Hardening Web Server
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Measuring the Rapid Growth of HSTS and HPKP Deployments
Measuring the Rapid Growth of HSTS and HPKP Deployments Ivan Petrov∗ Denis Peskov∗ Gregory Coard∗ Taejoong Chungy David Choffnesy Dave Levin∗ Bruce M. Maggsz Alan Mislovey Christo Wilsony ∗ University of Maryland yNortheastern University zDuke University & Akamai Technologies ABSTRACT version of the website, thereby exposing future commu- A basic man-in-the-middle attack to bypass HTTPS strips nication to the MiTM attacker, as well. Second, if an the “s” off of an “https://” URL, thereby forcing the client attacker is able to have a certificate created in someone to effectively downgrade to an insecure connection. To ad- else's name, the attacker can impersonate that victim dress such crude attacks, the HSTS (HTTP Strict Transport domain. Security) protocol was recently introduced, which instructs Both of these attacks completely sidestep the protec- clients to preemptively (or at time of first acquire) load a tions that TLS seeks to provide to its users. To address list of domains to whom to connect strictly via HTTPS. In a these concerns, two recent additions to HTTPS have similar vein, the HPKP (HTTP Public Key Pinning) protocol been introduced. We describe them in detail in Sec- has clients obtain a set of public keys; if in future visits to tion 2, but at a high level: the website the certificate chain does not include any of those • HTTP Strict Transport Security public keys, the client is supposed to reject the connection. (HSTS) [10] addresses SSL stripping attacks by Both HSTS and HPKP are relatively new additions to the informing clients which domains it should connect web’s PKI that have seen a sudden surge in deployment in to strictly over HTTPS (i.e., if presented with an the last couple of years (we observe an order of magnitude http URL to one of these domains, they should greater deployment than a 2015 study of HSTS/HPKP). -
Comptia Security+ 501
CompTIA Security+ 501 CompTIA Security+ SY0-501 Instructor: Ron Woerner, CISSP, CISM CompTIA Security+ Domain 6 – Cryptography & PKI 6.4 Given a scenario, implement public key infrastructure Cybrary - Ron Woerner 1 CompTIA Security+ 501 6.4 Public-Key Infrastructure (PKI) ● Components ● Types of certificates ○ Public / Private Key ○ User ○ Certificate ○ Root ○ CA ○ Wildcard ○ CRL ○ SAN ○ Code signing ● Concepts ○ Self-signed ○ Online vs Offline CA ○ Machine/computer ○ Stapling ○ Domain validation ○ Pinning ○ Trust model ● Certificate formats ○ Key escrow ○ Certificate chaining Public and Private Keys ● Encrypt a document with the recipient’s public key. Only their private key needs to be kept secret and only it can decrypt the message ● The sender’s private key is used to sign the message Cybrary - Ron Woerner 2 CompTIA Security+ 501 PKI Components Public Key Infrastructure ● Solves the issues with key management ● A set of roles, policies, and procedures needed to manage public- key(asymmetric) encryption ● The process of creating, managing, distributing, storing, using, and revoke keys and digital certificates. ● Public Key Infrastructure X.509 (PKIX) is the working group formed by the IETF to develop standards and models PKI PKI Components - Digital Certificate ● A digitally signed block of data used to prove the ownership of a public key issued by a Certificate Authority ● Includes ○ information about the key, ○ information about the identity of its owner (called the subject), ○ and the digital signature of an entity that has verified the certificate's contents (called the issuer) ● X.509 v3 standard defines the certificate formats and fields for public keys. Cybrary - Ron Woerner 3 CompTIA Security+ 501 Digital Certificate Components X.509 Certificate Types ● Root certificates: for root authorities. -
Knowledge Management Enviroments for High Throughput Biology
Knowledge Management Enviroments for High Throughput Biology Abhey Shah A Thesis submitted for the degree of MPhil Biology Department University of York September 2007 Abstract With the growing complexity and scale of data sets in computational biology and chemoin- formatics, there is a need for novel knowledge processing tools and platforms. This thesis describes a newly developed knowledge processing platform that is different in its emphasis on architecture, flexibility, builtin facilities for datamining and easy cross platform usage. There exist thousands of bioinformatics and chemoinformatics databases, that are stored in many different forms with different access methods, this is a reflection of the range of data structures that make up complex biological and chemical data. Starting from a theoretical ba- sis, FCA (Formal Concept Analysis) an applied branch of lattice theory, is used in this thesis to develop a file system that automatically structures itself by it’s contents. The procedure of extracting concepts from data sets is examined. The system also finds appropriate labels for the discovered concepts by extracting data from ontological databases. A novel method for scaling non-binary data for use with the system is developed. Finally the future of integrative systems biology is discussed in the context of efficiently closed causal systems. Contents 1 Motivations and goals of the thesis 11 1.1 Conceptual frameworks . 11 1.2 Biological foundations . 12 1.2.1 Gene expression data . 13 1.2.2 Ontology . 14 1.3 Knowledge based computational environments . 15 1.3.1 Interfaces . 16 1.3.2 Databases and the character of biological data . -
Computerized Patient Record System (CPRS) Setup Guide
Computerized Patient Record System (CPRS) Setup Guide June 2021 Department of Veterans Affairs Health Data Systems Computerized Patient Record System Product Line Revision History Project Technical Date Patch Page Change Manager Writer 6/17/2021 OR*3*0*547 30 Added row to GUI Parameters SHRPE SHRPE Menu Options for OTH: GUI Add/Edit Local Message for OTH Button. Added Subsection for GUI 37-38 Add/Edit Local Message for OTH Button 10/16/2019 OR*3.0*397 All Added Revision dated REDACTED REDACTED 3/25/2019 (see below). Checked for 508 Compliance. Removed extra space between some pages. Removed extra Table of Contents from Pharmacy Packages section (G). 07/31/2019 OR*3.0*510 88 Added two NOTE: REDACTED REDACTED 3/25/2019 OR*3.0*397 21 Added ORSUPPLY Key REDACTED REDACTED 08/20/2018 XU*8.0*679 28 Added note regarding Electronic REDACTED REDACTED Signature Block restrictions. 03/30/2011 OR*3.0*272 5, 77, Changed references from REDACTED REDACTED 79, Duplicate Drug Class to 81, Duplicate Drug Therapy. 82, 93, 01/25/2007 OR*3.0*245 123 – Added information about the REDACTED REDACTED 125 new option, ORCM QUICK ORDERS BY USER 11/27/06 OR*3.0*242 182 Added information about the REDACTED REDACTED new way to edit items for the Nature of Order file. 12/30/04 36 Added new information about REDACTED REDACTED document templates. Computerized Patient Record System (CPRS) ii June 2021 Setup Guide Project Technical Date Patch Page Change Manager Writer 10/14/98 138 Added information about ORMTIME 10/15/98 14 Added explanation of global journaling 10/20/98 -
An Empirical Analysis of Email Delivery Security
Neither Snow Nor Rain Nor MITM . An Empirical Analysis of Email Delivery Security Zakir Durumeric† David Adrian† Ariana Mirian† James Kasten† Elie Bursztein‡ Nicolas Lidzborski‡ Kurt Thomas‡ Vijay Eranti‡ Michael Bailey§ J. Alex Halderman† † University of Michigan ‡ Google, Inc. § University of Illinois, Urbana Champaign {zakir, davadria, amirian, jdkasten, jhalderm}@umich.edu {elieb, nlidz, kurtthomas, vijaye}@google.com [email protected] ABSTRACT tolerate unprotected communication at the expense of user security. The SMTP protocol is responsible for carrying some of users’ most Equally problematic, users face a medium that fails to alert clients intimate communication, but like other Internet protocols, authen- when messages traverse an insecure path and that lacks a mechanism tication and confidentiality were added only as an afterthought. In to enforce strict transport security. this work, we present the first report on global adoption rates of In this work, we measure the global adoption of SMTP security SMTP security extensions, including: STARTTLS, SPF, DKIM, and extensions and the resulting impact on end users. Our study draws DMARC. We present data from two perspectives: SMTP server from two unique perspectives: longitudinal SMTP connection logs configurations for the Alexa Top Million domains, and over a year spanning from January 2014 to April 2015 for Gmail, one of the of SMTP connections to and from Gmail. We find that the top mail world’s largest mail providers; and a snapshot of SMTP server providers (e.g., Gmail, Yahoo, -
Introduction À La Sécurité Des Systèmes D'informations
Université de Paris Saclay Polytech Paris Saclay – Département d’informatique Introduction à la sécurité des systèmes d’informations Document réalisé par : Polytech Paris Saclay Département d’informatique Université Paris Saclay Maison de l'Ingénieur Bâtiment 620 91405 Orsay Cedex Gilles Soufflet, Ingénieur Système Version janvier 2020 Université de Paris Saclay Sécurité informatique Polytech Paris Saclay – Département d’informatique Table des matières 1 Avant-propos ________________________________________________________________ 7 2 Notions de cryptographie _____________________________________________________ 10 2.1 Introduction _________________________________________________________________ 10 2.1.1 Principe de Kerckhoffs _______________________________________________________________ 10 2.2 Fonctions de hachage __________________________________________________________ 11 2.2.1 MD5 _____________________________________________________________________________ 11 2.2.2 SHA-1 ____________________________________________________________________________ 12 2.2.3 SHA-2 ____________________________________________________________________________ 12 2.2.4 SHA-3 ____________________________________________________________________________ 13 2.2.5 Whirpool __________________________________________________________________________ 13 2.3 Cryptographie à masque jetable _________________________________________________ 13 2.4 Cryptographie symétrique ou à clé secrète ________________________________________ 14 2.4.1 Chiffrement par bloc _________________________________________________________________ -
Acme As an Interactive Translation Environment
Acme as an Interactive Translation Environment Eric Nichols and Yuji Matsumoto {eric-n,matsu} ߞatߞ is.naist.jp Computational Linguistics Laboratory Nara Institute of Science and Technology ABSTRACT Translation is challenging and repetitive work. Computer-aided transla tion environments attempt to ease the monotony by automating many tasks for human translators, however, it is difficult to design user inter faces that are easy to use but that can also be adapted to a dynamic workflow. This is often a result of a lack of connection between the inter face and the tasks that the user wants to carry out. A better correspon dence between task and interface can be achieved by simplifying how software tools are named. One way of accomplishing this to embrace text as the interface. By providing a simple and consistent semantics for interpreting text as commands, the Acme text editor [1] makes it possible to build a system with a text-centered interface. In this paper we explore the implications this has for translation aid software. 1. Motivation Translation is an essential and important part of human communication. However, it is a very challenging task, requiring the translator to have a complete understanding of and a deep familiarity with the source and target languages. This difficulty is not eased by the fact that fundamentally it is an inherently repetitive task, consisting of looking up unfamiliar words and doing large amounts of editing to produce a good translation. Given these demands, computers provide a good way to ease this repetitiveness by automating lookup and editing; by converting resources like dictionaries, other transla tions, and collections of example sentences to a computer-readable format, lookups can be performed much faster. -
State of the SSL/ TLS Industry Where Are We Today / Future Trends & Changes by Jay Schiavo
State of the SSL/ TLS Industry Where Are We Today / Future Trends & Changes By Jay Schiavo © 2016 Entrust Datacard Corporation. All rights reserved. AGENDA • SSL/TLS History • State of the Industry Today • Technologies to Consider • Questions? 2 © 2016 Entrust Datacard Corporation. All rights reserved. SSL/TLS History 3 © 2016 Entrust Datacard Corporation. All rights reserved. SSL MARKET HISTORY 1998 2005 2012 2016 • VeriSign, Entrust, • VeriSign (acquired • Symantec (acquired • Symantec (acquired Thawte, GlobalSign Thawte), Entrust, Thawte and Thawte and GeoTrust, Comodo, GeoTrust), Entrust, GeoTrust), Entrust, • OV SSL GoDaddy Comodo, GoDaddy, Comodo, GoDaddy, Digicert, GlobalSign Digicert, GlobalSign, • E-Commerce • OV SSL, DV SSL Let’s Encrypt, AWS • EV SSL, OV SSL, DV • No governance • E-Commerce and SSL, Multi-Domain • EV SSL, OV SSL, DV protecting sensitive SSL, Cert Mgmt SSL, Multi-Domain data SSL, Cert Mgmt, • E-Commerce and Other Services • CA/Browser Forum protecting sensitive data, Logins, • Encryption Webmail everywhere • EV & SSL Baseline • Browsers enforcing Reqs proper SSL issuance and deployment © Entrust Datacard Corporation. All rights reserved. CHANGING TECHNOLOGIES Endured three certificate-based migrations 1. MD2 and MD5 to SHA-1 2. Small RSA keys to 2048-bit keys or larger 3. SHA-1 to SHA-256 • Additionally: – Encryption levels have changed from 40 bit to 128 bit to 256 bit – SSL protocol to TLS protocol (current version is 1.2) • SSL 2.0 and 3.0 no longer supported in modern browsers • TLS 1.0 and 1.1 are showing some cracks • TLS 1.2 is most secure protocol • TLS 1.3 has not yet been released • What’s next – ECC, RSA 3072, CT for all TLS/SSL © Entrust Datacard Corporation. -
Header Manipulation Rules Resource Guide
Oracle® Communications Session Border Controller Header Manipulation Rules Resource Guide Release S-CZ8.0 September 2017 Oracle Communications Session Border Controller Header Manipulation Rules Resource Guide, Release S-CZ8.0 Copyright © 2014, 2017, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. -
Protected Database Configuration Guide
Zero Data Loss Recovery Appliance Protected Database Configuration Guide Release 12.2 E88069-06 January 2019 Zero Data Loss Recovery Appliance Protected Database Configuration Guide, Release 12.2 E88069-06 Copyright © 2014, 2019, Oracle and/or its affiliates. All rights reserved. Contributing Authors: Glenn Maxey, Terence Buencamino, Padmaja Potineni Contributors: Andrew Babb, Anand Beldalker, Jin-Jwei Chen, Tim Chien, Sean Connelly, Donna Cooksey, Sam Corso, Steve Fogel, Muthu Olagappan, Jony Safi, Daniel Sears, Lawrence To, Steve Wertheimer This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency- specific supplemental regulations. -
Oracle CSM-SBC with Broadworks.Pdf
Oracle Communications Core Session Manager SCZ 7.1.5m1p1 and Oracle Communications Session Border Controller SCZ 7.2.0 with Broadworks Platform R19SP1 Technical Application Note Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 2 Table of Contents INTENDED AUDIENCE ...................................................................................................................................................... 5 DOCUMENT OVERVIEW .................................................................................................................................................. 5 INTRODUCTION ................................................................................................................................................................. 6 AUDIENCE ............................................................................................................................................................................................. 6 REQUIREMENTS ................................................................................................................................................................................... 6 ARCHITECTURE -
Let's Encrypt
Let’s Encrypt Die neue Sicherheit für Jeden Inhaltsverzeichnis 1 Let’s Encrypt 1 1.1 Überblick ............................................... 1 1.2 Beteiligte ............................................... 1 1.3 Technik ................................................ 2 1.3.1 Protokoll ........................................... 2 1.3.2 Server-Implementierung ................................... 2 1.3.3 Clients ............................................ 2 1.4 Geschichte und Zeitplan ....................................... 3 1.5 Siehe auch .............................................. 4 1.6 Weblinks ............................................... 4 1.7 Quellen ................................................ 4 2 Extended-Validation-Zertifikat 6 2.1 Motivation .............................................. 7 2.2 Benutzerschnittstelle ......................................... 7 2.2.1 Browserunterstützung .................................... 7 2.3 Vergabekriterien ........................................... 7 2.4 Weblinks ............................................... 8 2.5 Einzelnachweise ............................................ 8 3 X.509 9 3.1 Geschichte .............................................. 9 3.2 Zertifikate ............................................... 9 3.2.1 Struktur eines X.509-v3-Zertifikats ............................. 9 3.2.2 Erweiterungen ........................................ 10 3.2.3 Dateinamenserweiterungen für Zertifikate .......................... 11 3.3 Beispiel für ein X.509-Zertifikat ..................................