Recent Comments
- s25g5d4 on Mozilla 的提案「HTTP Immutable Responses」
- EC2 與 EBS 十月開始以秒計費 | Gea-Suan Lin's BLOG on AWS CodeDeploy 支援 BlueGreenDeployment
- Google Chrome 將 .dev 設為 HSTS Preload 名單 | Gea-Suan Lin's BLOG on 在 Google Chrome 連上因 HSTS 而無法連線的網站
- Isaac Kwan on Google Chrome 對 Symantec 全系列憑證的不信任計畫
- Matt Mullenweg 決定對 React 的專利議題投下反對票 | Gea-Suan Lin's BLOG on React 的專利授權議題
Archives
- September 2017 (36)
- August 2017 (37)
- July 2017 (41)
- June 2017 (37)
- May 2017 (59)
- April 2017 (55)
- March 2017 (55)
- February 2017 (35)
- January 2017 (42)
- December 2016 (48)
- November 2016 (32)
- October 2016 (35)
- September 2016 (78)
- August 2016 (69)
- July 2016 (19)
- June 2016 (42)
- May 2016 (61)
- April 2016 (51)
- March 2016 (74)
- February 2016 (87)
- January 2016 (31)
- December 2015 (36)
- November 2015 (61)
- October 2015 (72)
- September 2015 (53)
- August 2015 (42)
- July 2015 (38)
- June 2015 (30)
- May 2015 (18)
- April 2015 (57)
- March 2015 (41)
- February 2015 (50)
- January 2015 (35)
- December 2014 (50)
- November 2014 (56)
- October 2014 (41)
- September 2014 (37)
- August 2014 (37)
- July 2014 (28)
- June 2014 (50)
- May 2014 (32)
- April 2014 (46)
- March 2014 (38)
- February 2014 (29)
- January 2014 (52)
- December 2013 (50)
- November 2013 (45)
- October 2013 (40)
- September 2013 (48)
- August 2013 (22)
- July 2013 (25)
- June 2013 (13)
- May 2013 (16)
- April 2013 (28)
- March 2013 (37)
- February 2013 (36)
- January 2013 (57)
- December 2012 (44)
- November 2012 (10)
- October 2012 (12)
- September 2012 (21)
- August 2012 (21)
- July 2012 (25)
- June 2012 (8)
- May 2012 (10)
- April 2012 (11)
- March 2012 (10)
- February 2012 (11)
- January 2012 (5)
- December 2011 (13)
- November 2011 (12)
- October 2011 (10)
- September 2011 (7)
- August 2011 (5)
- July 2011 (11)
- June 2011 (21)
- May 2011 (22)
- April 2011 (36)
- March 2011 (43)
- February 2011 (23)
- January 2011 (24)
- December 2010 (34)
- November 2010 (19)
- October 2010 (16)
- September 2010 (15)
- August 2010 (10)
- July 2010 (12)
- June 2010 (3)
- May 2010 (3)
- April 2010 (4)
- March 2010 (8)
- February 2010 (14)
- January 2010 (13)
- December 2009 (16)
- November 2009 (28)
- October 2009 (24)
- September 2009 (12)
- August 2009 (7)
- July 2009 (10)
- June 2009 (11)
- May 2009 (22)
- April 2009 (21)
- March 2009 (18)
- February 2009 (7)
- January 2009 (32)
- December 2008 (19)
- November 2008 (12)
- October 2008 (15)
- September 2008 (14)
- August 2008 (15)
- July 2008 (18)
- June 2008 (20)
- May 2008 (19)
- April 2008 (27)
- March 2008 (22)
- February 2008 (21)
- January 2008 (15)
- December 2007 (22)
- November 2007 (17)
- October 2007 (29)
- September 2007 (31)
- August 2007 (34)
- July 2007 (31)
- June 2007 (36)
- May 2007 (23)
- April 2007 (22)
- March 2007 (30)
- February 2007 (50)
- January 2007 (75)
- December 2006 (48)
- November 2006 (59)
- October 2006 (89)
- September 2006 (29)
- August 2006 (48)
- July 2006 (14)
- June 2006 (35)
- May 2006 (62)
- April 2006 (63)
- March 2006 (72)
- February 2006 (83)
- January 2006 (56)
- December 2005 (46)
- November 2005 (60)
- October 2005 (27)
- September 2005 (54)
- August 2005 (83)
Tags
Categories
- Anime (29)
- AWS (439)
- BBS (22)
- Blog (250)
- Book (31)
- Bridge (1)
- Browser (530)
- Cassandra (2)
- CDN (186)
- Cloud (587)
- CMS (58)
- Comic (19)
- Computer (4,507)
- Computer and Network Center (33)
- CSS (71)
- Database (423)
- DNS (132)
- Editor (26)
- Financial (89)
- Firefox (233)
- Food (14)
- FreeBSD (139)
- FTP (3)
- Game (63)
- GCP (8)
- Go (2)
- GoogleChrome (168)
- Hardware (386)
- IE (98)
- Joke (159)
- Lab (4)
- Library (7)
- Linux (175)
- MacOS (31)
- Mail (120)
- MariaDB (19)
- Movie (35)
- Murmuring (4,648)
- Music (49)
- MySQL (297)
- NCTU (65)
- NetBSD (7)
- Network (3,289)
- OpenBSD (8)
- Opera (26)
- OS (392)
- P2P (132)
- Photo (72)
- Political (124)
- PostgreSQL (41)
- Privacy (12)
- Programming (783)
- Recreation (536)
- RSS (79)
- Safari (38)
- Science (102)
- Search Engine (181)
- Security (1,061)
- Service (63)
- SMS (10)
- Social (220)
- Software (2,378)
- Spam (108)
- Sport (10)
- Telephone (118)
- Television (62)
- Usenet (15)
- Vim (14)
- VPN (19)
- Wiki (48)
- Windows (74)
- WWW (1,638)
Blogroll
Meta
Tag Archives: cipher
nginx 記錄 TLS 連線資訊
想要在 nginx 的 access log 裡面記錄使用者在 HTTPS 連線使用的 TLS protocol 與 cipher。 在「How can I let nginx log the used SSL/TLS protocol and ciphersuite?」這邊有提到方向是 $ssl_protocol 與 $ssl_cipher (出自「Module ngx_http_ssl_module」內的 Embedded Variables 章節)。 他的方式是在前面就插入 protocol,但我希望前面的欄位保持不變,把 protocol & cipher 放到後面,所以我就加了一個 /etc/nginx/conf.d/combined_ssl.conf (這邊我用 … Continue reading
OpenSSL 1.1.1 將支援 TLS 1.3
OpenSSL 的文章「Using TLS1.3 With OpenSSL」提到了: The forthcoming OpenSSL 1.1.1 release will include support for TLSv1.3. 另外也提到了 TLS 1.3 的標準是 blocker,在 TLS 1.3 沒出來前不會出 OpenSSL 1.1.1: OpenSSL 1.1.1 will not be released until (at least) TLSv1.3 is finalised. OpenSSL 實做的 TLS … Continue reading
OpenSSL 1.1.0
看到「OpenSSL 1.1.0 released」這篇得知大家期待已久的 OpenSSL 1.1.0 出了,在 1.1.0 的重要新功能中,對 ChaCha20 + Poly1305 的支援算是大家等很久的: Support for ChaCha20 and Poly1305 added to libcrypto and libssl 由於 RC4 已經被證明不安全,OpenSSL 內變成沒有堪用的 stream cipher,這邊總算要補上來了... 另外兩個也頗有趣的: Support for scrypt algorithm Support for X25519 多了些東西...
SWEET32:攻 Blowfish 與 3DES
最新的攻擊算是實戰類的攻擊,理論基礎以前都已經知道了,只是沒有人實際「完成」。算是近期少數直接對演算法的攻擊,而這些演算法剛好還是被用在 TLS 與 OpenVPN 上,所以嚴重性比較高:「SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN」。 攻擊的條件是 block cipher 的 block size,而非 key length,所以就算是 256 bits 的 Blowfish 也一樣也受到影響。 這次順利打下 Blowfish 與 3DES。這兩個 cipher 的 block size 都是 64 bits,所以對於 birthday … Continue reading
在 SSL Labs 上拿到 Perfect Score (完全滿分的 A+)
在「Achieving a Perfect SSL Labs Score with Go」這邊提到要如何在 Go 上面達到 SSL Labs 上 SSL Server Test 的 Perfect Score (完全滿分的 A+),但其實裡面大多數的東西都應該適用於其他地方。 其中 Cipher Strength 這邊讓人非常意外的是,只有在關閉 HTTP/2 的情況下才有可能達到 100%,因為 HTTP/2 規定強制要支援 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,而這是 128bits cipher,會導致無法達到 100%: No HTTP/2 for you! - HTTP/2 … Continue reading
OpenSSL 1.1.0 的 Release Notes 先放出來了 (現在是 Beta 1)
雖然才 Beta 1,但 OpenSSL 先放出 1.1.0 的 Release Notes 了:「OpenSSL 1.1.0 Series Release Notes」。 有幾個新的功能以及重大的改變,包括了對 ChaCha20 與 Poly1305 的支援,並且把 SSLv2、RC4、所有 40bits 與 56bits 的 cipher 拔掉,然後支援 Certificate Transparency。 讓人頗期待... 不知道來不來得及跟上 Ubuntu 16.04?
新的 RC4 攻擊:實戰化
在 Twitter 上看到對 RC4 的新攻擊,可以直接攻擊 TLS 與 WPA-TKIP,沒有 workaround:「All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS」。 對 TKIP 可以在一個小時內打下來: In practice the attack can be executed within an hour. 對於 TLS 則是 75 個小時有 94% 成功率,實際測試時只用了 … Continue reading
CloudFlare 對 Go 上面加解密系統的改善
CloudFlare 發佈了自己版本的 Go,修改了其中的 crypto subsystem:「Go crypto: bridging the performance gap」。 文章花了不少篇幅介紹 AEAD (Authenticated Encryption with Associated Data),而目前 CloudFlare 支援的是 AES-GCM 與 ChaCha20-Poly1305,也是兩大主流,分別佔了 60% 與 10% 的 HTTPS 流量: As such today more than 60% of our client facing traffic is … Continue reading
SSL Labs 對 RC4 的退役計畫
SSL Labs 的「SSL Server Test」是個經常被拿來檢測 SSL/TLS 相關設定的服務。 這兩天公佈了對 RC4 的退役計畫:「SSL Labs RC4 Deprecation Plan」。 分成兩個階段進行。 第一個階段會在五月啟用,對於因為需要支援舊的 client 而針對 SSLv3/TLSv1 + RC4 組合的,會給予 B 評價。而全面支援 RC4 的 (包括 TLSv1.1+) 則會給予 C 評價。 到了第二階段 (暫定九月),全面支援 RC4 的將會給予最低的 F 評價。
再度改善對 RC4 的攻擊效率...
在「RC4 must die」這個網站寫的真直接,正式標題是「Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS」。 可以在 226 次嘗試取得 TLS 裡傳輸的 password,相較於之前的 234 低了非常多。另外論文裡也說明了他們成功實作 PoC,取得 IMAP (TLS) 與 HTTP Basic Auth (TLS) 的密碼部份。 不過 RC4 的使用率比想像中高好多 (出自 ICSI Certificate Notary project 的「Connection Cipher … Continue reading