Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

TLS allows for a lot of configuration. Which encryption algorithms and key exchanges that can be used, hashing algorithms and more. The author of this post asks if this is the proper user experience. Their claim is that many admins "fix" (notice the double quotes) by changing the ciphers, only to make the situation worse. For instance, when BEAST and POODLE attacks were in the news people were changing to RC4. Sadly, RC4 had its own issues that nobody really knew about it.

The author claims that checkboxs are better than cryptic strings. These checkboxes could contain items like FIPS 140-3 approved or post-quantum or negative options like disable TLS 1.0. Each checkbox is a union of items to perform. A set of simple presets would be very useful too.

Why is this nice? Compared to the cryptic strings, this contains future-proof algs, easy-to-understand algorithms, and super-easy compliance. To do this correctly, the creators of the checkboxes would need to be very careful about the mappings.

Sometimes, the real strings are necessary. FIPS 140-3 requires NIST-approved algorithms, which aren't always possible. Forward secrecy may be a requirement that may not be doable on the checkbox approach. There are likely other edge cases as well. Overall, it's a great post on making defaults more secure.