20 years of web cryptography, and it's amazing how frequently it's configured sub-optimally. We've had numerous encryption algorithms, digests and protocols come, and they should have GONE, but everyone has just left them on. It's time to shut out the legacy browser. The vast majority of the world's browser install base now auto-updates, and with strict (and prescriptive) compliance in force, we get to drop the bloat from the past. In this talk we'll cover the current TRANSITIONS we're going through from a web admin's perspective: TLS, Cipher Suites, HTTP Security Headers, CAs, the move to an encrypted-by-default web, and more.
AISA 2018 Perth Conference: State Of Web Security In 2018
9. PERTH CONFERENCE 2018
The legacy has gone in the real world. It only remains in locked-down SOE/MOE environments where admin/helpdesk staff can't keep up with test/image/distribute of new browsers, and prefer to stay on legacy instead of current like the rest of the world.
11.
Current generation TLS protocols
Strong Cipher Suites – minimise spread of support
HTTP Security Headers
SRI
Cookies SameSite
DNS CAA
HTTP/2
12.
0. Use HTTPS
Get rid of HTTP everywhere
Trusted certificates are free
Donate to LetsEncrypt!
14. TLS Protocol: Major components by time
(Figure: a timeline of one TLS session in three phases, Protocol, Key Exchange and Bulk Encryption; the labels are cert exchange, bulk cipher selection, symmetric key exchange, and "up to several gigabytes" for the bulk encryption phase.)
15.
• There are just 7 TLS versions defined.
• Most are 10+ years old.
• Only 6 have been used in the wild.
• Only 3 are not yet known to be compromised.
• Do you support the use of known compromised protocols?
Versions: SSLv1, SSLv2, SSLv3, TLS 1, TLS 1.1, TLS 1.2, TLS 1.3
16.
(Figure: protocol timeline)
1994: SSL 1.0 (Netscape)
1995: SSL 2.0 (Netscape)
1996: SSL 3.0 (IETF)
1999: TLS 1.0 (IETF)
2006: TLS 1.1 (IETF)
2008: TLS 1.2 (IETF)
2018: TLS 1.3 (IETF)
The timeline also marks the first Chrome, Safari, Firefox, Opera and Edge releases and the (last) IE 11 release.
17.
• You are highly unlikely to see clients using any service with TLS 1.1
• Check logs; disable 1.1.
• Your stack probably doesn't support TLS 1.3 yet.
• 5+ months since PCI DSS 3.2 prohibited use of "Early TLS" (1.0 and earlier)
(Slide graphic: TLS 1.1, TLS 1.2, TLS 1.3)
18.
Today's Protocol Winners:
• TLS 1.2 [RFC 5246; August 2008]
• TLS 1.3 [RFC 8446; August 2018]
Ask your service team/provider for:
• TLS version and ciphers actively used from logs
• Turn off the compromised legacy you don't use.
27. Key Exchange
• Historically, RSA used the same private/public key pair: DH (do not use now)
• Use temporary keys for Forward Secrecy: DHE (ok)
• DH can now also be replaced by Elliptic Curve DH Key Ephemeral: ECDHE (wow)
28. X.509 Certificates
• CAs now require you to use RSA 2048 bit keys
• Even longer keys are better, but way slower
• Move to Elliptic Curve Digital Signature Algorithm (ECDSA) based keys and certificates
• Still requires CAs and Clients to upgrade to understand this signature algorithm
29. Bulk Encryption
• Disable DES, 3DES, RC4: they are insecure or weak
• Enable AES 128/256, specifically with GCM mode
• MS IE can't do GCM (when not used from Windows 10)
30.
"Microsoft believes that it's no longer safe to decrypt data encrypted with the Cipher-Block-Chaining (CBC) mode of symmetric encryption when verifiable padding has been applied without first ensuring the integrity of the ciphertext, except for very specific circumstances."
31.
The strongest Bulk encryption that MS Internet Explorer can do (when not on Windows 10) is not considered secure by its vendor.
37.
Content-Security-Policy: ...
"Only load $content from $sources;
Only submit forms to these $destinations;
Only permit framing in on these $sites;
Only permit content from $sites in my frames"
38.
Content-Security-Policy: default-src 'none'; img-src 'self' data:; script-src 'self' 'unsafe-inline' https://cdn.bootstrap.com; frame-src 'none'; font-src 'self'
"Only load $content from $sources;
Only submit forms to these $destinations;
Only permit framing in on these $sites;
Only permit content from $sites in my frames"
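As an added example (not code from the deck), the slide's policy parsed and mapped onto the four questions above, with a check for what the policy leaves unanswered; the function names and finding texts are my own, and the policy string is the slide's header as a browser would receive it (ASCII quotes, default-src spelled out).

```python
"""Parse a Content-Security-Policy header and map it onto the four
questions from the slide.  Added example, not from the original deck."""

# The slide's example policy, as a browser would receive it.
# Constructed input for this example.
SLIDE_POLICY = (
    "default-src 'none'; img-src 'self' data:; "
    "script-src 'self' 'unsafe-inline' https://cdn.bootstrap.com; "
    "frame-src 'none'; font-src 'self'"
)

# Fetch directives that fall back to default-src when absent.
FETCH_DIRECTIVES = ("img-src", "script-src", "style-src", "font-src",
                    "connect-src", "media-src", "object-src", "frame-src")


def parse_csp(header):
    """Return {directive: [source, ...]}; a repeated directive keeps its
    first occurrence, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources that actually apply to a fetch directive: frame-src falls
    back to child-src, every fetch directive falls back to default-src,
    and with no default-src at all the browser allows everything."""
    chain = [directive] + (["child-src"] if directive == "frame-src" else [])
    chain.append("default-src")
    for name in chain:
        if name in policy:
            return policy[name]
    return ["*"]


def summarize(header):
    """Answer the slide's four questions for a policy.  form-action and
    frame-ancestors do NOT inherit from default-src, so leaving them out
    means 'anywhere'."""
    policy = parse_csp(header)
    return {
        "load content from": {d: effective_sources(policy, d)
                              for d in FETCH_DIRECTIVES},
        "submit forms to": policy.get("form-action", ["(any destination)"]),
        "allow framing by": policy.get("frame-ancestors", ["(any site)"]),
        "allow in my frames": effective_sources(policy, "frame-src"),
    }


def audit_csp(header):
    """Return one finding string per weakness; an empty list means the
    policy answers all four questions restrictively."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: unlisted content types are unrestricted")
    scripts = effective_sources(policy, "script-src")
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in scripts:
            findings.append(f"script-src allows {weak}: injected script would run")
    if "form-action" not in policy:
        findings.append("no form-action: forms may submit to any destination")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: any site may frame this page")
    for directive in FETCH_DIRECTIVES:
        for source in effective_sources(policy, directive):
            if source.startswith("http://"):
                findings.append(f"{directive} allows plaintext source {source}")
    return findings
```

Run against the slide's policy, audit_csp reports three gaps: script-src permits 'unsafe-inline', and the questions about form submission and who may frame the page are not answered at all.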
46.
Risk: There are ~200 publicly trusted Certificate Authorities, any of which can, if presented with sufficient evidence, issue a certificate to a customer in your name.
54. Did you know...
...all the crypto ciphers we discussed here also apply to native Windows Active Directory, based upon your Domain Functional Level (DFL)?
• Level 2008: Enables AES 128/256
• Level 2012R2: Disables DES and RC4 for Kerberos
55.
1. HTTP redirect to HTTPS on main web site (all others remove HTTP completely)
2. Protocols: TLS 1.2 and/or newer (Apache: 2.4.36+, OpenSSL 1.1.1+)
3. Cipher suites:
   1. Server Order Preference enabled
   2. ECDHE-AES{128,256}-GCM-SHA{256,384,512} at or near the top
   3. remove RC4, DES, 3DES bulk ciphers
   4. remove DH (non ephemeral) key exchanges
   5. remove SHA1, MD5 MAC
   6. check with https://ssllabs.com
4. Security Headers:
   1. add Strict-Transport-Security
   2. add Content-Security-Policy
   3. add Referrer-Policy
   4. add Feature-Policy
   5. add X-Content-Type-Options
   6. check with https://securityheaders.com
5. DNS: Add CAA record (low TTL, eg, 10 seconds)
6. Content: Add Sub Resource Integrity checks for (versioned) content you don't control
7. Content: Change Set-Cookie to add option: SameSite=Lax/Strict
8. Server: Enable HTTP/2 (Apache: a2enmod h2, IIS: Windows Server 2016)
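As an added example (not the deck's own code), a Python audit of a server's response headers and its OpenSSL cipher string against items 3, 4 and 7 of this checklist, plus the forward-secrecy point from the Key Exchange slide; the sample response, the cipher string and the function names are constructed for this example.

```python
"""Check HTTP response headers and an OpenSSL cipher list against the
checklist above (items 3, 4 and 7).  Added example, not from the deck."""
import re

# Constructed sample: what a not-yet-hardened server might send.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
Set-Cookie: prefs=dark; Path=/; SameSite=Lax
"""

# Constructed sample: an SSLCipherSuite-style OpenSSL cipher string.
SAMPLE_CIPHERS = ("AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:"
                  "ECDHE-ECDSA-AES256-GCM-SHA384:DH-RSA-AES128-SHA256:RC4-SHA")

REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "Referrer-Policy", "Feature-Policy", "X-Content-Type-Options")


def parse_headers(raw):
    """Return (status_line, [(name, value), ...]), keeping repeats such as
    multiple Set-Cookie lines."""
    lines = raw.splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def audit_headers(raw):
    """Checklist item 4 (headers present) and item 7 (SameSite cookies)."""
    _, headers = parse_headers(raw)
    present = {name.lower() for name, _ in headers}
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS
                if h.lower() not in present]
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split(";", 1)[0].split("=", 1)[0]
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {cookie}: no SameSite attribute")
    return findings


def suite_findings(suite):
    """Checklist items 3.3-3.5 for one OpenSSL suite name."""
    findings = []
    if re.search(r"(^|-)(RC4|DES)(-|$)", suite):   # RC4, DES, DES-CBC3 (3DES)
        findings.append(f"{suite}: weak bulk cipher")
    if not suite.startswith(("ECDHE-", "DHE-")):    # static RSA/DH/ECDH
        findings.append(f"{suite}: non-ephemeral key exchange, no forward secrecy")
    if suite.endswith(("-SHA", "-MD5")):            # HMAC-SHA1 / HMAC-MD5
        findings.append(f"{suite}: SHA1/MD5 MAC")
    return findings


def audit_ciphers(cipher_list):
    """Item 3.2 (ECDHE AES-GCM at the top) plus the per-suite checks."""
    suites = cipher_list.split(":")
    findings = []
    if not (suites[0].startswith("ECDHE-") and "-GCM-" in suites[0]):
        findings.append(f"first suite is {suites[0]}, not an ECDHE AES-GCM suite")
    for suite in suites:
        findings.extend(suite_findings(suite))
    return findings


def harden_ciphers(cipher_list):
    """The corrected string: flagged suites dropped, ECDHE AES-GCM first.
    Pair it with SSLHonorCipherOrder on, so the server's order wins (item 3.1)."""
    keep = [s for s in cipher_list.split(":") if not suite_findings(s)]
    keep.sort(key=lambda s: not (s.startswith("ECDHE-") and "-GCM-" in s))
    return ":".join(keep)
```

The cipher checks work on OpenSSL suite names only; for the TLS 1.3 suites and a second opinion, item 3.6's SSL Labs scan still applies.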
56.
https://nephology.net.au/
In-person technology & cloud training. Advanced concepts; expert trainers.
• Advanced Security & Operations on AWS
• Web Security
Too much? Really interesting? Got more questions? I can help...