/tags/security/ Recent content in Security on Ctrl + Champagne Hugo en-us Sun, 16 Feb 2025 13:45:56 +0000 /posts/vulnscan/ Sun, 16 Feb 2025 13:45:56 +0000 /posts/vulnscan/ <h2 id="automated-vulnerability-scanning-for-dependencies--packages">Automated Vulnerability Scanning for Dependencies &amp; Packages</h2> <h3 id="do-we-need-to-explain-why">Do we need to explain why?</h3> <p>🔥💥💣🚨⚡☠️🧨</p> <p>That&rsquo;s what I thought.</p> <h3 id="configure-your-pipeline-with-snyk">Configure your pipeline with Snyk</h3> <p>There is a plethora of tools available out there for security scans and/or vulnerable dependencies - Dependabot, Trivy, sonarQube/Lint, Anchore, etc. Most of which can be integrated into your IDE or CI/CD.</p> <p>For this use case, Snyk has been selected. Snyk is able to scan code, open-source dependencies, container images, and infrastructure as code configurations to helps developers prioritize and fix security vulnerabilities. The free version comes with a max limit scans per month.</p> /posts/digitcert/ Tue, 11 Feb 2025 13:45:56 +0000 /posts/digitcert/ <h2 id="kubernetes-cert-manager-for-letsencrypt-certificates">Kubernetes cert-manager for LetsEncrypt certificates</h2> <h3 id="digital-certificates-raison-dêtre-and-usage">Digital Certificates raison d&rsquo;être and usage</h3> <p>Certificates are exchanged as part of the TLS handshake. This allows the client to ensure the entity it is trying to establish a connection with is authentically the <em>genuine</em> server.</p> <p>Note: see other posts under this tag for a few words on TLS handshakes and mentions of the attacks it protects against.</p> <p>A certificate contains: the issuer details, its expiration date, the entity&rsquo;s public key for asymmetric encryption and a signature (encrypted server&rsquo;s public key).</p> /posts/quic/ Mon, 10 Feb 2025 13:45:56 +0000 /posts/quic/ <h2 id="the-fast-alternative-to-tcptls">The <em>fast</em> alternative to TCP+TLS</h2> <h3 id="what-is-quic">What is QUIC?</h3> <p>The Quick UDP Internet Connection (QUIC) protocol is an encrypted connection protocol operating on the Layer 4 - Transport Layer of the OSI model.</p> <p>Developed at Google around 2012, it has only been adopted as a standard by IETF in 2021.</p> <p>The current and widely used solution of HTTPS using TLS is built is on top of the TCP protocol. The <a href="https://en.wikipedia.org/wiki/Transmission_Control_Protocol">TCP handshake</a> and the <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">TLS handshake</a> need to be completed to establish a path to communicate between a server and a client. As a result, multiple rounds trips to initiate a connection and negotiate the encryption parameters are required - two at the very least, depending on the TLS version used.</p> /posts/hsts/ Sat, 08 Feb 2025 13:45:56 +0000 /posts/hsts/ <h2 id="a-brief-overview-of-hsts-protocol-or-why-i-chose-the-dev-domain">A brief overview of HSTS protocol or why I chose the .dev domain</h2> <h3 id="quick-intro">Quick intro</h3> <p>What happens when you&rsquo;re back from a family weekend in a cabin in the woods with no internet?</p> <p>I&rsquo;d probably check my dog&rsquo;s instagram account first. On the browser: instagram.com and &hellip; my browser is making a call to <code>http://instagram.com</code></p> <p>Exactly! I haven&rsquo;t explicitly used <code>https</code>, so where does this leave me? Exposed to all sorts of man-in-the-middle attacks that wikipedia can list for us in a scary way - <a href="https://en.wikipedia.org/wiki/Session_hijacking%22">session hijacking</a>, <a href="https://en.wikipedia.org/wiki/Downgrade_attack">protocol downgrade attack</a>, etc.</p>