Bookmark
OWASP ZAP
https://www.zaproxy.org/, posted Jul '22 by peter in development free opensource security software toread
The world’s most widely used web app scanner. Free and open source. Actively maintained by a dedicated international team of volunteers.
Bookmark
Seriously, stop using RSA
https://blog.trailofbits.com/2019/07/08/fuck-rsa/, posted Feb '22 by peter in communication opinion security
RSA is an intrinsically fragile cryptosystem containing countless foot-guns which the average software engineer cannot be expected to avoid. Weak parameters can be difficult, if not impossible, to check, and its poor performance compels developers to take risky shortcuts. Even worse, padding oracle attacks remain rampant 20 years after they were discovered. While it may be theoretically possible to implement RSA correctly, decades of devastating attacks have proven that such a feat may be unachievable in practice.
Bookmark
espoofer: An email spoofing testing tool that aims to bypass SPF/DKIM/DMARC
https://github.com/chenjj/espoofer, posted Jan '22 by peter in communication email free security testing
espoofer is an open-source testing tool to bypass SPF, DKIM, and DMARC authentication in email systems. It helps mail server administrators and penetration testers to check whether the target email server and client are vulnerable to email spoofing attacks or can be abused to send spoofing emails.
Bookmark
Using Let's Encrypt for internal servers
https://blog.heckel.io/2018/08/05/issuing-lets-encrypt-certificates-for-65000-internal-servers/, posted Dec '21 by peter in development howto networking security toread
But while there are many tools to automatically renew certificates for publicly available webservers (certbot, simp_le, I wrote about how to do that 3 years back), it's hard to find any useful information about how to issue certificates for internal non Internet facing servers and/or devices with Let's Encrypt.
Bookmark
The Cryptopals Crypto Challenges
https://cryptopals.com/, posted Feb '21 by peter in development learning security toread
This is a different way to learn about crypto than taking a class or reading a book. We give you problems to solve. They're derived from weaknesses in real-world systems and modern cryptographic constructions. We give you enough info to learn about the underlying crypto concepts yourself. When you're finished, you'll not only have learned a good deal about how cryptosystems are built, but you'll also understand how they're attacked.
Bookmark
Visual guide to SSH tunnels
https://robotmoon.com/ssh-tunnels/, posted Feb '21 by peter in communication howto networking reference security
This page explains use cases and examples of SSH tunnels while visually presenting the traffic flows.
Bookmark
GitHub - FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates
https://github.com/FiloSottile/mkcert, posted 2020 by peter in automation development networking security
mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.
Bookmark
Hostnames and usernames to reserve - Geoffrey Thomas (geofft)
https://ldpreload.com/blog/names-to-reserve, posted 2020 by peter in development howto list reference security webdesign
If you're setting up a service where people can register their own usernames to be used as a hostname (
username.example.com
), email address (username@example.com
), or URL path (example.com/username
) within your domain, there are some common names you should avoid letting the general public register.
...
This is a list of all the names I know that should be restricted from registration in automated systems. If you know of others, please let me know and I'll update this page.
Bookmark
SSH Agent Explained
https://smallstep.com/blog/ssh-agent-explained/, posted 2020 by peter in communication howto networking reference security
The SSH agent is a central part of OpenSSH. In this post, I'll explain what the agent is, how to use it, and how it works to keep your keys safe. I'll also describe agent forwarding and how it works. I'll help you reduce your risk when using agent forwarding, and I'll share an alternative to agent forwarding that you can use when accessing your internal hosts through bastions.
Bookmark
Dangerzone: Working With Suspicious Documents Without Getting Hacked
https://tech.firstlook.media/dangerzone-working-with-suspicious-documents-without-getting-hacked, posted 2020 by peter in email free pdf security software
Dangerzone, a new open source tool that First Look Media just released at the Nullcon 2020 hacker conference in Goa, India, aims to solve this problem. You can install dangerzone on your Mac, Windows, or Linux computer, and then use it to open a variety of types of documents: PDFs, Microsoft Office or LibreOffice documents, or images. Even if the original document is dangerous and would normally hack your computer, dangerzone will convert it into a safe PDF that you can open and read.
...
When dangerzone starts containers, it disables networking, and the only file it mounts is the suspicious document itself. So if a malicious document hacks the container, it doesn’t have access to your data and it can’t use the internet, so there’s not much it could do.