satchamo.com
Matt Johnson
http://satchamo.com/post/thoughts-on-breach
Posted Fri Aug 09 @ 07:10:30 PM PDT 2013. A new attack on HTTPS was recently published by Angelo Prado, Neal Harris and Yoel Gluck. It created quite a stir, and now there are calls to disable gzip compression in HTTP responses. On how practical the attack is, the authors say: For the attack to work, three conditions must be met by the web app: some form of HTTP-level compression must be used; the HTTP response must reflect user input (for example, outputting one of the GET parameters); ... If we assume the...
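The two conditions quoted above are enough to build the length oracle at the heart of BREACH. The following is an added example, not code from the post or from the BREACH authors: the page template, the token "48213957", the attacker's digit alphabet and the per-response masking fix are all constructed for the demo. It pins DEFLATE to its fixed Huffman table so the one-byte signal is exact; with the default dynamic tables the signal is the same but a few bits noisy, which is why real tooling pads and retries.

```python
"""Compression length oracle in miniature (BREACH), plus the masking fix.

Added example, not code from the post: the page template, the token
"48213957" and the attacker's alphabet are constructed for the demo.
"""
import random
import zlib

SECRET_TOKEN = "48213957"             # constructed sample CSRF token
ALPHABET = "0123456789"               # attacker's assumption about the token charset
TOKEN_PREFIX = 'name="csrf" value="'  # 19 bytes that precede the token, visible in the HTML


def render_page(reflected: str, token: str = SECRET_TOKEN) -> bytes:
    """Condition 2: the response reflects user input next to a secret."""
    html = (
        "<html><body>"
        '<form action="/transfer" method="post">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '<input type="submit">'
        "</form>"
        f"<p>You searched for: {reflected}</p>"
        "</body></html>"
    )
    return html.encode()


def compress(body: bytes) -> bytes:
    """Condition 1: HTTP-level compression (DEFLATE, the algorithm behind gzip).

    Z_FIXED pins DEFLATE to its fixed Huffman table, so a wrong guess costs
    exactly one 8-bit literal and the oracle below is noise-free.  With the
    default dynamic tables the signal is the same but a few bits fuzzy.
    """
    c = zlib.compressobj(6, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return c.compress(body) + c.flush()


def oracle(guess: str, page=render_page) -> int:
    """What a network attacker observes: the compressed length.  Under TLS the
    ciphertext length tracks it (exactly for stream/AEAD ciphers, rounded to
    the block size for CBC)."""
    return len(compress(page(guess)))


def recover_token(length: int, page=render_page) -> str:
    """Byte-at-a-time recovery: the guess that extends the LZ77 match against
    the real token compresses one byte shorter than every other guess."""
    known = ""
    for _ in range(length):
        sizes = {c: oracle(TOKEN_PREFIX + known + c, page) for c in ALPHABET}
        known += min(sizes, key=sizes.get)
    return known


# --- mitigation: per-response masking of the token ---------------------------
_demo_rng = random.Random(1234)  # fixed seed only so the demo is repeatable;
                                 # a real server draws the mask from secrets


def mask_token(token: str, rng=_demo_rng) -> str:
    """Emit hex(mask || mask XOR token).  The value differs on every response,
    so no attacker guess ever matches a stable byte sequence in the page."""
    raw = token.encode()
    mask = bytes(rng.getrandbits(8) for _ in raw)
    return (mask + bytes(m ^ t for m, t in zip(mask, raw))).hex()


def unmask_token(field: str) -> str:
    """Server side: recover the real token from the masked form field."""
    data = bytes.fromhex(field)
    half = len(data) // 2
    return bytes(m ^ t for m, t in zip(data[:half], data[half:])).decode()


def render_masked_page(reflected: str) -> bytes:
    """Same reflecting page, but the token is freshly masked per response."""
    return render_page(reflected, token=mask_token(SECRET_TOKEN))


if __name__ == "__main__":
    print("unmasked page leaks:", recover_token(8))  # 48213957
    print("masked page yields :", recover_token(8, render_masked_page))
```

Each wrong guess leaves one extra literal in the DEFLATE stream, so the correct digit's response is one byte shorter; eighty requests recover the eight-digit token. Disabling compression removes condition 1; masking the token per response (the fix Django and Rails adopted) removes the stable secret the match needs, and the same oracle then returns junk.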
bitacoras.citius.usc.es
Reinicia antes de chamar | Bitácora da Unidade de Xestión de Infraestruturas TIC
https://bitacoras.citius.usc.es/tic
Reboot before calling. Blog of the ICT Infrastructure Management Unit. We have suffered a brute-force attack on WordPress. Yesterday some of you noticed that the domains proxectos.citius.usc.es and persoal.citius.usc.es were not working; that was because we received a warning that the server was infected with a botnet. We have suffered something similar in the past. On 4 November, at 6 in the morning, over 4 hours we received a total of 2411 login-attempt requests ...
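A burst like the 2411 login attempts described above is easy to spot in the web server's access log if you count login POSTs per source address over a sliding window. The detector below is an added example, not code from the post: the log lines are constructed, and the 10-minute window and 20-request threshold are assumptions to tune per site.

```python
"""Sliding-window detector for WordPress login brute force in access logs.

Added example, not from the post: the log lines are constructed, and the
10-minute / 20-request threshold is an assumption to tune per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # xmlrpc.php also accepts credentials
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Combined-log-format line -> (ip, timestamp, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bruteforce(lines, window=timedelta(minutes=10), threshold=20):
    """Return {ip: peak} for IPs whose login POSTs in any `window` reach `threshold`.

    Only POSTs to the login endpoints count.  The status code is deliberately
    ignored: WordPress answers a failed login with 200, not 401, so filtering
    on status would hide the attack.
    """
    events = sorted(
        (r for r in map(parse_line, lines) if r and r[2] == "POST" and r[3] in LOGIN_PATHS),
        key=lambda r: r[1],
    )
    recent = defaultdict(deque)  # per-IP timestamps inside the current window
    peak = defaultdict(int)
    for ip, ts, _, _, _ in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def make_sample_log():
    """Constructed lines (TEST-NET addresses): one host posts to wp-login.php
    every 10 s for 5 minutes; one ordinary user logs in once and browses."""
    base = datetime(2013, 11, 4, 6, 0, 0, tzinfo=timezone(timedelta(hours=1)))
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [
        f'203.0.113.7 - - [{(base + timedelta(seconds=10 * i)).strftime(fmt)}] '
        f'"POST /wp-login.php HTTP/1.1" 200 3042 "-" "Mozilla/5.0"'
        for i in range(30)
    ]
    t = (base + timedelta(seconds=65)).strftime(fmt)
    lines.append(f'198.51.100.4 - - [{t}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.4 - - [{t}] "GET /wp-admin/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(find_bruteforce(make_sample_log()))  # {'203.0.113.7': 30}
```

Feed it `tail -f`-style from the real log and the offending addresses are what you hand to fail2ban or an iptables rule; a distributed botnet spreads the attempts over many addresses, so a second pass that counts per username rather than per IP is worth adding.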
nulab-inc.com
Securing Nginx Against SSL/TLS Related Attacks - Nulab Inc.
http://nulab-inc.com/blog/nulab/securing-nginx
Securing Nginx Against SSL/TLS Related Attacks. October 22nd, 2013. UPDATE 2014-04-10: the openssl version has been updated to openssl-1.0.1g. It is strongly recommended to use openssl-1.0.1g or later to mitigate the Heartbleed vulnerability. Last August, a new attack leveraging HTTP compression, called BREACH, was uncovered at Black Hat USA 2013. A post by Ivan Ristic on Qualys Community ... ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:! ... We use AW...
lorrin.org
Apache httpd – lankycoder
http://www.lorrin.org/blog/tag/apache-httpd
Assorted Adventures in Software Development. Configuring Apache for Perfect Forward Secrecy. I had trouble finding a good recipe for Apache SSL configuration that achieves perfect forward secrecy while avoiding other pitfalls such as the BEAST attack, so I made my own. First, SSLv2 is vulnerable, so disable it. On my Ubuntu box this was already done in ... # Enable only secure protocols: SSLv3 and TLSv1, but not SSLv2 / SSLProtocol all -SSLv2. TLSv1 is widely supported, so it makes sense to include it. As a proxy ...
snelling.io
Understanding SSL Misconfiguration | Sam Snelling
http://snelling.io/ssl
The John Wick of PHP Software Development. To be honest, it's relatively infuriating in 2015 to see so many sites that have misconfigured SSL. That includes you, business folks! You should have a basic understanding of how secure connections on the internet work. The goal is for anyone to understand its importance, the basic parts of SSL, and very quickly understand if you are doing it wrong. HTTP is a protocol that is used for communicating with web servers. Just as a recap: HTTP and HTTPS are different. The ... Fill in...
googlecodejammer.blogspot.com
google code jammer: Protecting from POODLE SSL 3.0 attack
http://googlecodejammer.blogspot.com/p/protecting-from-poodle.html
Tech blog covering Google Code Jam, computer and network security, microcontroller and SoC projects. Protecting from the POODLE SSL 3.0 attack. The POODLE SSL 3.0 encryption downgrade attack was reported on 10/14/2014, and excellent traction has been gained toward remediation of this vulnerability. http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html http://en.wikipedia.org/wiki/Transport_Layer_Security. To disallow SSL 3.0 on Apache2 servers: ... You can check server side ...
dfranke.us
How POODLE Happened — Indistinguishable from Random
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html
October 14, 2014. By Daniel Fox Franke. Bodo Möller, Thai Duong, and Krzysztof Kotowicz have just broken the internet again with a new and devastating attack against SSL 3.0. POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption, permits a man-in-the-middle attacker to rapidly decrypt any browser session which utilizes SSL 3.0. This post is meant to be a simple as possible, but no simpler, explanation of the attack.
tools.ietf.org
draft-ietf-httpbis-http2-17 - Hypertext Transfer Protocol Version 2 (HTTP/2)
https://tools.ietf.org/html/draft-ietf-httpbis-http2-17
HTTPbis Working Group. M. Belshe (Twist), R. Peon (Google, Inc), M. Thomson, Ed. (Mozilla). Internet-Draft, Intended status: Standards Track. February 11, 2015; Expires: August 15, 2015. Hypertext Transfer Protocol version 2. Working Group information can be found at [2]; that specific to HTTP/2 are at [3]. The changes in this draft are summarized in Appendix B. Status of This Memo: This Internet-Draft is submitted in full conformance with the provisions of BCP 78. In effect on the ...
alldnsleadsto.me
All DNS Leads To Me | # route add net all dev here | Page 2
http://alldnsleadsto.me/page/2
All DNS Leads To Me. # route add net all dev here. Secure Boot: Microsoft lets the backdoor slip. The ecosystem supporting the protocol built into the UEFI firmware of millions of devices may have suffered a lethal blow at the hands of its main sponsor. Two hackers, nicknamed my123 and slipstream, have published, in a not exactly austere format, ... The discovery dates back to last ...