Collaborate Disseminate
I have a reported finding saying that hostname verification is disabled.
This can be deduced from this line of code:
final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
httpClientBuilder.setSSLContext(sslContext).se… Continue reading How to verify hostname of certificate? and Is it mandatory if client knows the certificate?
I have this line of code in a client server project:
sslContext.init(null, new TrustManager[]{new TrustAnyManager()}, null);
A security guy pointed out that this is skipping the validation of the certificate, but I don’t understand the se… Continue reading What is the security impact of disabling certificate check [duplicate]
Announced last year, Google’s proposal to reduce the lifespan of TLS (transport layer security) certificates from 13 months to 90 days could be implemented in the near future. It will certainly improve security and shrink the window of opportunity for … Continue reading How Google’s 90-day TLS certificate validity proposal will affect enterprises
Let’s Encrypt has made Domain Validated certificate ubiquitous and trusted by mainstream browsers. Against this backdrop, is there any reason for an Internet and general public-facing https website to obtain higher-level validated certific… Continue reading Given the wide trust of Domain Validated certificates by browsers, is there any reason to get higher validation for Internet/public-facing websites? [duplicate]
I was playing with httpbin.org to test a client and discovered that some sites will get an header I did not set (X-Amzn-Trace-Id). If I do a curl https://httpbin.org/headers (which will respond with the requested headers), I see the respon… Continue reading How can Amazon add its own headers when I make HTTPS requests to a web application?
Let’s say we produce IoT devices and want them to access AWS IoT Core.
The best solution is something like: every device has a (unique) private key and a public X.509 certificate signed by a valid Certification Authority.
This way, the dev… Continue reading AWS IoT – Use a temporary certificate created at build time to authenticate a device for self-enrolment
Digital Certificates are not new. In this Help Net Security video, Andreas Brix, Senior Program Manager at GlobalSign, discusses why they are back in the news and what you should do about it.
The post Why is everyone talking about certificate automatio… Continue reading Why is everyone talking about certificate automation?
Currently looking into OpenPubKey and more specifically into OpenPubkey SSH:
https://github.com/openpubkey/openpubkey
https://docs.bastionzero.com/openpubkey-ssh
Terminology:
OPK => OpenPubkey
OIDC => OpenID Connect
OP => OpenI… Continue reading Openpubkey SSH workflow details
If I have a java client that connects to a server, but in the java client code where the connection is built, it skips hostname verification disabled.
When a client tries to connect to serverA.com, what is the impact if hostname verificati… Continue reading What is the impact of disabled TLS hostname verification?
I am used to clicking on the padlock in Chrome downloading the certificate and installing that in my jre.
Now the padlock has gone, I can not find how to download the certificate anymore.
Continue reading How to get a certificate out of Chrome now the padlock has gone? [migrated]