Should I invest my time in making my site HTTPS-only?
I’m building a Django website that does not need to have registration/authentication.
tls
What is the significance of the version field in a TLS 1.1+ ClientHello message?
I am trying to add TLS 1.1 and 1.2 support to a packet capture product which already has TLS 1.0 support.
Is there a way to mitigate BEAST without disabling AES completely?
It seems that the easiest way to protect users against the BEAST attack on TLS <= 1.0 is to prefer RC4 or even disable all other (CBC) cipher suites altogether, e.g. by specifying something like
Can URLs be sniffed when using SSL?
The question: I know that http requests can be sniffed, so sniffer can see the requested URL from the victim. So 2 days ago I my bank made me a web-account to see, send money etc… The thing I saw is my session id is always on my URL.. I copy/pasted it on another browser … Read more
BREACH – a new attack against HTTP. What can be done?
Following on from CRIME, now we have BREACH to be presented at Black Hat in Las Vegas Thursday (today). From the linked article, it suggests that this attack against compression will not be as simple to turn off as was done to deter CRIME. What can be done to mitigate this latest assault against HTTP?
Expired SSL Certificate Implications
What are the security implications of an expired SSL certificate? For example if an SSL certificate from a trusted CA has expired will the communication channel continue to remain secure?
Can someone explain what exactly is accomplished by generation of DH parameters?
I’m setting up a node.js server:
Advantages of client certificates for client authentication?
I’m no security expert, so please just ask in a comment if I haven’t made my question clear enough for an answer.
TLS reliance on System Time
I’m interested to know if there is any reliance on system time (as defined by Linux or windows) when initiating a secure handshake. I’m aware that TCP typically uses a random number (RFC 1323) to provide a time stamp for message ordering, however I’m not sure of the TLS utilisation of system time. You can imagine this question being applicable to two system wishing to establish a secure connection but don’t share a synchronised time.
Can an HTTPS site be malicious or unsafe?
I know it’s possible for a computer to be infected just by visiting a website. I also know that HTTPS websites are secure.