Recent Comments
Archives
- June 2017 (34)
- May 2017 (59)
- April 2017 (55)
- March 2017 (55)
- February 2017 (35)
- January 2017 (42)
- December 2016 (48)
- November 2016 (32)
- October 2016 (35)
- September 2016 (78)
- August 2016 (69)
- July 2016 (19)
- June 2016 (42)
- May 2016 (61)
- April 2016 (51)
- March 2016 (74)
- February 2016 (87)
- January 2016 (31)
- December 2015 (36)
- November 2015 (61)
- October 2015 (72)
- September 2015 (53)
- August 2015 (42)
- July 2015 (38)
- June 2015 (30)
- May 2015 (18)
- April 2015 (57)
- March 2015 (41)
- February 2015 (50)
- January 2015 (35)
- December 2014 (50)
- November 2014 (56)
- October 2014 (41)
- September 2014 (37)
- August 2014 (37)
- July 2014 (28)
- June 2014 (50)
- May 2014 (32)
- April 2014 (46)
- March 2014 (38)
- February 2014 (29)
- January 2014 (52)
- December 2013 (50)
- November 2013 (45)
- October 2013 (40)
- September 2013 (48)
- August 2013 (22)
- July 2013 (25)
- June 2013 (13)
- May 2013 (16)
- April 2013 (28)
- March 2013 (37)
- February 2013 (36)
- January 2013 (57)
- December 2012 (44)
- November 2012 (10)
- October 2012 (12)
- September 2012 (21)
- August 2012 (21)
- July 2012 (25)
- June 2012 (8)
- May 2012 (10)
- April 2012 (11)
- March 2012 (10)
- February 2012 (11)
- January 2012 (5)
- December 2011 (13)
- November 2011 (12)
- October 2011 (10)
- September 2011 (7)
- August 2011 (5)
- July 2011 (11)
- June 2011 (21)
- May 2011 (22)
- April 2011 (36)
- March 2011 (43)
- February 2011 (23)
- January 2011 (24)
- December 2010 (34)
- November 2010 (19)
- October 2010 (16)
- September 2010 (15)
- August 2010 (10)
- July 2010 (12)
- June 2010 (3)
- May 2010 (3)
- April 2010 (4)
- March 2010 (8)
- February 2010 (14)
- January 2010 (13)
- December 2009 (16)
- November 2009 (28)
- October 2009 (24)
- September 2009 (12)
- August 2009 (7)
- July 2009 (10)
- June 2009 (11)
- May 2009 (22)
- April 2009 (21)
- March 2009 (18)
- February 2009 (7)
- January 2009 (32)
- December 2008 (19)
- November 2008 (12)
- October 2008 (15)
- September 2008 (14)
- August 2008 (15)
- July 2008 (18)
- June 2008 (20)
- May 2008 (19)
- April 2008 (27)
- March 2008 (22)
- February 2008 (21)
- January 2008 (15)
- December 2007 (22)
- November 2007 (17)
- October 2007 (29)
- September 2007 (31)
- August 2007 (34)
- July 2007 (31)
- June 2007 (36)
- May 2007 (23)
- April 2007 (22)
- March 2007 (30)
- February 2007 (50)
- January 2007 (75)
- December 2006 (48)
- November 2006 (59)
- October 2006 (89)
- September 2006 (29)
- August 2006 (48)
- July 2006 (14)
- June 2006 (35)
- May 2006 (62)
- April 2006 (63)
- March 2006 (72)
- February 2006 (83)
- January 2006 (56)
- December 2005 (46)
- November 2005 (60)
- October 2005 (27)
- September 2005 (54)
- August 2005 (83)
Tags
Categories
- Anime (29)
- AWS (409)
- BBS (22)
- Blog (248)
- Book (31)
- Bridge (1)
- Browser (521)
- Cassandra (2)
- CDN (180)
- Cloud (551)
- CMS (58)
- Comic (19)
- Computer (4,394)
- Computer and Network Center (33)
- CSS (67)
- Database (415)
- DNS (124)
- Editor (24)
- Financial (88)
- Firefox (230)
- Food (14)
- FreeBSD (139)
- FTP (3)
- Game (60)
- GCP (4)
- Go (1)
- GoogleChrome (162)
- Hardware (379)
- IE (96)
- Joke (159)
- Lab (4)
- Library (2)
- Linux (171)
- MacOS (30)
- Mail (118)
- MariaDB (19)
- Movie (35)
- Murmuring (4,531)
- Music (49)
- MySQL (292)
- NCTU (65)
- NetBSD (7)
- Network (3,209)
- OpenBSD (8)
- Opera (26)
- OS (387)
- P2P (131)
- Photo (72)
- Political (123)
- PostgreSQL (41)
- Privacy (2)
- Programming (754)
- Recreation (533)
- RSS (78)
- Safari (38)
- Science (95)
- Search Engine (180)
- Security (1,028)
- Service (24)
- SMS (10)
- Social (210)
- Software (2,325)
- Spam (107)
- Sport (10)
- Telephone (115)
- Television (62)
- Usenet (14)
- Vim (13)
- VPN (17)
- Wiki (48)
- Windows (74)
- WWW (1,607)
Blogroll
Meta
Category Archives: Security
最近 OpenVPN 的安全性漏洞...
看到「The OpenVPN post-audit bug bonanza」這個只有苦笑啊... 作者在 OpenVPN 經過一連串的安全加強後 (包括 harden 計畫與兩個外部單位的程式碼稽核找到不少問題),決定出手挖看看: After a hardening of the OpenVPN code (as commissioned by the Dutch intelligence service AIVD) and two recent audits 1 2, I thought it was now time for some … Continue reading
Google 推的 BeyondCorp
Google 在推的 BeyondCorp 發了一篇介紹出來:「How to use BeyondCorp to ditch your VPN, improve security and go to the cloud」。 裡面有提到幾篇研究: BeyondCorp: A New Approach to Enterprise Security BeyondCorp: Design to Deployment at Google Beyond Corp: The Access Proxy 在文章開頭處有提到 BeyondCorp 的想法是「zero-trust … Continue reading
Posted in Computer, Murmuring, Network, Security
Tagged beyondcorp, google, network, security, vpn
Leave a comment
重設密碼 + Social Engineering
在「The password reset MitM attack」這邊看到 PRMitM (Password Reset Man-in-the-Middle) 這樣的攻擊,原始論文在「The Password Reset MitM Attack」這邊可以取得。 用圖說明基本版的攻擊方式: 另外列出了各大站台的狀態: 以及各家簡訊的文字,可以發現不是每一家都有把產品的名稱寫上去: 這方法好有趣啊... XD
AWS WAF 支援速率限制了
AWS WAF 宣佈支援 Rate-based 條件了,不過目前只支援五分鐘為單位的限制:「Protect Web Sites & Services Using Rate-Based Rules for AWS WAF」。 算是還不錯的功能,雖然目前稍微陽春一點...
把自己的 Blog 丟上 CloudFront
因為 CloudFront 也支援 HTTP/2 了,對於效能的衝擊應該小不少。另外當初希望多用點 IPv6,CloudFront 也支援了。最後看了一下自己的流量,每個禮拜大約 380MB 與 210K requests,也還能接受。 就把自己的 blog 再次丟上 CloudFront 玩看看,不過這次只上了 Price Class 100 (只有歐美與加拿大)。之後也許來玩看看 AWS WAF,不過開起來應該就跟 CloudFront 費用差不多了?XD 先來看看效果以及有沒有 bug 吧...
nginx 記錄 TLS 連線資訊
想要在 nginx 的 access log 裡面記錄使用者在 HTTPS 連線使用的 TLS protocol 與 cipher。 在「How can I let nginx log the used SSL/TLS protocol and ciphersuite?」這邊有提到方向是 $ssl_protocol 與 $ssl_cipher (出自「Module ngx_http_ssl_module」內的 Embedded Variables 章節)。 他的方式是在前面就插入 protocol,但我希望前面的欄位保持不變,把 protocol & cipher 放到後面,所以我就加了一個 /etc/nginx/conf.d/combined_ssl.conf (這邊我用 … Continue reading
Web Cache Deception Attack
在「How (Not) to Control Your CDN」這邊看到了「Web Cache Deception Attack」這個攻擊方式。 攻擊的手法是利用網站會把 /user/personal-info/foo.css 與 /user/personal-info 視為一樣的內容時,配合 CDN 或是 reverse proxy server 會把 .css 設定無差異 cache 時,就可以在 cache server (cache edge) 取得使用者的敏感資料。 這主要是 url routing 的條件放太寬造成的。 另外 Mark Nottingham 還建議 cache 應該在 origin … Continue reading