Tag Archives: Security

vCloud Director 5.6.4 Remote Console Proxy Issues

By | October 21, 2017

vCloud Director is a great IaaS addition to any lab, development, or production environment. When it's working properly, it's a very satisfying experience wielding the power of agility, consistency, and efficiency vCD provides. However, like many things in tech with upstream and human dependencies, it can and does break. Particularly in lab or less well maintained…

Insecure Updates in Joomla Before 3.6

By | October 9, 2017

In early April I reported security issues with the update process to the security contact of Joomla. While the issue has been fixed in Joomla 3.6, the communication process was far from ideal. The issue itself is pretty simple: Until recently Joomla fetched information about its updates over unencrypted and unauthenticated HTTP…

TLS Interception Considered Harmful: Video and Slides

By | October 9, 2017

At the recent Chaos Communication Camp I gave a talk summarizing the problems with TLS interception or Man-in-the-Middle proxies. This was initially motivated by the occurrence of Superfish and my own investigations on Privdog, but I learned in the past months that this may be a far bigger problem. I was surprised…

Zero Days and Cargo Cult Science

By | October 9, 2017

I've complained in the past about the lack of rigorous science in large parts of IT security. However, there is no lack of reports and publications that claim to provide data about this area. Recently RAND Corporation, a US-based think tank, published a report about zero day vulnerabilities. Many people praised it, an article…

Superfish 2.0: Dangerous Certificate on Dell Laptops Breaks Encrypted HTTPS Connections

By | October 5, 2017

tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check; affected users should delete the certificate. It seems that Dell hasn't learned anything from the Superfish scandal earlier this year: Laptops from the company come with a preinstalled…

A Little POODLE Left in GnuTLS (old Versions)

By | October 5, 2017

tl;dr Older GnuTLS versions (2.x) fail to check the first byte of the padding in CBC modes. Various stable Linux distributions, including Ubuntu LTS and Debian wheezy (oldstable), use this version. Current GnuTLS versions are not affected. A few days ago an email on the ssllabs mailing list caught my attention.…

The Problem with OCSP Stapling and Must Staple and Why Certificate Revocation Continues to Be Broken

By | October 5, 2017

Today the OCSP servers from Let's Encrypt were offline for a while. This has caused far more trouble than it should have, because in theory we have all the technologies available to handle such an incident. However, due to failures in how they are implemented, they…

What Got Us Into the SHA1 Deprecation Mess?

By | October 5, 2017

Important notice: After I published this text Adam Langley pointed out that a main assumption is incorrect: Android 2.2 actually has no problems with SHA256-signed certificates. I checked this myself and in an emulated Android 2.2 instance I was able to connect to a site with a SHA256-signed certificate. I…

Safer Use of C Code: Running Gentoo with Address Sanitizer

By | October 5, 2017

Update: When I wrote this blog post it was an open question for me whether using Address Sanitizer in production is a good idea. A recent analysis posted on the oss-security mailing list explains in detail why using ASan in its current form is almost certainly not a good idea. Having any suid…

Don't Leave Coredumps on Web Servers

By | October 5, 2017

Coredumps are a feature of Linux and other Unix systems for analyzing crashing software. If a program crashes, for example due to an invalid memory access, the operating system can save the current content of the application's memory to a file. By default it's simply called core. While this is…