9 items tagged “ssl”
2018
Over the last twenty years, publishing systems for content on [BBC] News pages have come and gone, having been replaced or made obsolete. Although newer content is published through dynamic web applications that can be readily modified, what lies beneath this sometimes resembles layers of sedimentary rock.
Protecting Against HSTS Abuse (via) Any web feature that can be used to persist information will eventually be used to build super-cookies. In this case it’s HSTS—a web feature that allows sites to tell browsers “in the future always load this domain over HTTPS even if the request specified HTTP”. The WebKit team caught this being exploited in the wild, by encoding a user identifier in binary across 32 separate subdomains. They have a couple of mitigations in place now—I expect other browser vendors will follow suit.
2017
SSL Issuer Popularity. The impressive growth of Let’s Encrypt in one graph: from 4.87% of TLS-enabled domains in May 2016 to 36.68% in November 2017.
2010
Side-Channel Leaks in Web Applications. Interesting new security research. SSL web connections encrypt the content but an attacker can still see the size of the HTTP requests going back and forward—which can be enough to extract significant pieces of information, especially in applications that make a lot of Ajax requests.
2008
Researchers Show How to Forge Site Certificates. Use an MD5 collision to create two certificates with the same hash, one for a domain you own and another for amazon.com. Get Equifax CA to sign your domain’s certificate using the outdated “MD5 with RSA” signing method. Copy that signature on to your home-made amazon.com certificate to create a fake certificate for Amazon that will be accepted by any browser.
the tls report (via) Clever service that analyses a web server’s SSL implementation and grades it based on things like the protocols, certificates, ciphers and key lengths it supports. Includes public reports on the top and bottom 20 sites.
2007
MyOpenID relaunches. Now with a handsome redesign and support for SSL client certificates as a secure alternative to passwords.
prooveme.com. An OpenID provider that uses SSL client certificates (which you install in your browser) for authentication.
2002
Windows SSL support in Python
Adding SSL support to Python on Windows is as easy as dropping a couple of DLLs and a .pyd file into your Python DLLs directory. Grab the zip file from this page and off you go. I haven’t tried it out yet but it appears to work—the socket.ssl function miraculously appeared when I installed the new files. Why is this useful? Because it opens the way for secure XML-RPC calls from Python applications...