TLS Archives - The Silicon Underground

Home » TLS

Why hiding your SSID makes your security worse

Dave Farquhar security January 6, 2016May 10, 2017AES, antenna, good security, Kali Linux, linux, Password, phone, SSID, SSL, tablet, TLS, wifi, wireless, wpa2, WRT

I got a couple of questions about my recommended DD-WRT settings, but I’m going to start with the question about why not to hide the SSID. It actually turns out that hiding your SSID is bad for you, and makes your security worse. I’ll explain.

What the NSA can crack, and how to protect against it

Dave Farquhar security October 20, 2015December 1, 2015AES, Cryptography, hard drives, leaks, NSA, RSA, Russia, SSL, TLS

Ever since the Snowden leaks, there’s been considerable speculation about what cryptography the NSA could break, and why. Finally, there’s a study that goes into deep detail about what it is the NSA probably can break, and why, plus how to protect against it.

Worried about the wrong things? It’s always the wrong thing.

Dave Farquhar War Stories May 6, 2015May 2, 20151990s, Air Force, budget, Credit card, databases, DBA, Guy Wright, Information Assurance, internet providers, ISP, Password, passwords, Patch Tuesday, PC, phone, router, security issues, SSL, TLS

Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old but it’s an important point. Security is a moving target. It’s always a moving target.

I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.

How to use the lock in your web browser’s location bar

Dave Farquhar security February 23, 2015May 31, 20151990s, AES, chrome, cissp, Cryptography, demonstration, encryption, google, lenovo, microsoft, Missouri, Password, RSA, server, servers, SSL, TLS, web browser, web server, yahoo

A commenter asked me last week if I really believe the lock in a web browser means something.

I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.

So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.

What is Winshock?

Dave Farquhar security, Windows December 3, 2014December 2, 2014Active Directory, antivirus, code execution, EMET, encryption, excel, exec, execution, Exploit, IBM, ips, microsoft, migration, Patch Tuesday, server, servers, SSL, symantec, TLS, video, vulnerability, windows 7, windows 8, windows 9x, windows nt, Windows Server, Windows XP

So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.

Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”

Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.

More encryption = more safety

Dave Farquhar security November 24, 2014November 23, 2014cisco, EFF, encryption, NSA, SSL, TLS

Mozilla, Akamai, Cisco, the EFF, and Identrust are teaming up for Let’s Encrypt, an effort to make SSL encryption free and easy.

This is important, because it means mundane stuff will get encrypted. When SSL/TLS traffic are no longer flagged as special, security will increase. Read more