Crypto https://tech.feedyourhead.at/tags/crypto en cryptorecord 0.9.2 released https://tech.feedyourhead.at/content/cryptorecord-0-9-2-released <span class="field field--name-title field--type-string field--label-hidden">cryptorecord 0.9.2 released</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I proudly pronounce the first (pre-)release of <a href="https://github.com/whotwagner/cryptorecord">cryptorecord</a>. Cryptorecords is a ruby gem that provides an API and scripts for creating crypto-related dns-records(e.g. DANE). Currently it supports TLSA, OPENPGPKEYS and SSHFP but I plan to support other records in future. The API doesn't create any keys or certificates. It just takes existing keyfiles to create the DNS-records.<br /> &nbsp;</p> <ul> </ul> <h3>Installation</h3> <p>The gem is available on <a href="https://rubygems.org/">Rubygems</a>. Add this line to your application's Gemfile:</p> <pre> <code> gem 'cryptorecord' </code></pre> <p>And then execute:</p> <pre> <code> $ bundle </code></pre> <p>Or install it yourself as:</p> <pre> <code> $ gem install cryptorecord </code></pre> <h3>Usage</h3> <p>This gem comes with a bunch of handy executables that helps creating the dns-records:</p> <ul> <li>openpgpkeysrecord</li> <li>sshfprecord</li> <li>tlsarecord</li> </ul> <pre> <code> Usage: ./openpgpkeysrecord -u <email> -f <gpgkeyfile> -h, --help This help screen -f PGP-PUBLICKEY-FILE, PGP-Publickey-File --publickeyfile -u, --uid EMAIL email-address </gpgkeyfile></email></code></pre> <pre> <code> Usage: ./sshfprecord [ options ] -h, --help This help screen -f SSH-HOST-KEY-FILE, SSH-Hostkey-File --hostkeyfile -H, --host HOST host -d, --digest DIGEST HASH-Algorithm -r, --read-local-hostkeys Read all local Hostkeys.(like ssh-keygen -r) </code></pre> <pre> <code> Usage: ./tlsarecord [ options ] -h, --help This help screen -f, --certfile CERTIFICATE-FILE Certificatefile -H, --host HOST host -p, --port PORTNUMBER port -P, --protocol PROTOCOL protocol(tcp,udp,sctp..) -s, --selector SELECTOR Selector for the association. 0 = Full Cert, 1 = SubjectPublicKeyInfo -u, --usage USAGE Usage for the association. 0 = PKIX-CA, 1 = PKIX-EE, 2 = DANE-TA, 3 = DANE-EE -t, --mtype MTYPE The Matching Type of the association. 0 = Exact Match, 1 = SHA-256, 2 = SHA-512 </code></pre> <h4>TLSA-Example</h4> <pre> <code> #!/usr/bin/env ruby require 'cryptorecord' selector = 0 mtype = 0 usage = 3 port = 443 proto = "tcp" host = "www.example.com" tlsa = Cryptorecord::Tlsa.new(:selector =&gt; selector, :mtype =&gt; mtype, :usage =&gt; usage, :port =&gt; port, :proto =&gt; proto, :host =&gt; host ) tlsa.read_file("/etc/ssl/certs/ssl-cert-snakeoil.pem") puts tlsa </code></pre> <h4>SSHFP-Example</h4> <pre> <code> #!/usr/bin/env ruby require 'cryptorecord' sshfp = Cryptorecord::Sshfp.new(:digest =&gt; 1, :keyfile =&gt; '/etc/ssh/ssh_host_rsa_key.pub', :host =&gt; 'www.example.com') puts sshfp </code></pre> <h4>OPENPGPKEYS-Example</h4> <pre> <code> #!/usr/bin/env ruby require 'cryptorecord' sshfp = Cryptorecord::Openpgpkeys.new(:uid =&gt; "hacky@hacktheplanet.com") sshfp.read_file("resources/hacky.asc") puts sshfp </code></pre> <h3>Documentation</h3> <p>The documentation can be found at <a href="https://www.rubydoc.info/gems/cryptorecord/">rubydoc.info</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 17 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/ruby" hreflang="en">Ruby</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/download" hreflang="en">Download</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/network" hreflang="en">Network</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=266&amp;2=comment&amp;3=comment" token="8fEI7N9n01EddQ0Ug03YejZAPosvCE9slAcfuGxj-AI"></drupal-render-placeholder> </section> Thu, 17 May 2018 10:13:20 +0000 Hoti 266 at https://tech.feedyourhead.at Postfix: verified TLS with DANE https://tech.feedyourhead.at/content/postfix-verified-tls-with-dane <span class="field field--name-title field--type-string field--label-hidden">Postfix: verified TLS with DANE</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>TLS via SMTP is <a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">opportunistic</a> which makes connections vulnerable to man-in-the-middle-attacks. In order to prevent mitm-attacks, <a href="https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities">DANE</a> could be used. The sender-server will first check the domain-records if dnssec is in use(and valid) and if a TLSA-record is published(and valid). If a TLSA-record is valid and matches with the certificate of the recipient-server the connection could be encrypted and the encryption is verified. Postfix was one of the first smtp-servers that implemented DANE since the <a href="https://tools.ietf.org/id/draft-dukhovni-smtp-opportunistic-tls-00.html">author of the DANE protocol is a postfix-developer</a>. This article describes how to enable DANE in postfix.</p> <h3>Preconditions</h3> <p>It's very easy to enable DANE in postfix. First we have to ensure that postfix can resolve DNSsec queries. I recommend to install the dns-resolver "<a href="https://unbound.net/">unbound</a>" on the postfix-server. Unbound does DNSsec pretty well. It also automatically manages the trust-anchors for DNSsec. We can check if DNSsec works, if the "ad"-flag is set. So lets use dig to test it:</p> <pre> <code>&gt; DiG 9.9.5-9+deb8u15-Debian &lt;&lt;&gt;&gt; gov. +dnssec ;; global options: +cmd ;; Got answer: ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 35764 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;gov. IN A </code></pre> <p>As we can see, the "ad"-flag was set. If we use a resolver without dnssec-support it would look like that:</p> <pre> <code> % dig gov. +dnssec ; &lt;&lt;&gt;&gt; DiG 9.8.4-rpz2+rl005.12-P1 &lt;&lt;&gt;&gt; gov. +dnssec ;; global options: +cmd ;; Got answer: ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL, id: 25074 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4000 ;; QUESTION SECTION: ;gov. IN A </code></pre> <p>As you can see, there is no "ad"-flag in this example. That indicates that DNSsec is not supported by the resolver.</p> <h3>Postfix-config</h3> <p>As soon as we set up a resolver with dnssec-support, we can easily enable DANE in postfix:</p> <pre> <code> # DANE-Settings smtp_dns_support_level=dnssec smtp_host_lookup=dns smtp_tls_security_level = dane smtp_tls_loglevel=1 </code></pre> <p>Now postfix will always try to verify the TLS-connection using DANE. If you just want to enable DANE for specific domains, I'll recommend have a look at the <a href="http://www.postfix.org/TLS_README.html#client_tls">example in the postfix-documentation</a>.</p> <h3>Test</h3> <p>We can test DANE by sending Emails to a server that has TLSA-Records. There is a list of domains with TLSA-records at the end of <a href="https://static.ptbl.co/static/attachments/169319/1520904692.pdf?1520904692">this pdf</a>. I just tested DANE by sending an email to a gmx.net-address:</p> <pre> <code> May 12 21:26:59 mymailserver postfix/smtp[3064]: Verified TLS connection established to mx01.emig.gmx.net[212.227.17.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) </code></pre> <p>The keyword "Verified" indicates that the TLS-connection could be verified.</p> <p>&nbsp;</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 14 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/email" hreflang="en">Email</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/mail" hreflang="en">Mail</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=265&amp;2=comment&amp;3=comment" token="oDTTj6SHpFvGYUI319oXvKTZNvcKlQalAHTJrUNU044"></drupal-render-placeholder> </section> Mon, 14 May 2018 12:11:10 +0000 Hoti 265 at https://tech.feedyourhead.at Thoughts about DNSsec https://tech.feedyourhead.at/content/thoughts-about-dnssec <span class="field field--name-title field--type-string field--label-hidden">Thoughts about DNSsec</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><a href="https://en.wikipedia.org/wiki/Domain_Name_System">DNS</a> is one of the oldest but also one of the most important network protocols we have and actively use. Dan Kaminsky discovered 2008 some <a href="https://www.kb.cert.org/vuls/id/800113">serious flaws</a> in DNS <a href="http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html">which is very well explained on this site</a>. <a href="https://blog.cloudflare.com/dnssec-an-introduction/">DNSsec</a> is supposed to solve those problems.</p> <h3>Why don't we have it worldwide yet?</h3> <p>DNSsec uses a chain of trust and signed records. There are some problems with DNSsec too. One problem, for example, is that it doesn't protect against attacks from the governments. In conjunction with DANE, which could be a replacement for the existing Certificate-Authorities, DNSsec could make things <a href="https://sockpuppet.org/blog/2015/01/15/against-dnssec/">worser than it was before</a>.  Another problem is  that the records might get bigger and this makes it easier for attackers to abuse the <a href="https://www.computerworld.com/article/3097364/security/attackers-use-dnssec-amplification-to-launch-multi-vector-ddos-attacks.html">dns-servers for ddos-attacks</a>. In order to keep the records smaller, some DNS-servers  use <a href="https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/">elliptic curve-algorithms</a>. But elliptic curve-algorithms aren't supported widely and many tools still don't support records that are signed with elliptic curve-algorithms.</p> <h3>It's easy to monitor, right?</h3> <p>Talking about tools brings me to another thing that bothers me: there aren't much solid tools that work properly out there for Dnssec. It was very hard to find some monitoringtools or libraries that check if the Domain is signed correctly and when the keys do expire. I won't say that there are none, but it seems that there are a lot of broken tools out there. There are many reasons for that. Those tools have to speak DNS, DNSsec and all it's cryptographic algorithms. Some tools are old and don't compile anymore, or have weird dependencies. Some don't speak DNSsec directly and just utilize unbound. And some speak DNS and DNSsec but not with elliptic curve algorithms. I hope this situation changes soon.</p> <h3>Providers are familiar with DNSsec, right?</h3> <p>When I was activating DNSsec on my domain, I had to interact with my domain-provider. I realized that this provider has no standard procedure for DNSsec yet. There was no secure way to hand him over my keys(or hashes). That made me curious about the state of DNSsec in austrian companies. And I figured out that not many companies use DNSsec. Neither the biggest internet service providers nor the local banks have implemented DNSsec yet. I guess they might do that, as soon as Google starts using DNSsec(if it happens).</p> <h3>So why bother after all?</h3> <p>There are a couple of dns-records which solve some existing problems but require trusted domains. One of them is DANE/TLSA. Even if many SMTP-servers support TLS now, it still is opportunistic and they are vulnerable against Man-In-The-Middle-attacks. If people would have a trusted dns-zone, they could store the certificates(or fingerprints) as DNS-records and the other mailservers could validate the certificates. I believe this could be a good thing(as long as we trust the keys of the top-level domains). Since "email made in germany" has failed many german mail-provider(like web.de and gmx) use DANE. That's why I decided to give DNSsec a try.</p> <p> </p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 08 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/network" hreflang="en">Network</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=264&amp;2=comment&amp;3=comment" token="BkT2xG6szICCwLsMrGEzc3x_9jyQKcl2VUooQikCslE"></drupal-render-placeholder> </section> Tue, 08 May 2018 09:36:20 +0000 Hoti 264 at https://tech.feedyourhead.at Utility to query certificate-transparency-database https://tech.feedyourhead.at/content/utility-to-query-certificate-transparency-database <span class="field field--name-title field--type-string field--label-hidden">Utility to query certificate-transparency-database</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><a href="https://www.certificate-transparency.org/what-is-ct">Certificate Transparency</a> is a great idea. All certificate-related activities on a certificate authority will be logged into a public database(it's a merkle-table), so that anyone can monitor or review the certificates. Commodo published a very handy <a href="https://crt.sh/">web-tool</a> to query the logs.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jan 13 2017</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/tricks" hreflang="en">Tricks</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/external" hreflang="en">External</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=225&amp;2=comment&amp;3=comment" token="HPDFzG4-h-wX24DjfMFof0PqJ5pxbAaeYilZ-jFAA_g"></drupal-render-placeholder> </section> Fri, 13 Jan 2017 20:01:43 +0000 Hoti 225 at https://tech.feedyourhead.at End-To-End-Encryption for messengers https://tech.feedyourhead.at/content/e2e-encryption%20for%20messengers <span class="field field--name-title field--type-string field--label-hidden">End-To-End-Encryption for messengers</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>End-To-End-Encryption is nothing new. With messengers like Whatsapp or Telegram it's again an issue. If E2E-Encryption means that nobody but the endpoints are able to encrypt the messages, then how is this feature implemented so seamlessly?</p> <h2>What's E2E-Encryption</h2> <blockquote> <p><strong>End-to-end encryption</strong> (<strong>E2EE</strong>) is a system of <a href="https://en.wikipedia.org/wiki/Digital_communications">communication</a> where only the people communicating can read the messages. No eavesdropper can access the <a href="https://en.wikipedia.org/wiki/Key_%28cryptography%29">cryptographic keys</a> needed to <a href="https://en.wikipedia.org/wiki/Encryption">decrypt</a> the conversation, including <a href="https://en.wikipedia.org/wiki/Telecommunications_service_providers">telecom providers</a>, <a href="https://en.wikipedia.org/wiki/Internet_providers">Internet providers</a> and the company that runs the messaging service.<a href="https://en.wikipedia.org/wiki/End-to-end_encryption#cite_note-Wired_Lexicon-1">[1]</a> <a href="https://en.wikipedia.org/wiki/Surveillance">Surveillance</a> and tampering are impossible because no third-parties can decipher the data being communicated or stored. For example, companies that use end-to-end encryption can’t hand over texts of their customers’ messages to the authorities - <a href="https://en.wikipedia.org/wiki/End-to-end_encryption">Wikipedia</a></p> </blockquote> <h2>Whats problem with encryption in general?</h2> <p>The big problem with encryption, using an unsecure channel, is the way how endpoints exchange the cryptographic keys. And this is even much more difficult if the persons never met. If we are using an unsecure channel we have to trust something and this "something" is the breaking point. Of course we have cryptographic algorithms like <a href="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange">Diffie-Hellman key exchange</a> but they just help us to exchange a key encrypted. If you don't know how the Diffie-Hellman key exchange works, here is the most simplest explanation in an lillustration(I borrowed the image from Wikipedia, just click on the image to get to the source):</p> <p> </p> <p><a href="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange"><img alt="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange" data-entity-type="file" data-entity-uuid="31798576-eacf-45f0-a05c-42a8e614f0f9" src="/sites/default/files/inline-images/Diffie-Hellman_Key_Exchange.svg_.png" /></a></p> <p> </p> <p>Algorithms like Diffie-Hellman do not ensure the integrity of our endpoints! Therefore an attacker can perform a Man-In-The-Middle attack to infiltrate the key exchange:</p> <h2><img alt="DH Key Exchange" data-entity-type="file" data-entity-uuid="33e7bc2f-97a8-44f8-a03d-86a4eb703958" src="/sites/default/files/inline-images/DHMiM.png" /></h2> <h2>Is there a solution?</h2> <p>We need a fixpoint we can trust somehow. The easiest way would be that if we know a person, we can meet and <a href="https://en.wikipedia.org/wiki/Key_exchange">exchange the keys</a> physically. In that way we use a different "secure" channel and we know each other(integrity). But that's not always possible.</p> <p>With public-key-algorithms it is possible to have central authorities we can trust(I don't really trust them, but that's another story..). Those authorities have 2 functions:</p> <ol><li>register a person's identity</li> <li>sign a certificate for this person</li> </ol><p>So if we trust the authority(our fixpoint here and we have the public-keys of the authority already installed on our machine) and our endpoint uses a certificate which is signed by this authority, we can trust the identity of our endpoint.</p> <p>Another approach would be to have a <a href="https://en.wikipedia.org/wiki/Web_of_trust">Web-Of-Trust.  </a><a href="https://gnupg.org/">GPG</a> uses this approach. We can sign other peoples public key if we trust them. In that way we have a network of people who trust each other(fixpoint here) transitively. Pretty cool, but this needs users with some knowledge  about public-key-technologies.</p> <p>Again: "<em>We need a fixpoint we can trust somehow".</em> And trust is an expendable word...</p> <h2>E2E-Implementations</h2> <h3>Email</h3> <p>End-to-End-encryption exists a long time for emailing. Users have to manually take care about the keys(PGP/<a href="https://gnupg.org/">GPG)</a>.  They can make use of the <a href="https://en.wikipedia.org/wiki/Web_of_trust">Web-Of-Trust</a> and it's up to the user how paranoid his key/trust-management is. The thunderbird-extensions <a href="http://www.enigmail.net/index.php/en/">Enigmail</a> makes it very easy to use E2E-encryption.</p> <h3>Jabber</h3> <p>Jabber (also known as XMPP) is an extendable chat-protocol. Many jabber-clients have a built-in button for GPG-encryption. The users still have to take care of their keys for themself. Since there are many open-source clients, we also exactly know the implementation of it.</p> <h4>Off-The-Record</h4> <p>Some Jabber-Clients also support <a href="https://en.wikipedia.org/wiki/Off-the-Record_Messaging">Off-The-Record</a>(OTR). Off-The-Record is supposed to make the key-exchange more easy. So this is great for users who don't want to take care about technical details. It work's like this in action: Alice clicks on a button "otr". Then a key is generated and sent to Bob. Bob's client will also generate a key and sends it to Alice. Both User just see the fingerprint of both keys and can compare them. If they want more security, they can use another channel(like the phone) to verify the keys. The problem with OTR: if the jabber-server is compromised, <a href="https://www.ejabberd.im/mod_otr">a Man-In-The-Middle-attack might be possible</a>. And of course: if both endpoints don't verify their keys, the integrity of the keys can also not be ensured. But that's the price for "easy-to-use"-encryption.</p> <h3>Telegram</h3> <p>When I started to write this article, I was thinking about Whatsapp. Because Whatsapp advertises with "we support E2E-encryption". Whatsapp is closed-source, so I was looking for an Open-Source-alternative for Whatsapp. And I came to <a href="https://telegram.org/">Telegram</a>.</p> <p>Telegram is a Whatsapp-like messenger. And it's open-source, isn't it? Not really. The client-application is open-source but not the server-part. I checked out it's <a href="https://github.com/telegramdesktop/tdesktop/blob/master/LICENSE">source-code.</a> And I was supprised because it just uses <a href="https://en.wikipedia.org/wiki/Remote_procedure_call">RPC</a>-calls rather than make use of any chat-protocol(which is not bad! I just wrote that because I expected something else). Another supprise appeared when I saw the crypto-implementation. They break the first rule of crypto-development: "DON'T IMPLEMENT YOUR OWN ALGORITHM!".  Some flaws already have been discovered and discussed:</p> <ul><li>http://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest:</li> <li>http://security.stackexchange.com/questions/49782/is-telegram-secure</li> <li>https://core.telegram.org/techfaq#q-how-does-end-to-end-encryption-work-in-mtproto</li> </ul><p>Here some quotes:</p> <blockquote> <p>They use the broken SHA1 hash function</p> </blockquote> <blockquote> <p>They include a hash of the plaintext message in the ciphertext. Essentially, they are trying to do “Mac and Encrypt” which is not secure. They should be doing “Encrypt then Mac” with HMAC-SHA512.</p> </blockquote> <blockquote> <p>They rely on an obscure cipher mode called “Infinite Garble Extension.”</p> </blockquote> <blockquote> <p>They do not authenticate public keys</p> </blockquote> <p>Even if these flaws would not exist anymore there is still one question in my mind: <em>How is the integrity of the keys ensured</em>? E2E really means end-to-end. This means that the only nodes in this communication who know the keys are our endpoints. But I have never seen a fingerprint on Telegram where I could verify the key of my chat-partner. Telegram makes it easy: "just trust our server, then everything is easy and everything is okay". What if the server is hacked? What if the server logs keys or  messages? For me, this is not End-To-End-Encryption.</p> <h3>Whatsapp</h3> <p>I don't know how Whatsapp has implemented E2E-encryption. I know that it has to be enabled and that there are QR-Codes. Yet I don't know  how it works and can't say anything about it, but I am very curious about it.</p> <p><strong>UPDATE</strong>: I found a <a href="https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf">Whitepaper</a> about Whatsapps E2E-encryption</p> <h3>Another problem to deal with</h3> <p>So even if we use a messenger which really uses E2E-encryption, there is still one issue: What about the History-File? Thunderbird and Enigmail encrypts a message just for few minutes. After then you have to insert your GPG-mantra again. But I know some messengers, where you can encrypt your messages with GPG but the messages are still in plaintext in the history-file! And if you just disable history-logs on your client, you still can't be sure that your opposite did it too.</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jun 03 2016</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=182&amp;2=comment&amp;3=comment" token="gIczXyAcaNCr2hkff6uxY7aX7s3QC_J5yA-Jwm9JrJ0"></drupal-render-placeholder> </section> Fri, 03 Jun 2016 09:44:42 +0000 Hoti 182 at https://tech.feedyourhead.at Let's Encrypt this blog... https://tech.feedyourhead.at/content/lets-encrypt-this-blog <span class="field field--name-title field--type-string field--label-hidden">Let&#039;s Encrypt this blog...</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><img alt="Letsenrypt" data-entity-type="file" data-entity-uuid="ab8fc64a-a62f-4e17-8d48-729a45365e04" src="/sites/default/files/inline-images/letsencrypt.jpg" /></p> <p>The connections to this blog are encrypted now. Youhuuuuu.....</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Mar 19 2016</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/blog" hreflang="en">Blog</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/news" hreflang="en">News</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=170&amp;2=comment&amp;3=comment" token="6UZNLyZ06gHIIsofYr7DhBx6hWJ6k4oEzW95oKEVbr0"></drupal-render-placeholder> </section> Sat, 19 Mar 2016 19:43:18 +0000 Hoti 170 at https://tech.feedyourhead.at Let's Encrypt https://tech.feedyourhead.at/content/lets-encrypt <span class="field field--name-title field--type-string field--label-hidden">Let&#039;s Encrypt</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><img alt="Letsenrypt" data-entity-type="file" data-entity-uuid="ab8fc64a-a62f-4e17-8d48-729a45365e04" src="/sites/default/files/inline-images/letsencrypt.jpg" /></p> <p><a href="https://letsencrypt.org">Lets Encrypt </a>was lately quite often in the media. Letsencrypt is a very easy to use tool which provides certificates for free. Those certificates are valid on most common browsers.  I never understood why certificates are expensive that's why I tried out letsencrypt(and I like it!).</p> <p>In this article, I will replace all <a href="https://www.cacert.org/">cacert-certificates</a> on a <a href="https://kolab.org/">kolab-server</a>. Therefore I will install the letsencrypt-certificate on: apache2, cyrus-imapd and postfix.</p> <h3>Installing letsencrypt</h3> <p>I just used git to obtain the letsencrypt-script:</p> <pre> <code> git clone https://github.com/letsencrypt/letsencrypt </code></pre> <p>Whenever letsencrypt is started it will search for dependencies and automatically install it using the package-manager of the Linux-distribution. So it's wise to open the help-page first:</p> <pre> <code> root@kolab:~/letsencrypt# ./letsencrypt-auto --help Updating letsencrypt and virtual environment dependencies...... Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --help letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ... The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the cert. Major SUBCOMMANDS are: (default) run Obtain &amp; install a cert in your current webserver certonly Obtain cert, but do not install it (aka "auth") install Install a previously obtained cert in a server revoke Revoke a previously obtained certificate rollback Rollback server configuration changes made during install config_changes Show changes made to server config during installation plugins Display information about installed plugins Choice of server plugins for obtaining and installing cert: --apache Use the Apache plugin for authentication &amp; installation --standalone Run a standalone webserver for authentication (nginx support is experimental, buggy, and not installed by default) --webroot Place files in a server's webroot folder for authentication OR use different plugins to obtain (authenticate) the cert and then install it: --authenticator standalone --installer apache More detailed help: -h, --help [topic] print this message, or detailed help on a topic; the available topics are: all, automation, paths, security, testing, or any of the subcommands or plugins (certonly, install, nginx, apache, standalone, webroot, etc) </code></pre> <h3>Different Modes</h3> <p>Letsencrypt can just create and download a certificate(certonly) or it can create the certificate and install it on different services( at the moment only nginx and apache seems to be supported for this).  There is a <a href="http://letsencrypt.readthedocs.org/en/latest/using.html#plugins">list in the letsencrypt-documentation</a> which option just creates the certificate and which option also installs it.</p> <h3>How to authenticate the host</h3> <p>Every certification-authority has to validate if you are really the owner of the domain where you want to install the certificate. Sometimes you have to set an entry in your dns-zone, or you just get an email to one of the mail-addresses of this dns-zone. Letsencrypt is a script executed on the targethost. It will just call home using HTTPS. But then the letsencrypt-server has to call back to your host to validate if it is really yours. If you don't  have a webserver on your host, letsencrypt can create a temporary <strong>standalone</strong> webserver for you and does the authentication automatically. I already have a webserver installed, so I can use my apache-Installation. Letsencrypt has an option called <strong>webroot.</strong> If you use this option for authentication, you will have to provider the path to your webroot and letsencrypt will then just create a temporary and hidden directory(.well-known) in this webroot. Be aware that letsencrypt only uses HTTP for validation. So if your server just listens on port 443 it won't work. Another option for authentication is <strong>manual</strong>. Using manual, one has to do the authentication by hand(I never tried that).</p> <h3>So let's encrypt</h3> <pre> <code> ./letsencrypt-auto certonly --rsa-key-size 4096 --webroot -w /var/www/html/ -d kolab.example.com </code></pre> <p>This command will create a certificate for kolab.example.com using the webroot /var/www/html for authentication. This certificate is stored in /etc/letsencrypt/live/kolab.example.com:</p> <pre> <code> root@kolab:~/letsencrypt# ls -l /etc/letsencrypt/live/kolab.example.com/ total 0 lrwxrwxrwx 1 root root 42 Jan 28 15:34 cert.pem -&gt; ../../archive/kolab.example.com/cert1.pem lrwxrwxrwx 1 root root 43 Jan 28 15:34 chain.pem -&gt; ../../archive/kolab.example.com/chain1.pem lrwxrwxrwx 1 root root 47 Jan 28 15:34 fullchain.pem -&gt; ../../archive/kolab.example.com/fullchain1.pem lrwxrwxrwx 1 root root 45 Jan 28 15:34 privkey.pem -&gt; ../../archive/kolab.example.com/privkey1.pem </code></pre> <h3>Configuring the services</h3> <h4>Apache2( &gt;= 2.4.8 )</h4> <pre> <code> SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem </code></pre> <h4>Apache2( &lt; 2.4.8 )</h4> <pre> <code> SSLCertificateFile /etc/letsencrypt/live/kolab.example.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/kolab.example.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/kolab.example.com/chain.pem </code></pre> <h4>Nginx</h4> <pre> <code> ssl_certificate /etc/letsencrypt/live/kolab.example.com/fullchain.pem ssl_certificate_key /etc/letsencrypt/live/kolab.example.com/privkey.pem </code></pre> <h4>Postfix</h4> <pre> <code> smtpd_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem smtpd_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem smtp_tls_cert_file=/etc/letsencrypt/live/kolab.example.com/fullchain.pem smtp_tls_key_file=/etc/letsencrypt/live/kolab.example.com/privkey.pem </code></pre> <h4>Cyrus Imapd</h4> <pre> <code> tls_server_cert: /etc/letsencrypt/live/kolab.example.com/cert.pem tls_server_key: /etc/letsencrypt/live/kolab.example.com/privkey.pem tls_server_ca_file: /etc/letsencrypt/live/kolab.example.com/chain.pem </code></pre> <p>DEBIAN-USERS: This won't work out of the box. Cyrus needs to have set the group-permissions for the certificate-files correctly:</p> <pre> <code> 403119 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/archive 403129 4 -rw-r--r-- 1 root ssl-cert 3272 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/privkey1.pem 403130 4 -rw-r--r-- 1 root ssl-cert 1675 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/chain1.pem 403128 4 -rw-r--r-- 1 root ssl-cert 2151 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/cert1.pem 403131 4 -rw-r--r-- 1 root ssl-cert 3826 Jan 28 15:34 /etc/letsencrypt/archive/kolab.example.com/fullchain1.pem 403120 4 drwxr-x--- 3 root ssl-cert 4096 Jan 28 15:34 /etc/letsencrypt/live </code></pre> <h3>Renewal</h3> <p><a href="http://letsencrypt.readthedocs.org/en/latest/using.html#renewal">Letsencrypt says on it's page</a>:</p> <blockquote> <p>Let’s Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.</p> </blockquote> <p>Let's create a renewal-script(/opt/letsrenew.sh):</p> <pre> <code> #!/bin/bash /opt/letsencrypt/letsencrypt-auto certonly --config /opt/letsencrypt/cli.ini --webroot -w /var/www/html/ -d kolab.example.com service apache2 restart service postfix restart service cyrus-imapd restart </code></pre> <p>So we can just create a cronjob(At 00:00 on the 1st in Jan, Mar, May, Jul, Sep and Nov):</p> <pre> <code> 0 0 1 */2 * /opt/letsrenew.sh &gt; /dev/null </code></pre> <p>Our /opt/letsencrypt/cli.ini looks like this:</p> <pre> <code> agree-tos renew-by-default = True </code></pre> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jan 30 2016</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/kolab" hreflang="en">Kolab</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/mail" hreflang="en">Mail</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/apache" hreflang="en">apache</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <div class="node__links"> <ul class="links inline"><li class="comment-add"><a href="/content/lets-encrypt#comment-form" title="Share your thoughts and opinions." hreflang="en">Add new comment</a></li></ul> </div> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class="title">Comments</h2> <a id="comment-43"></a> <article data-comment-user-id="0" about="/comment/43" typeof="schema:Comment" class="comment js-comment by-anonymous"> <mark class="hidden" data-comment-timestamp="1465486717"></mark> <footer class="comment__meta"> <article typeof="schema:Person" about="/user/0" class="profile"> </article> <p class="comment__submitted"><span rel="schema:author">Submitted by <span lang="" typeof="schema:Person" property="schema:name" datatype="">DoktorBen (not verified)</span> on May 26 2016</span> <span property="schema:dateCreated" content="2016-05-26T08:21:35+00:00" class="rdf-meta hidden"></span> </p> <a href="/comment/43#comment-43" hreflang="en">Permalink</a> </footer> <div class="content"> <h3 property="schema:name" datatype=""><a href="/comment/43#comment-43" class="permalink" rel="bookmark" hreflang="en">not working</a></h3> <div property="schema:text" class="clearfix text-formatted field field--name-comment-body field--type-text-long field--label-hidden field__item"><p>Hello,</p> <p>I followed your steps but cyrus cant access the certs<br /> May 26 10:20:37 post imaps[13762]: unable to get certificate from &#039;/etc/letsencrypt/live/post.example.com/cert.pem&#039;<br /> May 26 10:20:37 post imaps[13762]: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?<br /> May 26 10:20:37 post imaps[13762]: error initializing TLS</p> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=43&amp;1=default&amp;2=en&amp;3=" token="0CBfscSMVhEtdl-7xNrRgPHHetR-E1pufZ6nBV81nNA"></drupal-render-placeholder> </div> </article> <div class="indented"><a id="comment-56"></a> <article data-comment-user-id="1" about="/comment/56" typeof="schema:Comment" class="comment js-comment by-node-author"> <mark class="hidden" data-comment-timestamp="1465486795"></mark> <footer class="comment__meta"> <article typeof="schema:Person" about="/users/hoti" class="profile"> </article> <p class="comment__submitted"><span rel="schema:author">Submitted by <span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span> on Jun 09 2016</span> <span property="schema:dateCreated" content="2016-06-09T15:39:55+00:00" class="rdf-meta hidden"></span> </p> <p class="parent visually-hidden">In reply to <a href="/comment/43#comment-43" class="permalink" rel="bookmark" hreflang="en">not working</a> by <span lang="" typeof="schema:Person" property="schema:name" datatype="">DoktorBen (not verified)</span></p> <a href="/comment/56#comment-56" hreflang="en">Permalink</a> </footer> <div class="content"> <h3 property="schema:name" datatype=""><a href="/comment/56#comment-56" class="permalink" rel="bookmark" hreflang="en">I had a similar problem, and…</a></h3> <div property="schema:text" class="clearfix text-formatted field field--name-comment-body field--type-text-long field--label-hidden field__item">I had a similar problem, and it turned out that the permissions of the keys/directories were wrong. Make sure that cyrus is able to read the files.</div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=56&amp;1=default&amp;2=en&amp;3=" token="V1Qu_29upv6yDqy15gnEIfgDsb3NNBTcwTZyVhh4JBc"></drupal-render-placeholder> </div> </article> </div> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=153&amp;2=comment&amp;3=comment" token="pc1RY_oYvkTBR6bosei7Urkg8_WX0lhDhQcvRdTyBG4"></drupal-render-placeholder> </section> Sat, 30 Jan 2016 10:04:41 +0000 Hoti 153 at https://tech.feedyourhead.at Breaking Diffie-Hellman with Massive Precomputation https://tech.feedyourhead.at/content/breaking-diffie-hellman-massive-precomputation <span class="field field--name-title field--type-string field--label-hidden">Breaking Diffie-Hellman with Massive Precomputation</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><a href="https://www.schneier.com/blog/archives/2015/10/breaking_diffie.html">https://www.schneier.com/blog/archives/2015/10/breaking_diffie.html</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Oct 16 2015</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/news" hreflang="en">News</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/external" hreflang="en">External</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=123&amp;2=comment&amp;3=comment" token="5oDFiQV5YTPXkiLiCxpITJbgqIjZXjycuKLaIVfwMUU"></drupal-render-placeholder> </section> Fri, 16 Oct 2015 16:39:34 +0000 Hoti 123 at https://tech.feedyourhead.at OpenSSL: Generating a Subject-Alternative-Names-Certificate https://tech.feedyourhead.at/content/openssl-generating-subject-alternative-names-certificate <span class="field field--name-title field--type-string field--label-hidden">OpenSSL: Generating a Subject-Alternative-Names-Certificate</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>If you want to setup a ssl-certificate with multiple subdomains(of the same domain), you'll have to generate a certificate with alternative names. We can achieve this using some parameters in our openssl.cnf...</p> <p>First we have to copy our default openssl.cnf:</p> <pre> <code> cp /etc/ssl/openssl.cnf /opt/mysworkingdir </code></pre> <p>Next we have to find and uncomment the following line(if it doesn't exist, we just add it):</p> <pre> <code> req_extensions = v3_req </code></pre> <p>Now we can add a new section called "[ v3_req ]" if it doesn't exist:</p> <pre> <code> [ v3_req ] # Extensions to add to a certificate request subjectAltName = @alt_names basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment </code></pre> <p>Now we just need another section for our alternative names:</p> <pre> <code> [ alt_names ] DNS.1 = myalternative.domain.com </code></pre> <p>Finally we can generate a Certificate-request(I assume that we already generated a private-key):</p> <pre> <code> openssl req -new -days 365 -key private_key.pem -out my.csr -config openssl.cnf </code></pre> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Sep 18 2015</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/openssl" hreflang="en">openssl</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=105&amp;2=comment&amp;3=comment" token="X9yYA0tJrM5M9yEi2uNHK_kfx3U390M5r-ILIJ4vbJs"></drupal-render-placeholder> </section> Fri, 18 Sep 2015 11:20:57 +0000 Hoti 105 at https://tech.feedyourhead.at Logjam ( Attacks against Diffie-Hellman) https://tech.feedyourhead.at/content/logjam-attacks-against-diffie-hellman <span class="field field--name-title field--type-string field--label-hidden">Logjam ( Attacks against Diffie-Hellman)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>There are <a href="https://weakdh.org/">several weaknesses</a> in how Diffie-Hellman key exchange are deployed. This weaknesses have a huge impact, since many servers are affected. <a href="https://weakdh.org/sysadmin.html">Here are some advices how to setup a prober key exchange on serveral servers</a>.</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 21 2015</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=87&amp;2=comment&amp;3=comment" token="3S0Fa81zNAUTJAdk1ddlPTY_sYuU6gOX9ofwNCMwtsU"></drupal-render-placeholder> </section> Thu, 21 May 2015 11:37:11 +0000 Hoti 87 at https://tech.feedyourhead.at