Do I need to associate my backend API server with a domain name to get an SSL certificate for it (HTTPS)?

I have developed my DRF back-end API locally, deployed it on an AWS Lightsail instance (with a public static IP) and I now want to secure it with HTTPS.

I understand that in order to use Let’s Encrypt (and not pay for an SSL certificate), I have to have a domain name associated to my instance IP since Let’s Encrypt doesn’t provide certificates for public IPs. As this is my back-end API (and not just a website), I don’t intend to buy a domain specifically for this.

  1. Can I, somehow, associate my Lightsail IP with another domain that I’ve already purchased (and is used to host my company’s landing page)? If yes, will there be any impact on my API’s performance?

  2. Is there any other alternative to obtain an SSL? (Apart from paying another CA to issue this for my public IP?)

Go to Source
Author: kingJulian

What’s the deal with X25519 Support in Chrome/Firefox?

RFC8446/TLSv1.3 Section 9.1 says that “implementations SHOULD support X25519”.

An online list
of software supporting Curve25519 list both Firefox and /Chrome
as supporting it for TLS.

I did an experiment and created a self-signed TLS cert with Ed25519. Both Chromium 84 and Firefox 79 complain
about not being able to negotiate the cipher list/version. I’ve also noticed that they initiate TLSv1.2 handshakes when
connecting to localhost, but use TLSv1.3 handshakes when connecting to google for example. wget on the other hand,
has no problem connecting (I used --no-check-certificate,
but afaik that shouldn’t matter here)

I then looked at the TLSv1.3 handshakes. neither browser offers Ed25519 as a signature in their ClientHello (even when connecting to google via TLSv1.3). Again, wget does offer it
as part of the ClientHello.

Chromium 84.0 TLSv1.3 Supported Signatures

So I figured this might be a platform issue with my distro (Fedora), but this Blog Post also claims that the major browsers don’t supports X25519. While ChromeStatus says it’s been supported since Chrome 50 (I’m assuming chrome and upstream chromium do not differ in this).

I’m totally confused. What’s the current state of X25519 support on major browsers? is it a google chrome vs. upstream chromium issue?

Go to Source
Author: Jim Landy

Is it safe to embed a google form on a website without an SSL Certificate?

I designed a Google Form for a website which does not have an SSL Certificate. I have planned to embed it onto a page using an iframe tag. I am currently testing it and have published a test page with the form, but when I fill out any of the fields Google Chrome says that the page is,

Not Secure

but it is in red unlike the normal grey.

The form is not asking for any information such as credit card numbers, but it is asking for name, email, and some other information.

Is this safe to embed the Google Form or does the site need an SSL Cerficicate?

Go to Source
Author: Vtex

How should I sign a CSR using a signature created in HSM, in C# .NET Core?

I’m exhausted after looking for an answer for 3 days. I don’t know if my suggested flow is wrong or my Google skills have really deteriorated.

My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn’t offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate’s private key is stored in the HSM. I’m using ECDSA.

My suggested flow:

  1. Client generates Key Pair + CSR and sends CSR to API
  2. API creates a certificate from the CSR
  3. API asks HSM to sign the CSR data and receives back a signature
  4. API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client

Flow

I’m using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or using Bouncy Castle (which I’m still not sure if runs in Linux .NET Core).

I really appreciate your help!

Go to Source
Author: NOP-MOV

BREACH attack in HTTPS

Ref: http://www.breachattack.com/

This attack is old and works against HTTP compression like gzip.
This is possible when an attacker can find a secret in HTTP response when the server accepts a query parameter and reflect back in response, and calculating gzip size.

But, how can the attacker calculate the size? Can domain a.com raise a request to b.com and measure the size of gzip response when same origin policy is in place?

If the attacker has to calculate the gzip size by doing MITM, then the TLS in HTTPS will prevent that. What am I missing here?

Go to Source
Author: Arul Anand M

Malformed packets for OpenVPN

I have setup OpenVPN on pfsense 2.4.5, and captured sample data for my OpenVPN traffic. However, I observed that most of packets captures for OpenVPN is malformed.

What are the possible reasons? I have placed a sample of the captures in this link for your reference. Any suggestion is helpful!

Thanks!
Openvpn Sample Capture

Go to Source
Author: meta_warrior

metasploit payload

metasploit payload

I’m use the ms f venom to make a payload app for android and i share the app to may another phone with it own network then i install the app but there was no reaction in my listener phone
for host i use my listener IP that was in the info of phone
what IP i have to use and the payload has to be on – t c p – or HTTP
when i use the same network for my phones payload is worked
thanks for Ur react .

Go to Source
Author: Sith fiLe