Simon Willison's Weblog: ssl

Quoting James Donohue

2018-07-06T23:02:43+00:00

Over the last twenty years, publishing systems for content on [BBC] News pages have come and gone, having been replaced or made obsolete. Although newer content is published through dynamic web applications that can be readily modified, what lies beneath this sometimes resembles layers of sedimentary rock.

— James Donohue

Tags: bbc, bbcnews, ssl

Protecting Against HSTS Abuse

2018-03-19T22:21:57+00:00

Protecting Against HSTS Abuse

Any web feature that can be used to persist information will eventually be used to build super-cookies. In this case it’s HSTS—a web feature that allows sites to tell browsers “in the future always load this domain over HTTPS even if the request specified HTTP”. The WebKit team caught this being exploited in the wild, by encoding a user identifier in binary across 32 separate sub domains. They have a couple of mitigations in place now—I expect other browser vendors will follow suit.

Via @troyhunt

Tags: privacy, security, ssl, webkit

SSL Issuer Popularity

2017-11-21T14:44:56+00:00

SSL Issuer Popularity

The impressive growth of Let’s Encrypt in one graph: from 4.87% of TLS-enabled domains in May 2016 to 36.68% in November 2017.

Tags: domains, ssl

Side-Channel Leaks in Web Applications

2010-03-23T16:24:02+00:00

Side-Channel Leaks in Web Applications

Interesting new security research. SSL web connections encrypt the content but an attacker can still see the size of the HTTP requests going back and forward—which can be enough to extract significant pieces of information, especially in applications that make a lot of Ajax requests.

Tags: ajax, http, security, sidechannel, ssl

Researchers Show How to Forge Site Certificates

2008-12-30T15:27:33+00:00

Researchers Show How to Forge Site Certificates

Use an MD5 collision to create two certificates with the same hash, one for a domain you own and another for amazon.com. Get Equifax CA to sign your domain’s certificate using the outdated “MD5 with RSA” signing method. Copy that signature on to your home-made amazon.com certificate to create a fake certificate for Amazon that will be accepted by any browser.

Tags: collisions, ed-felten, equifaxca, hashes, md5, security, ssl

the tls report

2008-06-10T23:49:34+00:00

the tls report

Clever service that analyses a web server’s SSL implementation and grades it based on things like the protocols, certificates, ciphers and key lengths it supports. Includes public reports on the top and bottom 20 sites.

Via O'Reilly Radar

Tags: security, ssl, tls

MyOpenID relaunches

2007-04-17T15:40:40+00:00

MyOpenID relaunches

Now with a handsome redesign and support for SSL client certificates as a secure alternative to passwords.

Tags: janrain, myopenid, openid, ssl

prooveme.com

2007-02-22T12:01:58+00:00

prooveme.com

An OpenID provider that uses SSL client certificates (which you install in your browser) for authentication.

Tags: certificates, openid, prooveme, ssl

Windows SSL support in Python

2002-07-24T13:06:01+00:00

Adding SSL support to Python on Windows is as easy as dropping a couple of DLLs and a .pyd file in to your Python DLLs directory. Grab the zip file from this page and off you go. I haven't tried it out yet but it appears to work - the socket.ssl function miraculously appeared when I installed the new files. Why is this useful? Because it opens the way for secure XML-RPC calls from Python applications...

Tags: python, ssl