Security

Security related information

Oct 20 2019

DNS over HTTPS (and all its friends & relations)

Due to pervasive unpreparedness of users, applications, operating systems, and protocols, DNS has become an essential control point for “cyber” security. Most networks have a mix of legacy, modern, safe, and unsafe devices attached to them, and this condition won’t change as quickly as the Beyondcorp initiative might suggest. However, DNS is also an important control point for authoritarian regimes, and so “bypass” innovation is continuous, rapid, and ambitious. Here, Dr. Vixie pays special attention to the “bypass” innovation called “DNS over HTTP” or “DoH” protocol, now being strongly pushed by Mozilla, Cloudflare, and others, and outlines its problems and risks. In addition, a brief mention is made of IRTF Resolverless DNS.

Source: vBSDcon – Paul Vixie

By ,

Sep 25 2019

Centralised DoH is bad for privacy

I came across an article on DoH (DNS over HTTPS), below a small part of the article. Please read the whole blog entry.

DoH

Recapping what DoH does

DNS is currently typically provided by the operator of a network, which could be your Internet Service Provider, your phone company, your employer or your proverbially evil coffee-shop WiFi.

DNS provided this way is never encrypted. Anyone observing your network traffic can see which DNS look-ups are made. A more capable person could also inject fake answers, potentially rerouting your traffic.

DNS over HTTPS meanwhile encrypts DNS queries going over the network, which means that no one between you and the DoH server can see your DNS queries or modify the DNS responses.

Crucially, in both plain DNS and DoH, the operator of the DNS server can see, sell, block and modify your DNS data. It is only the people in between that get locked out.
DNS & Metadata Privacy

DNS privacy matters. Or more in general, knowing what sites you visit matters: your traffic metadata. A complete listing of sites (and servers) contacted will reveal where you work, live, study, what your hobbies are, what equipment/devices you own, what sports teams you follow, which health care providers you frequent, what brand of car you (want to) own & likely your sexual preferences.

Many governments will also be very interested in who communicates with political parties or organizations they don’t like.

Restricting and choosing who can see the meta-data of what sites you visit is therefore very worthwhile.

Source: PowerDNS blog

By , • Tags:

Apr 20 2016

Time for change

Finally Checkpoint changed the way how objects are stored with the R80 release. This release is only running management, wonder when the gateways will be available.

CP-R80-GAIA-Login

Installed this version in a VMware ESXi 5.5 environment with not problems, at the moment it is running with 3Gb of memory at that is not enough. The swap is already used for 35% and it is only running the Gaia portal, management – and log server no active connections from Smart Console users or logging from gateways.

Check Point R80 release notes.

By

May 21 2015

The Logjam Attack

https-security-attackLoglam Attack.

Well-known cryptography professor Matthew Green has discovered a new SSL vulnarability.

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed:

  • Logjam (CVE-2015-4000) Attack against the TLS Protocol. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.
  • Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.

Source: WeakDH

By • Tags: , ,

1 2 3 4 5