Skip to main content

Search

Items tagged with: TLS


New blog post: Post-OCSP certificate revocation in the Web PKI.

With OCSP in all forms going away, I decided to look at the history and possible futures of certificate revocation in the Web PKI. I also threw in some of my own proposals to work alongside existing ones.

I think this is the most comprehensive current look at certificate revocation right now.


#security #WebPKI #LetsEncrypt #TLS #OCSP


For a blog post I’m writing about dealing with certificate revocation, here are the topics I’m covering:

  • OCSP (inc. stapling, must-staple, the never-adopted expect-staple, discontinuation from BoringSSL and Let’s Encrypt)
  • CRLs, inc. CRLite, CRLSets, and Let’s Revoke.
  • Short-lived certs (inc. ACME-STAR, Delegated Credentials, and notAfter)

Anything else I should cover?

#WebPKI #TLS


#TLS #EncryptedClientHello #ECH support has been merged in #curl!

github.com/curl/curl/pull/1192…


Open Letter regarding the #eIDAS Regulation:

We strongly warn against the currently proposed trilogue agreement, as it fails to properly respect the right to privacy of citizens and secure online communication; without establishing proper safeguards as outlined above, it instead substantially increases the potential for harm.

See the full Joint statement of scientists and NGOs on the EU’s proposed eIDAS reform here: blog.fiff.de/eidas-open-letter… #TLS


We just created a #HOWTO for how to set up dev/test servers using our #TLS #EncryptedClientHello #ECH enabled forks of #OpenSSL #nginx and #curl running on #Debian. It should be very quick to get started using a new domain: guardianproject.info/2023/11/1…


Mitigating the Hetzner/Linode XMPP.ru MitM interception incident, part 2: XMPP-specific mitigations

devever.net/~hl/xmpp-incident-…

#xmpp #mitm #tls


Hey there -- we're Let's Encrypt, the free and open certificate authority serving over 300 million websites worldwide. We're new to Mastodon and are excited to get to know the infosec community in this new space!

letsencrypt.org/

#opensource #TLS #PKI #infosec


I've asked it in a poll in 8/2021 at Mastodon.technology, now it's time for a refresher: To improve #security I finally consider to really drop support for #TLS 1.0/1.1 (see blog.qualys.com/product-tech/2… and e.g. ssllabs.com/ssltest/analyze.ht…). This basically would affect devices running Android < 4.4. As I do not want to lock anybody out, I'd like to see how many of you would this effect.

🇩🇪 Noch wer mit Android < 4.4 unterwegs und somit auf TLS 1.0/1.1 angewiesen (1. ja, 2. macht nix, 3. nein)?

So:

  • I still use such a device and need compatibility (1%, 4 votes)
  • I still use such a device but wouldn't mind (6%, 21 votes)
  • I don't care (92%, 320 votes)
345 voters. Poll end: 1 year ago


I’m not going to use bloody bugzilla, so if anyone from Mozilla sees this, your enterprise flow for adding certificate authorities (CAs) to Firefox on Linux fails on Fedora Silverblue.

Since Fedora Silverblue is seen as the possible future of Fedora/Red Hat, you folks might want to talk to the Fedora folks about it and come up with a solution.

github.com/fedora-silverblue/i…

#mozilla #firefox #fedora #fedoraSilverblue #bug #tls #ssl #redHat #linux #enterprise #certificates


Now that we made it all through the holidays, we're happy to do some releases again!

First up is our #RPKI relying party software Routinator. 🚀 Version 0.12.1 fixes a small number of bugs. Most importantly, the #TLS-enabled servers for both HTTP and RTR now also accept private keys formatted as PKCS#1 RSA keys rather than only accepting PKCS#8 keys. #RoutingSecurity #rustlang

github.com/NLnetLabs/routinato…


Folks, if you’re using @small-tech/auto-encrypt in your projects, please make sure you’re running the latest version of the package (3.1.0) or certificate provisioning/renewal will fail due to the latest Let’s Encrypt protocol update.

codeberg.org/small-tech/auto-e…

#tls #https #letsEncrypt #autoEncrypt #js #javaScript #nodeJS #web #dev #smallWeb #smallTech