Surprise: even impots.gouv.fr depends today on American certificates to secure your connections

When you type an address into a browser, two operations are triggered before the page is displayed. The first translates the site's name into a numeric address the machines can understand: that is DNS. The second verifies that the site on the other end is really the one it claims to be: that is the role of the SSL certificate, symbolised by the padlock in the address bar. These two mechanisms run on every connection, all the time. And in both cases, the keys are American.

clubic.com

47-Day TLS Certificates
The maximum validity period of public TLS certificates will be cut sharply from the current 398 days to 47 days by 2029. Along with this, the reuse period for domain control validation (DCV) shrinks to 10 days, so every certificate renewal will require a fresh validation. Without certificate automation this change can cause service outages and security risks, so platform teams must prepare: certificate inventory management, automation, DCV self-healing, and external monitoring. In particular, testing ahead of the 100-day limit that arrives in March 2027 is recommended.

https://www.tidelock.dev/blog/47-day-tls-certificates

#tls #certificate #automation #security #dcv

The 47-day TLS certificate is coming. Your renewal strategy probably won't survive. | Tidelock

TLS certificate lifetimes are dropping from 398 days to 47 over the next three years. Here's what changes, why it's happening, and the eight things every platform team should fix before the first cliff in 2027.

Tidelock

Got a pretty good handle on hare-nats auth now. The last part there is TLS which is in progress elsewhere in hare-tls.

#HareLang #TLS #NATS

Time for more privacy! Given the current overall political situation, I've once again been looking into the question of how I can keep my internet activities more confidential #privacy .

DNS has long been running through #unbound, encrypted with TLS, or elsewhere via DoH (DNS over HTTPS).

My "normal" HTTP traffic has so far mostly only been running encrypted with #tls (#https). For more sensitive traffic I use the #tor Browser.

In addition, the tor service now also runs locally, to route all traffic through the Tor network.

Now two questions come to mind - maybe you can give me a nudge:

1) Does the tor Browser, with its own connection to the tor network, now run INSIDE my system-wide tor-service network? So tor-in-tor, or torception? 🤔

2) How can I configure a browser so that its requests do not go through the system-wide tor service? For when it's not supposed to be, or not allowed to be, tor? The usual options for that would be "No Proxy", "Use System proxy" or "Manual proxy configuration". The first two then go through the system-wide tor service... so presumably only magic in the manual proxy configuration remains?

Configuration audit of a website from Termux on Android in 15 minutes. curl, ssl, dig: no hacking and no root

Analysis of publicly accessible HTTP responses and DNS records without authentication or active intervention. Only the external configuration is checked: HTTP headers, TLS/SSL, DNS, open ports. No vulnerabilities are exploited and there is no load on the server.

https://habr.com/ru/articles/1030924/

#Конфигурационный_аудит #Termux #Android #HTTP_Security_Headers #TLS #DNS #Порты
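The HTTP-header part of such an audit, as an added example that is not from the post or the linked Habr article: it parses a raw response (a constructed one, not captured from any real host) and flags weak or missing security headers the way one would after `curl -sI`.

```python
import re

# Constructed sample response (not captured from any real host), shaped like
# what `curl -sI https://example.test` would print.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age

def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to the list of values seen (repeats kept)."""
    head = raw.partition("\r\n\r\n")[0]
    headers: dict = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_headers(headers: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    hsts = headers.get("strict-transport-security", [""])[0]
    match = re.search(r"max-age=(\d+)", hsts, re.I)
    if not match:
        findings.append("missing or malformed Strict-Transport-Security")
    elif int(match.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {match.group(1)} is below one year")
    for name in ("content-security-policy", "x-content-type-options",
                 "x-frame-options", "referrer-policy"):
        if name not in headers:
            findings.append(f"missing {name}")
    server = headers.get("server", [""])[0]
    if re.search(r"\d", server):             # version string leaks patch level
        findings.append(f"Server header discloses version: {server}")
    for cookie in headers.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cname} lacks {flag}")
    return findings
```

Calling `audit_headers(parse_headers(RAW_RESPONSE))` on the sample yields seven findings; feed it the output of `curl -sI` on a host you are allowed to assess to get a real report.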


Custom-domain wildcard TLS setup using Kamal and Caddy

Since Kamal 2.7.0 does not directly support wildcard domain certificates, Caddy can be used as a reverse proxy to solve the problem of on-demand certificate issuance.

Ruby-News | Ruby AI News

When I hear a company cut ties with WhatsApp for internal communication, my heart jumps from joy 🎉 — then I later hear they probably switched to regular TLS email instead of a ProtonMail‑like E2EE setup, and I’m like, bruh, what about Signal? 🤔🤣 #WhatsApp #Signal #ProtonMail #E2EE #TLS #bruh #omfg

After reading that the timeline for post-quantum cryptography is bumped closer to today I started looking into the standards and protocols that are going away and the ones that are coming. Then I started to look at the ESP32 chip: can it run post-quantum crypto?

Since there is no official PQC in the official SDK, to test that I needed to go a bit lower and find the building blocks of TLS. The conclusion: yes, it's powerful enough.

But I bumped into a separate problem: checking whether the TLS certificate is valid requires the device to know the time. How can the device know the time without TLS?

It turned out that it's a known problem: it's called the time bootstrap problem. It's about the circular requirements: secure communication needs the knowledge of time, but knowing the time needs communication when the device does not have an always-on clock.

This article is what I learned looking into the different technologies and how they shape the best practices. My conclusion is a bit anticlimactic: it's nice to use some protocols that have some security built in, but for most cases I believe even the unencrypted, decades-old plain NTP is good enough.

Read it on my blog: https://advancedweb.hu/esp32-time-bootstrap-problem/

#iot #ntp #nts #tls

ESP32 time bootstrap problem

How to get the time after a cold start?