#ssl

Zoom’s Flawed Encryption Linked to China
▻https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto. The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom (...)

#Zoom #cryptage #SSL/TLS #BigData #AccessNow #CitizenLab

##SSL/TLS

https://theintercept.imgix.net/wp-uploads/sites/1/2020/04/zoom-theintercept-folo-2.jpg

Complaint : Amazon doesn’t allow baseline TLS security
▻https://noyb.eu/en/complaint-amazon-doesnt-allow-baseline-tls-security

Baseline email security missing. During their route to the recipient, emails are handled by different entities, nodes and service providers which may intercept, manipulate and unlawfully use the content. In order to reduce these risks, it is a baseline industry standard to use so-called TLS encryption. Surprisingly the Amazon servers reject TLS connections in certain cases, for example when third party sellers on Amazon communicate with customers vie email. This means that millions of (...)

#Amazon #procès #[fr]Règlement_Général_sur_la_Protection_des_Données_(RGPD)[en]General_Data_Protection_Regulation_(GDPR)[nl]General_Data_Protection_Regulation_(GDPR) #écoutes (...)

##[fr]Règlement_Général_sur_la_Protection_des_Données__RGPD_[en]General_Data_Protection_Regulation__GDPR_[nl]General_Data_Protection_Regulation__GDPR_ ##SSL/TLS

SSL Configuration Generator

An easy-to-use secure configuration generator for web, database, and mail software

▻https://ssl-config.mozilla.org

#ssl #apache #nginx #hsts

Étrange que l’outil n’était pas encore référencé ici, voilà qui est fait :)

Certificate issue causing add-ons to be disabled or fail to install - Add-ons / Announcements - Mozilla Discourse
▻https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047

At about 6:10 PST we received a report that a certificate issue for Firefox is causing add-ons to stop working and add-on installs to fail.
Our team is actively working on a fix. We will update as soon as we have more information.

Ce matin toutes mes extensions Firefox désactivées d’un seul coup...
...et impossible d’en installer une que ce soit via le gestionnaire de modules ou directement depuis les fichiers.xpi
=> gros #fail chez Mozilla !

#firefox #mozilla #extension #add-on #SSL #certificat

Que faire devant l’erreur « SEC_ERROR_UNKNOWN_ISSUER » sur des sites web sécurisés | Résolution de problèmes | Assistance de Mozilla
▻https://support.mozilla.org/fr/kb/que-faire-devant-erreur-sec_error_unknown_issuer#w_avast

La bidouille pour débloquer les sites aléatoirement en erreur de sécurité SEC_ERROR_UNKNOWN_ISSUER sous Firefox 61+ pour cause d’antivirus Avast trop zélé (pfff ! encore des problèmes parce qu’on me veut du bien !)

#firefox #avast #SEC_ERROR_UNKNOWN_ISSUER #SSL

Set-up #ssl in #nodejs and Express using OpenSSL
▻https://hackernoon.com/set-up-ssl-in-nodejs-and-express-using-openssl-f2529eab5bb?source=rss---

https://cdn-images-1.medium.com/max/1024/1*49glYe-285UPvYW9xp7JFw.jpeg

This a simple, easy-to-follow tutorial on how to serve pages over https in NodeJS using Express Framework.Tools/Frameworks we would be using for this tutorial, are:NodeJS: You should’ve basic knowledge on how to program in NodeJS.OpenSSL: A tool to generate key and certificate.ExpressJS (npm i express): Back-end framework for writing web servers in NodeJS. More about Express.https : Comes with NodeJS.Let’s set-up our project directory. It’s not a directory with lots of files. Instead, it contains only 4 files which are package.json, key.pem, cert.pem and server.js. So, create a new directory node-https, cd node-https and run npm init -y to create package.json file.Now install express using npm i —save express. Create a server.js file and type the following code in it.Our server.js should (...)

#javascript #ssl-certificate #expressjs

This is an open letter to all #crypto writers and community managers.
▻https://hackernoon.com/this-is-an-open-letter-to-all-crypto-writers-and-community-managers-2053

https://cdn-images-1.medium.com/max/845/1*GKEyUSjYCc3twZuQME11RA.png

Please stop advising your readers, investors and community members to look for the padlock in their browser toolbar. This advice is dangerous.A padlock is the browser’s way of telling you that a website has installed an #ssl Certificate. SSL Certificates are used to encrypt the transmission of data between your browser and the website — that’s it. This prevents a third-party from stealing your personal information as you type it into the website.A padlock / SSL Certificate does not indicate that a website owner is who they claim to be — or that they can be trusted. SSL Certificates are FREE and are automatically issued. There is no verification process. You can not trust a website just because it has a padlock.I have witnessed community managers responsible for groups with more than 20k members, (...)

#padlock-cryptocurrency #padlocks #cybersecurity

Getting a Free #ssl Certificate on #aws a How-To Guide
▻https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22?source

https://cdn-images-1.medium.com/max/1000/1*7-ekxg6lcdudP8gA1oFy5w.png

AWS gives you a FREE SSL certificate if you use their load balancer (yes you do have to pay for the load balancer but its pretty cheap and in then end is something your site should have anyway) but I found the setup to be confusing. Setting up a load balancer, connecting it to the EC2 instance, configuring the DNS, and putting in all the correct information is not a trivial process. This guide gives you everything you need to get up and running with an SSL cert.What’s CoveredSetting up a Security GroupSetting up an EC2 Instance w/ Elastic IPSetting up SSL with the Amazon Certificate Manager (ACM)Setting up a Load BalancerSetting up Target GroupsI assume you have some app that is ready to deploy. Whether it uses NodeJS, Python, or Java on the backend doesn’t matter. All that does matter is (...)

#ssl-certificate-on-aws #aws-ssl-certificate #free-ssl-certificate

Easy, Let’s Encrypt Certificates on #aws
▻https://hackernoon.com/easy-lets-encrypt-certificates-on-aws-79387767830b?source=rss----3a8144e

https://cdn-images-1.medium.com/max/1024/1*1Ps831xlC_Yhlq6mMrmDOg.jpeg

Mike Milligan and the Kitchen brothersHere is a quick tutorial on how you can create free #ssl certificates for your AWS deployments.If you’re on AWS and hosting a large workload, you can actually get free certificates from Amazon by using their Certificate Manager. However these certificates can only be attached to an AWS Load Balancer, an API Gateway instance or a CloudFront distribution.For small Laravel staging deployments that don’t require a load balancer because you just need one front-end server, it is then not worth the overhead cost as a Load Balancer comes at around $17 per month, depending on the region.On the other hand, Let’s Encrypt offers a free Certificate Authority service, which means it will sign SSL/TLS certificates for free. The downside is that they expire every 90 (...)

#ssl-certificate #aws-certificates #encrypt-aws-certificates

Monitor your #https certificate expiry with this script
▻https://hackernoon.com/monitor-your-https-certificate-expiry-with-this-script-1338bf5acfe9?sour

https://cdn-images-1.medium.com/max/732/1*tbkfupwjSb5TiiI8iMadNQ.png

Last year’s new years eve, I got a call from my client. They said their website was infected by a virus and no one can access it.Now, my client runs a juice shop, and had no idea about how the web technically works, so I discarded the “virus” issue but he said site can’t be accessed so I fired up Firefox in my phone and I saw the Your connection is not secure page.Ever since Let’s Encrypt came out of beta, I’ve used it to convert all my and my clients’ sites to secure connections via HTTPS. I had set up a cron as instructed by certbot to renew the certificates regularly, but it used to fail every once in a while because I didn’t update the python packages, or something like that. Let’s Encrypt is kind enough to send a mail before expiring, but initial installations were done by an employee.Since (...)

#lets-encrypt #https-certificate-expiry #ssl-certificate #https-certificate-script

Setting up node app with #ssl on a #digitalocean droplet
▻https://hackernoon.com/setting-up-node-app-with-ssl-on-a-digitalocean-droplet-1813b6ae7de3?sour

https://cdn-images-1.medium.com/max/636/0*ZH_zwhk4Rj3r1Oet.png

credit: ▻https://www.linkedin.com/pulse/five-reasons-why-developers-love-digitalocean-janakiram-msv/You probably Googled it it and are here! Okey, no more time waste (for MYSELF in future)…Let’s see how to setup node app with SSL on a DigitalOcean VPSInstall Heroku for it’s versioning featureGit push the app to HerokuSetup a drop letGenerate SSH keysSetup git bash for SSH-ing to dropletConnect to Droplet using SSH keysInstall nodeConfirm node installation using node -vInstall MongoDB if the app needs to persist dataConfirm if mongodb is running using the command sudo systemctl status mongodbSetup and configure pm2 to orchestrate the node appConfirm pm2 installation using pm2 -vClone to a location in the serverStart the node app for first cut testingStart node app as a processInstall nginxMake sure (...)

#ubuntu #nodejs #linux

Create a private local #docker registry
▻https://hackernoon.com/create-a-private-local-docker-registry-5c79ce912620?source=rss----3a8144

On your machines inside a VPN, there are use-cases where a private docker registry is handy especially if you want to have a customized image built for your stack.The caveat is that docker automatically assumes that all your connections are encrypted via https . And that means you need to have domain to encrypt your traffic on https protocol. This guide will help you setup a regisry without having a DNS and a valid SSL/TLS Certificate:Question:Ahm.. Ken there is already a Tutorial on docker official docs about creating a private registryDeploy a registry serverAnswer:The docker official docs are a good enough starting point when you want to learn the basics and the theory. However you will need to dig around if you want to make it registry work without a proper SSL Certificate and (...)

#ssl-certificate #docker-registry #ubuntu #linux

User Guide — Certbot 0.19.0.dev0 documentation
▻https://certbot.eff.org/docs/using.html#webroot

La ligne de commande de certbot pour installer un certificat SSL associé à plusieurs noms de domaine et un document_root

#certbot #SSL #letsencrypt #serveur #apache

#macOS 10.12 Sierra #Apache Setup : Multiple #PHP Versions | Grav
▻https://getgrav.org/blog/macos-sierra-apache-multiple-php-versions

#stunnel pour chiffrer la connexion à #VNC
▻http://www.dsfc.net/infrastructure/securite/stunnel-chiffrer-connexion-vnc

http://www.dsfc.net/wp-content/uploads/2017/02/stunnel-creation-de-la-cle.jpg

Stunnel est un solution simple et remarquable pour chiffrer les accès à vos machines exécutant VNC !

#Sécurité #Chiffrement #Ipsec #Sécurité_des_réseaux #SSH #SSL #TightVNC_Server

La collecte des sites #SSL dans #Firefox !
▻http://www.dsfc.net/logiciel-libre/firefox-logiciel-libre/la-collecte-des-sites-ssl-dans-firefox

http://www.dsfc.net/wp-content/uploads/2016/12/firefox-sitesecurityservicestate-txt.jpg

Un peu surpris de voir les sites accédés en https consignés dans un fichier de mon profil Firefox !

#Cookies #Gestion_des_cookies #HPKP #HSTS #HTTP_Public_Key_Pinning #HTTP_Strict_Transport_Security

CheckMyHTTPS

These guys at ESIEA wrote a nice little FireFox extension that allows you to see if you are going through an SSL proxy (perhaps installed by your organisation), or being the victim of a MITM attack. (man-in-the-middle). (Or that you have an antivirus installed that does SSL inspection)

http://img15.hostingpics.net/pics/989224https.png

▻https://www.checkmyhttps.net

▻https://www.youtube.com/watch?v=TfNjycCcwDg

#privacy
#MITM
#TLS #SSL

Johns Hopkins researchers poke a hole in Apple’s encryption

Researcher Matthew Green from John Hopkins university claims to have found a way through iMessage to intercept messages, photos and encryption key, and this for iOS versions prior to 9.3. This is done by forging TLS certificates and intercepting traffic by pretending to be an Apple server.

The recently released iOS 9.3 is supposed to incorporate the mitigation advise proposed by the researchers and correct this problem.

The paper can be found here:

Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage
▻https://isi.jhu.edu/~mgreen/imessage.pdf
▻http://docdro.id/0wPiqeJ

Our analysis shows that iMessage has significant vulnerabilities that can be exploited by a sophisticated attacker. In particular, we outline a novel chosen ciphertext attack on Huffman compressed data, which allows retrospective decryption of some iMessage payloads in less than 2^18 queries. The practical implication of these attacks is that any party who gains access to iMessage cipher texts may potentially decrypt them remotely and after the fact.

[...]

Specifically, we attempt to answer the following question: how secure is Apple iMessage?

[...]

To perform our analysis, we derived a specification for iMessage by conducting a partial black-box reverse engineering of the protocol as implemented on multiple iOS and OS X devices.

Also interesting statement in the paper:

Apple stores encrypted, undelivered messages on its servers and retains them for up to 30 days, such messages are vulnerable to any party who can obtain access to this infrastructure, e.g., via court order

Their long-term recommendation to Apple:
Replace the iMessage encryption mechanism. ;-)

The Washington Post wrote about this paper:

▻https://www.washingtonpost.com/world/national-security/johns-hopkins-researchers-discovered-encryption-flaw-in-apples-imessage/2016/03/20/a323f9a0-eca7-11e5-a6f3-21ccdbc5f74e_story.html

Christopher Soghoian, principal technologist at the American Civil Liberties Union, said that Green’s attack highlights the danger of companies building their own encryption without independent review. “The cryptographic history books are filled with examples of cryptoalgorithms designed behind closed doors that failed spectacularly,” he said.

Also funny is this quote from Green:

it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.

#iMessage
#FBI
#TLS #SSL
#backdoor
#MITM
APN - Apple Push Notification

#Certificat_SSL Let’s Encrypt sur #Fedora 23
▻http://www.dsfc.net/logiciel-libre/apache-logiciel-libre/certificat-ssl-letsencrypt-fedora-23

La création et le renouvellement d’un certificat #SSL #Let's_Encrypt pour #Apache sous Fedora sont loin d’être une sinécure !

#apache #Certificat_Let's_Encrypt #Fedora_23 #Formateur_Apache #Formateur_Fedora #Formateur_LAMP #Formateur_Linux #Https #Lamp #Linux #OpenSSL

#Google_Chrome / #Chromium et les #Certificats_auto-signés
▻http://www.dsfc.net/internet/navigateurs/google-chrome-chromium-certificats-auto-signes

http://4.bp.blogspot.com/-mrJYS268sYc/UbSqxR1H0TI/AAAAAAAAAEw/UAxbss6rg08/s1600/Google+Chrome.png

Empêcher l’accès à un site en mode #Https, parce que le #Certificat_SSL utilisé est auto-signé, est éminemment contestable !

#Navigateurs #Certificat_auto-signé #SSL

Créer un certificat auto-signé avec #OpenSSL sous Windows
▻http://www.dsfc.net/infrastructure/securite/creer-un-certificat-auto-signe-avec-openssl-sous-windows

Habituellement, je crée mon certificat OpenSSL auto-signé sous Linux.

#Sécurité #Certificat_auto-signé #Planet_Libre #SSL

Accélérer votre réponse SSL/TLS avec l’OCSP Stapling | Octopuce
▻https://www.octopuce.fr/accelerer-votre-ssl-tls-avec-ocsp-stapling

Le monde du web regorge de vieilles rengaines, et « HTTPS c’est lent » en est une des plus persistantes … S’il est vrai que la négociation TLS ajoute un aller-retour à la connexion initiale, les navigateurs récents utilisent de nombreuses techniques pour accélérer cela : HTTP/2 permet des flux multiples dans la même connexion, Les tickets de session SSL évitent la renégociation dès la 2e connexion, et l’OCSP Stapling permet de ne pas avoir à vérifier l’état d’un certificat auprès de l’autorité.

#ssl

#ssl Server Test: aldarone.fr (Powered by Qualys SSL Labs)
▻https://www.ssllabs.com/ssltest/analyze.html?d=aldarone.fr

Après tools.aldarone.fr c’est au tour de aldarone.fr de passer en full HTTPS.

Celui là était un peu tricky parce que c’est le domaine principal d’un WordPress Multisite et que les autres sites hébergés restent en HTTP pour l’instant.

Merci Let’s Encypt ! (Encore)(Permalink)

#letsencrypt #Informatique #sécurité

Install, configure and automatically renew Let’s Encrypt #ssl certificate (English) - Blog - Vincent Composieux, Développeur PHP Symfony, Golang, Python, NodeJS
▻https://vincent.composieux.fr/article/install-configure-and-automatically-renew-let-s-encrypt-ssl-certi

Un tuto avec un script pour renouveler les certificats let’s encrypt pour plusieurs domaines avec la méthode webroot et nginx. (Donc la méthode à utiliser pour ne pas couper sa prod lors du renouvellement de certificats)(Permalink)

#https #letsencrypt

#Web_Analytics : le choix de #OWA sur #nginx
▻http://www.dsfc.net/internet/web-analytics/web-analytics-le-choix-de-owa-sur-nginx

https://upload.wikimedia.org/wikipedia/commons/6/67/Openwebanalytics.png

De guerre lasse, j’ai fait le choix de Open Web Analytics sur Nginx !

#apache #Centos #Awstats #W3Perl #Webalizer #Formateur_Awstats #Formateur_Web_Analytics #Formateur_Apache #SSL #CentOS_7 #Formateur_Piwik #Formateur_Nginx #Formateur_OWA #Analog