Tag Archives: key

AWS PrivateLink

AWS 計畫把先前設計的 VPC Endpoint 都併到 AWS PrivateLink 裡,統一管理:「New – AWS PrivateLink for AWS Services: Kinesis, Service Catalog, EC2 Systems Manager, Amazon EC2 APIs, and ELB APIs in your VPC」。 Today we are announcing AWS PrivateLink, the newest generation of VPC … Continue reading

Posted in AWS, Cloud, Computer, Murmuring, Network, Security, Service|Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , |Leave a comment

下一代的 Tor Hidden Service

Tor 公佈了下一代的 Hidden Service (Onion Service):「Tor's Fall Harvest: the Next Generation of Onion Services」。 三年前 Facebook 自己暴力算出 facebookcorewwwi.onion 這個很特別的名字 (參考「Facebook 證明 Tor 的 Hidden Service 不安全」),這陣子連紐約時報也能暴力算出 nytimes3xbfgragh.onion 這個好名字 (參考「紐約時報網站上 Tor 的 Hidden Service (i.e. Tor Onion Service)」,這讓只有 16 chars 的 … Continue reading

Posted in Computer, DNS, Murmuring, Network, P2P, Privacy, Security, Service, Software, WWW|Tagged , , , , , , , , , , , , , , |Leave a comment

The DUHK Attack:因為亂數產生器的問題而造成的安全漏洞

在 Bruce Schneier 那邊看到的:「Attack on Old ANSI Random Number Generator」,攻擊的網站在「The DUHK Attack」,論文在「Practical state recovery attacks against legacy RNG implementations (PDF)」。 攻擊的對象是 ANSI X9.31 Random Number Generator: DUHK (Don't Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI … Continue reading

Posted in Computer, Murmuring, Network, Privacy, Security|Tagged , , , , , , , , , , , , , , , |Leave a comment

Let's Encrypt 的 Embed SCT 支援

翻到 Let's Encrypt 的 Upcoming Features 時看到: Embed SCT receipts in certificates ETA: February, 2018 對 Embed SCT 不熟,所以查了查這個功能。 這指的是在簽發 SSL certficiate 後,把資料丟給 Certificate Transparency (CT) 伺服器後,伺服器會提供 signed certificate timestamp (SCT);而這個資料放到 SSL certificate 內叫做 Embed SCT:(出自 CT 的 FAQ) What … Continue reading

Posted in Browser, Computer, DNS, GoogleChrome, Murmuring, Network, Privacy, Security, Service, Software, WWW|Tagged , , , , , , , , , , , , , , , , , , , |Leave a comment

Amazon Aurora (MySQL) 推出的 Asynchronous Key Prefetch

Amazon Aurora (MySQL) 推出新的效能改善,可以改善 JOIN 時的效能:「Amazon Aurora (MySQL) Speeds Join Queries by More than 10x with Asynchronous Key Prefetch」。 看起來像是某個情況的 optimization,將可能的 random access 換成 sequential access 而得到大量的效能: This feature applies to queries that require use of the Batched Key Access … Continue reading

Posted in AWS, Cloud, Computer, Database, Murmuring, MySQL, Network, Software|Tagged , , , , , , , , , , , , , , , , , , , , , , |Leave a comment

Chromium 內提案移除 HPKP (HTTP Public Key Pinning)

Twitter 上看到這則 tweet,提到要移除 HPKP (HTTP Public Key Pinning): Intent To Deprecate And Remove: Public Key Pinning (in Chromium) https://t.co/agS3fll7eR — Adam Langley (@agl__) October 27, 2017 blink-dev 上的討論可以參考「Intent To Deprecate And Remove: Public Key Pinning」(就是上面那個連結,只是拉出來)。 這個提案大概可以推敲出理由... 目前的作法必須寫進瀏覽器內,這樣明顯會有 scale 問題,而且這個作法本身就很 workaround,只能保護所謂「高價值」的 … Continue reading

Posted in Browser, Computer, DNS, GoogleChrome, Network, Security, Software, WWW|Tagged , , , , , , , , , , , , , , , , , , , |2 Comments

WPA2 安全漏洞

話說 WPA2 也撐了十三年了: WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard. 這次的漏洞可以參考「Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping」這邊。 PoC 稱作 KRACK (Key Reinstallation Attacks),漏洞將會在十一月正式發表,從會議的標題名稱大概可以知道方向,是對 Nonce … Continue reading

Posted in Computer, Murmuring, Network, Privacy, Security, VPN|Tagged , , , , , , , , , , , , , , |Leave a comment

U2F Security Key 產品測試?

Adam Langley 的「Testing Security Keys」這篇測試了不少有支援 U2F Security Key 的產品,這邊作者是以 Linux 環境測試。 tl;dr:在 Linux 環境下,除了 Yubico 的產品沒問題外,其他的都有問題... (只是差在問題多與少而已) Yubico 的沒找到問題: Easy one first: I can find no flaws in Yubico's U2F Security Key. VASCO SecureClick 的則是 vendor ID 與 product ID … Continue reading

Posted in Computer, Hardware, Murmuring, Network, Privacy, Security|Tagged , , , , , , , , , , , , , , , |Leave a comment

Cloudflare 新推出的 Geo Key Manager

Cloudflare 對新推出的 Geo Key Manager 寫了兩篇文章說明:「Introducing the Cloudflare Geo Key Manager」、「Geo Key Manager: How It Works」。 這個服務是之前推出的 Keyless SSL 的延伸應用。 Keyless SSL 是將 Private Key 放在自己家,透過加密協定讓 Cloudflare 使用 (有點像是 HSM 的概念,也就是 Hardware security module,不讓應用的人存取到 Private Key)。這次推出的 Geo Key Manager 則是取中間值,希望針對效率與 … Continue reading

Posted in CDN, Cloud, Computer, Murmuring, Network, Political, Privacy, Security, WWW|Tagged , , , , , , , , , , , , |Leave a comment

Adobe Security Team 直接把 Private Key 貼到網誌上面...

Security Team 出這種包...:「In spectacular fail, Adobe security team posts private PGP key on blog」。 Oh shit Adobe pic.twitter.com/7rDL3LWVVz — Juho Nurminen (@jupenur) September 22, 2017 Adobe 這次的事情要怎麼說呢,hmmm...

Posted in Blog, Computer, Murmuring, Network, Privacy, Security|Tagged , , , , , , , , |Leave a comment