Skip to content

Category Archives: Cryptography

ESFS, new perspectives for stenography ?

Tomas Touceda advertised a new project on Full Disclosure. The idea sounds good, so I will keep an eye on this very interesting project. Though I would like to know more about the methods that were used for encryption and stenography. Code and explanations are on the ESFS project homepage. Beyond the pratical usage, I [...]

Posted 14 January 2011 § Defense § Security Comments (0) ° Tagged: , ,

Ravan, password cracking using Javascript!

Ravan is a new password cracking tool based on Javascript. Wait, what ? Javascript ? Yes, as the author explains, modern Javascript engines are not so slow anymore, and in addition HTML 5 brings a new “feature” with webworkers which allow the browser to run Javascript in the background (e.g without waiting on the page [...]

Posted 18 December 2010 § Cracking § Security Comments (0) ° Tagged: , , , ,

Yet OpenSSL renegociation not fully fixed

How the hell is it possible that after so many months, the fix for OpenSSL renegociation has not been yet included in either Chrome (6.0.4) or Opera (10.61)? I haven’t tested other browsers though, except Firefox which at least has fixed the issue since several months.

Posted 16 October 2010 § Admin § Linux § Security § System Comments (0) ° Tagged: , , , ,

Beware of source code (even from your favorite portal/forum/…)

The other day I stumbed upon a weired piece of software on howtoforge.com : dns-add (code on sourceforge.net). Actually, the purpose of dns-add was very intriguing : update your DNS in one command ! The output should look like this: Who would need it these days where all distros include tools and script to update [...]

Posted 24 April 2010 § Admin § Linux § Malware forensics § openSUSE § Security Comments (4) ° Tagged: , , , , , , , ,

Updates on OpenSSL CVE-2009-3555 (client renegociation)

So there are some news from the front of OpenSSL CVE-2009-3555 (see this and this for the history). Now the latest version of Apache mod_ssl (2.2) embeds an option to reactivate old way client renegociation : Check the official doc for more details. With this option activated, you can now safely upgrade openSSL and mod_ssl [...]

Posted 05 April 2010 § Admin § Linux § openSUSE § Security § System § Web Comments (3) ° Tagged: , , , , ,

Possible use of SSL rogue certificates for spying purposes

Recent work of security researchers on SSL MiTM attacks have shown how fragile the whole Internet security design could be. But whereas some of these attacks concerns CA with insufficient security policies (md5 collisions) or some level of social engineering against the user (sslsniff), this paper alerts us on a more serious and stealth threat. [...]

Posted 04 April 2010 § Security § Web Comments (0) ° Tagged: , , ,

SSL/TLS RFC updated against CVE-2009-3555

A solution has been finally brought up to fix CVE-2009-3555 and the temporary solution that broke client authentication. At least, the IETF agreed on a fix as Marsh Ray informs us, though it will still take some weeks for the whole validation process to complete. Moreover, as it requires both the servers and the clients [...]

Posted 09 January 2010 § Admin § Linux § openSUSE § Security § System § Web Comments (0) ° Tagged: , , , , ,

OpenSSL : CVE-2009-3555 security fix and mod_ssl client authentication breakage

A security advisory on OpenSSL has recently been published. Details are there and there. It is vulnerable to a MiTM attack where the attacker can intercept and retrieve the credential to a trusted HTTPS website, by intercepting the session cookie sent back to the client. A proof of concept of an attack against Twitter was [...]

Posted 28 November 2009 § Admin § Linux § openSUSE § Security § System § Web Comments (2) ° Tagged: , , , , , ,