June 1, 2022Oh Open Source Supply Chain Security, Where Art Thou?“This is horrifying. But also not surprising.” These are the words of a friend of mine, a security specialist, when I told him what I found out today. But first… What is Open Source Supply Chain? Most applications nowadays use open source libraries, especially for common functionality like e.g. sending web requests, so it is not necessary to re-invent the wheel all the time. This is great! This saves a lot of work, time and money, and usually when a library is widely used, it is rock stable....
April 29, 2021How to Configure a Webserver to Be Less SecureThis question sounds odd. Why would you want a less secure web server? Well, maybe you have to support older clients. e.g. IE 11 on Windows 8.1 or Java 7 (cough) cannot connect to a web server, which only uses modern and secure ciphers. From a Java application, which cannot be updated, but has to work, I got the following exception: Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at sun....
July 22, 2020How to Audit and Harden an SSH ClientYou probably know how to harden an SSH server, or at least heard of it. e.g. do not offer weak ciphers, or do not allow root login… But did you know you can and also should harden your SSH client? step 1 - auditing your SSH client terminal 1 git clone https://github.com/jtesta/ssh-audit cd ssh-audit python3.8 ssh-audit.py -c # c = client audit; this starts a ssh server on port 2222 terminal 2 ssh localhost -p 2222 Now, switch back to terminal 1 and have a look at the output - it all should be green - but it won’t....