Client Side Encryption (CSE) across multiple clients

Working on 2 layer security in the cloud (AWS). Have multiple clients pushing files to S3 document storage which are then retrieved by one EC2 instance.

Multiple external customers each requiring their own encryption (PUT files to S3). Have 1 internal instance that must be able to GET files from S3 and decrypt.

How can we manage multiple keys in an easy way?
3 legs of our problem

  1. Transport encrypted – solved via SSL
  2. Encrypt at rest – solved via S3 SSE
  3. Client side encryption

Is it possible for each client to encrypt (CSE), transport and then decrypt by S3 which then encrypts (SSE)? Any other thoughts or references that might help?

Kerberos – TCP client wants 1195725856 bytes, cap is 1048572

I’m having some difficulties debugging this error. I’m running nginx as an api gateway built to make a sub-request to kerberos whenever an endpoint gets called using the SPNEGO method. But whenever I attempt to make a requests with TGS ticket in the header I get the error TCP client 192.168.112.4.51658 wants 1195725856 bytes, cap is 1048572 then the connection closes.

I’ve tried printf "\xff\xff\xff\xff" | netcat krb_address 88 and it triggers the above error and if an instance of \xff is removed then no error.

What I’m struggling with figuring out is:

  1. What exactly is the message being sent to kerberos that is breaking the cap constraint?
  2. What kind of configuration changes need to be made to meet the cap requirement?

I’ve never worked with nginx and kerberos before so not sure of any better questions I could be asking other then the basics.

Some insight into previous experience with this error or perhaps some additional techniques I could use to uncover some more insights into what is causing the error would be very much appreciated!

How to force a browser when connecting to a specific domain to be https only using only the client machine?

Is it possible to force a client (browser or host machine or etc) to only make https connections to a specific URL/domain?

(preferably non-admin/root fixes if possible)

Here is a fabricated scenario:

Lets say someone hosted a website, and they didn’t put in an http -> https redirect and the web-server is serving requests on both 80/443 http/https respectively.

We are the client machine we work at a company and they wont fix the web-server for one reason or another. We do not have other machines to use as a proxy and have no control over the network. Now we could just make a bookmark (or other form of workflow that forces our actions to always reach https) but there has to be a way built in to browsers that can, say, “Do not connect to this domain/url unless using this protocol”.

This would be my preferred approach if possible.

This is very frustrating for people who are security focused as accidentally hitting the http version will leak your session ID and if you login there RIP password.

I searched online but surprisingly found nothing.

Is using a Google Drive client together with a sync tool a good or bad idea?

I have an employer-provided Google Drive account with almost 1 TB of data on. Basically everything I work on is on the Google Drive. It functions as a sort of live backup. Also, I’m running Ubuntu.

Now, back in the days on Windows, there was a Google Drive client that synced selected folders to my hard drive, which worked great, because I didn’t have to wait for the client to download every single file when opening them.

Currently on Ubuntu, I’m using google-drive-ocamlfuse which is real steady, but extremely slow.

So I was thinking about using a syncing tool, e.g. unison, to sync files from my google-drive-ocamlfuse folder to a regular folder, so I can access files on the fly, but still have them uploaded to my Google Drive “live”.

Is this a great idea, or a prescription for disaster?

How can Ettercap act as a client instead of a gateway?

I am trying to execute an attack that requires a full-duplex MiTM position. This is the reason why I choose to use Ettercap. I have picked DHCP spoofing as the attack of choice.

The problem that I am facing is that Ettercap executes the attack as half-duplex, meaning that I can only intercept messages coming from the client. I also want to intercept the messages coming the other way i.e. I need a full-duplex MiTM.

From what I understand, Ettercap acts as a gateway router in this scenario. The client thinks that I am the gateway so it sends me a request whose destination is not on the subnetwork, expecting that I will forward the layer 3 packet appropriately. Ettercap does this. However, when the response is received by the actual gateway router, it sends it immediately to the client (victim) because that is where the request packet originated from (source IP). This is shown in Figure 1.

What I basically want is to stop Ettercap from doing anything after the initial DHCP spoofing attack. Then I will add my own script that will make the same request as the client did, effectively acting like a forward proxy. This way, when the response is received by the actual gateway router, it will be sent to me. Then I can change things as I like and forward the changed response to the client. This is shown in Figure 2.

enter image description here

I hope that everyone understands what I meant to say. Does anyone know how this can be achieved?

Thank you! Cheers.

Form validation or model based verification on client side

I’m actually wondering what are the pros and cons of these two ways to handle client side validations / verifications.

Let’s imagine an application where there is a contact form that needs these information:

  • An email address (with a specific format)
  • A postal address (with a specific postal code format)

I have in mind two ways to handle these format verifications:

At the form level

The “usual” way to handle this: we put some verifications based on user inputs and validate / invalidate the information.

Concretely, on the change (or submit, anyway) event of the input we verify the field value with some regexp and modify the current component state to display an error accordingly.

The “backend DDD” way

The idea is to rely on the following statement:

When creating an object, it should always be in a good and consistent shape so that you don’t have to tweak for specific computations everywhere in the app

The idea is to enforce the verifications using schemas and to always rely on consistent objects that we don’t have to tweak in multiple places like modifying one of its internal attributes by hand (implying multiple sanity verifications etc…).

In a concrete world, I would simply rely on a Email.create(rawInputValue) that may throw an error concerning a bad format exception or something like this. Email would be a class definition that owns information on how to build a valid email address.


After this bit of context, I’m wondering what are the pros / cons of these system? Which one do you use and why?

Apache 2.4 mutual authentication – AH01797: client denied by server configuration

So I’m trying to set up Apache 2.4 mutual authentication on a virtual host configuration.

Given the below environment, what am I missing?

Server is: Slackware 14.2 x64, Apache 2.4.39, OpenSSL 1.0.2r

Client is: Windows 8.1 x64, Firefox Quantum 66.0.3 (64-bit)

So far I have:

  • Generated a self-signed root certificate (CA).
  • Generated a server key pair, signed by CA.
  • Generated a client key pair, signed by CA.
  • Generated a client .p12 certificate from client key pair and CA.
  • Added CA to /usr/local/share/ca-certificates/, and ran # update-ca-certificates -v
  • In Firefox, imported CA under Certificate Manager, Authorities.
  • In Firefox, imported .p12 certificate under Certificate Manager, Your Certificates.
  • Configure Apache to use server certificates. Yay, that’s working.

To test certificates I ran:

# openssl s_client -connect www.example.com:443 \   -cert ./client.crt \   -key ./client.key \   -CAfile ./CA/ca.crt \   -state -debug 

Witch ends with Verify return code: 0 (ok) but with no sign of client certificate in the output.
Full output later.

All this resulted in an error: AH01797: client denied by server configuration

Apache VirtualHost Configuration:

<VirtualHost www.example.com:443>      ServerName www.example.com     ServerAdmin webmaster@example.com      DocumentRoot "/home/username/local/www/php-dev"      ErrorLog /home/username/local/www/log/example.com-username.error.log     TransferLog /home/username/local/www/log/example.com-username.access.log      SSLEngine on     #SSLVerifyClient none     SSLCertificateFile      "/etc/httpd/certs/www.example.com.crt"     SSLCertificateKeyFile   "/etc/httpd/certs/www.example.com.key"     #SSLCACertificatePath   "/etc/httpd/certs"     SSLCertificateChainFile "/etc/httpd/certs/ca.crt"     SSLCACertificateFile    "/etc/httpd/certs/ca.crt"      <Directory "/home/username/local/www/php-dev">         Options +Indexes +FollowSymLinks +MultiViews -Includes          #RewriteEngine on         #RewriteBase /          AllowOverride None         #AllowOverride AuthConfig          Order allow,deny         Require all granted          # require a client certificate which has to be directly         # signed by our CA certificate in ca.crt         SSLVerifyClient         optional         SSLVerifyDepth          1         SSLOptions              +FakeBasicAuth         #SSLRequire             (%{SSL_CLIENT_S_DN_Email} eq "hostmaster@example.com")          # Use this option to match on DNS (This is working)         #Require                    forward-dns client.example.com         #Require                    valid-user      </Directory>  </VirtualHost> 

OpenSSL test output:

# openssl s_client -connect www.example.com:443 -cert ssl-ca/acer-64bit-firefox-auth.crt -key ssl-ca/acer-64bit-firefox-auth.key -state -debug CONNECTED(00000003) SSL_connect:before/connect initialization write to 0x1cdb1a0 [0x1dcc6e0] (305 bytes => 305 (0x131)) 0000 - 16 03 01 01 2c 01 00 01-28 03 03 0f 0b 13 4d 54   ....,...(.....MT ( **CUT** ) 0120 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01   ................ 0130 - 01                                                . SSL_connect:SSLv2/v3 write client hello A read from 0x1cdb1a0 [0x1dd1c40] (7 bytes => 7 (0x7)) 0000 - 16 03 03 00 42 02 00                              ....B.. read from 0x1cdb1a0 [0x1dd1c4a] (64 bytes => 64 (0x40)) 0000 - 00 3e 03 03 3e 28 62 eb-32 a9 4d 87 b7 93 f9 f1   .>..>(b.2.M..... ( **CUT** ) 0030 - 0b 00 04 03 00 01 02 00-23 00 00 00 0f 00 01 01   ........#....... SSL_connect:SSLv3 read server hello A read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5)) 0000 - 16 03 03 07 23                                    ....# read from 0x1cdb1a0 [0x1dd1c48] (1827 bytes => 1827 (0x723)) 0000 - 0b 00 07 1f 00 07 1c 00-03 da 30 82 03 d6 30 82   ..........0...0. 0010 - 03 3f a0 03 02 01 02 02-01 1a 30 0d 06 09 2a 86   .?........0...*. ( **CUT** ) 0700 - bb 65 62 8d a1 03 94 54-5a f8 23 07 ed 35 c8 36   .eb....TZ.#..5.6 0710 - 06 a4 35 82 54 22 76 b7-8d c0 c7 e5 4c ee 17 b9   ..5.T"v.....L... 0720 - 43 2a 58                                          C*X depth=1 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Certification Services Division, CN = Company Name Root CA, emailAddress = hostmaster@example.com verify return:1 depth=0 C = DK, ST = Denmark, L = Copenhagen, O = Company Name, OU = Secure Server, CN = www.example.com, emailAddress = hostmaster@example.com verify return:1 SSL_connect:SSLv3 read server certificate A read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5)) 0000 - 16 03 03 01 4d                                    ....M read from 0x1cdb1a0 [0x1dd1c48] (333 bytes => 333 (0x14D)) 0000 - 0c 00 01 49 03 00 17 41-04 dc 35 93 bc 84 e3 52   ...I...A..5....R 0010 - 7a c8 fa 92 fe 6f b3 23-fe 6d d6 fe 3b 07 d9 3a   z....o.#.m..;..: ( **CUT** ) 0130 - a8 67 ac 50 95 4f 85 1a-48 cd 8b 86 c3 8a 38 b6   .g.P.O..H.....8. 0140 - 6c 2e b8 0c b2 a6 a8 6b-3f c1 c0 82 47            l......k?...G SSL_connect:SSLv3 read server key exchange A read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5)) 0000 - 16 03 03 00 04                                    ..... read from 0x1cdb1a0 [0x1dd1c48] (4 bytes => 4 (0x4)) 0000 - 0e 00 00 00                                       .... SSL_connect:SSLv3 read server done A write to 0x1cdb1a0 [0x1ddbae0] (75 bytes => 75 (0x4B)) 0000 - 16 03 03 00 46 10 00 00-42 41 04 37 fa 53 36 d6   ....F...BA.7.S6. ( **CUT** ) 0040 - 34 dd e5 bc 6d 93 d8 40-81 d5 71                  4...m..@..q SSL_connect:SSLv3 write client key exchange A write to 0x1cdb1a0 [0x1ddbae0] (6 bytes => 6 (0x6)) 0000 - 14 03 03 00 01 01                                 ...... SSL_connect:SSLv3 write change cipher spec A write to 0x1cdb1a0 [0x1ddbae0] (45 bytes => 45 (0x2D)) 0000 - 16 03 03 00 28 9d 77 45-e7 4f 6b 4d 6c 93 9c 74   ....(.wE.OkMl..t 0010 - 46 b5 a0 ba e2 e2 1a c8-67 ab 7e 64 27 2c 40 9d   F.......g.~d',@. 0020 - 1b ed 20 7f d2 e7 a9 a3-e3 d1 12 3c 2b            .. ........<+ SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5)) 0000 - 16 03 03 00 ca                                    ..... read from 0x1cdb1a0 [0x1dd1c48] (202 bytes => 202 (0xCA)) 0000 - 04 00 00 c6 00 00 01 2c-00 c0 b8 fc d9 d3 b5 2e   .......,........ 0010 - d2 59 2a 66 46 e8 c6 bd-b3 de ea 93 78 d8 11 9f   .Y*fF.......x... ( **CUT** ) 00b0 - ca 8b 37 58 77 18 57 0c-b7 3e 20 43 a0 a3 25 25   ..7Xw.W..> C..%% 00c0 - 2e 3a a9 da 07 b4 a7 e6-9e 59                     .:.......Y SSL_connect:SSLv3 read server session ticket A read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5)) 0000 - 14 03 03 00 01                                    ..... read from 0x1cdb1a0 [0x1dd1c48] (1 bytes => 1 (0x1)) 0000 - 01                                                . read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5)) 0000 - 16 03 03 00 28                                    ....( read from 0x1cdb1a0 [0x1dd1c48] (40 bytes => 40 (0x28)) 0000 - 77 ac ab 69 7c e6 7f e7-04 47 6d 1d 0b 21 0d 37   w..i|....Gm..!.7 0010 - 5e a5 9a 8b 2b f7 40 9b-b3 f1 e4 53 18 4e ef 84   ^...+.@....S.N.. 0020 - 2b ad dc 68 07 b7 cc 28-                          +..h...( SSL_connect:SSLv3 read finished A --- Certificate chain  0 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com    i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com  1 s:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com    i:/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com --- Server certificate -----BEGIN CERTIFICATE----- MIID1jCCAz+gAwIBAgIBGjANBgkqhkiG9w0BAQsFADCBwzELMAkGA1UEBhMCREsx EDAOBgNVBAgTB0Rlbm1hcmsxEzARBgNVBAcTCkNvcGVuaGFnZW4xGDAWBgNVBAoT ( **CUT** ) h6Bxy9YXljo0WbpKbr97MC7N8KzG9WWNyRWrhMdCqz5prL4wIzjoGK2Kmn+EMueF 7B2ok8wsc6HVpaPfS+K4EMlEMosdwRnbZiU= -----END CERTIFICATE----- subject=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Secure Server/CN=www.example.com/emailAddress=hostmaster@example.com issuer=/C=DK/ST=Denmark/L=Copenhagen/O=Company Name/OU=Certification Services Division/CN=Company Name Root CA/emailAddress=hostmaster@example.com --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 2508 bytes and written 431 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:     Protocol  : TLSv1.2     Cipher    : ECDHE-RSA-AES256-GCM-SHA384     Session-ID: 454F4761410ECE47B266860E6F300E9AA9D27AF747B280C7030480CE73B9447C     Session-ID-ctx:      Master-Key: 9EC9F06ADA02FAB9EC1B7A43D15047730A93DF8DAA322F92134A9673D6B8BC059AF1E7EF39FAF1F254C27BEA0C920203     Key-Arg   : None     PSK identity: None     PSK identity hint: None     SRP username: None     TLS session ticket lifetime hint: 300 (seconds)     TLS session ticket:     0000 - b8 fc d9 d3 b5 2e d2 59-2a 66 46 e8 c6 bd b3 de   .......Y*fF.....     0010 - ea 93 78 d8 11 9f 3d be-63 6b 18 d4 36 73 75 18   ..x...=.ck..6su.     ( **CUT )     00a0 - c4 9a eb d2 04 19 ca 8b-37 58 77 18 57 0c b7 3e   ........7Xw.W..>     00b0 - 20 43 a0 a3 25 25 2e 3a-a9 da 07 b4 a7 e6 9e 59    C..%%.:.......Y      Start Time: 1555651633     Timeout   : 300 (sec)     Verify return code: 0 (ok) --- read from 0x1cdb1a0 [0x1dd1c43] (5 bytes => 5 (0x5)) 0000 - 15 03 03 00 1a                                    ..... read from 0x1cdb1a0 [0x1dd1c48] (26 bytes => 26 (0x1A)) 0000 - 77 ac ab 69 7c e6 7f e8-30 5b 8e cd fb b6 90 69   w..i|...0[.....i 0010 - 01 5e 7f 48 f2 e2 58 c1-ab 7c                     .^.H..X..| SSL3 alert read:warning:close notify closed write to 0x1cdb1a0 [0x1dd6193] (31 bytes => 31 (0x1F)) 0000 - 15 03 03 00 1a 9d 77 45-e7 4f 6b 4d 6d 8a df 5a   ......wE.OkMm..Z 0010 - a5 3d 1b ac b5 12 3f cb-fb 9d 1a 2b 1c 07 30      .=....?....+..0 SSL3 alert write:warning:close notify