Category Archives: Networking

HTTPS + CT SCT TLS extension on my blog

Finally, I managed to enable HTTPS on my own blog!

I opted for a quick-and-dirty solution based on a self-compiled version of HAProxy in front of WordPress, statically linked to OpenSSL 1.0.2, in order to serve Certificate Transparency information during the TLS setup.

blog.pierky.com-SCT

Read more …

RIPE Atlas Tracepath v0.3.0

I released a new version of my web application RIPE Atlas Tracepath: v0.3.0. It reads results from RIPE Atlas traceroute measurements and shows Autonomous Systems that probes go through to reach the target.

UPDATE: new versions have been released since this post, with new features and bug fixes: please take a look at the project’s page on GitHub.

In the beginning it was a simple Python script/CGI; the new release has been totally rewritten, it’s now based on the D3.js visualization library and uses a more elegant Python backend based on Flask/WSGI.

Among the new features, probes are also displayed and linked to their origin AS; for those that completed the traceroute toward the target the avg RTT is also rendered in form of a scale of colors. Multiple Autonomous Systems can now be selected and moved together on the graph, in order to obtain the layout that best describes the analyzed scenario.

A demo can be found here. It only shows results from measurement ID 1674977, a traceroute from 50 probes all over the world toward www.ripe.net:

Graph of traceroute to www.ripe.net

More details can be found on the GitHub page; feel free to use/edit/fork/improve it as you whish!

Certificate Transparency: manually verify SCT with openssl

The recent OpenSSL 1.0.2 version added support for Certificate Transparency (CT) RFC6962 by implementing one of the methods that allow TLS clients to receive and verify Signed Certificate Timestamp during the TLS handshake, that is the OCSP response extension. My goal here is to show how to use another method, the signed_certificate_timestamp TLS extension, to gain the same result.

Certificate Transparency - SCT via TLS Extension

Read more …

Italian Government mail servers STARTTLS support

After reading Antonio Prado’s Reverse DNS lookup for Italian Government’s mail exchangers post I got intrigued by the idea of checking how many of those Italian Government’s MX mail servers support STARTTLS.

STARTTLS “offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection” (Wikipedia) and, when it’s implemented on the MX SMTP server, it allows a STARTTLS-aware user’s outbound mail server to encrypt the traffic toward the recipient’s server.

STARTTLS User to MX mail server

Read more …

DNSSEC: ECDSA-aware resolvers seen by RIPE Atlas

A couple of days ago CloudFlare announced its public alpha release of their DNSSEC implementation. Since they are using the “recent” Elliptic Curve ECDSA P-256 (RFC6605) I wondered how many resolvers can have problems with signatures validation so I wanted to take a peek at the current situation as seen by the RIPE Atlas probes network.

Read more …