Secure browser-to-proxy communication - again

2014-09-21, Categories: security, network

I've previously blogged about a secure connection between browser and proxy. Unfortunately that doesn't work on Android yet, since except if you use Google for Work (an enterprise offering) you can't set Proxy Auto-Config.

This post shows you how to get that working for Android. Also it skips the stunnel hop since it doesn't add value and only makes Squid not know your real address. I'm here also using username and password to authenticate to the proxy instead of client certificates, to make it easier to set up.

Read the rest of this entry »

Colour calibration in Linux

2014-09-19, Categories: unix

This is just a quick note on how to create .icc colour profiles in Linux. You need a colour calibrator (piece of hardware) for this to be useful to you.

#!/bin/sh
NAME=$1
COLOR=$2
DESC="Some random machine"
QUALITY=h   # or l for low, m for medium
set -e

dispcal -m -H -q $QUALITY -y l -F -t $COLOR -g 2.2 $NAME
targen -v -d 3 -G -e 4 -s 5 -g 17 -f 64 $NAME
dispread -v -H -N -y l -F -k $NAME.cal $NAME
colprof -v -D $DESC -q m -a G -Z p -n c $NAME
dispwin -I $NAME.icc

Read the rest of this entry »

Another way to protect your SSH keys

2014-06-18, Categories: security, network, unix

Let's say you don't have a TPM chip, or you hate them, or for some other reason don't want to use it to protect your SSH keys. There's still hope! Here's a way to make it possible to use a key without having access to it. Meaning if you get hacked the key can't be stolen.

Read the rest of this entry »

Don't forget to restart all your OpenSSL binaries

2014-04-21, Categories: security

The wonder of UNIX is that you can delete running binaries and loaded shared libraries. The drawback is that you get no warning that you're still actually running old versions. E.g. old heartbleed-vulnerable OpenSSL.

Server binaries are often not forgotten by upgrade scripts, but client binaries almost certainly are. Did you restart your irssi? PostgreSQL client? OpenVPN client?

Find processes running with deleted OpenSSL libraries:

$ sudo lsof | grep DEL.*libssl
apache   17179      root  DEL       REG        8,1               24756 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0

Read the rest of this entry »

How TPM-protected SSH keys work

2013-12-01, Categories: security, unix, hsm

In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works.

Read the rest of this entry »

TPM chip protecting SSH keys - properly

2013-11-27, Categories: security, hsm, tpm, unix

Not long after getting my TPM chip to protect SSH keys in a recent blog post, it started to become obvious that OpenCryptoKi was not the best solution. It's large, complicated, and, frankly, insecure. I dug in to see if I could fix it, but there was too much I wanted to fix, and too many features I didn't need.

So I wrote my own. It's smaller, simpler, and more secure. This post is about this new solution.

Read the rest of this entry »

Should I generate my keys in software or hardware?

2013-11-26, Categories: security, tpm, hsm

A Hardware Security Module (HSM) is any hardware that you can use for crypto operations without revealing the crypto keys. Specifically I'm referring to the Yubikey NEO and TPM chips, but it should apply to other kinds of special hardware that does crypto operations. I'll refer to this hardware as the "device" as the general term, below.

Read the rest of this entry »

TPM chip protecting SSH keys

2013-11-13, Categories: security, hsm, tpm, unix

STOP! There is a better way. this post explains a simpler and more secure way.

Update 2: I have something I think will be better up my sleeve for using the TPM chip with SSH. Stay tuned. In the mean time, the below works.

Finally, I found out how to use a TPM chip to protect SSH keys. Thanks to Perry Lorier. I'm just going to note down those same steps, but with my notes.

I've written about hardware protecting crypto keys and increasing SSH security before:

but this is what I've always been after. With this solution the SSH key cannot be stolen. If someone uses this SSH key that means that the machine with the TPM chip is involved right now. Right now it's not turned off, or disconnected from the network.

Update: you need to delete /var/lib/opencryptoki/tpm/your-username/*.pem, because otherwise your keys will be migratable. I'm looking into how to either never generating these files, or making them unusable by having the TPM chip reject them. Update to come.

Read the rest of this entry »

Fixing high CPU use on Cisco 7600/6500

2013-10-27, Categories: cisco, network

Recently some time ago (this blog post has also been lying in draft for a while) someone came to me with a problem they had with a Cisco 7600. It felt sluggish and "show proc cpu" showed that the weak CPU was very loaded.

This is how I fixed it.

Read the rest of this entry »

Next-hop resolution and point-to-point

2013-10-26, Categories: network

I had this blog post lying around as a draft for a long time. I didn't think it was was "meaty" enough yet, but since I'm no longer a network consultant I don't think it'll become any meatier. So here it goes.

Here I will describe the process of L3-to-L2 mapping, or next-hop resolution and how it works with point-to-point circuits like PPP, ATM and Frame relay. It's the process of finding out what to actually do with a packet once the relevant routing table entry has been identified.

It's deceptively simpler than on a LAN segment, but since people generally learn Ethernet before they learn point-to-point nowadays I'm writing it anyway.

Read the rest of this entry »
Older posts