I've just finished writing up the process of configuring #SSL #LetsEncrypt for #Apache on #Ubuntu LTS. It will surely be useful not only to beginners. For me it's a way of organising my knowledge and of learning to write documentation for others: https://blog.jurkiewicz.tech/how-to-configure-free-ssl-certificate-with-certbot-letsencrypt-on-ubuntu-linux-20-04-61e1553f250b
Which SSL library should you choose? This is a nice review of the many options available today. It was written for HAProxy, but most of the information is valid for any server. https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status
OpenSSL is clearly not an option anymore for production servers.
Towards zero-config #ssl/#tls with #mariadb #opensource #database https://mariadb.org/mission-impossible-zero-configuration-ssl/
Anyone know of a CouchDB cloud service? All I can find are cloud machines that can install CouchDB, but I want to not do all that setup and configuration. Just need admin on a CouchDB installation over SSL. It's to be synced with PouchDB running in the browser from a GitHub Pages kind of setup.
Yesterday I received an e-mail from a former colleague. Among other things, he wanted to let me know that my TLS/SSL cookbook from 2016 is still highly valued and praised. That made me very happy. 😀
Article on the TLS/SSL cookbook: https://www.my-it-brain.de/wordpress/mein-tls-kochbuch/
The issue's pattern: you have a #cloudflare DNS service routing traffic to your Meshcentral instance, often behind an #nginx reverse proxy. The main website works, but the remote connections start failing half the time. Now they always fail at a 0 sec timeout.
It seems caused by a change in cloudflare likely with #websockets but possibly #ssl certs?
Thoughts on this?
OpenSSL 1.1.1 End of Life
Save 50% off w/ CODE: “TRYRAD” 🌞
✅ Free #SSL Certificates!
✅ Free white-glove #migration!
✅ Nightly/Weekly/Monthly + Offsite #backups
✅ #Malware scanning & removal
✅ 100% #SSD-powered servers
✅ Multiple #PHP (PHP7.3-PHP8.2)
✅ #Softaculous 1-click #App #Installer
✅ Drag & Drop #Website Builder
✅ 24/7 US-based #Support
✅ #Redundant Power Feeds at every Rack
✅ #Uninterruptible Power supplies to All Racks
🌐 Get Yours👉 https://radwebhosting.com/shared-hosting
Mail is also no good from a data-protection point of view. You have no control over which servers it passes through, or over what the server operators read along the way, or even store and pass on.
Especially if you even use #Gmail, it is 100% certain that you are handing your data over to third parties.
Secure your Website and all its Sub-domains with a single Wildcard SSL Certificate from globally reputed CAs such as Sectigo, Certera, etc. at affordable pricing starting at just $19.99/year!
Anyone know of an #http parsing library or code for classic #macos? After decrypting a #SSL #TCP stream I’d love to shove it into a lib that can parse it all out and let me extract the relevant bits. I found HTTP sample code for OpenTransport but not sure if that’s right path. I may also not be thinking of the problem correctly but having fun experimenting and kinda don’t want to write it from scratch #RetroComputing #macintosh
And the story continues. Maybe it is worth reading.
Today I had a meeting at a bigger traffic hub of #Budapest, #Hungary. When I arrived at the meeting I thought I would let my partner know about it, so I was about to send a message. If I could. Because when I pushed the power button on my phone, the reaction of the phone was a buzz and that's it. At that point I already knew there was shit in the soup. I just tried pushing the button, buzz, nothing, pushing the button, buzz, nothing, but I tried further. I tried to perform a hard reset. The phone turned on. I saw the usual animation on the boot screen and I lifted my middle finger into the air (obviously several cameras were staring at me). The screen went blank. I could push the buttons afterwards, nothing happened. I could push any combination of the buttons. Nothing happened. Literally nothing, as my phone had died. I had an idea to check what happens if I plug the charger in. I plugged my phone into the wall, where it normally turns on and starts charging, but no. Literally nothing happened. What does it mean? Biatch, the Hungarian government has cyber weapons and they are using them against CIVILIANS. My sin was to BE THERE! In both cases that happened to me, first the police officer turned on my phone with his cyber weapon, later some security-related contractor of the Hungarian government didn't let me turn on my phone. This means for me there is a hardware backdoor in my phone, since they are able to control turned-off devices, no matter what kind of privacy OS you have. I was able to turn on the phone only after my meeting, when I was about to leave the place. Later I met with symptoms; however, my #Orbot did work, my #VPN too, but I could not use #Firefox, it did not accept some #SSL certificate. I could not use the #Tor browser either, since it connected to the first node, but to the second it couldn't. It was just trying, trying and that's it. At that point I thought it's smarter to wipe that phone.
And you think that the problem is in #China, because they need to use Tor to reach the internet. No. The problem is in #Hungary, where the government uses cyberweapons against its citizens, during the day, because they are! Maybe they will make my #wifi and #bluetooth disappear from the system, as they do sometimes after I post here, but whatever. 🖕
SSL certificate: OK, setting up the required ".htaccess" file worked, but it was quite a fiddle, if I may say so, dear IONOS. Can't this be automated when you attach an SSL certificate to a domain? Modern text editors, for example on macOS, no longer know plain "txt" files at all and also refuse to save a file whose name starts with a ".". Anyway, somehow it worked, and my website now has a secured connection.
#ssl #ionos #https
The #reorder function was easier to implement than I thought, and
<iframe src="?timestamp=<?php echo time(); ?>" width="600" height="400"></iframe>
I finally 1. can use my own custom status update #wordpress plugin, though I still need to connect it to #activitypub once I figure out how to do #rss; and 2. solved the #SSL issue for a second blog without spending money, by setting up the blog as a subfolder instead of a subdomain. All of which means I will post less here and, once I have ActivityPub implemented, not at all. 👌
Anyone familiar with #Java’s SSL code? The SSLSession.getPeerCertificates() method, which you can use on the server to lookup any client certificates provided, has gained a warning that the returned certificate chain may be incomplete and shouldn’t be used for trust decisions. Anyone know the story behind this? - because a lot of code is using this precisely to make trust decisions. (The method is already supposed to throw an exception if the peer is not authenticated).
My best guess is that it’s because the SSLSession can be got hold of during the handshake and the authenticity can’t be guaranteed until after the handshake completes, but I want to make sure I’m understanding. The JDK bug referenced in the git repo for the change is not public.
How is a Wildcard SSL Certificate Beneficial for your Website?
Unlock the Key Benefits of using a Wildcard SSL Certificate for your website
Can I please ask for help from anyone who's good on #WordPress? or #SSL? I have a problem with SSL on my website: I installed Really Simple SSL to allow my site to be https, but it doesn't seem to be updating properly, because... I dunno, it's beyond me. As such my website has a security block for visitors. I think it's an expiry thing. I'm not in the mood to pay for anything, so what should I do in terms of plugins or whatever?
Sorry, I am a bit of a dunce at this sort of stuff.
My goal was to exclusively use the #SSL e-channel plugin, which almost worked. 😅 I had to use the #FabFilter #ProQ3 to get rid of an annoying snare ring, as well as #Izotope #Ozone10 and #Softube Tape for sound shaping, but that's it!
I also used the #CheatSheet from #HardcoreMusicStudio and it helped me a lot! It was very freeing to not rely on your eyes anymore and I'm also a big fan of SSL, as it was my first console I ever mixed on. And I also own and love the SSL 2+ #AudioInterface! 😍
I'm always so happy that I can learn from friends. For today, I've set up a web hosting panel (CloudPanel) on my server. This server has a bit of an unusual setup, which makes it sometimes harder to get things working.
https://cytag.nl/@email@example.com has helped me with a "Too many redirects" issue when I set up this Mastodon instance, and his advice helped me today to solve the same bug.
So, if you are running an NGINX server and you have this "Too many redirects" issue, go have a look at my post at 3XN.nl. This particular case is about the correct configuration in case you have a proxy that controls all your SSL certificates instead of the server itself.
The article is subject to change, some code could be uncommented to still work, but this is a quick hack.
We are pleased to announce that Whonix and Kicksecure are utilizing website TLS with the highest available security options
I finally understood how to create #TLS client certificates, and I like it. It would be a good way to access services in my home network remotely without having to enter a password.
I can access https://fellr.net:1234 just fine, but you can't unless you have the certificate.
Why isn't there already a Get-WebCertificate or something, for fetching the TLS certificate being used by a web server?
Well, my old version doesn't work in PowerShell 7, so I had to put this together for someone this week:
@animemer @thecatcollective @torproject not to mention that all the protocols of all their applications and devices, from #DVB over #TCP / #UDP (#IPv4 & #IPv6), are #OpenSource.
- Even if they use shitty #MicrosoftExchange's #MAPI instead of #IMAP, the #Mailserver still uses #SMTP to send out stuff.
- #HTTP (#Apache, #nginx)
- #FTP (#vsftpd)
- #SSL (#OpenSSL & #Mozilla NSS)
Now, only the user can view it and not the owner of the database.
Then you take it a step further. Encrypted messages between users. Okay, cool. Public-Private key encryption with an alternating k, because we learned from Sony's mistakes.
But what if you have a service that provides an additional service and requires a user's private key, api key, or secret? So, for example, an automated system performing actions on an API, so the user provides their API keys?
How do you securely store this, that your service can use it, decrypt it, and securely perform operations but still be safe if your infrastructure is ever hacked?
Is the answer just simply environmental variables and .env, or is it more complicated than that?
Is there something odd going on somewhere in #SSL/cert land? Last night a whole bunch of fresh Ubuntu boxes stopped being able to curl lots of well known sites (terragrunt, pypi etc) with cert errors yet not all, and nothing broken from my old Mac.
I'll dig in today, but this is just the sort of thing where Squitter was handy
By the way, if you want to test your TLS configuration for potential security issues and you don’t want to use a web site like SSL Labs, you can do so locally with a free and open cross-platform bash-based tool called testssl.sh.
Patch now! Over 335,000 Fortinet SSL-VPN interfaces attackable
Security researchers warn of further attacks on a critical vulnerability in FortiOS. Patches to close the vulnerability are available.
One thing social media doesn't do well is secure messaging. So, of the options out there, what do you believe is the most secure messaging app? If you find this useful, please boost.
#secureChat #SocialMedia #Security #Messaging #Poll #mastodonpoll #Telegram #WhatsApp #Signal #Messages #SMS #SSL #Encryption
Today was a day of improving security and performance for the @impulsait infrastructure, including mastodon.cr
✅ #DNSSEC and #IPv6 connectivity for the name servers and the mastodon.cr domain
✅ Improvements to secure TLS/SSL connections: CAA record, OCSP stapling, HSTS preloading
✅ Upgrade of the web proxy serving mastodon.cr to Debian 12
Instead of @letsencrypt, we should've pushed for #CAcert since the latter one actually does #DueDiligence and is harder to penetrate or even abuse than getting an EV-SSL - cert fraudulently via #SocialHacking...
9️⃣ We recommend staying away from websites that don't use #SSL certificates. A business or service provider doesn't deserve your trust if they're not using an SSL certificate.
@maxandersen Oh, and do you remember the days when #Maven central was serving JAR files using unencrypted #HTTP (without #SSL/#TLS)? With simple Man-in-the-middle proxy you could inject any code to any #Java dependency... https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
That in an age when #Certbot and #Letsencrypt exist, #SSL certificates still expire is somehow beyond me. In my eyes this whole SSL peddling was nothing but a modern-day sale of indulgences.
"But behind a proxy, in the internal network, that doesn't work...": Yes it does: as soon as I can bind an external IP to the service, it works. All I need is a domain with authoritative DNS that can be automated.
* Point your own domain at it
* Certbot challenge via DNS
It has always annoyed me that SSL Self-Signed-Certificate messaging gives the impression that by accepting the SSC you will not have secure communications. The data will indeed be encrypted in transport; what you lose is a level of certainty that the endpoint is who you think it is, which is a different issue that deserves to be considered on its own merits. #HTTPS #SSL #Self-Signed-Cert
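The distinction drawn in the post above (a self-signed certificate still gives you an encrypted channel; what it does not give you is evidence about who is on the other end), and the "fetch the certificate the server is using" step asked for a few posts earlier, worked through as an added example. This is not code from either post. It assumes the `openssl` command-line tool is installed, mints a throwaway self-signed certificate with it, serves that from a local TLS server, and then connects three ways: with verification switched off (encrypted, endpoint unverified), with the default trust store (handshake refused), and with the server's own certificate fetched first and pinned (encrypted and authenticated).

```python
"""Self-signed certificate: encrypted, but is it the endpoint you think it is?

Added example, not code from any of the posts. Assumes the `openssl` CLI is
installed. Outcomes of demo():
  no_verify     verification off           -> encrypted, endpoint unverified
  system_trust  default trust store        -> handshake rejected
  pinned        server cert fetched, pinned -> encrypted AND authenticated
The fetch step is what a "Get-WebCertificate" would do; here it is
ssl.get_server_certificate().
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(workdir: str, cn: str = "localhost") -> tuple:
    """Mint a one-day self-signed RSA cert with SAN=DNS:<cn>; returns (cert, key) paths."""
    cert = os.path.join(workdir, "cert.pem")
    key = os.path.join(workdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", cert, "-subj", f"/CN={cn}",
         "-addext", f"subjectAltName=DNS:{cn}"],
        check=True, capture_output=True,
    )
    return cert, key


class TlsHelloServer:
    """Accept loop in a daemon thread: finish the handshake, send a greeting, close."""

    def __init__(self, cert: str, key: str):
        self._ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self._ctx.load_cert_chain(cert, key)
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))   # ephemeral port
        self._listener.listen(5)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self._listener.accept()
            except OSError:              # listener closed by stop()
                return
            try:
                tls = self._ctx.wrap_socket(conn, server_side=True)
                tls.sendall(b"hello over TLS\n")
                tls.close()
            except OSError:              # client aborted the handshake (system_trust case)
                pass
            finally:
                conn.close()

    def stop(self) -> None:
        self._listener.close()


def fetch_certificate(host: str, port: int) -> str:
    """Return the server's leaf certificate as PEM (unverified; it is what we pin next)."""
    return ssl.get_server_certificate((host, port))


def unverified_context() -> ssl.SSLContext:
    """What 'accept the self-signed certificate' amounts to: encryption without identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_context(pem: str) -> ssl.SSLContext:
    """Trust exactly one certificate; hostname checking stays on (SAN must match)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    ctx.load_verify_locations(cadata=pem)
    return ctx


def try_connect(port: int, ctx: ssl.SSLContext, hostname: str = "localhost") -> str:
    """'ok:<version>' if the handshake completes, otherwise why it was refused."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                tls.recv(64)
                return f"ok:{tls.version()}"
    except ssl.SSLCertVerificationError:
        return "rejected:certificate-verify-failed"


def demo() -> dict:
    """Run the three connections against a fresh self-signed server; outcomes keyed by name."""
    with tempfile.TemporaryDirectory() as workdir:
        server = TlsHelloServer(*make_self_signed_cert(workdir))
        try:
            pem = fetch_certificate("127.0.0.1", server.port)
            return {
                "no_verify": try_connect(server.port, unverified_context()),
                "system_trust": try_connect(server.port, ssl.create_default_context()),
                "pinned": try_connect(server.port, pinned_context(pem)),
            }
        finally:
            server.stop()


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

The pinned context is the honest version of "accepting" a self-signed certificate: you obtain the certificate once over a channel you trust (or verify its fingerprint out of band), then every later connection is both encrypted and bound to that exact key, with hostname checking left on. Flipping verify_mode to CERT_NONE instead keeps the encryption but gives any on-path party the ability to present their own certificate.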
Just released version 5.0.0 of @small-tech/https: A batteries-included version of the standard Node.js https module.
Replace https with @small-tech/https to get:
- Automatically-provisioned trusted local development TLS certificates.
- Automatically-provisioned Let’s Encrypt TLS certificates.
- Automatic HTTP to HTTPS forwarding.
How have we not solved #WiFi redirects yet? If you're activating a new model or accessing a public network, you just get a bunch of #SSL errors as the network tries to redirect you but the browser refuses them. Users don't understand what these errors mean and definitely don't know the neverssl.com trick.
Is there really no way we can securely say: "The router is refusing your connection and redirecting you to your ISP's website"? This feels solvable, isn't it?
Just released version 8.2.0 of Auto-Encrypt Localhost
All status changes are now communicated via events instead of console messages.
Think I’m pretty much done with v8 now.
Next: update https (https://codeberg.org/small-tech/https) to use it and then update Kitten (https://codeberg.org/kitten/app) to use the updated https. (Which should make Kitten cross-platform, including on ARM.)
Auto-Encrypt Localhost version 8.1.0 released
Now with 100% more Command-Line Interface (CLI).
To create your local development certificates using the CLI:
npm install --global @small-tech/auto-encrypt-localhost
#NewYear - new opportunities!
Knock yourself out with this little tutorial for Docker or for #archlinux
Also available in #german
How very bizarre… Chrom(ium) chokes if your TLS server certificate has an @ symbol in the Common Name (CN) field. It also fails with an “unable to parse file” error if you try to import a certificate authority that has the same (but, if you add the same certificate authority to the system trust store, it imports it without issue when you next start the browser).
TL; DR: Do not use the @ symbol in the Common Name (CN) fields of your TLS certificates.
Right, there is a way: Here’s how you can add a certificate authority (CA) to Firefox on Linux that also works on Fedora Silverblue: https://github.com/fedora-silverblue/issue-tracker/issues/397#issuecomment-1372211636
I’m not going to use bloody bugzilla, so if anyone from Mozilla sees this, your enterprise flow for adding certificate authorities (CAs) to Firefox on Linux fails on Fedora Silverblue.
Since Fedora Silverblue is seen as the possible future of Fedora/Red Hat, you folks might want to talk to the Fedora folks about it and come up with a solution.
If you get #SSL_ERROR_NO_CYPHER_OVERLAP (Firefox) or #ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chromium) errors when calling https.createServer() in Node.js, you’ve got your options and listener order reversed in your method call. It should be options first, listener second.
(I’m actually working on generating certificate authorities/certificates so I was frantically searching the X.509 code for some obscure bug.)
My kingdom for parameter objects/named parameters.
Just released v4.0.0 of Auto Encrypt (Automatically-provisioned TLS certificates for Node.js servers using Let’s Encrypt.)
This is a semver major release that requires Node.js LTS 18.2+.
A client of mine hired Ernst & Young 🤑 to run a vulnerability scan (with Tenable #Nessus) against a site I built, and it seems to not like the Let's Encrypt X.509 certificate. Now I was asked to fix it within two weeks. Does anyone know if there's another option than buying a certificate from a "trusted" authority? #SSL #certificates #infosec
This business of the Internet's root certificates isn't always easy to get your head around, yet they play an important role in security on the Internet ... 🧐 🤔 🔐