Network Security (NetSec)

Internet Research Task Force (IRTF)  irtf.org

"The Internet Research Task Force (IRTF) promotes research of importance to the evolution of the Internet by creating focused, long-term Research Groups working on topics related to Internet protocols, applications, architecture and technology."

White Paper: ALIBI ROUTING   alibi.cs.umd.edu

"We introduce Alibi Routing, a peer-to-peer system that allows users to understand and control where in the world their packets don't go. In other words, it lets users provably avoid parts of the world while communicating with others or browsing the web."

Blog: History and implementation status of Opportunistic Encryption for IPsec [2013]  nohats.ca

"A few people asked about the FreeS/WAN IPsec OE efforts and whatever happened to it. The short answer is, we failed and got distracted. The long answer follows below. At the end I will talk about the current plans that have lingered in the last two years to revive this initiative."

HORNET: High-speed Onion Routing at the Network Layer (arXiv:1507.05724v1)  arxiv.org

"We present HORNET, a system that enables high-speed end-to-end anonymous channels by leveraging next generation network architectures. HORNET is designed as a low-latency onion routing system that operates at the network layer thus enabling a wide range of applications. Our system uses only symmetric cryptography for data forwarding yet requires no per-flow state on intermediate nodes. This design enables HORNET nodes to process anonymous traffic at over 93 Gb/s. HORNET can also scale as required, adding minimal processing overhead per additional anonymous channel."

RC4 NOMORE: Numerous Occurrence MOnitoring & Recovery Exploit  rc4nomore.com

"In our demonstration the victim uses Internet Explorer, and we show how the attacker can take over an account of the victim. This is the first time weaknesses in RC4, when used in TLS and HTTPS, are exploited against real devices."

The POODLE has friends  vivaldi.net

"If a server does not check this field, then it has ignored one of the primary goals of TLS: ensuring the integrity of the data communicated over the channel - The updated test found 269 servers (out of 530000 tested servers) that did not perform the check."
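Added illustration of the check the quote is about (this is not code from the linked post; it is a toy, not a TLS implementation): after CBC decryption of a TLS record the last byte gives the padding length, and TLS 1.0+ requires every padding byte to equal it. SSL 3.0 only defines the last byte, so a server that applies the SSL 3.0 rule to TLS records accepts records whose padding has been tampered with, which is the gap POODLE exploits. The padding bytes are not covered by the record MAC, so this check is the only thing protecting them.

```python
"""Added example, not from the linked article: TLS-style vs SSL 3.0-style CBC
padding checks, and what each does with a record whose padding bytes were
altered. Plaintext only; no encryption or MAC is modelled here."""

BLOCK = 16  # AES block size; padding sits after the MAC, before encryption


def pad(payload: bytes) -> bytes:
    """TLS/SSL CBC padding: pad_len bytes each equal to pad_len, followed by
    the pad_len byte itself, so the total is a multiple of BLOCK."""
    pad_len = (BLOCK - (len(payload) + 1) % BLOCK) % BLOCK
    return payload + bytes([pad_len] * (pad_len + 1))


def check_padding_tls(decrypted: bytes) -> bool:
    """TLS 1.0+ rule (RFC 2246 6.2.3.2): every padding byte must equal the
    length byte, so any modified padding byte causes rejection."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):
        return False
    return all(b == pad_len for b in decrypted[-(pad_len + 1):])


def check_padding_ssl3(decrypted: bytes) -> bool:
    """SSL 3.0 rule: only the last byte is defined (it must be smaller than
    the block size); the other padding bytes are never inspected."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len < BLOCK and pad_len + 1 <= len(decrypted)


def corrupt_padding(padded: bytes) -> bytes:
    """Stand-in for what an attacker's ciphertext change produces after
    decryption: the padding bytes come out different, the length byte does
    not. Deterministic (+1 per byte) so the example is reproducible."""
    pad_len = padded[-1]
    if pad_len == 0:
        return padded
    body = padded[:-(pad_len + 1)]
    junk = padded[-(pad_len + 1):-1]
    return body + bytes((b + 1) % 256 for b in junk) + padded[-1:]


def demo() -> dict:
    """Constructed HTTP request as the record payload."""
    record = pad(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    bad = corrupt_padding(record)
    return {
        "tls_accepts_clean": check_padding_tls(record),
        "tls_accepts_corrupt": check_padding_tls(bad),
        "ssl3_accepts_corrupt": check_padding_ssl3(bad),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A real server must also perform this check in constant time with respect to the padding length (the Lucky 13 timing attack targets exactly the early-exit comparison written above); the toy is only meant to show which bytes the two rules look at.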

@dotchloe: A month with BADONIONS  chloe.re

"Both Tor, independent security researchers and website owners need to work towards a safer Internet. In 32 days I've found 15 instances where a node is sniffing and using my credentials and over 650 unique page visits, which means that others also sniff."

NET OF INSECURITY: A flaw in the design: The Internet’s founders saw its promise but didn’t foresee users attacking one another  washingtonpost.com

Washington Post: "The making of a vulnerable Internet: This story is the first of a multi-part project on the Internet’s inherent vulnerabilities and why they may never be fixed."

Adios, Hola! Or: Why You Should Immediately Uninstall Hola  adios-hola.org

"Hola is harmful to the internet as a whole, and to its users in particular. You might know it as a free VPN or "unblocker", but in reality it operates like a poorly secured botnet - with serious consequences."

FOXIT Blog: Deep dive into QUANTUM INSERT  blog.fox-it.com

"QUANTUMINSERT (QI) is actually a relatively old technique. In order to exploit it, you will need monitoring capabilities to leak information of observed TCP sessions and a host that can send spoofed packets. Your spoofed packet also needs to arrive faster than the original packet to be able to be successful."
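The race described in the quote leaves a trace a passive sensor can look for: both the spoofed segment and the genuine one reach the wire, carry the same TCP sequence number in the same flow, and differ in payload, while an ordinary retransmission repeats identical data. The following is an added example of that detection logic (not Fox-IT's code); the capture it runs on is constructed for the example, and the IP TTL is recorded only as supporting evidence, since a spoofer at a different hop distance often shows a different TTL.

```python
"""Added example, not from the Fox-IT post: flag TCP segments that reuse a
sequence number with a different payload, the footprint of a QUANTUMINSERT
race. Sample capture below is constructed for this illustration."""
from collections import defaultdict
from typing import NamedTuple


class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int          # IP TTL on arrival at the sensor
    payload: bytes


class Hit(NamedTuple):
    flow: tuple       # (src, sport, dst, dport, seq)
    first: bytes      # payload seen first (the one the client will have accepted)
    first_ttl: int
    second: bytes     # conflicting payload for the same sequence number
    second_ttl: int


def find_inserts(segments):
    """Return one Hit per sequence number seen with two different non-empty
    payloads in the same flow direction. Identical retransmissions are benign
    and ignored; pure ACKs carry no data to conflict on."""
    seen = defaultdict(dict)  # flow key -> {payload: ttl of first sighting}
    hits = []
    for s in segments:
        if not s.payload:
            continue
        key = (s.src, s.sport, s.dst, s.dport, s.seq)
        variants = seen[key]
        if s.payload in variants:
            continue
        if variants:
            first_payload, first_ttl = next(iter(variants.items()))
            hits.append(Hit(key, first_payload, first_ttl, s.payload, s.ttl))
        variants[s.payload] = s.ttl
    return hits


# Constructed capture: client request, a spoofed redirect that wins the race,
# then the genuine response and a later retransmission of it.
SERVER, CLIENT = "93.184.216.34", "10.0.0.5"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE = [
    Segment(CLIENT, 45210, SERVER, 80, 5000, 64,
            b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 45210, 1001, 49,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 45210, 1001, 56, GENUINE),
    Segment(SERVER, 80, CLIENT, 45210, 1001, 56, GENUINE),
]

if __name__ == "__main__":
    for h in find_inserts(SAMPLE):
        print(f"seq {h.flow[4]} {h.flow[0]}:{h.flow[1]} -> {h.flow[2]}:{h.flow[3]}")
        print(f"  first  (ttl {h.first_ttl}): {h.first[:40]!r}")
        print(f"  second (ttl {h.second_ttl}): {h.second[:40]!r}")
```

Caveat: a sender that re-segments after a path MTU change can legitimately emit two segments with the same sequence number but different lengths; comparing only the overlapping prefix of the two payloads, rather than whole payloads, removes most of that noise.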

Blog: About Public Key Pinning - RFC 7469, Public Key Pinning Extension for HTTP (HPKP)  noncombatant.org

"At long last, the Internet Engineering Task Force (IETF) has published RFC 7469, Public Key Pinning Extension for HTTP (HPKP)" "HPKP is an attempt to solve 1 of the big problems in the Web PKI: the fact that essentially any certification authority (CA) or intermediate issuer can issue end-entity (EE, or “leaf”) certificates for essentially any web site."
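The mechanism behind the RFC, as an added example that is not from the linked post or the RFC's authors: a pin is the base64 SHA-256 of a certificate's DER SubjectPublicKeyInfo, and a client only honours a Public-Key-Pins header if at least one pin matches a key in the chain it just validated and at least one pin does not (the backup pin, so a lost key does not lock every returning client out). The SPKI byte strings below are constructed stand-ins, not real keys.

```python
"""Added example, not from the linked post or RFC 7469's authors: computing a
pin-sha256 value, parsing a Public-Key-Pins header, and applying the
acceptance rules a client uses before noting the pins. Key material is a
constructed stand-in for DER SubjectPublicKeyInfo bytes."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value. Directive names are
    case-insensitive and pin values are quoted base64. Raises ValueError if a
    pin does not decode to 32 bytes or max-age is missing/invalid."""
    pins, max_age, include_sub, report_uri = [], None, False, None
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            raw = base64.b64decode(value, validate=True)
            if len(raw) != 32:
                raise ValueError("pin-sha256 must decode to 32 bytes")
            pins.append(value)
        elif name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "report-uri":
            report_uri = value
        # unknown directives are ignored
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_sub, "report_uri": report_uri}


def validate_pins(parsed: dict, chain_spki_ders) -> tuple:
    """Acceptance rules (RFC 7469, section 2.5): at least one pin must match an
    SPKI in the served chain, and at least one pin must NOT be in the chain
    (the backup pin). Returns (accepted, reason)."""
    chain_pins = {spki_pin(d) for d in chain_spki_ders}
    pins = set(parsed["pins"])
    if not pins & chain_pins:
        return False, "no pin matches a key in the served chain"
    if not pins - chain_pins:
        return False, "no backup pin outside the served chain"
    return True, "ok"


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
KEY_LIVE = b"constructed-spki-live-key"
KEY_BACKUP = b"constructed-spki-backup-key"
HEADER = (f'pin-sha256="{spki_pin(KEY_LIVE)}"; pin-sha256="{spki_pin(KEY_BACKUP)}"; '
          'max-age=5184000; includeSubDomains')

if __name__ == "__main__":
    parsed = parse_hpkp(HEADER)
    print(validate_pins(parsed, [KEY_LIVE]))              # accepted
    print(validate_pins(parsed, [KEY_LIVE, KEY_BACKUP]))  # rejected: no backup pin
```

The second case is the one operators get wrong: shipping both pinned keys in the chain satisfies the "matches" rule but fails the backup rule, so clients discard the header and the site gets no pinning at all.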

Mozilla Security Blog: Deprecating Non-Secure HTTP  blog.mozilla.org

"In recent months, there have been statements from the IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS"

HTTPSWatchAU: Project greenlight

Launching a side project to monitor, and shame, sites' HTTPS implementation or the lack thereof.

Whitepaper: GSM Association - Network Management of Encrypted Traffic  gsma.com

"Encrypted Web traffic is expected to continue its upward trend, driven by increased privacy awareness, uptake by major players and advocacy from the IETF and W3C. This document describes the technical details of options to persist certain network management functions for encrypted traffic."

Tor Summer of Privacy  trac.torproject.org

Applications Due April 17th!

Secure Secure Shell  stribika.github.io

Warning: Contains Snowden related fluff and noise.

Imperialviolet: The POODLE bites again  imperialviolet.org

"everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken"

OpenVPN 2.3.6 fixes a critical DoS issue (CVE-2014-8104)

The vulnerability allows a tls-authenticated client to crash the server by sending it a too-short control channel packet.

Letsencrypt.org - Free, Automated, and Open Certificate Authority

This service supporting Certificate Transparency and other security practices will be built on the Automated Certificate Management Environment (ACME) protocol with a draft specification available on GitHub.

SlashDot thread. HackerNews thread.

18F: Why we use HTTPS for every .gov we make  18f.gsa.gov

"18F is an in-house government technology team that builds things for the rest of the US federal government, and we're committed to deploying HTTPS across all of our released websites."

Internet Architecture Board statement on Internet confidentiality.   iab.org

'We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected.'

Cybershambles.com: Upgraded the signed certificate / Keybase Verified GPG

1) I've upgraded the signed TLS certificate... with the best practice 4096bit SHA256

  • SHA-256 Fingerprint: C1 65 50 3A 07 08 91 17 44 D7 A4 09 29 8D BF DD 1B 3C D3 81 8A 07 55 25 59 A4 59 C4 B8 B5 50 FB
  • SHA-1 Fingerprint: 01 83 22 BB 13 1F 00 DA B7 A4 14 AF 63 CE 09 66 57 F2 87 CF

2) I've verified my Keybase GPG key at https://keybase.io/cybershambles - 

Kickstarter for anonabox : a Tor hardware router Suspended (Internet cheers)  kickstarter.com

We live in a world of CyberShambles and I'm glad to hear this project got nuked. On the plus side, thegrugq is likely in deep discussion with a number of internet rockstars on how we can turn the Anonabox trainwreck into something positive.

"I'm working on something to announce (hopefully) today. Will try to get a PORTAL to everyone that wants/needs one. :)" - @thegrugq

The SSLappening: POODLE Major vulnerability in SSL 3.0 (CVE-2014-3566)

"Unlike with the BEAST there is no reasonable workaround ... SSL 3.0 must be avoided entirely"

Google: In the coming months, we hope to remove support for SSL 3.0 completely from our client products.

Mozilla: SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25. Firefox 35 will support a generic TLS downgrade protection mechanism known as SCSV.

Anonabox : a Tor hardware router reaches $250,000 on first day  kickstarter.com

@bunniestudios & Torproject.org dropped the TorRouter project years ago. Who wants the responsibility of shipping live targets ;) Good luck with all that. See: https://lists.torproject.org/pipermail/tor-talk/2012-March/023799.html

"If you run a privacy conference with only card payment methods or sell a TOR appliance with google-analytics on your site, rethink your life" - @Kxyne

CloudFlare blog: Introducing Universal SSL  blog.cloudflare.com

"This morning we began rolling out the Universal SSL across all our current customers. We expect this process to be complete for all current customers before the end of the day. Yesterday, there were about 2 million sites active on the Internet that supported encrypted connections. By the end of the day today, we'll have doubled that."

"For all customers, we will now automatically provision an SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains. Those certificates include an entry for the root domain (e.g., example.com) as well as a wildcard entry for all first-level subdomains (e.g., www.example.com, blog.example.com, etc.)"

Cloudflare Keyless SSL: The Nitty Gritty Technical Details - PKCS11 over TCP/IP  blog.cloudflare.com

"In Keyless SSL, the key server only allows connections from clients with a certificate signed by a CloudFlare internal certificate authority. We use certificates granted by our own certificate authority for both sides of this connection. We have strict controls over how these certificates are granted and use the X.509 Extended Key Usage option to ensure that certificates are only used as intended."

"Sebastien was able to build the initial Keyless SSL prototype overnight. Making sure it was secure, fast, and could scale is what took us two years of engineering. Now, with persistent connections and advanced session resumption techniques, using Keyless SSL is not only safe, it’s blazing fast!"

SMIMP: Simple Messaging and Identity Management Protocol  smimp.org

SMIMP is a secure messaging protocol aimed at addressing the flaws and failures of traditional email. By creating a new protocol designed to be secure from day one, instead of gluing security on as an afterthought, SMIMP intends to address the flaws and mistakes of traditional email.

“SMIMP can be divided into two major parts: identity management and messaging. The identity management system is the core of the design, which the messaging system leverages and builds upon. The identity management system can be leveraged by other systems, and such use is encouraged.”

Streisand: Silence censorship with pop-up anti-censorship.  github.com

A single command sets up a brand new server running a wide variety of anti-censorship software that can completely mask and encrypt all of your Internet traffic. -- “Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services.” – Joshua Lund.