Collaborate Disseminate
In a header you can have—for example—"Authorization: Basic " xor "Authorization: Bearer ".
If I use my Bearer token as Basic, then can this endpoint double as a give me fresh tokens for this access token"?
https://… Continue reading Bearer token in header as Basic token? – Does that violate the RFC6749 spec?
TLS 1.2 clients and servers are typically configured to support a limited set of cipher suites. These suites include signature algorithms that are typically used for the ephemeral key exchanges during the handshake. Additionally, the Clien… Continue reading In TLS 1.2 why are certificate signature algorithms not limited by supported cipher suites?
Scenario:
A web server with a web app for remote staff.
The web server is behind a reverse proxy (traefik)
The web server has a host based firewall configured to allow connections only from the proxy on the designated port. Those connectio… Continue reading Which external vulnerabilities remain for a web server secured with mTLS?
I performed an external vulnerability scan on a public IP address and it reported a critical vulnerability with the following details
NVT: SSL and TLS – SSL/TLS: Report Vulnerable Cipher Suites for HTTPS.
It has a summary of some outdate… Continue reading How to disable outdated ciphers [closed]
I am looking at this vulnerability: CVE-2019-0231
The NVD description says:
Handling of the close_notify SSL/TLS message does not lead to a
connection closure, leading the server to retain the socket opened and
to have the client potentia… Continue reading why CVE-2019-0231 is critical? [closed]
As we all know, SSL protocols as well as TLS 1.0 and TLS 1.1 are vulnerable to various types of attacks, such as BEAST, Padding Oracle Attack, Sweet32, Downgrade Attack, and others.
But have you ever come across any practical examples of e… Continue reading Practical examples of SSL and TLS vulnerabilities
I know that TLS MitM can get HTTP/S traffic decrypted when using certificates.
I’m wondering if it has the ability to decrypt the Apple Airdrop protocol as well as it doesn’t go through a server and uses WiFi Direct to create a peer-to-pee… Continue reading Can a TLS MITM decrypt Apple Airdrop files?
We have a public repository of a software that uses Docker container. Any thing that runs within the organization sees certificates signed by our org’s root CA. For the container to run properly within our org, the root CA certificate need… Continue reading Should I house my organization’s root CA certificate in public github repostiory?
My java program fails to download https://repo1.maven.org/maven2/org/apache/iceberg/iceberg-spark-extensions-3.5_2.12/1.5.2/iceberg-spark-extensions-3.5_2.12-1.5.2.pom
So I ran some commands to figure out why. My first steps is to find whi… Continue reading Why do none of the Global Sign CAs verify this cert that’s signed by Global Sign?
My java program fails to download https://repo1.maven.org/maven2/org/apache/iceberg/iceberg-spark-extensions-3.5_2.12/1.5.2/iceberg-spark-extensions-3.5_2.12-1.5.2.pom
So I ran some commands to figure out why. My first steps is to find whi… Continue reading Why do none of the Global Sign CAs verify this cert that’s signed by Global Sign?