Security

A small HTTP debug server in Go

Posted on August 31, 2018

Lately, I found myself working on an application that communicated with a server via SOAP. My goal was to understand how this application interacted with the SOAP server so that I could emulate its behavior. Even though I had access to the application's source code, I thought it would be easier, faster and more fun to do the work without actually reading the code. It is worth noting that the application is fairly small and self-contained.

Why you should bundle the root CAs in your image

Posted on July 13, 2018

If you have ever used Docker or any other Linux OCI container system, you have inevitably run into the following error: x509: failed to load system roots and no roots provided. This message is reminding you that you forgot to provide root Certificate Authorities to your application. There are two different ways to solve this:

- mount the /etc/ssl/certs folder from the machine where the container is running
- bundle the root CAs in your image

As you may imagine from the title, I believe that the second option is by far better than the first one.

Why SMS should never be used as second factor

Posted on June 27, 2018

Lately, all websites are urging their users to enable a second factor. The push for multi-factor logins is a good thing from my point of view: people are putting more and more details of their lives online, and it is good that companies are starting to understand the security implications of this and are trying to teach their users good security practices. The real problem is what is defined as a second factor.

Walkthrough a PEM file in Go

Posted on December 21, 2017

A few months ago, I posted how to create a PKI in Go. Today I'd like to share a useful function (at least from my point of view) that I found myself writing. The problem arose when I had a function that required as input a *pem.Block of the public key, but all I had was the PEM file containing, as you can imagine:

- the Private Key
- the Public Key
- the CA Public Key

I think this is a typical situation, and so I'd like to share a function I wrote to extract it.

SSH with Yubikey

Posted on November 3, 2017

Authentication factors

One of the common ways to create more secure authentication in systems is adding more "factors", creating in this way a Multi-Factor Authentication (MFA). The idea behind MFA is that there are many different ways to authenticate a user, and those can be split into different "categories" based on the kind of challenge we require. Generally speaking, it's common to divide authentication methods into three main categories:

Create a PKI in GoLang

Posted on June 5, 2017

Lately I have been programming quite a bit and - for the first time - I have used Go to do so. Go is a very nice language and it really helped me with the development. One of the reasons I have enjoyed Go this much is its standard library, which is amazing. Today I would like to share how easy it is to create a basic Certificate Authority and signed certificates in Go.

The Wireshark Field Guide by Robert J. Shimonski (Elsevier)

Posted on April 2, 2014

I usually don't start with this, but lately I have had some time constraints that made me wonder whether it is right to spend so much time reading books. The Wireshark Field Guide: Analyzing and Troubleshooting Network Traffic by Robert J. Shimonski is only 149 pages long (if we cut the introduction, indexes, etc., it boils down to 128 pages). This is a really short book and I have really appreciated this fact.

Practical Anonymity, by Peter Loshin (Elsevier/Syngress)

Posted on May 7, 2013

Anonymity on the web is probably one of the most debated topics on the web. Is it possible to be completely anonymous? The short answer is no. This book tries to help the reader improve their anonymity while staying in the "real world", as the "Practical" in the title suggests. In this book you will not find anything that is too complex for an average user. Whether this is good or bad depends on your expectations.
