À chaque fois qu’on configure une application avec SSL/TLS, on se retrouve toujours à jongler avec des fichiers aux extensions spécifiques. Pour ne rien arranger, ces extensions changent d’une documentation à l’autre... Histoire de vous y retrouver, voici ce qu’elles cachent.

DNS-OARC held its 30th meeting in Bangkok from 12 to 13 May. Here’s what attracted my interest from two full days of DNS presentations and conversations, together with a summary of the other material that was presented at this workshop.

Comme nous avons pu le voir dans la première partie de cet article consacré au HTTPS, la sécurisation de la communication dans le monde du web est primordiale. Cette seconde partie est donc logiquement dédiée à sa mise en pratique, pour montrer qu’il est très facile de déployer des certificats gratuits, valables 90 jours et délivrés par une autorité certifiée.

Le HTTPS est au centre de pratiquement toute notre utilisation régulière de l’internet mondial. Facebook, Google, Amazon, Twitter, le présent blog et sûrement votre site de cuisine préféré utilisent le HTTPS. Dans un écosystème où les mesures de sécurité les plus élémentaires sont parfois négligées, voyons ensemble comment et pourquoi mettre en place le HTTPS sur votre propre site web.

Un certain nombre de services sur l'Internet, notamment de serveurs Web, sont protégés par le protocole TLS, qui utilise presque toujours un certificat X.509 pour vérifier l'authenticité du serveur. Ces certificats ont une durée de vie limitée et doivent donc être renouvelés de temps en temps. Comme un certain nombre d'administrateurs ont oublié, au moins une fois, un tel renouvellement, il me semble utile de donner ce conseil : intégrez la surveillance des dates d'expiration dans votre système de supervision !

Russian-funded English-language website aimed at sowing divisions among Americans has had a vital internet security certificate yanked, meaning U.S. internet users will have difficulty accessing the site.

Those that know me or have followed me online will know I'm a massive advocate of encryption on the web. One of my goals is to help encrypt as much of the web as I can by sharing knowledge and information, building tools and services, speaking at conferences and countless other things. I see this blog post as part of that mission.

First, I find amusing that many people like to quote "if that is free, then you are the product", but when it comes to Let's Encrypt, they forget this statement and enjoy their certificates carelessly.

The DoH specification in RFC 8484 defines a standardized format and protocol for sending Domain Name System (DNS) queries through HTTP rather than the traditional DNS protocol.

DNS-over-HTTPS (DoH) : Mozilla détaille les prochaines étapes pour Firefox

We use our web browsers to communicate, shop, get directions, research, and ask questions we are too embarrassed to ask a person. It’s no wonder that “How do I protect my web browsing?” is one of the most common questions people ask when they start learning about digital security. The various methods for protecting your browser security can be confusing, and can work together in counterintuitive ways.

A revised edition in which we dissect the new manner of secure and authenticated data exchange, the TLS 1.3 cryptographic protocol.

Nginx (short for Engine-x) is a free, open source, powerful, high-performance and scalable HTTP and reverse proxy server, a mail and standard TCP/UDP proxy server. It is easy to use and configure, with a simple configuration language. Nginx is now the preferred web server software for powering heavily loaded sites, due its scalability and performance.

DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).

TLS-Scanner is a tool created by the Chair for Network and Data Security from the Ruhr-University Bochum to assist pentesters and security researchers in the evaluation of TLS Server configurations.

Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on your network from learning your browsing history. You can enable encrypted SNI today and it will automatically work with any site that supports it. Currently, that means any site hosted by Cloudflare, but we’re hoping other providers will add ESNI support soon.

In this demonstration a client has connection to a server, negotiated a TLS 1.2 session, sent "ping", received "pong", and then terminated the session. Click below to begin exploring.

Automate Let's Encrypt certificate issuance, renewal and synchronize with CleverCloud.

Si vous utilisez votre propre autorité de certification (Active Directory par exemple) il peut-être utile de générer une demande de signature de certificat (CSR) autorisant plusieurs noms communs (common name) dans le but d'obtenir un certificat HTTPS (X.509).

Last week, the new DNS resolver Quad9 has been announced. It is a public DNS resolver with the additional benefit that it is accessible in a secure way over TLS (RFC 7858).