HTTP/2 is a major revision of the HTTP protocol. The HTTP/2 RFC was published in May 2015. Currently most client-server communication is done via HTTP/1.1. In practice, HTTP is the de facto transport layer for almost all application-level network traffic, even for non-web applications. HTTP/2 specifies some fundamental changes to the protocol. Hence, once HTTP/2 is widely adopted, these changes may affect all software development, and also security, which is the focus of this article. This is not a low-level protocol analysis, but a high-level overview of practical security concerns related to HTTP/2.
This is an article I’ve meant to write for the last two years. Getting TLS right seems to be a major challenge for many admins. And I do not mean only some random startup company websites, but also large commercial web services and Fortune 500 companies.
The problem is not only poorly configured servers and expired certificates; in many cases the whole concept of TLS is misunderstood. I try to be short and clear here, and state what TLS is and what TLS is not. Later on, I provide some tips and links to resources that I’ve found useful.
Recently I stumbled upon an interesting paper. This paper introduces a bug / vulnerability called “Rowhammer.js”. In short: Rowhammer.js enables hardware-level memory corruption (bit flips) via a web browser. Yes, it sounds insane, it is insane, and yet it seems to be a real thing. I believe this may become a major client-side web security issue.
Italian-based company Hacking Team suffered a major security breach earlier this week. Hacking Team provides offensive cyber security capabilities mainly for governments and law enforcement. The web is already full of analysis and stories about this case. I summarize here some of the most important and interesting points.
This is a vulnerability report for the Zyxel P-870H-51A V2 ADSL2 modem (multiple vulnerabilities).
Helsingin Sanomat news editor Jussi Pullinen published an excellent column on Monday in which he declared that the Internet is broken. The piece makes many good points, and I largely agree with its message. However, the column contained some claims that, in my opinion, failed to take into account a few realities of how the Internet and information technology work. This is of course understandable if the writer does not have a technical background. Here I comment on a few points from the column.
I recently bought a new home router, the Asus RT-N56U. It is a consumer-level basic wireless router with some “advanced” features, such as file sharing and a print server. Actually I am pretty happy with the features of the router. Security is the problem. Or the lack of security, to be more precise.
For some time, I have wanted to write down some of my thoughts about this NSA/PRISM/network surveillance/spying case. For me, the most interesting question is what the NSA can do in practice, and what they cannot. This blog post by professor Matthew Green is pretty complete, and it sums up my thoughts and assumptions about this case quite comprehensively.