I’m building a Django website that does not need to have registration/authentication.
I am trying to add TLS 1.1 and 1.2 support to a packet capture product which already has TLS 1.0 support.
It seems that the easiest way to protect users against the BEAST attack on TLS <= 1.0 is to prefer RC4 or even disable all other (CBC) cipher suites altogether, e.g. by specifying something like
The question: I know that http requests can be sniffed, so sniffer can see the requested URL from the victim. So 2 days ago I my bank made me a web-account to see, send money etc… The thing I saw is my session id is always on my URL.. I copy/pasted it on another browser … Read more
Following on from CRIME, now we have BREACH to be presented at Black Hat in Las Vegas Thursday (today). From the linked article, it suggests that this attack against compression will not be as simple to turn off as was done to deter CRIME. What can be done to mitigate this latest assault against HTTP?
What are the security implications of an expired SSL certificate? For example if an SSL certificate from a trusted CA has expired will the communication channel continue to remain secure?
I’m setting up a node.js server:
I’m no security expert, so please just ask in a comment if I haven’t made my question clear enough for an answer.
I’m interested to know if there is any reliance on system time (as defined by Linux or windows) when initiating a secure handshake. I’m aware that TCP typically uses a random number (RFC 1323) to provide a time stamp for message ordering, however I’m not sure of the TLS utilisation of system time. You can imagine this question being applicable to two system wishing to establish a secure connection but don’t share a synchronised time.
I know it’s possible for a computer to be infected just by visiting a website. I also know that HTTPS websites are secure.