Clik here to view.
Salsa20 and UMAC in TLS
Lately while I was implementing and deploying an SSL VPN server, I realized that even for a peer-to-peer connections the resources taken for encryption on the two ARM systems I used were quite...
View ArticleInside an SSL VPN protocol
Some time ago when trying to provide a way to interconnect the routers of the company I was working on, I attempted to evaluate the various secure VPN solutions available as free software. As I was...
View ArticleClik here to view.
software has bugs... now what?
The recent bugs uncovered in TLS/SSL implementations, were received in the blogo-sphere with a quest for the perfectly secure implementations, that have no bugs. That is the modern quest for perpetual...
View ArticleWhat about POODLE?
Yesterday POODLE was announced, a fancy named new attack on the SSL 3.0 protocol, which relies on applications using a non-standard fallback mechanism, typically found in browsers. The attack takes...
View ArticleA quick overview of GnuTLS development in 2014
2014 was a very interesting year in the development of GnuTLS. On the development side, this year we have incorporated patches with fixes or enhanced functionality from more than 25 people according to...
View ArticleSoftware Isolation in Linux
Starting from the assumption that software will always have bugs, we need a way to isolate and neutralize the effects of the bugs. One approach is by isolating components of the software such that a...
View ArticleAn overview of GnuTLS 3.4.x
This April GnuTLS 3.4.0 was released, as our stable-next branch, i.e., the branch to replace the current stable branch of GnuTLS (which as of today is the 3.3.x branch). During that time, we also...
View ArticleWhy do we need SSL VPNs today?
One question that has been bothering me for quite a while, is why do we need SSL VPNs? There is an IETF standardized VPN type, IPSec, and given that, why do SSL VPNs still get deployed? Why not just...
View ArticleAn overview of the new features in GnuTLS 3.5.0
Few minutes ago I've released GnuTLS 3.5.0. This is the stable-next branch of GnuTLS which will replace the stable GnuTLS 3.4.x branch within a year. It is fully backwards compatible and comes with...
View ArticleRestricting the scope of CA certificates
The granting of an intermediate CA certificate to a surveillance firm generated quite some fuss. Setting theories aside, the main reason behind that outcry, is the fact that any intermediate CA...
View ArticleA brief look at the Linux-kernel random generator interfaces
Most modern operating systems provide a cryptographic pseudo-random number generator (CPRNG), as part of their OS kernel, intended to be used by applications involving cryptographic operations. Linux...
View ArticleUsing the Nitrokey HSM with GnuTLS applications
The Nitrokey HSM is an open hardware security module, in the form of a smart card token, which is used to isolate a server's private key from the application. That is, if you have an HTTPS server, such...
View ArticleClik here to view.
Improving by simplifying the GnuTLS PRNG
One of the most unwanted baggages for crypto implementations written prior to this decade is the (pseudo-)random generator, or simply PRNG. Speaking for GnuTLS, the random generator was written at a...
View ArticleThe mess with internationalized domain names
While internationalized domain names (DNS names) are not common in the English speaking world, they exist and their use was standardized by IETF's IDNA standards. I first found out the existence of...
View ArticleAn overview of GnuTLS 3.6.0
The new 3.6.0 GnuTLS release contains several new features, back-end changes and clean ups. This is a release which re-spins the so-called 'stable-next' branch, meaning that once considered stable...
View ArticleGnuTLS and TLS 1.3
GnuTLS already contains support for the latest TLS 1.3 draft (draft-ietf-tls-tls13-26) on its master git branch. TLS 1.3 will be included and enabled by default in the upcoming 3.6.3 release, once the...
View Article