A Russian-funded English-language website aimed at sowing divisions among Americans has had a vital internet security certificate yanked, meaning U.S. internet users will have difficulty accessing the site.
Those who know me or have followed me online will know I'm a massive advocate of encryption on the web. One of my goals is to help encrypt as much of the web as I can by sharing knowledge and information, building tools and services, speaking at conferences and countless other things. I see this blog post as part of that mission.
First, I find it amusing that many people like to quote "if it is free, then you are the product", but when it comes to Let's Encrypt, they forget this statement and enjoy their certificates carelessly.
The DoH specification in RFC 8484 defines a standardized format and protocol for sending Domain Name System (DNS) queries through HTTP rather than the traditional DNS protocol.
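To make the RFC 8484 wire format concrete, here is an added example (not code from the RFC or from any of the linked pages) that builds a DNS query in the classic RFC 1035 binary form, encodes it for the GET form of DoH (base64url without padding in the `dns` query parameter) and for the POST form (raw body with the `application/dns-message` media type), then parses a constructed response. The resolver URL `https://dns.example/dns-query`, the sample response and the address 192.0.2.1 are all constructed for the example; the GET encoding of the `www.example.com` A query is the one RFC 8484 itself gives in its section 4.1.1.

```python
"""DNS-over-HTTPS (RFC 8484) message handling - added example, not from the page."""
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query for one name (qtype 1 = A).

    RFC 8484 recommends a transaction ID of 0 so that identical queries
    produce identical HTTP requests and can be served from HTTP caches.
    """
    # Header: ID, flags (0x0100 = recursion desired), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form (RFC 8484 s.4.1): base64url, padding stripped, in the 'dns' param."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_post_request(query: bytes) -> tuple[dict, bytes]:
    """POST form (RFC 8484 s.4.1): the raw message is the body; no base64 involved."""
    headers = {"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE}
    return headers, query


def parse_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s.4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, pointer)
            labels.append(tail)
            offset += 2
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_response(msg: bytes) -> tuple[int, list]:
    """Return (RCODE, [(name, type, ttl, value), ...]) for the Answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    offset = 12
    for _ in range(qdcount):              # skip the echoed question(s)
        _, offset = parse_name(msg, offset)
        offset += 4                       # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = parse_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return rcode, answers


def cache_max_age(answers: list) -> int:
    """HTTP freshness lifetime a DoH server should use: no longer than the
    smallest TTL in the Answer section (RFC 8484 s.5.1)."""
    return min((ttl for _, _, ttl, _ in answers), default=0)


# Constructed sample response: txid 0, flags 0x8180 (QR+RD+RA, NOERROR),
# the question echoed back, one A record with a compression pointer (0xC00C)
# back to the question name, TTL 300, address 192.0.2.1 (documentation range).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://dns.example/dns-query", q))
    print(parse_response(SAMPLE_RESPONSE), "max-age", cache_max_age(parse_response(SAMPLE_RESPONSE)[1]))
```

The two request forms carry exactly the same bytes; the GET form is the cache-friendly one, which is why the example zeroes the transaction ID, and the TTL-derived `max-age` is what keeps an HTTP cache from serving a DNS answer longer than the zone allows.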
DNS-over-HTTPS (DoH): Mozilla details the next steps for Firefox
We use our web browsers to communicate, shop, get directions, research, and ask questions we are too embarrassed to ask a person. It’s no wonder that “How do I protect my web browsing?” is one of the most common questions people ask when they start learning about digital security. The various methods for protecting your browser security can be confusing, and can work together in counterintuitive ways.
A revised edition in which we dissect the new manner of secure and authenticated data exchange, the TLS 1.3 cryptographic protocol.
Nginx (short for Engine-x) is a free, open source, powerful, high-performance and scalable HTTP and reverse proxy server, as well as a mail and generic TCP/UDP proxy server. It is easy to use and configure, with a simple configuration language. Nginx is now the preferred web server software for powering heavily loaded sites, due to its scalability and performance.
TLS-Scanner is a tool created by the Chair for Network and Data Security from the Ruhr-University Bochum to assist pentesters and security researchers in the evaluation of TLS Server configurations.
Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on your network from learning your browsing history. You can enable encrypted SNI today and it will automatically work with any site that supports it. Currently, that means any site hosted by Cloudflare, but we’re hoping other providers will add ESNI support soon.
In this demonstration a client has connected to a server, negotiated a TLS 1.2 session, sent "ping", received "pong", and then terminated the session. Click below to begin exploring.
Automate Let's Encrypt certificate issuance, renewal and synchronize with CleverCloud.
If you use your own certificate authority (Active Directory, for example), it can be useful to generate a certificate signing request (CSR) that covers several common names, in order to obtain an HTTPS (X.509) certificate.
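The multi-name request is done with the subjectAltName extension rather than with several CN fields: modern clients match the hostname against the SANs only. The following is an added example configuration, not the linked post's own, with placeholder names; it is passed to `openssl req` via `-config`.

```ini
# san.cnf - added example (placeholder names, not from the linked post)
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = www.example.com

[ v3_req ]
# The names the certificate must be valid for; the CN should be repeated here,
# because clients ignore the CN once a subjectAltName extension is present.
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = mail.example.com
```

Generate the key and request with `openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -config san.cnf -out request.csr`, then check that the extension was actually included with `openssl req -in request.csr -noout -text`; the output should list every name under "X509v3 Subject Alternative Name". A CA that ignores requested extensions (some AD CS templates do) will drop them, so verify the SANs on the issued certificate as well.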
Last week, the new DNS resolver Quad9 was announced. It is a public DNS resolver with the additional benefit that it is accessible in a secure way over TLS (RFC 7858).
Recently, the Chrome developers announced Intent to Deprecate and Remove: Public Key Pinning (via). The unkind way to describe HTTP Public Key Pinning is that it's a great way to blow your foot off, or in our situation have well-meaning people blow it off for us.
Last year, almost exactly to the day, I declared HPKP effectively dead. I believed then—and I still do—that HPKP is too complex and too dangerous to be worth the effort. The biggest problem lies in the fact that there is no sufficient margin of safety; pinning failures are always catastrophic. That’s always bothered me and I wondered if it was possible to somehow fix HPKP without starting from scratch. That’s what this blog post is about.
nginx configuration w/ Mozilla modern compatibility · GitHub
Yesterday I changed the SSL Labs rating criteria to stop penalizing sites that do not implement server-side mitigations for the BEAST attack. That means that we now consider this attack sufficiently mitigated client-side, but there are still some things you should know.
A flaw was recently found in OpenSSL that allowed for an attacker to negotiate a lower version of TLS between the client and server (CVE-2014-3511). While this vulnerability was quickly patched, an attacker that has control of your traffic can still simulate this attack today. Let’s explore how this is possible through looking at man-in-the-middle attacks and how browsers handle SSL/TLS connections. In addition, we will see the implications of the attack on cryptographic security.