WirelessPhreak.com

I like to travel, f*ck with technology, and partake in the occasional tropical drink.
I am also a co-host on The NBD Show podcast.
Follow Me
Showing posts with label Internet. Show all posts
Showing posts with label Internet. Show all posts
Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time. Below is an excerpt from the Wikipedia page, they did a nice job explaining what mutual authentication is.

By default the TLS protocol only proves the identity of the server to the client using X.509 certificate and the authentication of the client to the server is left to the application layer (for example, username and passwords.) TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves less user-friendly experience, it's rarely used in end-user applications. But at a small scale or proof of concept this is completely reasonable.

Mutual TLS authentication (mTLS) is much more widespread in business-to-business (B2B) applications, where a limited number of programmatic and homogeneous clients are connecting to specific web services, the operational burden is limited, and security requirements are usually much higher as compared to consumer environments. The factor that impacts scaling of this design is not the technology, devices are built to handle millions of SSL transactions, but the policy and procedures around the certificate management and client on-boarding. 

In this example a client will be connecting to an Apache web server and authenticate using mutual TLS authentication.

First you must build the web server running SSL. You can find a lot of step by step articles online about how to build an Apache web server preferably on Linux. Also take a look at Lets Encrypt, it's a free SSL certificate issuer that is freaking awesome.

Once you have your web server up and running you will want your client to generate a certificate. This can be done using OpenSSL the de facto for everything SSL on the internet. There are some awesome guides on how to build out the mutual SSL authentication and the accompanying Apache config. The best one I found was on stefanocapitanio.com they do a great job of outlining each step that makes up the mutual TLS authentication. In this example I will Jump ahead to the certificate creation,

This will generate your private key and certificate. You will need to answer the following questions when prompted this makes up the attributes of your client certificate.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Here is an example what it will look like.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:State 
Locality Name (eg, city) []:City
Organization Name (eg, company) []:Anything
Organizational Unit Name (eg, section) []:Anything
Common Name (eg, fully qualified host name) []:Username
Email Address []:youremail

Next we will combine the Key and Certificate in PKCS#12 file:
openssl pkcs12 -inkey client-key.pem -in client-certificate.pem -export -out bundle-certificate.p12
This file will be the private key and certificate combined with a secure password. This is what you will install on your OS or browser (such as firefox) to encrypt your data and issue to the server as your identity.

Once you have generated and installed your client certificate you will want to send ONLY THE PUBLIC CERTIFICATE, in this case client-certificate.pem to the server admin. Your public certificate will be what is used to identify your machine when it attempts to connect tot he web server. Read up on the Apache man pages about he SSLVerifyClient options there is quit a but out there. This is a very basic config.

The server admin will place your certificate in their certificate store and configure Apache.
<VirtualHost *:443>
  ServerName secure.example.com
  DocumentRoot "/var/www/html"
  ServerAdmin [email protected]
  SSLEngine on
  SSLCertificateFile /home/sempla1/ssl/server-cert.pem
  SSLCertificateKeyFile /home/sempla1/ssl/private/server-key.pem

  SSLVerifyClient require
  SSLVerifyDepth 10
  SSLCACertificateFile /home/sempla1/ssl/client-certificate.pem
</VirtualHost>

Once the server has been configured you can attempt to connect. Normally you will be prompted to provide your client certificate if it is working. This is apache asking for your public certificate to validate it is the same one that Apache was configured with. In firefox you can go into Preferences then Security and Privacy and tell the browser to automatically issue that certificate if you like.

That's it I had a good time playing with this I hope you do as well.


For some reason I thought to myself it would be cool to have an emoji URL for my site. So I searched the web to see if anyone had done it before and, sure enough, an app developer named Panic registered 💩.la in 2011. After that, emoji URLs never really picked up steam.  There were a few tutorials - none of which worked. Then on February 23rd The Washington Post wrote an article about Coke's ad campaign in Puerto Rico using Emoji URLs. In response to The Washington Post article Kaleigh Rogers at Motherboard wrote a post outlining the brief history of  emoji URLs and how to register one.  The only thing she left out was which registrars allowed non Latin character URLs.  I tested Go Daddy and Hover neither of which would allow me to register my fancy new emoji URL.  Finally after searching the web I found a legit Domain Registrar that would allow the unicode URL: name.com.  There may be others but name.com was painless and simple.  Finding the Domain Registrar was the most difficult part of the process.

My Fancy new Emoji URL

Here are the steps to getting your own Emoji URL, surprisingly there are a few still out there:
  1. Go to punycoder.com and generate the unicode that you are going to register.
    • The Unicode will be translated by the browser and present the emoji if your device and browser support it.
    2.  Go to Name.com and search for the unicode string, example "xn--bw8h.tk" and register it.

Done!

Whether you think he's a hero or a traitor Edward Snowden's revelations have generated an import conversation around privacy.  Here is his first Video from exile at South by South West.


Let us know what you think of Snowden



With the prevalence of cloud computing and companies growing dependencies, environments such as Amazon Web Services have become a huge points of failure.  The interdependency on web service companies and cloud infrastructure has created a complicated and confusing web.  The average Joe  knows Netflix doesn't work, but there is no way for him to find out why it doesn't work.  Some companies are proactive and do a pretty decent job updating clients on outages, but a majority of them are happy with keeping their customers in the dark.  The goal of this post is to give some helpful links that may give you some visibility into this mysterious haze they call The Cloud.

Amazon does a pretty good job here is there AWS Service Health Dashboard:
AWS Amazon Service Health Dashoard
AWS Twitter Feed

Netflix which runs almost exclusivaly on AWS:
Netflix Twitter Feed

Many other companies leverage the Amazon Cloud such as Reddit, Coursera, Flipboard, FastCompany, Foursquare, Pinterest, Airbnb, and more.

Google Apps Status, this page breaks out many of Google core services:
App Status Dashboard

Apple Services such as iCloud, iMessage, Siri, etc.:
Apple Support System Status 

 Rackspace Cloud Status:
Cloud Status







Living where I do I have two choices, AT&T which is cool if I wasn't 3+ miles from their central office, and Comcast. So when I saw that Kansas City residents where pre registering for fiber I was a bit jealous. Gig up and down,  fiber to their homes for 70 dollars a month, or TV and Internet for $120 dollars, sign me up.  Plus I doubt they will steadily see their bills increase like Comcast tends to do.  Oh ya and no data cap....  Hopefully this is the direction we are moving playing catchup with allot of the world.  I want to see our country succeed and lead the world by example not ruin what we helped create, by censoring the internet and letting companies like Comcast do what they do.



Here is a link to Google's fiber page so you can read all about it for your self.


Please urge Congress to oppose the Internet Blacklist Legislation, known as the PROTECT-IP Act in the Senate and the Stop Online Piracy Act (SOPA) in the House. This legislation seeks to give the executive branch power to conduct slash-and-burn campaigns against websites that allegedly host – or even link to – content that infringes on intellectual property rights. That would “disappear” whole domain names, fundamentally undermining Internet security, and/or choke off their financial support. The Internet Blacklist Legislation puts more sites than ever at risk, effectively upending the DMCA safe harbors that have been crucial to the growth of Internet innovation and creativity.

Sadly, these short-sighted and dangerous bills won’t do much to stop online infringement – but they will jeopardize our ability to speak and read online with the kind of freedom we cherish in the offline world. Deep-pocketed Hollywood lobbyists are aggressively pushing to control and censor the open Internet, willing to sacrifice free speech and our Internet culture in hopes of controlling how people view their movies and products.

We need to stop this bill before it goes any further. Will you contact your representatives in Congress and urge them to oppose the Internet Blacklist Legislation? Visit: https://eff.org/r.C8A