105 matches found
Why Did the OpenSSL Punycode Vulnerability Happen
Some room-temperature takes on yesterdays not-quite-RCE vulnerabilities in OpenSSL 3.0, and on what there is to learn about safe cryptography engineering. A recap Yesterday OpenSSL published version 3.0.7, which was pre-announced to contain a fix for a CRITICAL vulnerability, the first one since...
A secure captive portal browser with automatic DNS detection
Captive portals are the worst. Flaky detection. The OS and browser try to detect these annoying network features but fail quite often, leaving you with broken connections. DID YOU KNOW that probe-based captive portal detection really doesn't work very well, with 30% FP and 30% FN rate in Chrome? ...
Efficient Go APIs with the mid-stack inliner
A common task in Go API design is returning a byte slice. In this post I will explore some old techniques and a new one that became possible in Go 1.12 with the introduction of the mid-stack inliner. Returning a fresh slice The most natural approach is to return a fresh byte slice, like...
Finding Ticketbleed
Ticketbleed CVE-2016-9244 is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed. If you suspect you might be...
Cleaning up my GOPATH with Homebrew
tl;dr: use the script at the bottom to go get into the Homebrew "Cellar" and keep your GOPATH clean. I personally like GOPATH and import paths, but while trying to reduce my laptop to a thin reproducible client, I felt the pain of keeping track of the hundreds of repositories that end up in there...
mkcert: valid HTTPS certificates for localhost
or for any other names The web is moving to HTTPS, preventing network attackers from observing or injecting page contents. But HTTPS needs TLS certificates, and while deployment is increasingly a solved issue thanks to the ACME protocol and Let's Encrypt, development still mostly ends up happenin...
restic cryptography
tl;dr: this is not an audit and I take no responsibility for your backups, but I had a quick look at the crypto and I think I'm going to use restic for my personal backups. I keep hearing good things about restic. I am redoing my storage solution, and restic seems to tick all the boxes for my...
Using Ed25519 signing keys for encryption
@Benjojo12 and I are building an encryption tool that will also support SSH keys as recipients, because everyone effectively already publishes their SSH public keys on GitHub. For RSA keys, this is dangerous but straightforward: a PKCS1 v1.5 signing key is the same as an OAEP encryption key...
A secure captive portal browser with automatic DNS detection
Captive portals are the worst. Flaky detection. The OS and browser try to detect these annoying network features but fail quite often, leaving you with broken connections. DID YOU KNOW that probe-based captive portal detection really doesnt work very well, with 30% FP and 30% FN rate in Chrome? -...
Finding Ticketbleed
Ticketbleed CVE-2016-9244 is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed. If you suspect you might be...
A Go implementation of Poly1305 that makes sense
Poly1305 is a Message Authentication Code--a cryptographic primitive for authenticating a message with a shared secret key, like HMAC. Although its really a fraction of the complexity of e.g. elliptic curves, most of the implementations Ive read look decidedly like magic, mysteriously multiplying...
DSA Is Past Its Prime
I want to start by acknowledging that tech is not the most important thing happening around me at the moment. Its critical to understand our role in fixing the issues in the system we are part of. I found that Russ Cox captured that message very well in a recent email to golang-nuts, you should...
My age+YubiKeys Password Management Solution
Password managers are in the news, and its the holidays, so its as good a time as ever to describe my password and secret management setup. Its very much not for everyone, but its minimal, simple, and has some interesting security properties: even if my laptop were compromised, it would take an...
Replace PGP With an HTTPS Form
I asked my Twitter followers what I should talk about in this issue, and those trolls picked PGP and security vulnerability reporting, so here goes nothing. As you probably know, the school of modern cryptography thinking I subscribe to says that tools and protocols should be small, simple, and...
rustgo: calling Rust from Go with near-zero overhead
русский Go has good support for calling into assembly, and a lot of the fast cryptographic code in the stdlib is carefully optimized assembly, bringing speedups of over 20 times. However, writing assembly code is hard, reviewing it is possibly harder, and cryptography is unforgiving. Wouldn't it ...
Touch-to-operate password-store with YubiKey 4
There are dozens of tutorials on how to fight GnuPG to use YubiKeys for everything, but my favorite overlooked feature of the YubiKey 4 is "touch to operate", where each cryptographic operation takes a physical touch of the gold surface. That pairs particularly well with password-store, a PGP...
Live streaming Cryptopals
tl;dr: I'm livecoding the Cryptopals in Go on Twitch, one set every Sunday. The recordings are on YouTube. Oh, wow. I love the idea. Would anyone here seriously watch 20 to 40 hours of me doing crypto, math and Go? Mic, screen, and everything. -- Filippo Valsorda @FiloSottile October 16, 2016...
Install Go tools from modules with brew-gomod
As of Go 1.14, modules are ready for production. Compared to GOPATH, they make it much easier to keep workspaces clean by managing dependencies out of sight, and by letting you clone projects anywhere. However, there is no good way to simply install a Go binary from source, yet. The core reason f...
Avoid The Randomness From The Sky
This is a plea for cryptography specification authors. If your protocol uses randomness, please make it a deterministic function that takes a fixed-size string of random bytes , and publish known-answer tests for it. This whole issue could really be just the paragraph above, but I feel like I nee...
Playing with kernel TLS in Linux 4.13 and Go
Linux 4.13 introduces support for nothing less than... TLS! The 1600 LoC patch allows userspace to pass the kernel the encryption keys for an established connection, making encryption happen transparently inside the kernel. The only ciphersuite supported is AES-128-GCM as per RFC 5288, meaning it...
Hacking together a USB-C charger for a cheap Chromebook
The era of USB-C has come. The other day I threw all other cables into a box, and bought a set of USB-C to USB-C, Lightning, and microUSB cables. USB-C chargers around the house, USB-C PD power bank, even a nice small USB-C dock that works with the Nintendo Switch if the charger can do the right...
age and Authenticated Encryption
age is a file encryption format, tool, and library. It was made to replace one of the last remaining GnuPG use cases, but it was not made to replace GnuPG because in the last 20 years we learned that cryptographic tools work best when they are specialized and opinionated instead of flexible Swiss...
The scrypt parameters
The recommended scrypt parameters in the Go docs were recently brought up for discussion given they haven't changed since 2009. Even if at this point I memorized the three numbers N=16384, r=8, p=1 I only have a vague understanding of their meaning, so I took some time to read the scrypt paper...
An overview of TLS 1.3
I presented TLS 1.3 to the CloudFlare London office. Why it's faster, how it works, why it's safer, what's clever about it. The talk is recorded and comes with colored diagrams. There's a transcript on the CloudFlare blog. Update: you might want to watch my 33c3 talk on the same topic instead. An...
Planning Go 1.20 Cryptography Work
As you might know, I left Google in spring to try and make the concept of a professional Open Source maintainer a thing. Im staying on as a maintainer of the Go cryptography standard library, and I am going to seek funding from companies that rely on it, want to ensure its security and reliabilit...
KEMs and Post-Quantum age
Theyre here! NIST selected a first batch of post-quantum cryptographic key exchange and signature algorithms. The report is a nice read that explains a lot of the goals, candidates, selections, and rationales. I recommend Sections 2, 3.3, and 4.1. For key exchange, NIST selected only...
Enough Polynomials and Linear Algebra to Implement Kyber
I was once talking with a mathematician and trying to explain elliptic curve cryptography. Eventually, something clicked and they went "oh, that! I think there was a chapter about it in the book. You made a whole field out of it?" Yes, in cryptography we end up focusing on a very narrow slice of...
Announcing the $12k NIST Elliptic Curves Seeds Bounty
The NIST elliptic curves that power much of modern cryptography were generated in the late '90s by hashing seeds provided by the NSA. How were the seeds generated? Rumor has it that they are in turn hashes of English sentences, but the person who picked them, Dr. Jerry Solinas, passed away in ear...
A Wide Reduction Trick
In line with the original spirit of Cryptography Dispatches, this is a quick1 issue to talk about a neat bit of cryptography engineering I encountered. The structure of an ECC implementation Elliptic curve cryptography implementations all roughly share the following structure: theres a base field...
Go 1.20 Cryptography
The first second release candidate of Go 1.20 is out!1 This is the first release I participated in as an independent maintainer, after leaving Google to become a professional Open Source maintainer. By the way, thats going great, and Im going to write more about it here soon! Im pretty happy with...
I’m Now a Full-Time Professional Open Source Maintainer
or, "Holy shit, it works!" Last May I left my job on the Go team at Google to experiment with more sustainable paths for open-source maintainers. I held on to my various maintainer hats Go cryptography, transparency tooling, age, mkcert, yubikey-agent…, iterated on the model since September, and ...
ssh whoami.filippo.io
I updated the whoami.filippo.io dataset over the holidays, so it should be pretty accurate at least for a little while. If you already know what Im talking about, below are some tidbits about how I fetched the new dataset and how its stored. If you dont, stop reading, and run this. Ill wait. $ ss...
So I lost my OpenBSD FDE password
The other day I set up a new OpenBSD instance with a nice RAID array, encrypted with Full Disk Encryption. And promptly proceeded to forget part of the passphrase. We know things get interesting when I lose a password. I did a weak attempt at finding some public bruteforce tool, and found nothing...
My Maintenance Policy
I wrote a short document describing how I maintain open source projects, to link it from my global CODEOFCONDUCT, CONTRIBUTING, and SECURITY files. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations. It got so...
Why We Don’t Generate Elliptic Curves Every Day
With all the talk recently of how the NIST curve parameters were selected, a reasonable observer could wonder why we all use the same curves instead of generating them along with keys, like we do for Diffie-Hellman parameters. You might have memories of waiting around for openssl dhparam to run a...
Setting a custom FileVault (macOS FDE) passphrase
FileVault 2 is the full-disk encryption system of macOS. Normally, it's turned on from System Preferences, and locks the disk with the passwords of all the users allowed to unlock the machine. Overloading the login/unlock/sudo password is an understandable UX simplicity choice, but makes it very...
Easy Windows and Linux cross-compilers for macOS
tl;dr: you can install cross-compiler toolchains to compile C/C++ for Windows or Linux from macOS with these two Homebrew Formulas. brew install FiloSottile/musl-cross/musl-cross brew install mingw-w64 Cross-compiling C and C++ is dreadful. While in Go you just need to set an environment variable...
Live streaming Cryptopals
tl;dr: Im livecoding the Cryptopals in Go on Twitch, one set every Sunday. The recordings are on YouTube. Oh, wow. I love the idea. Would anyone here seriously watch 20 to 40 hours of me doing crypto, math and Go? Mic, screen, and everything. -- Filippo Valsorda @FiloSottile October 16, 2016 Almo...
The Most Backdoor-Looking Bug I’ve Ever Seen
This is the story of a bug that was discovered and fixed in Telegrams self-rolled cryptographic protocol about seven years ago. The bug didnt get any press, and no one seems to know about it, probably because it was only published in Russian. To this day, its the most backdoor-looking bug Ive eve...
Making a Gmail bot with Apps Script and TypeScript
Google Apps Script is one of the best hidden features of Gmail. Did you ever want just a bit more flexibility from a filter? Maybe the ability to remove a label, or match on a header, or just decide the order they are applied in. Apps Script can do all that and then some. They are simple JavaScri...
PINs for Cryptography with Hardware Secure Elements
I’m a big fan of technologies that enable otherwise impossible security properties and user experiences, like cryptography often can. One such technology is hardware secure elements. Here’s a thing you can’t do with cryptography: encrypt data securely with a low-entropy secret, like a PIN. If a...
Post-quantum Cryptography for the Go Ecosystem
filippo.io/mlkem768 is a pure-Go implementation of ML-KEM-768 optimized for correctness and readability. ML-KEM formerly known as Kyber, renamed because we can't have nice things is a post-quantum key exchange mechanism in the process of being standardized by NIST and adopted by most of the...
mkcert: valid HTTPS certificates for localhost
or for any other name The web is moving to HTTPS, preventing network attackers from observing or injecting page contents. But HTTPS needs TLS certificates, and while deployment is increasingly a solved issue thanks to the ACME protocol and Lets Encrypt, development still mostly ends up happening...
git fixup: --amend for older commits
Everyone knows and loves to use git commit --amend to change the latest commit. But what if you want to correct a older commit? The flow in that case involves an interactive rebase with a edit step. But that's kludgy. Here's an alias that using a couple of nifty git features makes it one command...
A Cryptographic Near Miss
Go 1.20.2 fixed a small vulnerability in the crypto/elliptic package. The impact was minor, to the point that I don't think any application was impacted, but the issue was interesting to look at as a near-miss, and to learn from. Fundamentally, a scalar multiplication function was returning the...
Planning Go 1.21 Cryptography Work
As most of you are tired to hear by now, I am a professional, full-time open-source maintainer, and a lot of my time is spent maintaining the Go cryptography standard libraries. Go's development follows a fixed calendar with two development windows and two releases every year. I try to write abou...
OpenSSH 8.2 Just Works with U2F/FIDO2 Security Keys
OpenSSH is on a roll. In February, OpenSSH 8.2 introduced first-class support for FIDO2 nee U2F security keys, making hardware backed keys accessible for less than $20. This is not some complicated PAM setup, or some janky cryptographic trick, but a proper public key type, where the private key i...
Go Time #32 - Hellogopher, whosthere?
I joined Erik St. Martin, Carlisia Pinto and Brian Ketelsen for episode 32 of the Go Time podcast to chat about Hellogopher, whosthere whoami.filippo.io, $GOPATH, TLS 1.3, Cloudflare's secret reverse proxy, and more. Go Time 32 — Hellogopher, whosthere? with Filippo Valsorda hellogopher — "just...
Analyzing Go Vendoring with BigQuery
GitHub published a snapshot of all the public open-source repositories to BigQuery and Francesc used it to draw some cool statistics about Go projects. I used the same dataset to analyze how the Go ecosystem does vendoring. Disclosure: there's some ego stroking here, as I'm the author of gvt. Try...
Playing with kernel TLS in Linux 4.13 and Go
Linux 4.13 introduces support for nothing less than... TLS! The 1600 LoC patch allows userspace to pass the kernel the encryption keys for an established connection, making encryption happen transparently inside the kernel. The only ciphersuite supported is AES-128-GCM as per RFC 5288, meaning it...