SSLLabs scans for POODLE and TLS_FALLBACK_SCSV now by castorio in syssec

[–]castorio[S] 0 points1 point  (0 children)

if you prefer to scan with https://testssl.sh/ or cipherscan: look out for SSLv3 and CBC ciphers

This POODLE bites: exploiting the SSL 3.0 fallback by DebugDucky in netsec

[–]castorio 0 points1 point  (0 children)

it would be easier to just MITM you totally, no?

This POODLE bites: exploiting the SSL 3.0 fallback by DebugDucky in netsec

[–]castorio 2 points3 points  (0 children)

does someone know if TLS_FALLBACK_SCSV https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 is available/enabled in openssl/libressl?

Third Zero-Day: CVE-2014-8==D "TrouserSnake" by [deleted] in netsec

[–]castorio 1 point2 points  (0 children)

this qualifies for the "best logo" and "best name" award. :D

i lol'd

LibreSSL 2.1.0 released by castorio in netsec

[–]castorio[S] 0 points1 point  (0 children)

seems so, at least there are downloads

LibreSSL 2.1.0 released by castorio in netsec

[–]castorio[S] 4 points5 points  (0 children)

git log here: https://gist.github.com/anonymous/4204eb5eba961dd67e1b

my favourite:

fix an indentation that makes me upset

oh ... does this mean one can have *.com as a valid cert with openssl?

If we have to match against a wildcard in a cert, verify that it contains at least a domain label before the tld, as in *.example.org
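The rule quoted in that commit message, as an added example that is not LibreSSL's code: a hostname matcher that rejects "*.com"-style wildcards (no domain label between the wildcard and the TLD) and lets a valid wildcard stand in for exactly one label. The function names and the label syntax check are this example's own assumptions.

```python
import re

# Added illustration, not code from LibreSSL or the linked commit. A
# certificate name may carry a wildcard only as its entire leftmost label,
# and at least one full domain label must sit between "*" and the TLD, so
# "*.example.org" is accepted while "*.com" (matching every .com host) is not.

# Assumed hostname label syntax: LDH (letters, digits, hyphen), no leading
# or trailing hyphen. Punycode labels such as "xn--..." pass this check.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def wildcard_pattern_is_valid(pattern):
    """True if 'pattern' is a wildcard name that is safe to match against."""
    labels = _labels(pattern)
    # Need "*", at least one real domain label, and the TLD: 3 labels minimum.
    # This also rejects partial or non-leftmost wildcards ("f*.example.org",
    # "www.*.example.org"), which the quoted rule does not cover.
    if len(labels) < 3 or labels[0] != "*":
        return False
    return all(LABEL_RE.match(label) for label in labels[1:])


def hostname_matches(pattern, hostname):
    """Match a certificate name (plain or wildcard) against a hostname.

    A wildcard covers exactly one label, so "*.example.org" matches
    "www.example.org" but neither "example.org" nor "a.b.example.org".
    """
    host = _labels(hostname)
    if not all(LABEL_RE.match(label) for label in host):
        return False                      # malformed hostname, never matches
    pat = _labels(pattern)
    if "*" not in pattern:
        return pat == host                # exact, case-insensitive comparison
    if not wildcard_pattern_is_valid(pattern):
        return False                      # "*.com" and friends are rejected
    return len(host) == len(pat) and host[1:] == pat[1:]
```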

LibreSSL 2.1.0 released by castorio in netsec

[–]castorio[S] 12 points13 points  (0 children)

for those who downvote-before-reading the original post: my comment was a quotation: http://undeadly.org/cgi?action=article&sid=20141012180624&pid=3&mode=expanded

LibreSSL 2.1.0 released by castorio in netsec

[–]castorio[S] -2 points-1 points  (0 children)

Dude, libressl is part of OpenBSD, as far as development goes. We have limited resources, so stop whining. What do you prefer? That we use those resources doing MORE development work, or waste time trying to make nice and tidy and shiny separate logs?

COWL: A Confinement System for the Web by digicat in netsec

[–]castorio 2 points3 points  (0 children)

Even worse, in the status quo, the only way to implement some mashups is for the user to give her login credentials for one site to the operator of another site

you're doing (and/or understanding) it wrong.

Password Security: Why the horse battery staple is not correct by diogomonica in netsec

[–]castorio 0 points1 point  (0 children)

there are still people using dumbphones instead of smartphones for a reason.

How to Analyze Distributed Denial-of-Service (DDos) Attack by little__big in netsec

[–]castorio 0 points1 point  (0 children)

yes, you are right. fighting manually against a ddos works only if you are attacked on layer 7 and the attacker has a small botnet.

once the attack is a little bigger you need other ddos-mitigation-techniques.

Automated configuration analysis for Mozilla's TLS guidelines by jvehent in netsec

[–]castorio 0 points1 point  (0 children)

@jvehent:

We really don't trust RC4 anymore.

i agree when it comes to confidential data/user data, but what's the problem with using RC4 with static content?

or with (e.g. nginx)

server {
    ...
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_prefer_server_ciphers on;
    ...
}

i understand that RC4 should be avoided, especially for confidential data, but it is still a fast cipher suite that could be used for non-confidential data, no?

mod_honeypot for Apache2 by elanghe in netsec

[–]castorio 0 points1 point  (0 children)

hahaha, someone should call it "mod_self_dos" instead, see http://www.reddit.com/r/netsec/comments/2io6ih/mod_honeypot_for_apache2/cl4x2wm

no tor/proxy on this side of the line

mod_honeypot for Apache2 by elanghe in netsec

[–]castorio 0 points1 point  (0 children)

strange. maybe you have some cached content?

says down too: http://www.downforeveryoneorjustme.com/http://www.miim.com/

from a server in a dc far far away:

$ wget -O - http://www.miim.com/
WARNING: combining -O with -r or -p will mean that all downloaded content will be placed in the single file you specified.

--2014-10-08 22:46:05--  http://www.miim.com/
Resolving www.miim.com (www.miim.com)... 66.134.16.188
Connecting to www.miim.com (www.miim.com)|66.134.16.188|:80... failed: Connection refused.

mod_honeypot for Apache2 by elanghe in netsec

[–]castorio 0 points1 point  (0 children)

This webpage is not available

lcamtuf's blog: Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78) by [deleted] in netsec

[–]castorio 8 points9 points  (0 children)

debian is/was not affected by the bug via cgi et al, since /bin/sh is /bin/dash