In detail: SCRAM with channel binding

Visualising the process, discussing its shortcomings

In January, I asked whether TLS channel binding with strong authentication was the solution to defend against MITM or proxy style phishing attacks. The answer was “yes, but also no”. I will look beyond SCRAM soon, but first I want to fulfil a promise to go into more detail about how SCRAM works, especially with channel binding.

[Read More]

Channel Binding: Should you be using it?

Stopping phishing in its tracks... maybe

Authentication and in particular passwords are the bugbear of many cybersecurity professionals. For all the encryption, firewalls, IDS and other defences we put in place, if authentication doesn’t do its job properly, or a user’s credentials get stolen, a compromise is very likely. In the future, we might embrace password-less authentication, relying instead on biometrics, tokens and smart devices in various combinations. Indeed, some platforms do this already, but not all. [Read More]

Meep Meep! A story of certificate (un)verification 🔏📜🔍❌

ACME clients seldom check the certificates they receive

This article discusses the lack of certificate checking done by ACMEv2 clients, as well as the lack of provision in the ACMEv2 protocol specification to encourage any checking. This article explores the implications of this, and demonstrate why we should probably being doing some additional checks in our ACMEv2 clients. The project is called “Meep Meep”, because that’s the sound a roadrunner makes. The author couldn’t think of a cleverer name for something related to ACME. [Read More]