Skip to main content

Posts

Showing posts from April, 2012

Phil Zimmerman's Latest Project

Phil Zimmerman of PGP Encryption fame is launching a new project, Silent Circle -  The idea is an application suite complete with encrypted VOIP, email and IM. Exciting stuff! Lets hope it works out better than Hushmail !

Random Number Generation

Latest Update from Basement Dweller News: A great primer on random number generation from a few smart cookies at Intel, by way of IEEE: http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber-generator/0 On a very related note, let's keep our eyes on systemic issues with encryption keys in the wild: http://eprint.iacr.org/2012/064.pdf I have yet to formalize an opinion as to the validity of any systemic key issues intrinsic to RSA (because I was a "D" math student I have to wait for the grown-ups to weigh in on these Deep Thoughts. I would like to see larger keys in use standardized and don't see any good reason not to) A compelling critique of the survey, urging for additional data before judgment is reached: http://dankaminsky.com/2012/02/14/ronwhit/

Websockets and IIS7

So its been about 5 months since the IETF released the RFC 6455 proposal for websockets: http://tools.ietf.org/html/rfc6455 The websocket API is a protocol that allows for the bidirectional transfer of http/https data. This breaks down to a single initial handshake and then autonomous communication from both the server and client concurrently. With it comes a significant performance improvement (as only one handshake is needed, and client-side implementation gets much simpler) and a number of practical applications - I always think chat clients, but the applications are endless for web driven applications that require real time data transfer (HTML5 games that don't suck!) Its no secret that websockets will not work with a standard IIS7 implementation. Http.sys is a greedy bugger, and gobbles up all connections listening on port 80. Even with WCF, there is no formally recognized workaround besides "wait for 8" and the native websocket/SOAP functionality that it...

Same Domain, Multiple Machines, SSL?

I saw a lot of misinformation about this on the inter-tubes recently, some of it intentional misleading of customers, some of it unintentional, so it might be remedial for a lot of readers but posting a clarification here because its worth it to help clear up the confusion. Here are some facts that should help people when first making the leap to securing multiple server environments: Servers are domain and private key specific. They are not machine specific. You are welcome to generate multiple SSL certificates for the same domain to host on separate servers. Think for a bit, this *has* to be true. When everyone goes to https://google.com, are they hitting the same web server or SSL caching server? Of course not.* The most common scenario where this would be valuable is with a load balanced web cluster, but I recently came across this in a deployment with web and mail component where the mail admin neglected to give their MTA a unique FQDN *and* the organization is using SSL/TLS f...