asteroza + certificate   122

Firefox to Import Windows Root Certs To Avoid Antivirus SSL Scanning Issues
Uh, no, part of why Firefox doesn't suck is that it used an independent certificate store. Sucking in the Windows cert store is asking for trouble.
firefox  browser  security  NSS  SSL  TLS  certificate  CA  store  windows  root 
23 days ago by asteroza
Colm MacCárthaigh on Twitter: "Client certs and Mutual-Auth TLS is TERRIBAD."
I never really thought deep about client certs, but this makes a real case for why they actually suck, and possibly suck worse than anything else before...
client  certificate  TLS  MTLS  mutual  authentication  security  layer  violation 
october 2018 by asteroza
Let's Encrypt SSL for ESXi
offboard script to generate ESXi SSL certs from Letsencrypt
VMware  ESXi  SSL  TLS  certificate  letsencrypt  sysadmin  tools  utilities 
october 2018 by asteroza
CSR Viewer
A not-broken CSR decoder that doesn't choke on Let's Encrypt CSRs that are mostly empty
SSL  TLS  certificate  CSR  decoder  letsencrypt 
september 2018 by asteroza
LAteral Movement Encryption technique (a.k.a. The "LAME" technique)
I wonder why Let's Encrypt didn't isolate the internal IP range DNS entry SSL certificates to a child CA cert that enterprises could explicitly distrust, which would quash this in a heartbeat.
internal  IP  range  SSL  TLS  certificate  letsencrypt  lateral  movement  encryption  security  hacking  pentesting 
september 2018 by asteroza
Oh god, smuggling C2 commands in TLS cert subject names. I suppose it should be possible to be bidirectional using both server and client self-signed certs...
covert  channel  TLS  SSL  certificate  subject  name  C2  command  security  hacking  pentesting 
february 2018 by asteroza
Signed Malware
Implies the codesign certs and private keys leaked, which would be the older SHA-1 type that used files/exportable keys. That, or people using the newer dongle based SHA-2 codesign certificates were leaving the dongle plugged in, someone infiltrated the malware to be signed, performed the signature, then exfiltrated the signed malware back out of that company's build environment.
codesign  certificate  private  key  signed  malware  security  reference  information 
november 2017 by asteroza
letsencrypt/boulder: An ACME-based CA, written in Go.
For setting up a private CA with ACME support. Usable for short-lived certs?
CA  certificate  authority  software  ACME  protocol  on-premisis  server  PKI  SSL  TLS 
october 2017 by asteroza
A specification and reference implementation of a framework for secure distributed identity provisioning. Intended for short lived certs between microservices for mutual TLS authentication, but should be usable for other identity scenarios...
microservice  identity  framework  security  software  PKI  certificate  authentication  TLS  short  lived 
october 2017 by asteroza
gravitational/teleport: Modern SSH server for clusters and teams.
Interesting authentication proxy/SSH bastion host software, for allowing distributed teams to safely access distributed resources
SSH  bastion  host  authentication  proxy  SSO  cloud  management  devops  kubernetes  security  certificate  sysadmin  software 
september 2017 by asteroza
ssl - Create self signed certificate with subjectAltName to fix [missing_subjectAltName] in Chrome 58 - Super User
So the short version is a v3 certificate, plus SAN of IP.1 = for self-signed IP address sites
SSL  certificate  chrome  self-signed  SAN  v3  PKI  OpenSSL 
july 2017 by asteroza
Interesting, using DNS-over-HTTPS to improve security of lookups, assuming you trust google DNS.
NSS  module  DNS-over-HTTPS  DNS  SSL  TLS  certificate  pinning  domain  name  lookup  hardening  security  Delicious 
october 2016 by asteroza
Using tor as a second circuit to check for MitM SSL/TLS attacks. Not entirely out-of-band, but close enough?
SSL  TLS  security  rogue  CA  certificate  inspection  tor  checker  tester  MitM  Delicious 
october 2016 by asteroza
RFC 6844 DNS Certificate Authority Authorization
New CAA record for DNS, which in theory CAs will look at to stop issuing fake certs, assuming the CA is not a bad actor...
RFC6844  DNS  CAA  PKI  SSL  TLS  CA  certificate  authority  authorization  security  Delicious 
september 2016 by asteroza
Why is this cert not revoked? Bluecoat definitely should not have a global intermediate CA certificate considering they sell to repressive regimes...
bluecoat  intermediate  CA  certificate  SSL  MitM  security  WTF  TLS  search  engine  Delicious 
june 2016 by asteroza
thinkst Thoughts...: Certified Canarytokens: Alerts from signed Windows binaries and Office documents
Using a certificate's AIA URL, which can be triggered on executable launch or Office file opening. But requires serious screwing with the certificate though...
canary  token  office  certificate  validation  URL  security  embedded  tips  tricks  Delicious 
may 2016 by asteroza
Trusty CAs
Interesting CA trust mapping, but hope you got a beefy PC/browser...
CA  certificate  authority  trust  mapping  infoviz  information  visualization  map  treemap  cluster  Delicious 
december 2015 by asteroza
Check out the cert chain on this link. It's such a long beast that most browsers croak. See also
SSL  TLS  certificate  length  abuse  humor  security  chain  Delicious 
september 2015 by asteroza
Certificate Transparency Watch
Busting bad actor CAs (cough, cough, Symantec, cough, cough) since yesterday...
RFC  6962  certificate  transparency  monitoring  logging  auditing  RSS  feed  SSL  TLS  security  Delicious 
september 2015 by asteroza
EV Certificate and ClickOnce result in Unknown Publisher | Microsoft Connect
So, the fix is VS2015 RTM, targeting .NET 4.5+, for client PCs with .NET 4.6 RTM. What a mess...
EV  SHA-2  codesign  certificate  unknown  publisher  visualstudio  2012  2013  2015  4.0  4.5  4.6  Delicious 
june 2015 by asteroza
ClickOnce, Windows 8, SmartScreen, Unknown Publisher & EV Certificate
What a mess. This needs to get straightened out pronto or a lot of people will be screwed.
authenticode  EV  SHA-2  codesign  certificate  unknown  publisher  smartscreen  warning  visualstudio  2013  2015  2012  4.0  4.5  4.6  Delicious 
june 2015 by asteroza