-
DNSSEC made easy: Converting an existing DNS zone to Inline signing with BIND
DNSSEC — the security extensions to the trusty Domain Name System (DNS) upon which almost all Internet transactions rely — is often considered hard to set up. My own setup has been very dated, using complicated scripts which needed to run after every change to the zone file. It was time to change this. Modern…
-
DDoS: What we can do to prevent it
Distributed Denial of Service, DDoS for short, is the shooting star in today’s Internet nightmare gallery. Here is a quick overview of what each and every one of us can do to prevent this. And some hints for manufacturers and researchers.
-
Interoperable Chat in Your Web Browser: JSXC 3.0 released
Open, standards-compliant and interoperable chat sounds like a boon. However, proprietary and closed systems (WhatsApp, Facebook chat, Google Hangouts, …) are often easier to deploy, as they are nicely integrated in existing ecosystems. The freshly-released JSXC 3.0 shows that this is not necessary.
-
DNSSEC for .ch domains
This year, all owners of .ch domains need to switch from the DNS registry SWITCH to a new registrar. Getting an overview of these registrars is hard. Thankfully, Marc Wäckerlin has started the road to transparency with a price comparison of Swiss .ch domain registrars. Here, I extend his results with a survey of DNSSEC…
-
Boost DNS Privacy, Reliability, and Efficiency with opDNS Safe Query Elimination
-
JSXC: Adding Encrypted Chat with 3 Lines of Code
-
DANE: The CA game changer
Securing the Internet is important. However, many design decisions are broken: For example, encrypted web pages are considered less secure than unencrypted pages, even outright dangerous, unless you regularly pay a lot of money to certificate authorities, which have been shown to make the Internet less secure. The new kid on the block, DANE (DNS-based Authentication…
-
Disable client certificate requests for Cyrus IMAP
Cyrus IMAPd always asks for a client certificate. This can be unnerving for users running Thunderbird as their mail client who have a user certificate installed and are thus always asked whether they want to send it. (There is no way to tell Thunderbird not to send a client certificate; you can only select which…
-
Using TLS Interposer with OpenSSL 0.9.8g (Debian Lenny)
Older installations, such as trusty Debian Lenny, come with versions of OpenSSL 0.9.8. The default cipher suite used by TLS Interposer is very restrictive, on purpose. For OpenSSL 0.9.8g, the only remaining cipher is RC4-SHA. Especially when configuring XMPP servers such as ejabberd to use TLS Interposer, RC4-SHA alone may not be enough (e.g., when…
-
SIEGE: Service-Independent Enterprise-GradE protection against password scans