Tag: tls

Key pinning in Golang

Jun 13, 2016 2 min.

Key pinning is a technique that can protect clients from rogue or compromised certificate authorities [1, 2, 3]. If you have control over the client and the server, you can bake the server’s public key into the client and bypass (or supplement) trust in certificate authorities. Many mobile applications on iOS and Android do this using these libraries: AFNetworking TrustKit AndroidPinning The Chrome and Firefox web browsers also allow pinning with pre-loaded pins and support of the HTTP Public Key Pinning (HPKP) protocol.

MailChimp Information Disclosure

Jun 27, 2015 2 min.

Earlier this year I was working on a MailChimp integration for my “Real Job” and spent the evening poking around their application. I found a few small things that, when combined, allow a man-in-the-middle to view a user’s entire MailChimp account data (including a lists of their subscribers and campaigns). Cross Site Request Forgery I first noticed that the account data export endpoint had no CSRF protections. The following HTML, served from any website, would trigger an export for users who are logged into MailChimp.

Securing ruby SSL connections

Nov 18, 2014 1 min.

By default, ruby uses OpenSSL settings that leave you open to insecure cipher combinations when making HTTPS requests. I wrote the following gist to document my attempt to secure HTTP requests from a rails application following the poodle vulnerability.

nginx self signed cert

Oct 5, 2014 1 min.

Create your self-signed certificate: openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -nodes Configure your nginx: server { listen 443 ssl; listen [::]:443 ssl ipv6only=on; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /etc/nginx/ssl/dhparam.pem; # enables server-side protection from BEAST attacks # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html ssl_prefer_server_ciphers on; # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # ciphers chosen for forward secrecy and compatibility # http://blog.

Heartbleeding an OpenVPN server

Apr 21, 2014 2 min.

Everyone has been atwitter lately over the heartbleed bug which motivated me to look into what lesser known implementations of OpenSSL might be vulnerable. My ddwrt home router seemed like a good choice because releasing and installing updates isn’t as ubiquitous for firmware as it is for desktop software. I started by looking into the HTTP admin interface. httpd I identified the web server by browsing the source code and found that SSL was most likely performed by MatrixSSL.