Starting January 21, 2021 and ending September 1, 2021, sites using TLS/SSL certificates issued by ISRG‘s Let’s Encrypt service will be transitioning to a certificate chain based on the ISRG Root X1 certificate instead of IdenTrust‘s DST Root X3. After the DST Root X3 certificate expiry on September 30, 2021, it will no longer be usable to bootstrap ISRG in legacy trusted root certificate stores.[Read more…]
NCIX, Able Auctions, and Bowra Group Data Breach
A story recently began circulating about a situation in which it appears that NCIX’s customer and credit card data is being made available for sale. It reminded me of my experience when a friend and I visited NCIX‘s warehouse during their bankruptcy auction preview on February 21, 2018.
The RESTLESS Vulnerability: Non-Browser Based Cross-Domain HTTP Request Attacks
I am the author of the advisory below. As of publication, no CVE number has been issued. This post will be updated when a CVE number is issued.
This advisory describes a class of security vulnerabilities which can manifest due to choices made during HTTP API design and implementation. These vulnerabilities may be used to bypass network security policies and enable data exflitration or unauthorized API use.
Track OS X Users Remotely Using IPv6 Device Fingerprinting
As a developer writing a modern networked application, ignoring IPv6 is a mistake. It restores the internet’s capability of providing connections directly between all users & devices, which vastly simplifies building reliable and easy to use applications. Infuriating issues with port forwarding, NAT, and VPN address conflicts can be relegated to obscurity. Real world performance tests at Facebook show a 15% performance improvement. [Read more…]
Dear NSA: If you find yourself in a hole, stop digging
In the upcoming February 2015 edition of Notices, Michael Wertheimer, director of research at the NSA, consumed approximately 2000 words expressing that it was “regrettable” that they did not choose to withdraw their support for Dual_EC_DRBG. Dual_EC_DRBG is one of the computer security standards where a paper trail demonstrates that the NSA influenced the standard under suspicious circumstances. [Read more…]
Devops Developers: SSH Requires a Chain of Trust
It’s 2015 and your firm has decided that it’s finally time that you stop using your primary production systems as the first place you routinely run brand new versions of your software. And, after realizing that configuration files are often just software written in a domain-specific programming language, someone on the team dove deep down the dark devops rabbit hole, and, congratulations, your infrastructure is code now! [Read more…]