TLS Archives

Home » TLS

Why hiding your SSID makes your security worse

Dave Farquhar security January 6, 2016May 10, 2017AES, antenna, SSID, SSL, TLS

I got a couple of questions about my recommended DD-WRT settings, but I’m going to start with the question about why not to hide the SSID. It actually turns out that hiding your SSID is bad for you, and makes your security worse. I’ll explain.

Dave Farquhar

David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.

dfarq.homeip.net

What the NSA can crack, and how to protect against it

Dave Farquhar security October 20, 2015November 27, 2018AES, leaks, NSA, SSL, TLS

Ever since the Snowden leaks, there’s been considerable speculation about what cryptography the NSA could break, and why. Finally, there’s a study that goes into deep detail about what it is the NSA probably can break, and why, plus how to protect against it.

Dave Farquhar

dfarq.homeip.net

Worried about the wrong things? It’s always the wrong thing.

Dave Farquhar War Stories May 6, 2015May 2, 20151990s, DBA, Information Assurance, internet providers, passwords, Patch Tuesday, SSL, TLS

Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old but it’s an important point. Security is a moving target. It’s always a moving target.

I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.

Dave Farquhar

dfarq.homeip.net

How to use the lock in your web browser’s location bar

Dave Farquhar security February 23, 2015May 31, 20151990s, AES, chrome, cissp, demonstration, lenovo, Missouri, SSL, TLS, yahoo

A commenter asked me last week if I really believe the lock in a web browser means something.

I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.

So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.

Dave Farquhar

dfarq.homeip.net

What is Winshock?

Dave Farquhar security, Windows December 3, 2014December 2, 2014antivirus, code execution, excel, IBM, ips, Patch Tuesday, SSL, symantec, TLS, vulnerability, windows 7, windows 8, windows 9x, windows nt, Windows Server, Windows XP

So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.

Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”

Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.

Dave Farquhar

dfarq.homeip.net

More encryption = more safety

Dave Farquhar security November 24, 2014November 23, 2014cisco, NSA, SSL, TLS

Mozilla, Akamai, Cisco, the EFF, and Identrust are teaming up for Let’s Encrypt, an effort to make SSL encryption free and easy.

This is important, because it means mundane stuff will get encrypted. When SSL/TLS traffic are no longer flagged as special, security will increase. Read more

Dave Farquhar

dfarq.homeip.net