Articles in category “Information Security”

How to really screw up TLS

I've noticed a few of my favorite websites failing with some odd error from Firefox.

[Image: Firefox's "Unable to connect securely" error message]

The Firefox error message is a bit misleading.  It actually has nothing to do with the website supporting SSL 3.0, but the advanced info is spot on.  The error "ssl_error_no_cypher_overlap" means that the client …

Continue reading…

Ability to remove TLS 1.0 from httpd in CentOS 6

Due to a bug in mod_ssl, the ability to remove TLS 1.0 (and only support TLS 1.1 and/or TLS 1.2) has not been available.  The fix has now made it to CentOS 6 and you can now fine-tune your cryptographic protocols with ease.

Before the fix …
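As an added illustration (not configuration from the original post), here is the kind of mod_ssl directive the fix makes honour its settings: the "before" line only drops SSLv2 and SSLv3 and leaves TLS 1.0 on, while the "after" line removes TLS 1.0 as well. The host name and certificate paths are placeholders.

```apache
# Added example, not from the original post. Minimal mod_ssl virtual host
# for httpd 2.2 on CentOS 6; ServerName and certificate paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Before: only SSLv2 and SSLv3 are removed, so TLS 1.0 stays enabled.
    # SSLProtocol all -SSLv2 -SSLv3

    # After: TLS 1.0 is removed too, leaving TLS 1.1 and TLS 1.2.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1

    # Equivalent allow-list form; the TLSv1.1/TLSv1.2 keywords need the
    # fixed httpd package on CentOS 6.
    # SSLProtocol TLSv1.1 TLSv1.2
</VirtualHost>
```

After restarting httpd, confirm the change from a client rather than trusting the config file: `openssl s_client -connect www.example.com:443 -tls1` should now fail its handshake, while the same command with `-tls1_1` or `-tls1_2` should complete. Before the fix, the `-tls1` probe kept succeeding even with `-TLSv1` in the directive, which is the bug the post describes.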

Continue reading…

Okay, this is a neat attack...

This morning I received an email from my "administrator" saying that I needed to validate my email address within the next 48 hours or my email account would be suspended.  Seeing as how I'm my own email administrator and couldn't remember sending out such a message, I decided that this …

Continue reading…

Signing PGP keys

If you've recently completed a key signing party or have otherwise met up with other people and have exchanged key fingerprints and verified IDs, it's now time to sign the keys you trust.  There are several different ways of completing this task and I'll discuss two of them now.

caff …

Continue reading…

PGP Keysigning Event and CACert Assertion at SELF2014

SouthEast LinuxFest is happening this upcoming weekend.  I offered to host a PGP (I'll substitute PGP for GPG, GnuPG, and other iterations) keysigning and CACert Assertion event and have been scheduled for 6:30 PM in the Red Hat Ballroom.  Since there is a little bit of planning needed on …

Continue reading…

Generating a PGP key using GnuPG

Generating a PGP key using GnuPG (GPG) is quite simple.  The following shows my recommendations for generating a PGP key today.

$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY …

Continue reading…

Secure E-mail

E-mail is inherently insecure.  Just like a postcard, any message sent by e-mail can be read by any number of people, including those monitoring the network path, the servers that process the message along its route, or anyone with access to the remote computer.  Basically you should consider …

Continue reading…

SSL/TLS Trends

My friend Hubert has started compiling statistics of Alexa's top 1 million websites. Specifically, he's looking at their SSL/TLS settings and attempting to show trends in the world that is port 443.  He recently released his May numbers showing a slow but mostly improving security environment.  I'm hoping he'll …

Continue reading…

STARTTLS for SMTP

Okay, I don't really mean to advocate this as a privacy solution because it is and it isn't.  If you truly want privacy of your email you must use end-to-end encryption like PGP/GnuPG or S/MIME.  That said, I think it's good to encrypt things, even ciphertext, over the …

Continue reading…

256 Bits of Security

This is an incomplete discussion of SSL/TLS authentication and encryption.  This post only goes into RSA and does not discuss DHE, PFS, elliptic-curve, or other mechanisms.

In a previous post I created a 15,360-bit RSA key and timed how long it took to create the key.  Some may …

Continue reading…