Intermediate certificates are often a topic of confusion. It’s understandable. We pay a lot of attention to root certificates as they require a lot of active management on the client. Leaf certificates on the endpoint are the star of the show – they’re what we’re trying to validate in the first place. But intermediate certificates? Unless something goes horribly wrong we often don’t think about them. Why… [read more →]
FTPS has always been a topic of much confusion among systems administrators. It has also largely fallen out of favor in deference to SFTP, which has fewer networking requirements. But what is the difference between FTPS and SFTP? What about FTPS is so complicated? FTPS (FTP Secure) is simply FTP over SSL/TLS. Remember, SSL/TLS is protocol agnostic, and any communication protocol… [read more →]
Instant messaging is a popular method of communication both at home and in the workplace. It is not always easy, however, to ensure that communication remains private. One of the best ways to guarantee message privacy is to both self-host the infrastructure and encrypt communications in transit. Today we will be installing a free and open source (FOSS) package, ejabberd, and connect to it with a… [read more →]
Usually we focus on SSL/TLS and its role in encryption in-transit. However, equally worth understanding is encryption at-rest. While encryption in-transit (also called in-flight) focuses on secure transmission via an insecure channel, both the sending and receiving endpoint have access to the information in the clear. In contrast, encryption at-rest encrypts data sitting on a hard drive. This… [read more →]
This is perhaps one of the most abstract uses of an HSM, so let’s start with a real-world scenario. Your IT department recently read the last article in this series and wants to set up an offline root CA whose private key is stored on the Nitrokey HSM. Just like any hardware, the Nitrokey has the potential to be a single point of failure. Nitrokey’s backup model allows for backups to be taken tha… [read more →]
In our last article, we covered getting started with the Nitrokey HSM. Today we will go through the process of setting up an entire internal PKI backed by the security guarantee the HSM provides. First, we will generate a root CA with a private key living on the HSM’s hardware. Then, we will generate an intermediate CA, whose private key will live secured by file system permissions in Linux. T… [read more →]
SSL/TLS relies on a public/private keypair in order to keep data secure in transit. If a private key is no longer private, the communication is no longer secure. For most organisations, simply making sure to generate private keys on the server where they will be used is reasonably secure. It is a much more difficult and expensive proposition to protect against even the server itself being… [read more →]
Microsoft’s .NET framework is a collection of tools and libraries accessible from various “.NET programming languages” used by developers to build applications on the Windows platform. ASP.NET, which runs natively on IIS (Microsoft’s web server bundled with Windows Server), Visual Basic .NET, C# .NET and Windows PowerShell are all examples of languages which can natively take advantage of the abstrac… [read more →]
There are a lot of reasons why you might inherit a network. Maybe the person who handled SSL/TLS left abruptly, or perhaps you’re doing a favor for a friend. Whatever the reason, it can be overwhelming to get a handle on the sorts of care and feeding a computer system requires from an SSL/TLS standpoint. This is understandable. It’s a lot of responsibility to ensure that a system keeps running wit… [read more →]
Wireshark is an extremely powerful tool for analyzing the conversations your computer is having over the network. When an application’s logs come up empty, Wireshark is often the best way to figure out what’s going on with software. When troubleshooting issues with SSL/TLS, Wireshark is invaluable. Have you ever gotten an error message complaining about secure negotiation? Most sysadmins have. Where is … [read more →]