InfoSec Handbook introduces experimental P2P support via Dat protocol:

dat://4354ef3fa9ae5df664fd4a40707cab7450a24d29d4d9f2770b29ebdc720c7151/

(The URL may change during testing.)

About the Dat Project:

datproject.org/

Due to feedback from our readers, we just published part 0 of our web server security series:

infosec-handbook.eu/blog/wss0-

This part covers important considerations before actually setting up your new server.

We also updated some other parts of this series to address the release of Debian 10 and current security recommendations. The series consists of 8 parts at the moment: infosec-handbook.eu/as-wss/

Mozilla publishes post-mortem analysis after failing to provide a valid certificate for addon signing in May 2019:

hacks.mozilla.org/2019/07/add-

– this issue affected Firefox and Firefox-based browsers like Tor Browser for days
– identified problems: communication/documentation issues, insufficient quality assurance, and no quick updates without Telemetry and Studies

In our article infosec-handbook.eu/blog/onlin, we show pros and cons of online assessment tools for web server security.

As some people don't want to use certain companies, we looked at the hosters. The following tools use such companies:

– Amazon AWS: observatory.mozilla.org
– CloudFlare: www.hardenize.com, securityheaders.com
– Google: csp-evaluator.withgoogle.com, hstspreload.org

Physical (de)centralization of Mastodon servers – after our XMPP scan, we took 1000+ random Mastodon servers and looked at their hosters:

gist.github.com/infosec-handbo

– about 50% of these servers are hosted by only 5 companies in 4 countries
– 26% of servers are hosted in Japan, followed by the USA (24%) and France (23%)

GnuPG 2.2.17 ignores all key signatures of key servers by default:

lists.gnupg.org/pipermail/gnup

– this could be the end of the traditional web of trust of GnuPG
– there are additional changes to prefer WKD (tools.ietf.org/html/draft-koch) over key servers

Tor-focussed operating system Tails 3.15 released:

tails.boum.org/news/version_3.

– updates for Tor Browser (8.5.4), and Thunderbird (60.7.2)
– security updates for several vulnerabilities: tails.boum.org/security/Numero
– bug fixes

Tor Browser 8.5.4 released, fixes several security vulnerabilities:

blog.torproject.org/new-releas

– based on FF 60.8.0esr
– updates for HTTPS Everywhere, Tor, OpenSSL, and Torbutton

Physical (de)centralization of XMPP servers – we took 1000+ XMPP servers and looked at their hosters:

gist.github.com/infosec-handbo

– about 50% of these servers are hosted by only 7 companies in 3 countries
– logical decentralization obviously doesn't imply physical decentralization
– more than 50% of servers are hosted in Germany, followed by the USA (10%) and France (7%)

50 Ways to Leak Your Data – paper about apps circumventing the Android permissions system:

ftc.gov/system/files/documents (PDF file)

– there are several side channels for apps to collect data and track users – even if permission was denied
– the data leaked this way includes MAC addresses, location data, and the phone's IMEI
– according to the paper, hundreds of millions of users are potentially affected

Notes on privacy and data collection of Matrix.org:

gist.github.com/maxidorius/573

"matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot […]"

Modern TLS configuration: Let clients choose the cipher suite again.

Why? Because all modern cipher suites (which support AEAD and PFS) are considered "secure" at the moment. This means that there isn't a risk of downgrade attacks to insecure legacy cipher suites like before. Besides, clients without AES hardware acceleration can use smaller key sizes and/or EC-based cipher suites.

– Apache: SSLHonorCipherOrder off
– nginx: ssl_prefer_server_ciphers off;
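As an added illustration of the reasoning in this post (not code from InfoSec Handbook), the following model of TLS cipher-suite negotiation shows why honouring the client's order is safe once the server offers only AEAD+PFS suites, and why it was not safe when legacy suites were still enabled. Suite names are OpenSSL-style; the server and client lists are constructed for the example.

```python
# Model of TLS 1.2-style cipher-suite selection: the negotiated suite is the
# first entry of whichever side's preference list is honoured that the other
# side also supports. Added example; lists below are constructed.

# Constructed server lists. MODERN has only ECDHE (PFS) + AEAD suites;
# LEGACY additionally enables two suites without PFS or AEAD.
MODERN_SERVER = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
]
LEGACY_SERVER = MODERN_SERVER + ["AES128-SHA", "DES-CBC3-SHA"]

# Constructed clients: one without AES hardware acceleration that prefers
# ChaCha20, and one that lists a weak suite first but also speaks a strong one.
CLIENT_NO_AESNI = [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
]
CLIENT_MIXED = ["DES-CBC3-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256"]


def is_strong(suite: str) -> bool:
    """Strong here means forward secrecy (ECDHE) and an AEAD mode."""
    return suite.startswith("ECDHE-") and ("-GCM-" in suite or "CHACHA20-POLY1305" in suite)


def negotiate(client_prefs, server_prefs, honor_server_order):
    """Return the first mutually supported suite, or None (handshake fails).

    honor_server_order=True  models SSLHonorCipherOrder on / ssl_prefer_server_ciphers on.
    honor_server_order=False models the setting turned off (client chooses).
    """
    first, second = (server_prefs, client_prefs) if honor_server_order else (client_prefs, server_prefs)
    for suite in first:
        if suite in second:
            return suite
    return None


def safe_to_let_client_choose(server_prefs) -> bool:
    """Client preference cannot downgrade below the weakest suite the server
    offers, so it is safe exactly when the server offers only strong suites."""
    return all(is_strong(s) for s in server_prefs)
```

With the legacy server list, server order rescues CLIENT_MIXED while client order yields DES-CBC3-SHA; with the modern list the weak suite is simply never negotiable, and CLIENT_NO_AESNI gets its preferred ChaCha20 suite.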

Whonix 15 available:

forums.whonix.org/t/whonix-15-

– Whonix is another privacy-focused Linux distribution
– Whonix 15 is based on Debian 10, and comes with a hardened kernel
– support for Whonix 14 will end in one month!

Mozilla now provides an updated version of its SSL/TLS Configuration Generator:

ssl-config.mozilla.org/

– as mentioned before, "modern" is TLS 1.3 only now
– you can quickly generate configuration templates for web servers and other server software
– keep in mind that actual security includes much more than only setting up strict TLS configuration (see also infosec-handbook.eu/as-wss/)

Finished day 1 of the international Honeynet Project Annual Workshop 2019 in Innsbruck 🇦🇹.

Met many great people of the InfoSec community and shared lots of valuable security knowledge.

GnuPG – "SKS Keyserver Network Under Attack":

gist.github.com/rjhansen/67ab9

"If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation."

"High-risk users should stop using the keyserver network immediately."

We start our new Hack The Box series with "Netmon", a machine that just retired:

infosec-handbook.eu/blog/htb-n

You don't know Hack The Box? It is a training platform for penetration testers, see infosec-handbook.eu/as-htb/#ho

Mozilla updated its recommended configurations for server-side TLS:

wiki.mozilla.org/Security/Serv

Modern configuration:
– TLS 1.3 only
– ECDSA certificate
– X25519, prime256v1, and secp384r1 curve