When issuing certificates for TLS, you have the option of getting one with all of your domain names included, or one individual per domain. Which is better, and when?
There is a very large number of Internext Exchange Points around the world, and a lot of networks are connected to at least one. But what happens when you forget to turn off Layer 2 protocols on the Peering LAN?
On my journey to build a self-hosted Zero Trust environment I had to create TP: a secure proxy that takes care of a lot of the end user connectivity to my "Cloud".
Data breaches happen, and there is need for cleanup after such an incident. But perhaps quickly going to password resets or calls to enable 2FA are not the best advice that should be followed blindly.
MikroTik, with RouterOS 7, added the ability to offload IP Traffic to the hardware, and bypass the low performance CPUs of their products. As this feature is still developed, I put it to the test, using their cheapest device.
Although not by design, ACME is mostly used today to issue TLS Server certificates, for use in the WebPKI. But it's a flexible protocol. An extra field here, a new challenge there. Let's see how far we can push it...
The ACME protocol can be used to obtain TLS certificates, and the most common usecase is definitely the WebPKI. However, it can be used for any type of certificate, including mTLS certs in a private PKI. In this post I am providing information on my design for use of ACME for workload certificates.
OCSP is a protocol that helps clients figure out when X.509 certificates, such as the ones used for TLS, are revoked. However, there aren't many cheap or open implementations, especially ones that can scale. In this post I am building an OCSP Responder using Cloudflare Workers & Cloudflare KV.
IP addresses are frequently geolocated in wrong places, even at the country level. The main reason is the wildly different and imprecise methods to obtain that information in the first place. As it can have a large impact on end-users, ISPs typically want to detect and correct these mistakes. I'm summarizing here the current best practices in fixing this problem.
Apple's AirPrint protocol is by far the easiest method of printing over the network today, so much so that it even made printing on Linux a reality! However, setting it up to work across VLANs or even over the Internet is not easy. In this post I publish how I managed to get it working in a few easy steps.
COSMOTE is an ISP in Greece that offers its landline telephony service over VoIP, terminated to its CPEs. However, it's been possible to request the SIP credentials and use your service on your own PBX. Since I couldn't find any documentation, and the process involved many hours of trying, troubleshooting, and rate limiting, I decided to post this tutorial which will hopefully be helpful.
Radio amateurs around the world have been lucky to secure a large enough IPv4 allocation from the early days of the Internet, 126.96.36.199/8. Since then, it has seen various types of use, on and off the public Internet. In this post I explore the current usage by running some measurements on the hosts that currently live within it, from various vantage points. Somehow, I end up having to map all of IPv4 and IPv6.
In the height of the 2021 cryptocurrency rush, I performed an experiment where I intentionally leaked a number of Bitcoin private keys to thousands of people, and then simply watched to see what happens.
After mapping the Greek Internet, during my visit to 36C3, in Leipzig, I decided to map the event IP Space and create a nice animated GIF of the utilization, at least of devices responding to pings.
Inspired by a discussion I had in a RIPE Meeting, and a blog post I read last year, I set out to create a map of the Greek Internet, using IP, Hilbert Curves, and a lot of images.
An attack was published against Tor users that deanonymized them based on DNS. Here we see how Exit Operators can protect the users from these attacks.
A blog post on how a small group of people organized an educational event with a Capture the Flag contest in AUTh. The story and what I learned.
In this blog post I describe how an attacker got my personal information just by using eBay. It is based on a real story and should not be used as a guide.
Certificate Transparency is a project started by Google in order to allow anyone to verify the practices of all Certificate Authorities. In this post, we take a look.
A blog post about Tor Hidden Services and the announcement of the Official DaKnObNET Hidden Services, which allow visitors to access my websites over the Tor Network, in the form of Hidden Services.
I examine the security of the popular movie and TV series piracy application "Popcorn Time", and find multiple critical vulnerabilities that range from application code execution, all the way to remote code execution, for a full computer compromization, by executing arbitrary shell commands.
In this blog post I talk about password managers, and how security questions can actually reduce your security. All this, over a nice, real life story I had with a customer service representative, who didn't like my first school's name, DzLCMpeyuAhAT>RgTuvJPna2s3K)8dUM^V$(QUNu#omuByCvJ8.
In this blog post I go over the vast gap between math and implementation (software code) in terms of security, by examining the case of online voting. In addition, as an example, I am disclosing some security vulnerabilities found in an online voting software.
In this blog post I attempt to examine what is the current best TLS configuration for your web (or not) server, and why answering this question is really not that simple.
This blog post contains a bug I found in Google Chrome and the Chromium browser in which the software failed to update the GUI of which certificate is used, therefore showing the previous certificate to the user, even in cases where the certificate has actually changed in the server.
During a store visit, I discovered a secure lock that used an RFID access card to limit access. But there was a way to easily bypass it.