Articles with tag “TLS”

Postfix Encryption

I've been tinkering with the encryption options in Postfix for a while.  Encryption between clients and their SMTP server and between SMTP servers is necessary to protect the to, from, and subject fields, along with the rest of the header, of an email.  The body of the message is also …

Continue reading…

How to really screw up TLS

I've noticed a few of my favorite websites failing with some odd error from Firefox.

Firefox's Unable to connect securely error messageThe Firefox error message is a bit misleading.  It actually has nothing to do with the website supporting SSL 3.0 but the advanced info is spot on.  The error "ssl_error_no_cypher_overlap" means that the client …

Continue reading…

Ability to remove TLS 1.0 from httpd in CentOS 6

Due to a bug in mod_ssl, the ability to remove TLS 1.0 (and only support TLS 1.1 and/or TLS 1.2) has not been available.  The fix has now made it to CentOS 6 and you can now fine-tune your cryptographic protocols with ease.

Before the fix …

Continue reading…

STARTTLS for SMTP

Okay, I don't really mean to advocate this as a privacy solution because it is and it isn't.  If you truly want privacy of your email you mustuse end-to-end encryption like PGP/GnuPG or S/MIME.  That said, I think it's good to encrypt things, even ciphertext, over the …

Continue reading…

256 Bits of Security

This is an incomplete discussion of SSL/TLS authentication and encryption.  This post only goes into RSA and does not discuss DHE, PFS, elliptical, or other mechanisms.

In a previous post I created an 15,360-bit RSA key and timed how long it took to create the key.  Some may …

Continue reading…

Kicking RC4 out the door

I've been arguing with my web hosting company about their use of RC4.  Like many enterprise networks they aren't consistent across all their servers with respect to available ciphers and such.  It appears that all customer servers support TLS_RSA_WITH_CAMELLIA_256_CBC_SHA and TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, in addition to TLS_RSA_WITH_RC4_128_SHA (although the latter is preferred …

Continue reading…

How secure are those SSL and SSH keys anyway?

Thought I'd pass along this research study, The keys to the kingdom, as I found it to be quite interesting (especially when you scan the entire Internet for your data).  If you don't understand the math explanation at the beginning just continue reading as you don't need to have a …

Continue reading…

Trusting Trusted CAs

Like it or not, the basis of trust for much of the Internet is based on Certificate Authorities (CA).  Companies like Verisign, GoDaddy, and GeoTrust are in the trust business.  They will sell you cryptographic proof of your Internet assets (namely your domain name) that others can use to verify …

Continue reading…