À chaque fois qu’on configure une application avec SSL/TLS, on se retrouve toujours à jongler avec des fichiers aux extensions spécifiques. Pour ne rien arranger, ces extensions changent d’une documentation à l’autre... Histoire de vous y retrouver, voici ce qu’elles cachent.
DNS-OARC held its 30th meeting in Bangkok from 12 to 13 May. Here’s what attracted my interest from two full days of DNS presentations and conversations, together with a summary of the other material that was presented at this workshop.
Comme nous avons pu le voir dans la première partie de cet article consacré au HTTPS, la sécurisation de la communication dans le monde du web est primordiale. Cette seconde partie est donc logiquement dédiée à sa mise en pratique, pour montrer qu’il est très facile de déployer des certificats gratuits, valables 90 jours et délivrés par une autorité certifiée.
Le HTTPS est au centre de pratiquement toute notre utilisation régulière de l’internet mondial. Facebook, Google, Amazon, Twitter, le présent blog et sûrement votre site de cuisine préféré utilisent le HTTPS. Dans un écosystème où les mesures de sécurité les plus élémentaires sont parfois négligées, voyons ensemble comment et pourquoi mettre en place le HTTPS sur votre propre site web.
Un certain nombre de services sur l'Internet, notamment de serveurs Web, sont protégés par le protocole TLS, qui utilise presque toujours un certificat X.509 pour vérifier l'authenticité du serveur. Ces certificats ont une durée de vie limitée et doivent donc être renouvelés de temps en temps. Comme un certain nombre d'administrateurs ont oublié, au moins une fois, un tel renouvellement, il me semble utile de donner ce conseil : intégrez la surveillance des dates d'expiration dans votre système de supervision !
Russian-funded English-language website aimed at sowing divisions among Americans has had a vital internet security certificate yanked, meaning U.S. internet users will have difficulty accessing the site.
Those that know me or have followed me online will know I'm a massive advocate of encryption on the web. One of my goals is to help encrypt as much of the web as I can by sharing knowledge and information, building tools and services, speaking at conferences and countless other things. I see this blog post as part of that mission.
First, I find amusing that many people like to quote "if that is free, then you are the product", but when it comes to Let's Encrypt, they forget this statement and enjoy their certificates carelessly.
The DoH specification in RFC 8484 defines a standardized format and protocol for sending Domain Name System (DNS) queries through HTTP rather than the traditional DNS protocol.
DNS-over-HTTPS (DoH) : Mozilla détaille les prochaines étapes pour Firefox
We use our web browsers to communicate, shop, get directions, research, and ask questions we are too embarrassed to ask a person. It’s no wonder that “How do I protect my web browsing?” is one of the most common questions people ask when they start learning about digital security. The various methods for protecting your browser security can be confusing, and can work together in counterintuitive ways.
A revised edition in which we dissect the new manner of secure and authenticated data exchange, the TLS 1.3 cryptographic protocol.
Nginx (short for Engine-x) is a free, open source, powerful, high-performance and scalable HTTP and reverse proxy server, a mail and standard TCP/UDP proxy server. It is easy to use and configure, with a simple configuration language. Nginx is now the preferred web server software for powering heavily loaded sites, due its scalability and performance.
DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).
TLS-Scanner is a tool created by the Chair for Network and Data Security from the Ruhr-University Bochum to assist pentesters and security researchers in the evaluation of TLS Server configurations.
Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on your network from learning your browsing history. You can enable encrypted SNI today and it will automatically work with any site that supports it. Currently, that means any site hosted by Cloudflare, but we’re hoping other providers will add ESNI support soon.
In this demonstration a client has connection to a server, negotiated a TLS 1.2 session, sent "ping", received "pong", and then terminated the session. Click below to begin exploring.
Automate Let's Encrypt certificate issuance, renewal and synchronize with CleverCloud.
Si vous utilisez votre propre autorité de certification (Active Directory par exemple) il peut-être utile de générer une demande de signature de certificat (CSR) autorisant plusieurs noms communs (common name) dans le but d'obtenir un certificat HTTPS (X.509).
Last week, the new DNS resolver Quad9 has been announced. It is a public DNS resolver with the additional benefit that it is accessible in a secure way over TLS (RFC 7858).
Recently, the Chrome developers announced Intent to Deprecate and Remove: Public Key Pinning (via). The unkind way to describe HTTP Public Key Pinning is that it's a great way to blow your foot off, or in our situation have well-meaning people blow it off for us.
Last year, almost exactly to the day, I declared HPKP effectively dead. I believed then—and I still do—that HPKP is too complex and too dangerous to be worth the effort. The biggest problem lies in the fact that there is no sufficient margin of safety; pinning failures are always catastrophic. That’s always bothered me and I wondered if it was possible to somehow fix HPKP without starting from scratch. That’s what this blog post is about.
nginx configuration w/ Mozilla modern compatibility · GitHub
Yesterday I changed the SSL Labs rating criteria to stop penalizing sites that do not implement server-side mitigations for the BEAST attack. That means that we now consider this attack sufficiently mitigated client-side, but, there are still some things you should now.
A flaw was recently found in OpenSSL that allowed for an attacker to negotiate a lower version of TLS between the client and server (CVE-2014-3511). While this vulnerability was quickly patched, an attacker that has control of your traffic can still simulate this attack today. Let’s explore how this is possible through looking at man-in-the-middle attacks and how browsers handle SSL/TLS connections. In addition, we will see the implications of the attack on cryptographic security.
OpenVPN 2.4.0 Security Assessment
Google has warned that all certificates issued by Chinese company WoSign and subsidiary StartCom will be distrusted with the release of Chrome 61.
Let’s Encrypt will begin issuing wildcard certificates in January of 2018. Wildcard certificates are a commonly requested feature and we understand that there are some use cases where they make HTTPS deployment easier. Our hope is that offering wildcards will help to accelerate the Web’s progress towards 100% HTTPS.
I've written quite a few blogs on how to get started with Let's Encrypt and covered both RSA and ECDSA certificates. In this blog I'm going to look at how we revoke them.
L’offre de certificats gratuits proposée par Let’s Encrypt est généralement vue comme une aubaine qui a permis aux administrateurs de site web de facilement adopter le chiffrement HTTPS sur leurs sites. Mais ces certificats sont également utilisés par des cybercriminels qui souhaitent légitimer leurs sites contrefaits.
Nick Sullivan and I gave a talk about TLS 1.3 at 33c3, the latest Chaos Communication Congress. The congress, attended by more that 13,000 hackers in Hamburg, has been one of the hallmark events of the security community for more than 30 years.
Si vous avez une application avec un protocole ne supportant pas SSL, la solution est de l'encapsuler dans un tunnel SSL.
Bien entendu, il s'agit là d'un exemple, qui fonctionne chez-moi, n'hésitez pas à améliorer.
The encrypted Internet is about to become a whole lot snappier. When it comes to browsing, we’ve been driving around in a beat-up car from the 90s for a while. Little does anyone know, we’re all about to trade in our station wagons for a smoking new sports car.
SMTP STS is a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that cannot be delivered securely.
Parmi les outils des pirates informatiques, nous trouvons l’attaque de l’homme du milieu. Un projet Français, baptisé CheckMyHTTPS, souhaite permettre de contrer le Man in the Middle SSL TLS.
How do I secure my Nginx web server with Let’s Encrypt free ssl certificate on my Ubuntu Linux 14.04 LTS or Debian Linux 8.x server?
With last week's OpenSSL vulnerabilities questions came up when LibreSSL would replace OpenSSL in FreeBSD base. This was picked up by the HardenedBSD developers and they asked me if I'd be interested in adding LibreSSL as alternative libcrypto/ssl in HardenedBSD. Well SURE I do! This post describes the early stages of this project.
Le monde du web regorge de vieilles rengaines, et « HTTPS c’est lent » en est une des plus persistantes … S’il est vrai que la négociation TLS ajoute un aller-retour à la connexion initiale, les navigateurs récents utilisent de nombreuses techniques pour accélérer cela.
Depuis quelques semaines, vous pouvez installer simplement et gratuitement un certificat Let's Encrypt sur votre serveur et disposer d'une connexion HTTPS. Mais que se cache-t-il derrière cette petite révolution qui veut généraliser le fameux cadenas vert ?
L’OpenSSL Software Foundation a mis à disposition hier une nouvelle version d’OpenSSL. Cette mouture règle un sérieux problème de sécurité qui, s’il devait être exploité, permettrait de déchiffrer les communications transitant sur une connexion HTTPS ou n’importe quel canal TLS (Transport Layer Security). La faille est d’autant plus dangereuse qu’OpenSSL est largement utilisé.
During this week, I've been playing with CloudFlare free plan in order to turn my websites into HTTPS protected websites, while configuring my account and playing a little bit with bettercap I figured out something really weird and I tweeted this ( from the @bettercap account ).
J’ai moi aussi sauté le pas vers let’s encrypt avec toute l’encre numérique qu’il a fait couler ces dernières semaines j’ai eu envie d’en voir un peu plus. Cela tombe bien je projetais depuis un moment de chiffrer le blog alors « endavant ! » comme on dit par chez moi.
This application is intended for creating and managing X.509 certificates, certificate requests, RSA, DSA and EC private keys, Smartcards and CRLs. Everything that is needed for a CA is implemented. All CAs can sign sub-CAs recursively. These certificate chains are shown clearly. For an easy company-wide use there are customiseable templates that can be used for certificate or request generation. All crypto data is stored in an endian-agnostic file format portable across operating systems.
Les autorités de certification racine… Comment pourrait-on ne pas en parler quand on parle de TLS ou de HTTPS…
Ça y est, je me suis lancé ! J'ai testé Let's Encrypt, dont j'ai beaucoup entendu parler.
Enfin. On l'attendait depuis longtemps. À chaque message publié sur leur blog, je lisais vite pour voir s'illes parlent d'une date de sortie. Il y avait d'abord eu une beta fermée (avec inscription sur un google docs), puis avant-hier, jeudi 3 décembre la beta a été ouverte à tou⋅te⋅s. Enfin.
This is an Acme Protocol implementation written fully using PHP language. It allows you to create manage and revoke certificates using ACME protocol used by Let's Encrypt
Its aim is to be used by hosting control panel software and hosting companies using PHP for their hosting panel.
Now that the cat is firmly out the bag, and it's clear that the NSA has cracked the encryption behind, potentially, a huge amount of internet traffic, the question inevitably turns to: what are internet engineers going to do about it ?
Probably one of the smallest SSL MITM proxies you can make. Only using openssl, netcat and a couple of other standard command line tools.
Encrypted key transport with RSA-PKCS#1 v1.5 is the most com-
monly deployed key exchange method in all current versions of the
Transport Layer Security (TLS) protocol, including the most re-
cent version 1.2.