Security

Practical web security: SSL/TLS and certificates, vulnerabilities and CVEs, hardening, and keeping sites trustworthy without the hand-waving.

227 posts on Security.

2026-06

2026-06-06 The ghost domain problem in DNS, and what we're doing about it
2026-06-04 Running HTTP/3 with Caddy in 2026: it just works
2026-06-03 QUIC and HTTP/3 in 2026: from Google experiment to IETF standard
2026-06-02 Caching get_certificate lookups in Caddy

2020-11

2020-11-23 OpenSSL pkg-config not found
2020-11-23 Could not find directory of OpenSSL installation

2020-05

2020-05-25 What else can you stuff in a certificate chain?
2020-05-05 Creating a 2-of-3 multisig with raw transactions on EOSIO

2020-04

2020-04-21 Someone, somewhere, is trying to break into your app
2020-04-10 How to run HTTP/3 with Caddy 2
2020-04-10 Migrating to Caddy 2

2019-11

2019-11-20 How to prevent content-spoofing in Apache's 404 error pages
2019-11-08 Disable HTTP sessions in Laravel to speed up your API

2019-10

2019-09

2019-09-19 How we used Caddy and Laravel’s subdomain routing to serve our status pages

2019-07

2019-07-09 There’s more than one way to write an IP address

2019-05

2019-05-04 Enable the RPC JSON API with password authentication in Bitcoin Core

2019-04

2019-04-22 Requesting certificates with Let’s Encrypt’s official certbot client
2019-04-03 The end of Extended Validation certificates

2019-01

2019-01-23 Remote Code Execution in apt/apt-get

2018-10

2018-10-17 The convincing Bitcoin scam e-mail extorting you
2018-10-02 Find the public key belonging to a private key

2018-09

2018-09-24 ssh error: unable to negotiate with IP: no matching cipher found

2018-05

2018-05-14 Remote Desktop error: CredSSP encryption oracle remediation

2018-04

2018-04-30 Certificate Transparency logging now mandatory

2018-03

2018-03-28 Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002
2018-03-22 Upcoming Drupal 7 and 8 core highly critical security release: March 28th
2018-03-19 The security footgun in etcd

2018-02

2018-02-24 Announcing “Oh Dear!”: a new innovative tool to monitor your websites
2018-02-19 Show IDN punycode in Firefox to avoid phishing URLs
2018-02-09 Chrome will mark all HTTP sites as “not secure”

2018-01

2017-11

2017-11-28 Root login without password allowed by default on Mac OSX High Sierra

2017-10

2017-10-30 Staat der Nederlanden CA might be revoked from Mozilla Policy?
2017-10-16 KRACK Attacks: Breaking WPA2

2017-09

2017-09-21 Due to CAA records, unable to issue TLS certs for names in private.cam.ac.uk
2017-09-20 DNS Research: using SPF to query internal DNS resolvers
2017-09-18 A proposal for cryptocurrency addresses in DNS
2017-09-17 Chrome & Firefox now force .dev domains to HTTPS via preloaded HSTS
2017-09-14 Presentation: Code Obfuscation, PHP shells & more
2017-09-11 cron.weekly issue #97: kernel 4.13, TLS, LLVM, Yarn, Vagrant, AWX, Nginx & more
2017-09-10 Coming soon: Oh Dear! – Monitoring for the encrypted web
2017-09-09 CAA record checking now mandatory for Certificate Authorities

2017-08

2017-08-28 Restore one-click certificate viewing in Chrome
2017-08-23 Removing root-owned files as a non-root user
2017-08-01 RHEL & CentOS 7.4 restores HTTP/2 functionality on Nginx

2017-07

2017-05

2017-05-24 Samba CVE-2017-7494: Remote Code Execution in Samba 3.5.0 and upwards
2017-05-19 CentOS 7.4 to ship with TLS 1.2 + ALPN
2017-05-19 (Dutch) Tech45 podcast #341: Technologica & WannaCry ransomware
2017-05-18 WordPress starts Bug Bounty program on HackerOne
2017-05-15 Ways in which the WannaCry ransomware could have been much worse
2017-05-08 Chrome to restore one-click certificate viewing in browser
2017-05-04 NIST recommendation: remove periodic password change requirements
2017-05-02 How to enable TLS 1.3 on Nginx
2017-05-02 Remote security exploit in all 2008+ Intel platforms

2017-04

2017-04-28 Top 5 security checks for secure, unhackable web applications
2017-04-08 CAA checking becomes mandatory for SSL/TLS certificates

2017-03

2017-02

2017-02-28 Mitigating PHP's long standing issue with OPCache leaking sensitive data
2017-02-24 Cloudbleed: Cloudflare Reverse Proxies have Dumped Uninitialized Memory
2017-02-23 Announcing the first SHA1 collision
2017-02-22 Linux kernel: CVE-2017-6074 – local privilege escalation in DCCP
2017-02-18 Security is Hard: Where Do I Start?
2017-02-12 PHP 7.2 to get modern cryptography into its standard library
2017-02-09 Introducing Docker Secrets Management
2017-02-06 cron.weekly issue #66: Git Filesystem, Security, JVM, Fission, Habitat, TLS 1.3
2017-02-02 Stop Disabling SELinux: A Real-World guide

2017-01

2017-01-28 Look before you paste from a website to terminal
2017-01-23 Return of the Unauthenticated, Unfirewalled protocols
2017-01-19 Create a SOCKS proxy on a Linux server with SSH to bypass content filters
2017-01-17 Despite revoked CA’s, StartCom and WoSign continue to sell certificates
2017-01-16 Google Infrastructure Security Design Overview
2017-01-16 WordPress to get secure, cryptographic updates
2017-01-11 Staying Safe Online – A short guide for non-technical people

2016-12

2016-12-28 Mac OSX keeps prompting SSH key passphrase, does not use KeyChain

2016-11

2016-10

2016-10-30 Run Nginx proxy in Docker container for HTTP/2

2016-08

2016-08-26 Podcast: Application Security, Cryptography & PHP
2016-08-16 TCP vulnerability in Linux kernels pre 4.7: CVE-2016-5696

2016-07

2016-07-22 vsftpd on linux: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
2016-07-13 Highly Critical Remote Code Execution patch for Drupal (PSA-2016-001)
2016-07-11 How To Get Pokémon Go on iPhone Outside US

2016-05

2016-05-14 The day Google Chrome disables HTTP/2 for nearly everyone: May 31st, 2016
2016-05-06 Podcast: Devops, SSL & HTTP2 op HTTP Café
2016-05-04 Security week: 2x High Severity OpenSSL vulnerability & critical ImageMagick flaw

2016-04

2016-04-26 Nginx 1.10 brings HTTP/2 support to the stable releases
2016-04-19 Staying up-to-date on open source announcements & security issues via Twitter
2016-04-17 Bash on Windows: a hidden bitcoin goldmine?
2016-04-12 What happens when you run “rm -fr /” on a Linux machine?
2016-04-01 ssh fatal: Access denied for user by PAM account configuration [preauth]

2016-03

2016-03-28 certdiff
2016-03-16 The “.well-known” directory on webservers (aka: RFC 5785)
2016-03-15 Remote Code Execution in all git versions (client + server) < 2.7.4: CVE-2016-2324, CVE-2016‑2315
2016-03-01 OpenSSL vulnerabilities: DROWN attack and CacheBleed

2016-02

2016-02-16 Critical glibc buffer overflow vulnerability in getaddrinfo() on Linux (CVE-2015-7547 & CVE-2015-5229)

2015-11

2015-11-16 Create a password-protected ZIP file on Mac OSX
2015-11-16 Chrome drops NPN support for HTTP/2, ALPN only

2015-10

2015-09

2015-09-24 Terminal escape sequences – the new XSS for Linux sysadmins
2015-09-22 Enable HTTP/2 in Nginx

2015-08

2015-08-17 Apache 2.4: Unknown Authz provider: ip
2015-08-13 Nginx SSL Certificate Errors: PEM_read_bio_X509_AUX, PEM_read_bio_X509, SSL_CTX_use_PrivateKey_file
2015-08-12 Apple’s DYLD_PRINT_TO_FILE vulnerability: from zero to root in 2 seconds
2015-08-11 Bind/Named Crash: REQUIRE(*name == ((void *)0)) failed, CVE-2015-5477
2015-08-10 How To Read The SSL Certificate Info From the CLI
2015-08-09 Block User-Agent in htaccess for Apache Webserver
2015-08-08 Effectively Using and Detecting The Slowloris HTTP DoS Tool
2015-08-06 How To Use A Jumphost in your SSH Client Configurations
2015-08-06 How To Create A Self-Signed SSL Certificate With OpenSSL

2015-07

2015-07-23 Critical Cross-Site Scripting Vulnerability in WordPress < 4.2.2
2015-07-13 Enable click-to-play for Flash & Java in Chrome, Firefox & Safari
2015-07-09 Rethinking Security Advisory Severities
2015-07-09 OpenSSL CVE-2015-1793: Man-in-the-Middle Attack

2015-06

2015-06-27 The Broken State of Trust In Root Certificates
2015-06-26 RFC 7568: SSL 3.0 Is Now Officially Deprecated
2015-06-15 uBlock Origin Now Blocking Access To SourceForge

2015-05

2015-05-19 Stunt Hacking: The Sad State of Our Security Industry
2015-05-10 Scan Your WordPress For Security Vulnerabilities With WPScan
2015-05-07 In Defence Of WordPress
2015-05-06 uBlock Origin
2015-05-05 French Law Forces Backdoors On ISPs
2015-05-05 Security In Medical Equipment
2015-05-02 248 days

2015-04

2015-04-27 Drupal EngineHack Detection Website
2015-04-21 Using JavaScript To Read L3 CPU Cache
2015-04-21 Magento eCommerce PHP Remote Code Execution
2015-04-07 Chrome Version 42 Starts Marking SHA-1 SSL Certificates As Insecure
2015-04-05 The Irony of Random Passwords For Each Service
2015-04-03 Mozilla Blocking CCNIC’s CA Too
2015-04-02 Google’s War on China

2015-03

2015-03-19 OpenSSL CVE-2015-0291 and CVE-2015-0286
2015-03-16 Forthcoming OpenSSL releases
2015-03-09 Drupal engine_ssid_ And engine_ssl_ cookies: You've Been Hacked
2015-03-06 Bundling Software Installs With Adware

2015-02

2015-02-19 Tearing Down Lenovo’s Superfish Statement
2015-02-01 Ntimed: an NTPD replacement

2015-01

2015-01-30 Running a Tor relay: lessons learned
2015-01-29 Quick tests for GHOST gethostbyname () vulnerability (CVE-2015-0235)
2015-01-27 Modeling Package Manager Dependencies In Config Management
2015-01-27 GHOST: critical glibc update (CVE-2015-0235) in gethostbyname() calls
2015-01-20 Security Panel Lands In Firefox 37
2015-01-08 Recent OpenSSL Security Advisories Are a Good Thing
2015-01-02 PHP’s CVE vulnerabilities are irrelevant

2014-12

2014-12-23 The Surprising Mixed Content Handling on SSL/HTTPS Enabled Websites
2014-12-22 Replacing Software Stacks Is Never The Solution
2014-12-16 Force Redirect From HTTP to HTTPs On A Custom Port in Nginx
2014-12-16 Enable SPDY in Nginx on CentOS 6
2014-12-14 Combine Apache’s HTTP authentication with X-Forwarded-For IP whitelisting in Varnish
2014-12-13 Chrome To Explicitly Mark HTTP Connections As Non-Secure
2014-12-08 The Real Cost of the “S” in HTTPS
2014-12-02 On Timing Attacks in PHP

2014-11

2014-11-24 Remote Code Execution via ‘less’ on Linux Boxes
2014-11-19 Yet Another Microsoft Windows CVE: Local Privilege Escalation MS14-068
2014-11-18 A Certificate Authority to Encrypt the Entire Web
2014-11-17 Remove a single iptables rule
2014-11-16 Running Kali Linux as a Vagrant Box (virtual machine)
2014-11-12 Benchmarking the performance of ‘Wordfence’, a WordPress plugin
2014-11-12 Microsoft SSL/TLS vulnerability MS14-066
2014-11-10 A collection of PHP exploit scripts

2014-10

2014-10-15 Patch your webservers for the SSLv3 POODLE vulnerability (CVE-2014-3566)

2014-07

2014-07-28 HTTPd: Cannot load mod_status.so into server: undefined symbol: ap_copy_scoreboard_worker

2014-05

2014-05-13 CVE-2014-0185: PHP-FPM sockets unavailable after updating PHP
2014-05-03 OpenSSL: validate that certificate matches / signs the private key

2014-04

2014-04-10 Scan your network for Heartbleed vulnerabilities with Nmap
2014-04-08 Patch against the heartbleed OpenSSL bug (CVE-2014-0160)

2014-03

2014-03-31 Presentation: Code Obfuscation, PHP shells & more: what hackers do once they get passed your code

2012-08

2012-08-10 Now stop using dsbl.org blacklisting: it’s offline

2012-03

2012-03-22 What are the ‘encrypted_search_terms’ hits on your website/wordpress blog?

2012-02

2012-02-28 SSH logins or rsync’s without using a password prompt
2012-02-24 Nginx: password protect a directory
2012-02-21 The hidden images within PHP
2012-02-18 Letting memcached only listen on localhost on CentOS/RHEL
2012-02-05 The infamous /w00tw00t.at.ISC.SANS.DFind GET requests in your access logs

2011-11

2011-11-19 Plesk: show all FTP accounts and passwords

2011-05

2011-05-26 Plesk Password retrieval via the command line (Linux / Windows)

2011-04

2011-04-03 WikiLeaks Mirror Hosting Page now offline

2011-03

2010-12

2010-12-06 WikiLeaks’ mirrors: where are they hosted?
2010-12-01 Tracking root cause of Apache spawned processes: shell scripts / daemons

2010-11

2010-11-23 Introducing the ‘Decoder, Encoder & Obfuscator’

2010-08

2010-08-26 Exclude Local Networks Via Juniper NetScreen-Remote VPN

2010-07

2010-07-12 Implementing & Maintaining DNSSEC On Bind9 Nameservers

2010-04

2010-04-06 IPv6 And Security: What You Probably Don’t Know

2010-03

2010-03-29 Don't Upgrade OpenSSL If You're Using Plesk (= Broken Controlpanel)

2010-02

2010-02-17 Top 25 Most Dangerous Programming Errors

2010-01

2010-01-13 BackTrack 4 Final Release

2009-12

2009-12-27 NetBIOS exploiting

2009-09

2009-09-19 MetaData: I’ll Bet You Thought That Was Private?

2009-06

2009-06-21 Slowloris HTTP DoS: Be Afraid, Be Very Afraid

2009-03

2009-03-03 Reverse Shell Implementation in PHP5

2009-02

2009-02-23 FTP & SELinux: 500 OOPS: cannot change directory
2009-02-07 Input Validation: Using filter_var() Over Regular Expressions

2009-01

2009-01-14 Using Plesk’s SMTP Server: DNS Blacklist Prevents Sending

2008-11

2008-11-03 How Do I Reset My Admin Password Of Plesk (Linux CLI)
2008-11-01 Securing The Internet – Google’s Obfuscated TCP

2008-10

2008-10-23 How To Reset A (Administrator) Password On A Windows Server 2003
2008-10-17 Australia To Become The New China – Internet Censorship
2008-10-03 How To Allow Empty Passwords In Remote Desktop (RDP – WinXP/2000/2003)
2008-10-01 How To Bypass Windows 98’s Security System

2008-09

2008-09-22 Top Tools For Penetration Testing (Security Analysis/Hacking)
2008-09-15 Enable DNS Blackhole Lists & SPF Checks In Plesk’s Spamassassin
2008-09-09 A Recipe For Disaster: XSS, Google-Analytics.com And DNS Cache Poisoning
2008-09-09 Simple Apache Security Trick – ServerTokens & ServerSignature

2008-08

2008-08-28 There Are HTTP Headers, And Then There Are HTTP Headers
2008-08-27 Why Is Mail Being Blocked By A Spamfilter?
2008-08-23 The Right SQL User, For The Right Job
2008-08-15 How To Identify Hidden Processes In Windows (Rootkits)
2008-08-13 Is Your GMail Notifier Suddenly Broken?
2008-08-12 Common Security Flaws In PHP Applications
2008-08-08 How To Identify The Bad Processes On A Hacked Linux Box
2008-08-05 DNS Poisoning Attack, How Safe Am I?
2008-08-05 Remote Code Execution Through Intel CPU Bugs

2008-07

2008-07-21 Controlling the San Fransisco Computer Network – The Powers Of A SysAdmin
2008-07-15 Domain theft at a new height
2008-07-09 Keeping control of airline passengers

2008-06

2008-06-08 Some terrible (truely terrible) captcha’s
2008-06-05 Germany to invade your home (computer)