Category Archives: Security

Good MANRS for IXPs route servers made easier

Now, more than ever, we need a more resilient Internet.

This is the first sentence that shows up on the website of MANRS, a global project that aims to improve the security of Internet routing. Every network is in a good position to actively pursue such an important goal, and MANRS helps them by offering different programmes with guidelines and suggestions based on industry best practices, focused on the role of each network: ISPs, CDNs, Internet Exchange Points (IXPs).

In this post I’ll focus on the IXP programme, and I’ll share some thoughts on how ARouteServer, a tool I’ve been working on for several years, can help IXP operators to easily deploy and operate secure route servers and meet MANRS requirements.


HTTPS + CT SCT TLS extension on my blog

Finally, I managed to enable HTTPS on my own blog!

I opted for a quick-and-dirty solution based on a self-compiled version of HAProxy in front of WordPress, statically linked to OpenSSL 1.0.2, in order to serve Certificate Transparency information during the TLS setup.

blog.pierky.com-SCT


Certificate Transparency: manually verify SCT with openssl

The recent OpenSSL 1.0.2 release added support for Certificate Transparency (CT), RFC 6962, by implementing one of the methods that allow TLS clients to receive and verify Signed Certificate Timestamps (SCTs) during the TLS handshake, namely the OCSP response extension. My goal here is to show how to use another method, the signed_certificate_timestamp TLS extension, to obtain the same result.

Certificate Transparency - SCT via TLS Extension


Italian Government mail servers STARTTLS support

After reading Antonio Prado’s Reverse DNS lookup for Italian Government’s mail exchangers post I got intrigued by the idea of checking how many of those Italian Government’s MX mail servers support STARTTLS.

STARTTLS “offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection” (Wikipedia) and, when it is implemented on the recipient’s MX SMTP server, it allows a STARTTLS-aware outbound mail server on the sender’s side to encrypt the traffic toward the recipient’s server.

STARTTLS User to MX mail server


RIPE68: Content blocking methods and their impacts

Today, in Warsaw, during the RIPE68 morning session reserved for the Cooperation Working Group, Olaf Kolkman kindly presented my work about Content blocking methods and their impacts.

Olaf’s presentation was the first in a series of 3, all about censorship and censorship circumvention.

Content Blocking Methods And Their Impacts
