Opt out of global data surveillance programs like PRISM, XKeyscore, and Tempora - PRISM Break - PRISM Break. Qualys SSL Labs - Projects / SSL/TLS Deployment Best Practices. SSL/TLS is a deceptively simple technology.
It is easy to deploy, and it just works . . . except that it does not, really. The first part is true—SSL is easy to deploy—but it turns out that it is not easy to deploy correctly. To ensure that SSL provides the necessary security, users must put more effort into properly configuring their servers. In 2009, we began our work on SSL Labs because we wanted to understand how SSL was used and to remedy the lack of easy-to-use SSL tools and documentation.
We have achieved some of our goals through our global surveys of SSL usage, as well as the online assessment tool, but the lack of documentation is still evident. Our aim here is to provide clear and concise instructions to help overworked administrators and programmers spend the minimum time possible to obtain a secure site or web application. Download the guide: Encryption and Security Tutorial. This page contains my godzilla crypto tutorial, totalling 973 slides in 12 parts, of which the first 10 (+ part 0) are the tutorial itself and the 12th is extra material which covers crypto politics.
Part 12 isn't officially part of the technical tutorial itself, and much of it is now also rather dated (the material is extensively covered elsewhere so I haven't spent much time updating it). The tutorial is done at a reasonably high level, there are about two dozen books which cover things like DES encryption done at the bit-flipping level so I haven't bothered going down to this level.
Instead I cover encryption protocols, weaknesses, applications, and other crypto security-related information. Boneh Publications: The most dangerous code in the world: validating SSL certificates in non-browser software. Authors: M.
Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. The Most Dangerous Code in the World: FAQ. RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS) [Docs] [txt|pdf] [draft-saintandre-...]
[Diff1] [Diff2] [Errata] PROPOSED STANDARD Errata Exist Internet Engineering Task Force (IETF) P. Saint-Andre Request for Comments: 6125 Cisco Category: Standards Track J. Hodges ISSN: 2070-1721 PayPal March 2011 Abstract Many application technologies enable secure communication between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). This document specifies procedures for representing and verifying the identity of application services in such interactions.
RFC 6125 Service Identity March 2011 Table of Contents 1. RFC 6125 Service Identity March 2011 9. 1. 1.1. Xkcd Password Generator. The button below will generate a random phrase consisting of four common words.
According to yesterday’s xkcd strip, such phrases are hard to guess (even by brute force), but easy to remember, making them interesting password choices. It’s a novel idea, but xkcd stops short of actually recommending such passwords, and so will I. Use at your own peril! I’m not responsible for anything that happens as a result of your password choice. The First Few Milliseconds of an HTTPS Connection. Convinced from spending hours reading rave reviews, Bob eagerly clicked “Proceed to Checkout” for his gallon of Tuscan Whole Milk and… Whoa!
What just happened? In the 220 milliseconds that flew by, a lot of interesting stuff happened to make Firefox change the address bar color and put a lock in the lower right corner. With the help of Wireshark, my favorite network tool, and a slightly modified debug build of Firefox, we can see exactly what’s going on. By agreement of RFC 2818, Firefox knew that “https” meant it should connect to port 443 at Amazon.com: Most people associate HTTPS with SSL (Secure Sockets Layer) which was created by Netscape in the mid 90’s.
Client Hello. A (relatively easy to understand) primer on elliptic curve cryptography. Author Nick Sullivan worked for six years at Apple on many of its most important cryptography efforts before recently joining CloudFlare, where he is a systems engineer.
He has a degree in mathematics from the University of Waterloo and a Masters in computer science with a concentration in cryptography from the University of Calgary. This post was originally written for the CloudFlare blog and has been lightly edited to appear on Ars. Readers are reminded that elliptic curve cryptography is a set of algorithms for encrypting and decrypting data and exchanging cryptographic keys. Dual_EC_DRBG, the cryptographic standard suspected of containing a backdoor engineered by the National Security Agency, is a function that uses elliptic curve mathematics to generate a series of random-looking numbers from a seed. This primer comes two months after internationally recognized cryptographers called on peers around the world to adopt ECC to avert a possible "cryptopocalypse. "