Habr

Testing Gemotest for TLS diseases

On 17 July I had blood tests done at Gemotest. A day and a half later the results arrived by email at the address I had given before the test. Happily, the results were all fine: no HIV, no hepatitis B, no hepatitis C, no syphilis, hooray! The PDF with the results was certified by an attached electronic signature, with instructions for verifying it. It even contained this:

CONFIDENTIALITY NOTICE: This email message and any documents attached to it contain confidential information. We hereby notify you that if this message is not intended for you, any use, copying or distribution of the information contained in this message, as well as any action taken on the basis of this information, is strictly prohibited. If you received this message in error, please notify the sender by email and delete this message.

And then the same thing again in English. Lovely. So everything seemed fine, nothing to worry about. But one thing still would not let me rest. The padlock. Red. Crossed out.

habr.com/ru/articles/931246/

#tls #гемотест #шифрование #smtp #персональные_данные #медицина #сертификаты #ssl #почтовый_сервер #email

Himbeertoni

Hello, I'm #neuhier (new here) and I'm posting because I'd like to share something.

As an old IT guy, I'd like to share a script that makes a (home) admin's life easier when, once again, "curl" or "wget" fails while verifying a certificate (#SSL / #TLS).
That doesn't happen very often, so I always forgot what to do when it came up again.

The script checks which certificates are missing and downloads them, so that you can add them to the list of CAs (certification authorities) if needed. How to do that is described in the accompanying documentation.

Maybe just have a look and see whether you can use it.

Open source (#opensource), of course; it's described at github.com/himbeer-toni/UserSc, where there's also a download link.

I'd be glad if it helps someone!

#opensource #programming #debian #linux #RasPi #sysAdmin #git #github #selfhost #selfhosted #selfhosting
#opensource #foss #homelab #homeserver #software #raspi #RasPi #sysAdmin #TLS #SSL #certificates
@digitalcourage
@linuxnews

UserScripts/fetch-missing-ca.md at main · himbeer-toni/UserScripts

GitHub
Jan Schaumann

I put up a few #TLS hybrid key exchange post-quantum cryptography (not "Pavement Quality Concrete"!) proofs of concept to let you test X25519MLKEM768 compatibility:

netmeister.org/blog/pqc-pocs.h

Code here:
github.com/jschauma/pqcpoc/

#pqc

Post-Quantum Cryptography Proof of Concept Implementations

www.netmeister.org
Jul 20, 2025, 21:40
Prof. Dr. Dennis-Kenji Kipker

#Traktoren (tractors) are also just #Computer, and badly programmed computers at that:

At Black Hat, security researchers managed to compromise connected tractors worldwide.

What is shocking is that the absolute basics of secure #Software development are missing: through a poorly secured mechanism for over-the-air updates, the data received from the #Cloud can simply be swapped out, because there is neither #TLS encryption nor #Signaturen (signatures):

darkreading.com/cloud-security

Ben Hardill

That will be a no.

Which is a shame, as I want to use SNI in the back end but also make use of AWS-issued certificates and the NLB TLS integration, since there is no easy way to get a cert from the AWS Certificate Manager into an EKS Secret.

#AWS #TLS #Certificates #SNI

Ben Hardill

Testing a theory on AWS: does an NLB terminating TLS forward the SNI header if the backend is also TLS?

Will know once AWS has finished pulling my test container.

#AWS #TLS #Certificates #SNI

Jul 14, 2025, 12:44
Kevin Karhan :verified:

@drscriptt granted, we would all rather have 203.0.113.1¹ with #SSL / #TLS (even if it's just @letsencrypt) work than not work or have no #encryption.

That is not up for debate!

I just think that this will reward previously standards-violating behaviours, when e.g. Xavier Sample Solutions don't get nudged to use e.g. api.solutions.example² but can just use their IP addresses.

Feels like companies take pride in copying #ClownFlare's #EgoTrip who put their #DNS & #domain on 1.1.1.1

¹ Example as per RFC5737
² Example as per RFC2606

RFC 5737: IPv4 Address Blocks Reserved for Documentation

IETF Datatracker
Jul 14, 2025, 05:06
d0rk ✅

Do #Apple #Mail.app + #Notes.app still use the #STARTTLS #IMAP protocol by default?

Did a "lsof -i Pn" on my MacBook to learn that Mail used both port 143 (insecure STARTTLS) and port 993 (#TLS) for my providers. I certainly didn't configure this explicitly.

The checkbox in Accounts => Advanced, roughly "configure connection preferences automatically", is the culprit. Uncheck that, choose port 993 instead of 143, restart Mail.app (and Notes.app), and everything is fine.

@ Apple : #wtf ?
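As an added example (not part of d0rk's post), here is a small Python checker that parses `lsof -i -Pn` style output and flags established mail-client connections on ports where TLS is only negotiated via STARTTLS (143, 110, 587, 25) rather than implicit from the first byte (993, 995, 465); the lsof lines below are constructed sample data, not a real capture.

```python
import re

# Constructed sample of `lsof -i -Pn` output (documentation addresses, not real data):
# Mail talks to one provider on 143 (IMAP + STARTTLS) and another on 993 (IMAPS).
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Mail     4242 alice   31u  IPv4 0x1a2b      0t0  TCP 192.0.2.10:52311->198.51.100.20:143 (ESTABLISHED)
Mail     4242 alice   33u  IPv6 0x1a2c      0t0  TCP [2001:db8::10]:52320->[2001:db8::20]:993 (ESTABLISHED)
Notes    4300 alice   12u  IPv4 0x1a2d      0t0  TCP 192.0.2.10:52400->198.51.100.20:143 (ESTABLISHED)
Safari   4400 alice   20u  IPv4 0x1a2e      0t0  TCP 192.0.2.10:52500->203.0.113.5:443 (ESTABLISHED)
"""

# Ports where TLS is opportunistic (client sends STARTTLS after a cleartext greeting):
# a downgraded or stripped STARTTLS would leave the session in the clear.
STARTTLS_PORTS = {143: "IMAP", 110: "POP3", 587: "SMTP submission", 25: "SMTP"}
# Ports where TLS is implicit from the first byte; nothing to strip.
IMPLICIT_TLS_PORTS = {993: "IMAPS", 995: "POP3S", 465: "SMTPS"}

# COMMAND PID ... TCP local->remote (STATE); lazy ".*?" skips the USER/FD/TYPE/DEVICE columns.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+.*?TCP\s+(?P<local>\S+)->(?P<remote>\S+)\s+\((?P<state>\w+)\)"
)


def remote_port(endpoint: str) -> int:
    """Extract the port from 'host:port'; IPv6 hosts are bracketed, so split on the last colon."""
    return int(endpoint.rsplit(":", 1)[1])


def find_opportunistic_tls(lsof_output: str, mail_clients=("Mail", "Notes")) -> list:
    """Return (command, pid, remote, protocol) for each established connection that a
    mail client holds to a STARTTLS-only port. Other processes and ports are ignored."""
    findings = []
    for line in lsof_output.splitlines():
        m = LINE_RE.match(line)  # header and non-TCP lines do not match
        if not m or m["cmd"] not in mail_clients or m["state"] != "ESTABLISHED":
            continue
        port = remote_port(m["remote"])
        if port in STARTTLS_PORTS:
            findings.append((m["cmd"], int(m["pid"]), m["remote"], STARTTLS_PORTS[port]))
    return findings


if __name__ == "__main__":
    for cmd, pid, remote, proto in find_opportunistic_tls(SAMPLE_LSOF):
        print(f"{cmd} (pid {pid}) -> {remote}: {proto} over STARTTLS, consider the implicit-TLS port")
```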

Neil Craig

Does anyone know of a table of data which shows PKI CA root certs and which devices/clients they are compatible with? (i.e. which devices/clients include each root cert in their default trust store)

I think I have asked about this in the past. It'd be incredibly useful.

#PKI #TLS #InfoSec #WebDev

Ben Hardill

Anybody worked out if it's possible to access AWS Certificate Manager certs in EKS Kubernetes as a TLS Secret? (I need to terminate in the pod not the LoadBalancer to access SNI)

It feels like it should be possible with the Secrets Store CSI driver with the AWS plugin, but it looks like it only has access to AWS Secrets Manager. I don't really want to have to export and import every time they need renewing.

#TLS #AWS #EKS #kubernetes #Secrets #k8s

Jul 09, 2025, 12:45
CybersecKyle

@farshidhakimy @aral Absolutely — you're right, this isn’t a brand-new concept. Cloudflare's cert on 1.1.1.1 is a great example of a legitimate use case for IP-based certificates, especially in infrastructure-focused services like public DNS.

And yes, other CAs have issued certs for IP addresses before Let's Encrypt started doing it — so it’s not unprecedented. The shift here is more about accessibility and scale. Let’s Encrypt offering free certs for public IPs means this capability is now much more widely available, even to actors who previously didn’t have the budget or motivation to go through commercial CAs.

That’s where the risk discussion comes in — not that certs for IPs are inherently bad, but that easier issuance could lower the barrier for phishing kits, command-and-control servers, or shady hosts to appear more “legitimate” with a valid HTTPS padlock, especially in contexts where URLs are masked or shortened.

So yeah, not panic-worthy — just something worth watching as it scales.

#CyberSecurity #TLS #LetsEncrypt

CybersecKyle

@aral Great point — and I agree that most users would be suspicious if they saw an IP address like 89.72.4.2 instead of a familiar domain like mybank.com. The concern raised in the article, though, was more about scenarios where users don’t see the link clearly — such as in emails, PDFs, or messaging apps where URLs may be masked behind anchor text or shortened links. For example, a phishing email might show a link that says “View Invoice” but actually points to https: //203.0.113.10/login.

Experienced users like you and me know to hover over links, check certificate info, or inspect the address bar. But many users don’t do that — or worse, they click links without verifying anything. According to the Verizon DBIR and other phishing studies, this is still one of the top attack vectors today.

Also, I don’t think the article was arguing against IP certs outright — just highlighting that, like with any new capability, there's potential for abuse that the broader public (and infosec community) should be aware of.

#CyberSecurity #Phishing #DigitalTrust #TLS

Jul 07, 2025, 19:41
Mitex Leo

Big news from Let's Encrypt! Since 2015, there have been requests for certificates for IP addresses—a rare offering among certificate authorities. Today, they've issued their first certificate for an IP address! As announced earlier this year, this feature is now being rolled out gradually to subscribers.

letsencrypt.org/2025/07/01/iss

#letsencrypt #ssl #tls #infosec #selfhosted #security

We've Issued Our First IP Address Certificate

letsencrypt.org
Jul 07, 2025, 02:31