I recently read an article on the TriLUG blog mirror discussing access to data after the death of the owner. I've also given this a lot of thought as well and had previously come to the same conclusion as the original author of the article has:
read more"I created a file …
I've been working on securing my postfix configuration to enforce certificate validation and encryption on some known, higher-volume, or more sensitive connections between SMTP servers (port 25).
On many of the connections I've setup for secure transport there have been no problems (assuming proper TLS certificates are used). Unfortunately Gmail …
read moreCatching up on my blog reading, this morning, led me to an article discussing Apple's iMessage program and, specifically, the encryption it uses and how it's implemented. Go ahead and read the article; I'll wait.
The TL;DR of that article is this: encryption you don't control is not a …
read moreAs a security engineer it's usually difficult for me to endure many of dumb things companies do. It's quite sad when a company that prides itself on creating solutions for building internal solutions to protect customer data actually starts pushing its own data out to Google and other "solution" providers …
read moreI was passed an interesting article, this morning, regarding hardening secure shell (SSH) against poor crypto that can be a victim of cracking by the NSA and other entities. The article is well written and discusses why the changes are necessary in light of recent Snowden file releases.
read moreI've noticed a few of my favorite websites failing with some odd error from Firefox.
The Firefox error
message is a bit misleading. It actually has nothing to do with the
website supporting SSL 3.0 but the advanced info is spot on. The error
"ssl_error_no_cypher_overlap" means that the client …
My friend Hubert has been doing a lot of work to make better the world a little safer. Glad he's getting some recognition. Here's a great article on testing your server for proper SSL/TLS configurations.
read moreGenerating a PGP using GnuPG (GPG) is quite simple. The following shows my recommendations for generating a PGP key today.
$ gpg --gen-key gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY …read more
My friend Hubert has started compiling statistics of Alexa's top 1 million websites. Specifically, he's looking at their SSL/TLS settings and attempting to show trends in the world that is port 443. He recently released his May numbers showing a slow but mostly improving security environment. I'm hoping he'll …
read moreThis is an incomplete discussion of SSL/TLS authentication and encryption. This post only goes into RSA and does not discuss DHE, PFS, elliptical, or other mechanisms.
In a previous post I created an 15,360-bit RSA key and timed how long it took to create the key. Some may …
read moreI've been arguing with my web hosting company about their use of RC4. Like many enterprise networks they aren't consistent across all their servers with respect to available ciphers and such. It appears that all customer servers support TLS_RSA_WITH_CAMELLIA_256_CBC_SHA and TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, in addition to TLS_RSA_WITH_RC4_128_SHA (although the latter is preferred …
read moreThought I'd pass along this research study, The keys to the kingdom, as I found it to be quite interesting (especially when you scan the entire Internet for your data). If you don't understand the math explanation at the beginning just continue reading as you don't need to have a …
read moreJust ran across this article discussing how horrible the cipher preference list is in Android. That's a lot of bad crypto on the streets right now.
Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010
read moreSFGate: If You Send To Gmail, You Have 'No Legitimate Expectation Of Privacy'
Not that this is really news but if you hand your message to a third-party for delivery you have no expectation of privacy. Agree with it or not that's the way it is inside the United States …
read moreAn excellent description of how Tor and HTTPS can help protect your online privacy and secure your web communications.
read moreMuch of our daily lives are contained within our smartphones and computers. Email, text messages, and phone calls all contain bits and pieces of information that, in the wrong hands, could harm our privacy. Unfortunately many people either don't understand how vulnerable their data is when sent across the Internet …
read moreClimate talk, Alaska government business, and Dave Briggs. What do these three things have in common? Each of these subjects had more light shown on them by someone cracking email messages and releasing those messages to the public over the Internet. Of course there are many more of these events …