asteroza + tls   139

2020 LDAP channel binding and LDAP signing requirement for Windows
This is definitely gonna break some things, but will protect against NTLM relay attacks against LDAP. The problem is much third-party software doesn't accept signed plaintext LDAP messages though, so the actual default will end up being LDAP over TLS. Which is another problem...
windows  AD  LDAP  signed  message  channel  binding  sysadmin  tips  tricks  TLS  security 
8 weeks ago by asteroza
Tunnel WireGuard via Websockets – 𓀬 – Notes on various tech things
Novel TLS/websocket proxy bypass method to tunnel WireGuard through a corporate HTTPS proxy supporting CONNECT, assuming the DPI doesn't catch you...
wireguard  TLS  websocket  TCP  proxy  bypass  networking  VPN  tunnel 
9 weeks ago by asteroza
colmmacc/nf_conntrack_tls: A Linux netfilter conntracking module that understands TLS records
Crude Linux netfilter plugin to drop TLS heartbeat connections, as a temporary shield for Heartbleed
linux  netfilter  module  security  defense  heartbleed  OpenSSL  TLS 
april 2019 by asteroza
TLS 1.2 for 2008 (non-R2) | Qualys Community
So you have to force IE9 to use TLS after the registry edits via group policy
Windows  2008  IE9  IE  TLS  1.1  1.2  sysadmin  tips  tricks  security 
march 2019 by asteroza
Firefox to Import Windows Root Certs To Avoid Antivirus SSL Scanning Issues
Uh, no, part of why Firefox doesn't suck is that it uses an independent certificate store. Sucking in the Windows cert store is asking for trouble.
firefox  browser  security  NSS  SSL  TLS  certificate  CA  store  windows  root 
march 2019 by asteroza
Colm MacCárthaigh on Twitter: "Client certs and Mutual-Auth TLS is TERRIBAD."
I never really thought deep about client certs, but this makes a real case for why they actually suck, and possibly suck worse than anything else before...
client  certificate  TLS  MTLS  mutual  authentication  security  layer  violation 
october 2018 by asteroza
Publications | Outflank
DoH turning into a Doh! You may begin to hate yourselves...
virus  C2  secondary  communications  channel  beacon  DNS  DoH  HTTPS  SSL  TLS  SPF  security  hacking  pentesting  redteam 
october 2018 by asteroza
Let's Encrypt SSL for ESXi
offboard script to generate ESXi SSL certs from Letsencrypt
VMware  ESXi  SSL  TLS  certificate  letsencrypt  sysadmin  tools  utilities 
october 2018 by asteroza
CSR Viewer
A not broken CSR decoder that doesn't choke on Let's Encrypt CSRs that are mostly empty
SSL  TLS  certificate  CSR  decoder  letsencrypt 
september 2018 by asteroza
Trying SSL with ALPN protocol for Amazon MQTT data, connects but no ALPN negotiation · Issue #31894 · dotnet/corefx
Huh, so Schannel for Windows 7 doesn't support ALPN, thus you can't actually connect properly to Amazon iot-core MQTT over TLS.
windows  7  bug  SSL  TLS  ALPN  schannel  AWS  IoT  MQTT 
september 2018 by asteroza
LAteral Movement Encryption technique (a.k.a. The "LAME" technique)
I wonder why Let's Encrypt didn't isolate the internal IP range DNS entry SSL certificates to a child CA cert that enterprises could explicitly distrust, which would quash this in a heartbeat.
internal  IP  range  SSL  TLS  certificate  letsencrypt  lateral  movement  encryption  security  hacking  pentesting 
september 2018 by asteroza
TLS 1.3 middleboxes test
Cloudflare's test for middlebox compatibility with TLS 1.3
TLS  1.3  middlebox  protocol  security  test  service  SSL 
june 2018 by asteroza
Oh god, smuggling C2 commands in TLS cert subject names. I suppose it should be possible to be bidirectional using both server and client selfsign certs....
covert  channel  TLS  SSL  certificate  subject  name  C2  command  security  hacking  pentesting 
february 2018 by asteroza
WrapAPI: APIs for the whole web
Build an API on top of any existing website or find an API for a site that you need
SSL  TLS  webAPIU  debug  proxy  service  wrapper  API  network  traffic 
december 2017 by asteroza
letsencrypt/boulder: An ACME-based CA, written in Go.
For setting up a private CA with ACME support. Usable for short lived certs?
CA  certificate  authority  software  ACME  protocol  on-premisis  server  PKI  SSL  TLS 
october 2017 by asteroza
A specification and reference implementation of a framework for secure distributed identity provisioning. Intended for short lived certs between microservices for mutual TLS authentication, but should be usable for other identity scenarios...
microservice  identity  framework  security  software  PKI  certificate  authentication  TLS  short  lived 
october 2017 by asteroza
HTTPS Interception Weakens TLS Security | US-CERT
Middleboxes/UTM suck at telling endpoints about TLS connections, ad nauseam...
HTTPS  interception  interceptor  middlebox  UTM  firewall  security  advisory  CERT  SSL  TLS  MitM  Delicious 
march 2017 by asteroza
Interesting, using DNS-over-HTTPS to improve security of lookups, assuming you trust Google DNS.
NSS  module  DNS-over-HTTPS  DNS  SSL  TLS  certificate  pinning  domain  name  lookup  hardening  security  Delicious 
october 2016 by asteroza
Using tor as a second circuit to check for MitM SSL/TLS attacks. Not entirely out-of-band, but close enough?
SSL  TLS  security  rogue  CA  certificate  inspection  tor  checker  tester  MitM  Delicious 
october 2016 by asteroza
RFC 6844 DNS Certificate Authority Authorization
New CAA record for DNS, which in theory CAs will look at to stop issuing fake certs, assuming the CA is not a bad actor...
RFC6844  DNS  CAA  PKI  SSL  TLS  CA  certificate  authority  authorization  security  Delicious 
september 2016 by asteroza
Family Safety update improves web filtering and activity reporting in Windows 8....
So Family Safety features an SSL MitM proxy using a local trusted root CA. Which means Firefox needs to import that cert to be able to use SSL sites.
windows  parental  controls  family  safety  local  SSL  TLS  MitM  intercept  proxy  Delicious 
september 2016 by asteroza