Infinite second

Enter the 36 chambers of infrastructure wu-tang

Saturday, August 23, 2008

Tuesday, July 01, 2008

ratproxy unleashed

Google just released their internal tool for passive web security assessment. While it has the unfortunate name ratproxy, it looks, frankly, badass. If you care about the security of your site (and even if you don't, your users probably do), you should consider making ratproxy a regular part of your secure development process.

Sunday, June 15, 2008

What not to do, part 2

As expected, there are many TLS sites using keys generated using the flawed, Ubuntu version of OpenSSL. Netcraft has the latest.

Thursday, June 12, 2008

Selecting cryptographic key sizes

Selecting cryptographic key sizes is a valuable reference for estimating the security margin for algorithms and key sizes and is deliciously applicable to TLS configuration choices.

A few tasty tidbits:

Does anyone seriously believe that published attacks represent the state of the art? It may safely be assumed that unpublished work is many years ahead of what the public at large gets to see: a public announcement that a system is broken provides at best a rather trivial upper bound – and a very simple-minded one, in our opinion – for the date that the system became vulnerable.

According to Table 1, 512-bit RSA keys should not have been used beyond 1986.

According to Table 1 usage of 768-bit RSA keys can no longer be recommended. Even in the cost-equivalent model 768-bit RSA keys will soon no longer offer security comparable to the security of the DES in 1982.

SNI is goodness

SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls.

I encourage you to try it out. I have no experience with mod_gnutls, but gnutls is top notch and 80% less code than mod_ssl is a good thing.