Simon Willison’s Weblog


9 items tagged “ssl”

2018

Over the last twenty years, publishing systems for content on [BBC] News pages have come and gone, having been replaced or made obsolete. Although newer content is published through dynamic web applications that can be readily modified, what lies beneath this sometimes resembles layers of sedimentary rock.

James Donohue # 6th July 2018, 11:02 pm

Protecting Against HSTS Abuse (via) Any web feature that can be used to persist information will eventually be used to build super-cookies. In this case it’s HSTS—a web feature that lets a site tell browsers “in the future always load this domain over HTTPS, even if the request specified HTTP”. The WebKit team caught this being exploited in the wild: a tracker encoded a user identifier in binary across 32 separate subdomains, setting HSTS only on the subdomains for the bits that were 1, then read it back on later visits by requesting all 32 over plain HTTP and noting which requests the browser upgraded to HTTPS. They have a couple of mitigations in place now—I expect other browser vendors will follow suit. # 19th March 2018, 10:21 pm
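The write-and-read-back trick, as an added example (this is not code from the WebKit post or from this weblog). Everything in it is a model: the tracker domain tracker.example and its 32 hosts b00..b31.tracker.example are hypothetical, and the Browser class is a minimal HSTS store rather than a real browser. The ignore_third_party_hsts flag models one of WebKit's mitigations, not consulting stored HSTS state when upgrading subresource loads from a tracking domain; how a real browser decides which domains count as trackers is outside the model.

```python
"""Model of an HSTS super-cookie: a 32-bit identifier written into, and read
back from, a browser's HSTS store via 32 subdomains.

Added example; not code from the WebKit post or from this weblog. The tracker
domain, its hosts and the Browser class are all hypothetical models.
"""

TRACKER = "tracker.example"   # hypothetical tracking domain
BITS = 32


def bit_host(i):
    """Hostname carrying bit i of the identifier, e.g. b05.tracker.example."""
    return f"b{i:02d}.{TRACKER}"


class Browser:
    """Minimal model of a browser's HSTS store.

    ignore_third_party_hsts models the mitigation of not consulting stored
    HSTS state when upgrading subresource loads from a tracking domain.
    """

    def __init__(self, ignore_third_party_hsts=False):
        self.hsts = set()
        self.ignore_third_party_hsts = ignore_third_party_hsts

    def load_subresource(self, scheme, host, server):
        """Fetch scheme://host/pixel as a third-party subresource of some page.

        Returns the scheme the request was actually sent with."""
        if host in self.hsts and not self.ignore_third_party_hsts:
            scheme = "https"                      # the HSTS upgrade
        headers = server.serve(scheme, host)
        if scheme == "https" and "Strict-Transport-Security" in headers:
            self.hsts.add(host)                   # HSTS is only honoured over HTTPS
        return scheme


class TrackerServer:
    """The tracker's origin: answers pixel requests and records each scheme."""

    def __init__(self):
        self.seen = {}

    def serve(self, scheme, host):
        self.seen[host] = scheme
        headers = {}
        if scheme == "https":
            headers["Strict-Transport-Security"] = "max-age=31536000"
        return headers

    def write_identifier(self, browser, uid):
        """Setup page: load an https pixel from the host of every 1 bit."""
        for i in range(BITS):
            if (uid >> i) & 1:
                browser.load_subresource("https", bit_host(i), self)

    def read_identifier(self, browser):
        """Any later page: load all 32 pixels over http; upgraded ones are 1 bits."""
        uid = 0
        for i in range(BITS):
            if browser.load_subresource("http", bit_host(i), self) == "https":
                uid |= 1 << i
        return uid


def round_trip(uid, mitigated=False):
    """Write uid on one visit, then read it back on a later visit from a
    fresh server instance: only the browser's HSTS store carries it over."""
    browser = Browser(ignore_third_party_hsts=mitigated)
    TrackerServer().write_identifier(browser, uid)
    return TrackerServer().read_identifier(browser)


if __name__ == "__main__":
    print(hex(round_trip(0xDEADBEEF)))                  # identifier survives
    print(hex(round_trip(0xDEADBEEF, mitigated=True)))  # reads back as 0
```

Note that clearing cookies does nothing here: the identifier lives in the HSTS store, which is why the mitigated browser simply stops upgrading these subresource requests and the read-back degrades to all zeros.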

2017

SSL Issuer Popularity. The impressive growth of Let’s Encrypt in one graph: from 4.87% of TLS-enabled domains in May 2016 to 36.68% in November 2017. # 21st November 2017, 2:44 pm

2010

Side-Channel Leaks in Web Applications. Interesting new security research. SSL web connections encrypt the content, but a passive attacker can still see the size of each HTTP request and response going back and forth, which can be enough to extract significant pieces of information, especially in applications that make a lot of Ajax requests (one request per keystroke in an autocomplete box, for example). # 23rd March 2010, 4:24 pm
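A worked version of the Ajax size leak, added here and not taken from the paper: a constructed autocomplete endpoint over a constructed vocabulary of medical terms, an observer who only ever sees response lengths, and the recovery of what the victim typed from those lengths. The pad_to argument models the padding countermeasure (rounding every response up to a multiple of pad_to bytes); the vocabulary, endpoint shape and sizes are all made up for the example.

```python
"""Response-size side channel against an autocomplete endpoint.

Added example, not code from the paper. VOCAB and the endpoint are constructed
stand-ins; the observer sees only lengths, never plaintext.
"""
import json

# Constructed sample vocabulary standing in for a health site's suggestion list.
VOCAB = sorted([
    "diabetes", "diphtheria", "diverticulitis", "depression", "dermatitis",
    "asthma", "anemia", "arthritis", "anxiety", "appendicitis",
    "bronchitis", "bursitis", "cancer", "cataract", "cholera",
    "hepatitis", "hernia", "hypertension", "hypothyroidism", "influenza",
])
MAX_SUGGESTIONS = 5


def suggest(prefix):
    """Model of the Ajax endpoint: a JSON list of up to 5 matching terms."""
    return json.dumps([w for w in VOCAB if w.startswith(prefix)][:MAX_SUGGESTIONS])


def response_size(prefix, pad_to=None):
    """What a passive observer sees for one keystroke: the response length.
    TLS adds a constant overhead that cancels out of every comparison, so the
    plaintext length is used directly. pad_to models padding each response up
    to a multiple of pad_to bytes."""
    n = len(suggest(prefix))
    if pad_to:
        n = -(-n // pad_to) * pad_to      # ceiling to a multiple of pad_to
    return n


def build_profile(pad_to=None):
    """Attacker precomputation against the public endpoint: response size for
    every prefix that leads to a vocabulary term."""
    profile = {}
    for word in VOCAB:
        for k in range(1, len(word) + 1):
            p = word[:k]
            profile[p] = response_size(p, pad_to)
    return profile


def observe(typed, pad_to=None):
    """The sequence of sizes the observer sees while the victim types `typed`."""
    return [response_size(typed[:k], pad_to) for k in range(1, len(typed) + 1)]


def recover(sizes, pad_to=None):
    """Walk keystroke by keystroke, keeping only prefixes whose size matches the
    observation and whose parent survived the previous step."""
    profile = build_profile(pad_to)
    candidates = {""}
    for k, size in enumerate(sizes, start=1):
        candidates = {p for p in profile
                      if len(p) == k and p[:-1] in candidates and profile[p] == size}
        if not candidates:
            break
    return sorted(candidates)


if __name__ == "__main__":
    print(recover(observe("diabetes")))                   # unique recovery
    print(recover(observe("diabetes", pad_to=64), 64))    # padding widens the candidate set
```

Without padding, the very first response (five "d" terms) already has a length no other letter produces, and the third keystroke separates "dia" from "dip" and "div", so the whole word is recovered. With 64-byte padding the lengths collapse and the observer is left with every 8-letter prefix under "d": cheap per response, but still leaking the first letter, which is the trade-off the paper discusses.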

2008

Researchers Show How to Forge Site Certificates. Use an MD5 collision to create two certificates with the same hash, one for a domain you own and another for amazon.com. Get Equifax CA to sign your domain’s certificate using the outdated “MD5 with RSA” signing method. Because the CA’s signature covers only the MD5 hash, it is equally valid for the colliding certificate: copy that signature on to your home-made amazon.com certificate to create a fake certificate for Amazon that will be accepted by any browser. (The researchers’ actual demonstration forged an intermediate CA certificate, which can then sign certificates for any domain.) # 30th December 2008, 3:27 pm
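The signature transplant from the entry above, as an added example (not the researchers' code). To keep it runnable, weak_hash keeps only the first 16 bits of MD5 so that a collision can be brute-forced in a fraction of a second; the real attack needed a chosen-prefix collision on the full 128-bit MD5, and the CA's RSA key here is a tiny textbook one. attacker.example, the tbs layout and the CA's domain-validation rule are all hypothetical. What the example does show faithfully is why the attack works: the CA signs only the hash, so a signature on the harmless certificate is also a valid signature on any certificate with the same hash.

```python
"""Signature transplant via a hash collision (model of the MD5 CA attack).

Added example, not the researchers' code. The hash is deliberately weakened
so the collision step runs here; every name and key is hypothetical.
"""
import hashlib

HASH_BITS = 16   # weakened stand-in for MD5 so a collision is brute-forceable


def weak_hash(data: bytes) -> int:
    """First HASH_BITS bits of MD5. Real MD5 is 128 bits; the chosen-prefix
    collision the researchers built makes two inputs share all 128 bits."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - HASH_BITS)


# Toy textbook RSA key for the hypothetical CA (tiny and insecure on purpose).
P, Q = 104729, 1299709            # the 10,000th and 100,000th primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse; needs Python 3.8+

ATTACKER_DOMAIN = "attacker.example"   # hypothetical domain the attacker owns


def tbs(subject: str, serial: int, extra: str) -> bytes:
    """Stand-in for the DER 'to be signed' body of a certificate."""
    return f"subject={subject};serial={serial};ext={extra}".encode()


def ca_issue(subject: str, serial: int, extra: str) -> int:
    """The CA does domain validation, then signs hash(tbs): 'MD5 with RSA'."""
    if not subject.endswith(ATTACKER_DOMAIN):
        raise PermissionError("domain validation failed")
    return pow(weak_hash(tbs(subject, serial, extra)), D, N)


def ca_refuses(subject: str, serial: int = 1, extra: str = "x") -> bool:
    """True if a direct request for `subject` fails the CA's validation."""
    try:
        ca_issue(subject, serial, extra)
    except PermissionError:
        return True
    return False


def verify(body: bytes, sig: int) -> bool:
    """What a browser does: recover the hash from the signature and compare."""
    return pow(sig, E, N) == weak_hash(body)


def find_collision(legit_serial: int, victim: str):
    """Attacker precomputation. The legitimate request is held fixed (the CA
    chooses the serial, which the researchers had to predict); a free field of
    the forged certificate is varied until both bodies hash to the same value."""
    legit = (f"www.{ATTACKER_DOMAIN}", legit_serial, "pad-0")
    target = weak_hash(tbs(*legit))
    for nonce in range(1 << 24):
        forged = (victim, legit_serial, f"pad-{nonce}")
        if weak_hash(tbs(*forged)) == target:
            return legit, forged
    raise RuntimeError("no collision found")


def forge(victim: str = "www.amazon.com", serial: int = 12345):
    """Full attack: obtain a genuine signature on our own certificate, then
    reuse it on the colliding victim certificate. Returns (forged_body, sig)."""
    legit, forged = find_collision(serial, victim)
    sig = ca_issue(*legit)      # the CA only ever sees the harmless certificate
    return tbs(*forged), sig


if __name__ == "__main__":
    body, sig = forge()
    print(body, verify(body, sig))   # the forged body verifies under the CA key
```

Raising HASH_BITS shows where the cost lives: each extra bit doubles the brute-force loop, and at 128 bits only a cryptanalytic collision (the researchers' chosen-prefix attack) is feasible. Nothing in verify changes, which is the point: a verifier that accepts MD5 signatures has no way to tell the transplanted signature from a real one.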

the tls report (via) Clever service that analyses a web server’s SSL configuration and grades it on the protocol versions, certificates, cipher suites and key lengths it supports. Includes public reports on the top and bottom 20 sites. # 10th June 2008, 11:49 pm

2007

MyOpenID relaunches. Now with a handsome redesign and support for SSL client certificates as a secure alternative to passwords. # 17th April 2007, 3:40 pm

prooveme.com. An OpenID provider that uses SSL client certificates (which you install in your browser) for authentication. # 22nd February 2007, 12:01 pm

2002

Windows SSL support in Python

Adding SSL support to Python on Windows is as easy as dropping a couple of DLLs and a .pyd file into your Python DLLs directory. Grab the zip file from this page and off you go. I haven’t tried it out yet but it appears to work—the socket.ssl function miraculously appeared when I installed the new files. Why is this useful? Because it opens the way for secure XML-RPC calls from Python applications...

[... 95 words]