0th Root Secure Network

Default certificate chain to include an expired root certificate

Photo by Taylor Vick on Unsplash

Let’s Encrypt is a Certificate Authority run by Internet Security Research Group (ISRG) that provides free and automated TLS certificates for secure communication over the Internet. In the context of the web, whenever the browser connects to a website over https, the browser verifies the TLS certificate of the website to make sure the communication is secure.

This process of verifying a TLS certificate requires the web browser, or the operating system, to maintain a trusted database of root certificates. …


0TH ROOT SECURE NETWORK (0SNET)

A look at the newer version of TLS protocol and updates to its predecessor

Photo by Paweł Czerwiński on Unsplash

When a new version of software is released, it could be to patch security vulnerabilities, fix bugs, provide new features and enhancements. Similarly, every few years newer versions of protocols are released. These newer versions largely retain the same goals but incorporate new requirements and challenges.

Some protocols such as SMTP are not even versioned and will likely never have a newer version, while TLS — Transport Layer Security protocol will always will. A fine balance of usability, compatibility and security is maintained in TLS protocol. …


0th Root Secure Network (0SNet)

A simple TLS extension to support different applications on a single port

Photo by Julius Jansson on Unsplash

The Internet protocol suite which forms the basis for modern Internet allows for different services to be provided by a single host. These services are assigned a port number and any connection to the port is assumed to be for that service. To give an example, the services http and https use the port numbers 80 and 443 respectively.

This allowed for good visibility on the network traffic, and its management. However, a new port number need to be used if protocol used by the service has changed and is not backward compatible. …


0th Root Secure Network (0SNet)

Information that is leaked and efforts to secure them

Photo by Vincent van Zalinge on Unsplash

Browsing the web was originally insecure allowing eavesdroppers to see exactly what the user was doing. This is no longer possible due to the use of Transport Layer Security (TLS) underneath to encrypt all of the web traffic. However, before the data becomes encrypted, the client and server negotiate the parameters for encryption in the form of Hello messages.

This initial negotiation to establish a secure session happens in cleartext. It involves a handshake mechanism with a Hello message sent by the client (ClientHello) and a Hello response by the server (ServerHello).

A few basics on the TLS protocol (Version…


Its use in domain validation and email security

Photo by Jens Johnsson on Unsplash

Did you know ? Well-Known URIs are those that begin with /.well-known/ in its path, and are of the format /.well-known/<suffix>. It is defined by RFC 8615. They are used in discovery of information, policies and domain validation, among other things. The proposed standard reserves the use of path prefix /.well-known/ in HTTP, HTTPS, WS and WSS schemes.

Section 1: To address these uses, this memo reserves a path prefix in HTTP, HTTPS, WebSocket (WS), and Secure WebSocket (WSS) URIs for these “well-known locations”, “/.well-known/”. …


What it takes to run your own CA

Photo by Matthew Henry on Unsplash

Certificate Authorities (CA) are those who manage one or more root certificates securely, that are used directly or indirectly for the signing of certificate requests. The private key corresponding to root certificates are safe guarded to ensure the integrity of the signing process and issued certificates. There are Certificate Authorities for different purposes. The TLS Certificate Authorities issue X.509 certificates used for establishing TLS connections.

TLS Certificate Authorities are a core part of securing the web, whose certificates are used in almost every HTTPS connection made. The HTTPS client has the root certificate of Certificate Authority while the server has…


Nginx configuration and HTTP/2 coalescing

Photo by Gene Gallin on Unsplash

Server Name Indication or SNI is a TLS extension originally designed for a single web server to serve multiple HTTPS sites configured with different TLS certificates. For example, when www.example.com uses TLS Certificate-A and www.example.net uses a different TLS Certificate-B, the web server can identify the domain with the help of SNI and establish a TLS session with correct certificate to serve the corresponding website.

Since the server name is in clear, ie., not encrypted, web server is able to choose the TLS certificate to establish a secure session. …


Attack surface reduction at a system level

Photo by Patrick Hodskins on Unsplash

Publicly accessible web servers receive requests from both legitimate and malicious users. It is important to recognize them both and take appropriate actions to process only those requests that should be processed, and serve only those content that should be served.

In simpler terms, there are two distinct types of attacks against web servers, one that is targeted towards an organization or a domain, and other that is non-targeted which attempts to compromise any publicly accessible web server. A targeted attack might compromise the web application hosted, rather than the server software itself.

Hardening

When we talk about non targeted, the…


A detailed look on what changes and what remains the same

Photo by Marcus Dall Col on Unsplash

OpenSSH is an implementation of the SSH 2 protocol by developers of the OpenBSD project. It is ubiquitous, and is the most widely deployed SSH software on servers. In the original SSH 2 protocol (RFC 4253), SHA1 was the recommended hashing algorithm. Since then, over the years through various updates, SHA2 is now recommended for Data Integrity Algorithms (RFC 6668), Key Exchange Algorithms (RFC 8268) and Public Key Algorithms (RFC 8332). While OpenSSH has added support for newer algorithms based on SHA2, it has to deprecate the older SHA1 based algorithms at some point. OpenSSH will be deprecating the public…


An introduction to the model and a quick way to deploy it

Credit: Image

As the word implies, in a zero-trust security model, no device or user is trusted. And, every request received by the system goes through the validation and authentication steps. This essentially means, no device or user enters the private network of the organization, and only the application hosted on the edge provides access to them.

This is in contrast to the model of the trusted device, where on successful authentication, the device is trusted and is allowed access to the private network, such as in the case of Enterprise VPNs. The downside to this model is, when the trusted device…

Dorai Ashok S A

Bulding 0th Root | SSHBI | 0th Root Secure Network

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store