during a recent GnuTLS meeting one Continue reading On language bindings & Relaunching Guile-GnuTLS→| Simon Josefsson's blog
Simple Authentication and Security Layer (SASL, RFC4422) is the framework that was abstracted from the IMAP and POP protocols. Among the most popular mechanisms are PLAIN (clear-text passwords, usually under TLS), CRAM-MD5 (RFC2195), and GSSAPI (for Kerberos V5). The DIGEST-MD5 Continue reading What’s wrong with SCRAM?→| Simon Josefsson's blog
I have finished the SCRAM implementation in GNU SASL. The remaining feature to be added were support for the “enhanced” SCRAM-SHA-1-PLUS variant instead of just the normal SCRAM-SHA-1 mechanism. The difference is that the latter supports channel bindings to TLS, Continue reading GNU SASL with SCRAM-SHA-1-PLUS→| Simon Josefsson's blog
This post describe the process of identifying and profiling an inefficient part of GnuTLS. The tool I’m using is callgrind. I won’t describe the tool in detail since I’m not a callgrind expert, instead the focus is on the methodology Continue reading Real-world Performance Tuning with Callgrind→| Simon Josefsson's blog
I was catching up on the always excellent Security. Cryptography. Whatever. podcast, and enjoyed the episode with Colm MacCárthaigh about a bunch of topics around TLS. It’s a great episode th…| Neil Madden
Published on| offsec.almond.consulting
TLS is the fundamental protocol facilitating secure web browsing. Simply speaking it identifies the server identity and establishes an encrypted connection. That’s how we may securely use banking, do shopping, and do other things we take for granted. Establishing such a connection comes with a performance footprint because computation| Security, Privacy & Tech Inquiries
Notes on X3DH| www.gabriel.urdhr.fr
Lack of X.509 TLS certificate validation in OWASP ZAP| www.gabriel.urdhr.fr
Introduction to TLS v1.3| www.gabriel.urdhr.fr
Introduction to TLS v1.2| www.gabriel.urdhr.fr
Introduction to the Diffie-Hellman key exchange| www.gabriel.urdhr.fr
Disable certificate verification on Android with Frida| www.gabriel.urdhr.fr
Various compliance standards require protection of sensitive data environments. Some of the important standards and the types of sensitive data they protect appear in the following table: StandardSensitive data PCI DSSpayment card data FedRAMPfederal information, data and metadata HIPAApersonal health data GDPRpersonal data PCI DSS, for example, recommends putting cardholder data environment on a network, separate from the rest of the system. It also requires using a DMZ, and setting firewall...| Istio Blog
Welcome to part 3 in our series about secure control of egress traffic in Istio. In the first part in the series, I presented the attacks involving egress traffic and the requirements we collected for a secure control system for egress traffic. In the second part in the series, I presented the Istio way of securing egress traffic and showed how you can prevent the attacks using Istio. In this installment, I compare secure control of egress traffic in Istio with alternative solutions such as u...| Istio Blog
Welcome to part 2 in our new series about secure control of egress traffic in Istio. In the first part in the series, I presented the attacks involving egress traffic and the requirements we collected for a secure control system for egress traffic. In this installment, I describe the Istio way to securely control the egress traffic, and show how Istio can help you prevent the attacks. Secure control of egress traffic in Istio To implement secure control of egress traffic in Istio, you must di...| Istio Blog
minikube makes it easy to spin up a local Kubernetes cluster on macOS, and adding an Ingress is convenient with its built-in Addons. In this article, I want to take it one step further and show how to expose the Ingress via TLS (secure https) using a custom key/certificate chain. Prerequisites MacOS Brew package manager ... minikube: installing minikube on Mac with secure TLS ingress| Fabian Lee : Software Engineer
The Vault Secrets Operator is a Vault integration that runs inside a Kubernetes cluster and synchronizes Vault-level secrets to Kubernetes-level secrets. This secret synchronization happens transparently to the running workloads, without any need to retrofit existing images or manifests. In this article, I will show how to: Install the Vault Secrets Operator (VSO) Configure the ... Vault: synchronizing secrets from Vault to Kubernetes using Vault Secrets Operator| Fabian Lee : Software Engineer
minikube makes it easy to spin up a local Kubernetes cluster, and adding an Ingress is convenient with its built-in Addons. In this article, I want to take it one step further and show how to use a custom key/certificate to expose a service using TLS (secure https). Prerequisites A container or virtual machine manager ... minikube: exposing a deployment using ingress with secure TLS| Fabian Lee : Software Engineer
K3s is deployed by default with a metrics-server, but if you have a multi-node cluster it will fail unless you add the names of all the nodes to the kube-apiserver certificate. Symptoms of this problem include: metrics-server deployment will throw x509 errors in its log Error when you try to run “kubectl top pods” No ... Kubernetes: fixing x509 certificate errors from metric-server on K3s cluster| fabianlee.org
There are multiple options for creating a TLS secret using kustomize. One is to embed the certificate content as a base64 string directly in the data, the other is to use an external file. Below is an example kustomization.yaml file that serves as an entry point for both methods. --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: ... Kubernetes: creating TLS secrets with kustomize using embedded or external content| Fabian Lee : Software Engineer
How to improve Firefox SSL/TLS security by enabling TLS 1.2 and disabling insecure ciphersuites.| blog.dbrgn.ch
| The Grumpy Troll: The Grumpy Troll
| The Grumpy Troll: The Grumpy Troll
| The Grumpy Troll: The Grumpy Troll
| The Grumpy Troll: The Grumpy Troll
| The Grumpy Troll: The Grumpy Troll
| The Grumpy Troll: The Grumpy Troll
| The Grumpy Troll: The Grumpy Troll
| The Grumpy Troll: The Grumpy Troll
| The Grumpy Troll: The Grumpy Troll
Phil P| The Grumpy Troll
When you deploy your Zeek sensor for the first time, after a while you will...| #Threat Hunting Tails
Sometimes hacking requires doing things that, while possible to do with some algorithm, simply aren’t supported by any existing implementation. Usually for good reason. A good example of this…| rya.nc
Caddy offers a great web and proxy server experience with minimal configuration and automated TLS certificates. Learn how to connect Caddy to Porkbun to get TLS certificates by managing your DNS records for you automatically. 🐷| Major Hayden
You can now expose SSH, HTTPS and Kubernetes through a single tunnel from your homelab. I’ll show you how.| inlets.dev
Nordic’s nRF9160 cellular modem includes a great peripheral called the Key Management Unit (KMU). This secure key storage mechanism lets you write keys to it which cannot be read back. However, they can still be used for DTLS authentication. In this video and blog post I’ll walk you through how to use the feature with […]| The Golioth Developer Blog
Access all your remote SSH servers on your network from a single TCP tunnel using the new sshmux feature in inlets-pro 0.9.28.| inlets.dev
2 months ago I wrote a blog post describing the really bad state of STARTTLS support of Greek email providers. Things have slightly gotten better since then. Updates on STARTTLS support per provider The following is current as of 2016/03/26 and are only the updates since the previous blog post. FORTHNET: Supports TLS 1.2 (at […] The post Update on the state of STARTTLS support of Greek email providers first appeared on Into.the.Void..| Into.the.Void.
I started looking into the STARTTLS support of Greek email providers completely by accident when one email of mine wasn’t being delivered for some reason to a friend who has an email address at a traditional Greek ISP. I started looking into the delivery issues by running swaks against the email server of the ISP […] The post The sorry state of STARTTLS support of Greek email providers first appeared on Into.the.Void..| Into.the.Void.
Tailscale and Docker Remote| The Grumpy Troll
setting up a proof-of-concept connectivity with a VM in an Istio mesh| gruchalski.com
cert-manager ACME Let's Encrypt with working catch-all HTTPS redirect, the how and the why| gruchalski.com
Была задача добавления tls директории в файлы PE32+. В win xp 64 все нормально, а в windows 7 — софт падал. Виновником оказался флаг IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE в OptionalHeader.Dl…| Lhc645's Blog
A while ago I mentioned I use Android-10 with the built in SIP stack and that the Google stack was pretty buggy and I had to fix it simply to get it to function without disconnecting all the time. Since then I’ve upported my fixes to Android-11 (the jejb-11 branch in the repositories) by using LineageOS-19.1. However, another major deficiency in the Google SIP stack is its complete lack of security: both the SIP signalling and the media streams are all unencrypted meaning they can be inte...| James Bottomley's random Pages
We revisit batch signatures (previously considered in a draft RFC, and used in multiple recent works), where a single, potentially expensive, "inner" digital signature authenticates a Merkle tree constructed from many messages. We formalise a construction and prove its unforgeability and privacy properties. We also show that batch signing allows us to scale slow signing algorithms, such as those recently selected for standardisation as part of NIST's post-quantum project, to high throughput, ...| IACR Cryptology ePrint Archive
Published on| offsec.almond.consulting
这篇文章是《HTTP API 认证授权术》的姊妹篇,在那篇文章中,主要介绍了 HTTP API 认证和授权技术中用到的 HTTP Basic, Digest Access, HMAC, OAuth, JWT 等各种方式,主要是 API 上用到的一些技术,这篇文章主要想说的是另一个话题——身份认证。也就是说,怎么确认这个数据就是这个人发出来的?| 酷 壳 - CoolShell
Five years ago I started a small GitHub project aimed to run Bitlbee seamlessly in a container.| Michele Bologna
Let’s Encrypt (the free, automated and open certificate authority) has just announced its launch schedule. According to it, certificates will be released to the public starting from the week of September 14, 2015.| andrea.corbellini.name
HTTP Strict Transport Security (HSTS [https://scotthel.me/d8j3]) is a policy mechanism that allows a web server to enforce the use of TLS [https://scotthel.me/s8d7]in a compliant User Agent (UA), such as a web browser. HSTS allows for a more effective implementation of TLS by ensuring| Scott Helme
Reviewing the "production" build of CyberAlarm. Good grief - you couldn't make it up.| Paul Moore