The non-compliance of the EU cookie law as a finding in a penetration test report?

I recently noticed a penetration test report wherein the non-compliance of the European Union (EU) cookie law was stated as a finding under an “other” category. I consider this more of a legal, privacy-related matter and not …

Is CloudFlare’s SSL half-baked since they become the Man-in-the-Middle (MitM)? [duplicate]

I recently read a somewhat funny article at crimeflair.net, questioning (read: murdering) the way CloudFlare provides SSL. In their words: “CloudFlare’s half-baked SSL: suspicious sockets layer”.

Note: The name crimeflair suggests some kind of propaganda against CloudFlare, and the text, design and images of the site almost make me feel like reading a conspiracy theory. Also the article has quite some unproven theories and assumptions. But…

CloudFlare SSL

Local authorities could be sniffing the plaintext available at these data centers, and CloudFlare wouldn’t have a clue.

This made me think about the current way CloudFlare works. CloudFlare is indeed a Man-in-the-Middle; encryption can never be end-to-end because then the CloudFlare CDN/proxy won’t work.

Using CloudFlare’s SSL to add a “free” SSL layer to some simple website of the local bakery (half-baked, got it?) seems to me like little risk. But using this in enterprise solutions with confidential data might be a thing.

It will probably protect the end-user against local network sniffing and spoofing fine! Since the connection from the end-user to CloudFlare is encrypted. But against a government or ISP that can just read the unencrypted connection behind the CloudFlare proxy towards the origin server? Probably not at all.

… it would make no difference whether the origin server has its own certificate.

Recap: CloudFlare might “secure” the availability by their great anti DDoS features but it might be a serious risk for the confidentiality and possibly even integrity of the connection due to the SSL tricks they need to use.

Interesting additional whitepaper: “When HTTPS Meets CDN: A Case of Authentication in Delegated Service” or mirror at ieee.org.

While some of those problems are operational issues only, others are rooted in the fundamental semantic conflict between the end-to-end nature of HTTPS and the man-in-the-middle nature of CDN involving multiple parties in a delegated service.

Question: Is CloudFlare’s SSL half-baked since they become the Man-in-the-Middle (MitM)? And so, should it be discouraged?

Is there a passive way to verify DKIM implementations (on DNS level) without triggering an actual email event?

I wondered if there is a way to verify the correctness/validity of DKIM implementations without actually triggering an email event or sending an email to an external validator. So, remotely, on any domain.

I was thinking abo…

If TCP is more "secure" than UDP, how would a practical UDP "attack" look, for example during the initiation of a MS RDP connection?

In accordance with the recent question “Why is TCP more secure than UDP?”: How would an “attack” look when it comes to the practical aspect? A great example would be the use of TCP or UDP for Microsoft Remote Desktop (RDP) sessio…