Take action before September 30, 2021 to avoid problems — TL;DR — For TLS certificates issued by Let’s Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021. Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k …

Authenticity of TLS certificate issued by a Public CA is no longer sufficient — In TLS — Transport Layer Security, the client establishes a connection with the server and negotiates a TLS session to ensure confidentiality of the communication. However, this confidentiality is not guaranteed if the server is not verified. While one may decide to use TLS to ensure the connection is encrypted…

Default certificate chain to include an expired root certificate — Let’s Encrypt is a Certificate Authority run by Internet Security Research Group (ISRG) that provides free and automated TLS certificates for secure communication over the Internet. …

A look at the newer version of TLS protocol and updates to its predecessor — When a new version of software is released, it could be to patch security vulnerabilities, fix bugs, provide new features and enhancements. Similarly, every few years newer versions of protocols are released. These newer versions largely retain the same goals but incorporate new requirements and challenges. Some protocols such as…

A simple TLS extension to support different applications on a single port — The Internet protocol suite which forms the basis for modern Internet allows for different services to be provided by a single host. These services are assigned a port number and any connection to the port is assumed to be for that service. …

Information that is leaked and efforts to secure them — Browsing the web was originally insecure allowing eavesdroppers to see exactly what the user was doing. This is no longer possible due to the use of Transport Layer Security (TLS) underneath to encrypt all of the web traffic. …

Its use in domain validation and email security — Did you know ? Well-Known URIs are those that begin with /.well-known/ in its path, and are of the format /.well-known/<suffix>. It is defined by RFC 8615. They are used in discovery of information, policies and domain validation, among other things. The proposed standard reserves the use of path prefix…

Nginx configuration and HTTP/2 coalescing — Server Name Indication or SNI is a TLS extension originally designed for a single web server to serve multiple HTTPS sites configured with different TLS certificates. For example, when www.example.com uses TLS Certificate-A and www.example.net …

Attack surface reduction at a system level — Publicly accessible web servers receive requests from both legitimate and malicious users. It is important to recognize them both and take appropriate actions to process only those requests that should be processed, and serve only those content that should be served. In simpler terms, there are two distinct types of…