|
||||
Featured Articles           After 8 years, I've decided to transition from my original GPG key and replace it with one that uses a stronger master key that meets NIST guidelines. Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael Today I discovered how to validate the Public Key Algorithm that's used for a given gpg key. Unfortunately, it's extremely unintuitive & took quite a bit of digging to figure out how. So I'm leaving this here in hopes it helps someone in their future searches. Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael This post describes how to generate a few backup public key hashes to add to your HTTP Public Key Pinning (HPKP) config that might save you from bricking your domain if Let's Encrypt ever gets untrusted like StartCom did. If you have a healthy distrust of the X.509 PKI trust model, then you've probably heard of HPKP (and probably also HSTS & CAA). Website certificate pinning was a trend first started by google, who hard-coded a pin of their certificates in their Chrome browser. Eventually, google helped build a more standardized pinning method under RFC 7469. And today, it's supported by Chrome, Firefox, and Opera. Pinning is a great TOFU improvement to https, but--if misconfigured--you could "brick" your domain--making it so that your client's browsers will refuse to let them access your site for months or years (interestingly, this has also caused some security experts to think of how HPKP could be abused in ransom-ware). Therefore, it's a good idea to follow a few HPKP Best Practices. Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael As some mega websites deploy APIs that are used nearly ubiquitously on most of the Internet's websites (I'm looking at you Facebook & Google), I've begun to compartmentalize my browsers to "jail" specific website usage to a single, sandboxed browser (profile). This is sometimes referred to as a Site-Specific Browser (SSB). Besides making sure that your SSB is isolated in that it cannot access your regular browser's data (a configuration I plan to document in the future), it's essential to block all network traffic from/to your SSB and all websites, except a whitelist. Unfortunately, getting block-all-then-whitelist functionality in uBlock Origin was annoyingly not documented, so I decided to publish it. If you want uBlock Origin to block all traffic, add the following line to the textbox in your "My filters" tab of uBlock's Dashboard. *.* Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael This post will describe how to route outgoing traffic in a python script running on TAILS first through Tor, then through a SOCKS proxy created with an ssh tunnel. This is helpful when you want to use the anonymizing capabilities of tor, but you need to access a website that explicitly blocks tor exit nodes (common with sites running CloudFlare on default settings). Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael This article describes the correct way to use pycurl over Tor, such that both DNS lookup data and HTTP(S) traffic is sent through Tor's SOCKS5 proxy. If you google "pycurl tor", one of the first results is a stackoverflow post that describes how to configure pycurl using the pycurl.PROXYTYPE_SOCKS5 setting. Indeed, even the tutorial To Russia With Love on the Tor Project's Official Website describes how to pass pycurl through Tor using the pycurl.PROXYTYPE_SOCKS5 setting. However, using pycurl.PROXYTYPE_SOCKS5 will leak DNS queries associated with your HTTP requests outside of the Tor network! Instead you should use pycurl.PROXYTYPE_SOCKS5_HOSTNAME. The --socks5-hostname argument was added to libcurl v7.26.0. The pycurl.PROXYTYPE_SOCKS5_HOSTNAME argument wasn't added to pycurl until pycurl v7.19.5.1, which (at the time of writing) was less than 2 months ago! This article will describe how to install pycurl v7.19.5.1 onto the latest version of TAILS at the time of writing, which is TAILS v1.2.3. Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael This post attempts to answer the following question: If an evesdropper intercepts a message encrypted with gpg, how much information will they be able to extract from the message without a decryption key? I will show the unencrypted metadata added to a GPG-encypted message, and I will present commands that can be used to extract this unencrypted metadata. Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael So, I got into a discussion with a friend of mine in my Computer Security class at UCF about this script. I'm posting this for historical and educational purposes only. As always, I never condone the implementation of any of my content for malicious intent. Moreover, this script has flaws that * would make it useless in such a scenario. Don't do it! Here's a script I hacked up last semester when I was playing with MITM attacks and packet eavesdropping with ettercap:. This scripts will automatically: fake its MAC Address get a new IP Address collect a list of hosts on the same subnet as itself iterate through and ARP poison: each of these hosts one at a time for 5 minutes each save all data collected in host-specific files in a timestamped directory repeat until the hard drive is full Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael Jesus. It's only the second week of school and I've already pulled my first all-nighter. This time, however, it was not for school. I was determined to get my OpenVPN server properly setup so that I could finally browse the web securely from the dorms. I only expected this to take a few minutes, but I ended up spending over 7 hours of research, troubleshooting, and configuration changes. This post will contain a slew of information about smoothwall, zerina, openvpn, and iptables. I'm mostly just going to throw all of my findings here without much of any logical flow. Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael |
|
|||
|
Copyright © 2024 Michael Altfield's Tech Blog - All Rights Reserved Powered by WordPress & Atahualpa |
||||
