We’re talking with Josh Aas, the Executive Director of the Internet Security Research Group, which is the legal entity behind the Let’s Encrypt certificate authority. In June of 2017, Let’s Encrypt celebrated 100 Million certificates issued. Now, just about 2.5 years later, that number has grown to 1 Billion and 200 Million websites served. We talk with Josh about his journey and what it’s taken to build and grow Let’s Encrypt to enable a secure by default internet for everyone.
There are many ways to SSH. Some have more security “risks” than others. Yet, we SSH everyday…but could you improve the security of your SSH infrastructure? Maybe. Let’s find out.
Most people can agree that using public key authentication for SSH is generally better than using passwords. Nobody ever types in a private key, so it can’t be keylogged or observed over your shoulder. SSH keys have their own issues, however, some of which we’ve covered in a previous post about SSH key management.
The next level up from SSH keys is SSH certificates. … With SSH certificates, you generate a certificate authority (CA) and then use this to issue and cryptographically sign certificates which can authenticate users to hosts, or hosts to users….
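To make the CA-and-signing step concrete, here is an added shell demo (not code from the linked post) that builds a throwaway SSH CA with ssh-keygen, signs one user key and one host key, and prints the trust-anchor line a client needs; the names alice, web1.example.test and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the linked post: a throwaway SSH CA built with
# ssh-keygen. Names (alice, web1.example.test) and paths are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# The CA is an ordinary key pair; its private half signs certificates.
make_ca() {
  rm -f "$WORK/ca" "$WORK/ca.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$WORK/ca" </dev/null
  echo "$WORK/ca.pub"
}

# User cert: -n lists the accounts it may log in as, -I is an audit-friendly
# key id, -V caps the lifetime so a leaked cert expires on its own.
sign_user_cert() {
  [ -f "$WORK/ca" ] || make_ca >/dev/null
  rm -f "$WORK/alice" "$WORK/alice.pub" "$WORK/alice-cert.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$WORK/alice" </dev/null
  ssh-keygen -q -s "$WORK/ca" -I 'alice@laptop' -n 'alice,deploy' \
    -V '+52w' "$WORK/alice.pub"
  echo "$WORK/alice-cert.pub"
}

# Host cert (-h): clients that trust the CA verify a server they have never
# connected to, with no trust-on-first-use prompt.
sign_host_cert() {
  [ -f "$WORK/ca" ] || make_ca >/dev/null
  rm -f "$WORK/host" "$WORK/host.pub" "$WORK/host-cert.pub"
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/host" </dev/null
  ssh-keygen -q -s "$WORK/ca" -I 'web1' -h -n 'web1.example.test' \
    -V '+52w' "$WORK/host.pub"
  echo "$WORK/host-cert.pub"
}

# What each side needs in order to trust the CA:
#   server sshd_config:  TrustedUserCAKeys /etc/ssh/ca.pub
#   client known_hosts:  the line produced here
known_hosts_line() {
  printf '@cert-authority *.example.test %s\n' "$(cat "$WORK/ca.pub")"
}

# Principals recorded in a cert, comma-joined, read from ssh-keygen -L.
cert_principals() {
  ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
    | grep -v -e 'Principals:' -e 'Critical Options:' | tr -d ' \t' | paste -sd, -
}

case "${1:-}" in
  demo) cert_principals "$(sign_user_cert)"; cert_principals "$(sign_host_cert)"; known_hosts_line ;;
esac
```

Run it as `sh ssh_ca_demo.sh demo`; the certificate files land in `$WORK` and `ssh-keygen -L -f <cert>` shows the principals and validity window that were signed in.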
José Valim, writing on the Dashbit blog:
I have thought about launching “Devise for Phoenix” probably hundreds of times. I had long conversations with Chris McCord (creator of Phoenix) and co-workers about this. Helping Phoenix users get past the burden of setting up authentication can be a great boost to adoption. At the same time, I never found a proper way to approach the problem.
You can probably guess what’s coming next…
About 2 months ago I decided to handwrite a simple and secure authentication solution on top of a Phoenix application.
Cool stuff. Click through to learn the details of what he came up with (and what’s happening next).
Vulns sourced from the community-maintained elixir-security-advisories.
Hey folks! Feross from JS Party here. I taught a course on web security last quarter at Stanford. All the course materials, slides, and videos are freely available online and I wanted to share with the broader community, in case anyone is interested in learning more about secure web programming.
The course goal is to build an understanding of the most common web attacks and their countermeasures. Given the pervasive insecurity of the modern web landscape, there is a pressing need for programmers and system designers to improve their understanding of web security issues. We’ll be covering the fundamentals as well as the state-of-the-art in web security.
In June of 2017, Let’s Encrypt celebrated 100 Million certificates issued. Now, just about 2.5 years later, that number has grown to 1 billion. What’s changed since 2017?
In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody.
In June of 2017 we were serving approximately 46M websites, and we did so with 11 full time staff and an annual budget of $2.61M. Today we serve nearly 192M websites with 13 full time staff and an annual budget of approximately $3.35M.
What’s driving this adoption?
Nothing drives adoption like ease of use, and the foundation for ease of use in the certificate space is our ACME protocol. ACME allows for extensive automation, which means computers can do most of the work. … Since 2017 browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS.
Firefox is mostly written in C and C++. These languages are notoriously difficult to use safely, since any mistake can lead to complete compromise of the program.
The team has thus far had two strategies for securing the codebase: breaking code into multiple sandboxed processes with reduced privileges, and rewriting code in a safe language like Rust.
Today, we’re adding a third approach to our arsenal. RLBox, a new sandboxing technology developed by researchers at the University of California, San Diego, the University of Texas, Austin, and Stanford University, allows us to quickly and efficiently convert existing Firefox components to run inside a WebAssembly sandbox.
This strikes me as a bonkers idea and kinda brilliant.
The core implementation idea behind wasm sandboxing is that you can compile C/C++ into wasm code, and then you can compile that wasm code into native code for the machine your program actually runs on.
Click through to read more about how they’re pulling this off.
Following up on our awesome episode of The Changelog with Algo creator Dan Guido, I thought I’d kick the tires on this Ansible-based, self-hosted VPN solution to see what it’s like to actually set it up and configure my phone to use it. This is my first video of this kind. I’d love to know what you think! How can I do this better? Do you want moar like this? Keep my day job? What?!
Dan Moren writing for Six Colors:
News out of last week’s meeting of the CA/Browser Forum is that Apple has announced Safari will no longer accept HTTPS certificates older than about 13 months, as of September 1.
The rationale? Shorter certificate lifetimes are safer, for a variety of reasons. For one thing, it prevents a valid (and perhaps abandoned) certificate from being stolen or misappropriated by a bad actor, then used to trick consumers. While there is a process for revoking known bad certificates, it’s cumbersome and many browsers don’t even check the revocation lists.
This may be annoying to many of us in the short-term (our certificate here at changelog.com is a few years old), but it’s a good thing for the security of the web. Suddenly, Let’s Encrypt’s 90 day expirations look both prudent and prescient.
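An added check (not from the Six Colors piece) for the policy described above: it measures a certificate's validity period from its PEM file and compares it with Apple's published 398-day cap, which is the "about 13 months" figure. It assumes openssl and GNU date are installed; demo.example.test and the self-signed test certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Six Colors piece: compare a certificate's
# lifetime with Apple's 398-day cap. Needs openssl and GNU date; the
# self-signed demo certs and demo.example.test are constructed here.
set -eu
MAX_DAYS=398

# Whole days between notBefore and notAfter of a PEM certificate.
cert_lifetime_days() {
  start=$(openssl x509 -noout -startdate -in "$1" | cut -d= -f2-)
  end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2-)
  s=$(date -u -d "$start" +%s)
  e=$(date -u -d "$end" +%s)
  echo $(( (e - s) / 86400 ))
}

# Verdict on lifetime alone; issuance-date and other policy checks that a
# real client also applies are out of scope for this demo.
check_lifetime() {
  days=$(cert_lifetime_days "$1")
  if [ "$days" -gt "$MAX_DAYS" ]; then
    echo "TOO_LONG:$days"
  else
    echo "OK:$days"
  fi
}

# Constructed self-signed certificate: $1 = output path, $2 = validity in days.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
    -subj '/CN=demo.example.test' -days "$2" -out "$1" 2>/dev/null
}

case "${1:-}" in
  demo)
    d=$(mktemp -d)
    make_demo_cert "$d/long.pem" 825; check_lifetime "$d/long.pem"
    make_demo_cert "$d/short.pem" 90; check_lifetime "$d/short.pem"
    ;;
esac
```

Run it as `sh cert_lifetime.sh demo`, or point `check_lifetime` at a certificate you have saved with `openssl s_client -showcerts`.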
Dan Guido mentioned this might be a thing on our Algo VPN episode. Turns out he was right (once version 5.6 of the Linux kernel hits package mirrors for download).
“Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art,”
Little Snitch is cool because it surfaces network connection attempts and lets you decide whether or not to allow them. OpenSnitch is cool because it is open source and built with Python and Go. Buyer beware:
THIS SOFTWARE IS WORK IN PROGRESS, DO NOT EXPECT IT TO BE BUG FREE AND DO NOT RELY ON IT FOR ANY TYPE OF SECURITY
Typosquatting is a way to lure users into divulging sensitive data to cybercriminals. Learn how to protect your organization, your open source project, and yourself.
I wish there were some better solutions to this particularly annoying threat, but this opensource.com piece is the best I’ve seen it covered.
While I’m not exactly surprised at this headline and the findings shared by William Budington and the EFF, I AM, however, deeply disturbed that this is the world we now live in. So, what findings did the EFF share? Here’s a snippet…
Our testing, using Ring for Android version 3.21.1, revealed PII delivery to facebook.com. Facebook, via its Graph API, is alerted when the app is opened and upon device actions such as app deactivation after screen lock due to inactivity. Information delivered to Facebook (even if you don’t have a Facebook account) includes time zone, device model, language preferences, screen resolution, and a unique identifier (anon_id), which persists even when you reset the OS-level advertiser ID.
Branch, which describes itself as a “deep linking” platform, receives a number of unique identifiers (identity_id) as well as your device’s local IP address, model, screen resolution, and DPI.
Some backstory on the acquisitions of Ring (and Nest)…
Google acquired Nest way back in January 2014 for $3.2 billion, in cash. Amazon acquired Ring in February 2018 for more than $1 billion. Coincidentally, Google reabsorbed Nest that very same month by folding Nest into its hardware division. The point is that those are a lot of BILLIONS. You don’t spend that many billions without a plan to make more billions. Sadly, selling access to sensitive data to third parties is a part of making those billions — at least for Ring.
This repository is an overview of what you need to learn penetration testing and a collection of hacking tools, resources and references to practice ethical hacking. Most of the tools are UNIX compatible, free and open source.
A severe security vulnerability impacted all popular npm package managers: npm, yarn and pnpm and even triggered a release for Node.js 12.4.0. What is behind this vulnerability and why is it so important for us to understand? I wrote about it in a post that also explains how npm handles executables.
The commercial VPN industry is a minefield to navigate and many open source solutions are a pain to use or ill-suited for the task. Algo VPN, on the other hand, is a self-hosted personal VPN designed for ease of deployment and security. It uses the securest industry standards, builds on rock-solid solutions like WireGuard and Ansible, and runs on an ever-growing list of cloud hosting providers.
On this episode Dan Guido, CEO of security firm Trail of Bits and Algo’s creator, joins Jerod to discuss the project in depth.
It features small explicit keys, no config options, and UNIX-style composability.
$ age-keygen -o key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
$ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
$ age -d -i key.txt data.tar.gz.age > data.tar.gz
If Rust is more your thing, check out the perfectly named port: rage.
DockerSlim promises a lot:
docker-slim will optimize and secure your containers by understanding your application and what it needs using various analysis techniques. It will throw away what you don’t need, reducing the attack surface for your container. What if you need some of those extra things to debug your container? You can use dedicated debugging side-car containers for that.
Their minification examples are impressive…
Certbot was first released in 2015, and since then it has helped more than two million website administrators enable HTTPS by automatically deploying Let’s Encrypt certificates. Let’s Encrypt is a free certificate authority that EFF helped launch in 2015, now run for the public’s benefit through the Internet Security Research Group (ISRG).
A lot of progress has been made since we first talked about Let’s Encrypt on The Changelog.
Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.
CORS is easy to get wrong. Point this at your URLs and sleep a little easier tonight.
Flan Scan is a lightweight network vulnerability scanner. With Flan Scan you can easily find open ports on your network, identify services and their version, and get a list of relevant CVEs affecting your network.
This is a wrapper around Nmap which turns it into a full-fledged network scanner and makes it easy to deploy on Kubernetes.
This is a short introduction on methods that use neural networks in an offensive manner (bug hunting, shellcode obfuscation, etc.) and how to exploit neural networks found in the wild (information extraction, malware injection, backdooring, etc.).
RadVPN doesn’t need any central point, as it connects to other nodes directly (full mesh); it has a built-in router that routes packets to the appropriate destinations.
Linux only at the moment.
Mozilla, Fastly, Intel, and Red Hat are forming a “Bytecode Alliance”, which is described as:
a new industry partnership coming together to forge WebAssembly’s outside-the-browser future by collaborating on implementing standards and proposing new ones.
We have a vision of a WebAssembly ecosystem that is secure by default, fixing cracks in today’s software foundations. And based on advances rapidly emerging in the WebAssembly community, we believe we can make this vision real.
Security seems to be at the dead center of this alliance. Click through for an in-depth rundown of why this is a problem and what they plan to do about it. Also, some awesome code cartoons from Lin Clark (I assume).
Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need. And it’s free.
For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you.
Algo’s list of features (and anti-features) is compelling and most VPN services are terrible. 👀