A Better Vaultwarden Deployment

Introduction: Earlier this year I looked at switching from Bitwarden (online service) to self-hosting Vaultwarden. The post I wrote was fairly high level and focused on different container options. It was a fairly generic deployment that didn’t go into much detail. Configuration and security considerations were woefully neglected in that post. It also didn’t go into detail about how I’d integrate it into the VPS that I use as VPN, DNS, and now password vault server....

November 26, 2023 · John

Vaultwarden: a Self-Hosted Password Vault

Introduction: When Lastpass first came on the scene I jumped on it because of how easy it makes syncing passwords between devices. Previously, I was using a local password manager that was only on my computer. Thankfully, mobile logins weren’t nearly as necessary for daily life back then. However, I still needed my computer to log into anything on my phone. Over the years, Lastpass started having security incidents. This isn’t surprising with how big it became....

March 16, 2023 · John

Constant Time String Comparison in C

Comparing strings in C is typically handled with strncmp. This is fine in most cases but if you need to compare sensitive information, such as a message digest, it’s a really bad choice. strncmp is susceptible to timing attacks because it will stop comparing once the first difference is encountered. The overall design of constant time comparison is pretty well known. The OR XOR combo has been reviewed and vetted by crypto researchers....

April 2, 2017 · John

s2n Memory Hardening Analysis

Recently Amazon.com introduced s2n as a new TLS implementation. The idea is to have a small and simplified TLS library. Looking at it I noticed it’s very Linux-centric. It cannot be compiled on Windows. There are patches to make it work on OS X. There is a report that it works on FreeBSD but I didn’t look closely at it to determine if patches were necessary. Amazon is positioning s2n as a replacement for OpenSSL but it can’t work in nearly as many places as OpenSSL....

July 2, 2015 · John

Enable DH and ECDH in OpenSSL (Server)

Recently at work we were looking into Forward Secrecy (FS). We were using Qualys SSL Server Test and noticed that Forward Secrecy was showing as NO. We decided to look into this because we want to use the most robust security we can. What we found was none of the supported cipher suites showed Diffie–Hellman (DH) or Elliptic curve Diffie–Hellman (ECDH), which are required for FS. We had a proper cipher suite in place and we were asking for ciphers that support FS....

October 1, 2014 · John

Yubikey Auto Lock in Gnome

I recently purchased a Yubikey from Yubico. What got me to buy it was the discount they’re offering to Security Now! listeners. So far I’m liking it quite a bit and have been looking to use it any way I can. One of the uses I found was to have the presence of the Yubikey unlock and lock Gnome Screen Saver. Toward the end of the forum thread there is a very nice set of udev rules that work perfectly for me and are very clean....

July 25, 2010 · John