14 matches found
Fedora: Security Advisory for golang-github-letsencrypt-pebble (FEDORA-2022-ea8f4e232d)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] Fedora 36 Update: golang-github-letsencrypt-pebble-2.3.1-6.fc36
A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority...
Fedora: Security Advisory for golang-github-letsencrypt-pebble (FEDORA-2022-3e1ade35db)
The remote host is missing an update for the Copyright (C) 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
[SECURITY] Fedora 35 Update: golang-github-letsencrypt-pebble-2.3.1-5.fc35
A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority...
Fedora: Security Advisory for golang-github-letsencrypt-pebble (FEDORA-2022-ba365d3703)
The remote host is missing an update for the Copyright (C) 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
[SECURITY] Fedora 36 Update: golang-github-letsencrypt-pebble-2.3.1-5.fc36
A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority...
Let’s Encrypt to revoke “mis-issued” certificates
If you use a Let’s Encrypt SSL/TLS certificate, you may wish to check your account over the coming days. Revocation is coming, and you’ve only got until tomorrow to figure things out. What’s the deal with free certificates? If you’re running a website, you want to make sure that it’s HTTPS. It...
Convincing Google Impersonation Opens Door to MiTM, Phishing
An attack that uses homographic characters to impersonate domain names and launch convincing but malicious websites takes minutes and a bare modicum of skill — while reaping high rates of success in luring victims, according to an independent researcher. Researcher Avi Lumelsky set out to see how...
HackerOne: Missing Certificate Authority Authorization rule
Certificate Authority Authorization supported by LetsEncrypt and other CAs allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA o...
CLI for Ephemeral Penetration Testing: hideNsneak
This application assists in managing attack infrastructure for penetration testers by providing an interface to rapidly deploy, manage, and take down various cloud services. These include VMs, domain fronting, Cobalt Strike servers, API gateways, and firewalls. hideNsneak provides a simple...
Man-in-the-Middle (MitM)
github.com/letsencrypt/boulder is vulnerable to man-in-the-middle (MitM) attacks. The application is configured to assign X509 certificates over HTTP, allowing a malicious user to intercept and inject their own certificate...
Non-expiring Signatures
github.com/letsencrypt/boulder is vulnerable to non-expiring signatures. A malicious user can use an old signature and submit it to the application to be authenticated...
Authentication Bypass
github.com/letsencrypt/boulder is vulnerable to authentication bypass. A malicious user can bypass validation by passing an RSA key such that the RSA key matches the signature of a still-provisioned resource on the target domain...
SSL Enabled Basic Auth Credential Harvester: phishery
An SSL Enabled Basic Auth Credential Harvester with a Word Document Template URL Injector. Phishery is a simple SSL-enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication. Phishery also provides the ability to easily inject the URL into a .docx Word document...