We need to protect our Internet communication - from basic web surfing to IP telephony, E-mail and Internet of things. This presentation gives some background and introduces one of the core security protocols - TLS, Transport Layer Security. This presentation is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
Update: See http://www.slideshare.net/oej/morecrypto-with-tis-version-20
My talk at Voip2day 2016 in Madrid (organised by Avanzada 7 in Malaga).
This talk covers recent trends in realtime communication, from VoIP to WebRTC and the Internet of Things.
This document discusses the challenges of evolving mature programming languages like Java. It outlines design principles like encouraging desirable practices, isolating the language from specific APIs, and preferring readability over conciseness. Short-term goals include regularizing the existing language through improvements to generics, type inference, string switches, and catch clauses. Long-term goals include further language features like reification, control abstraction, and concurrency support.
Andrew Kennedy presented on Clocker 1.0.0, an open source project for deploying and managing containers across platforms. Clocker uses Docker containers and supports deployment to virtual machines, bare metal, and multiple clouds. It utilizes Calico for networking and plans to further integrate with Docker Swarm, Compose, and other Docker technologies for orchestration and management of container workloads in the future.
"Media Temporalities: Genre, Queer Space, and Digital Archives in Transition"
Media in Transition 6 - MIT
April 25, 2009
A part of the above panel. I moderated; this is not my own presentation!
Surveillance and Self-Presentation: Foucault’s Arts of Existence in the Digital Archive
Anne Kustritz
Anne Kustritz is a Visiting Assistant Professor in the Women’s, Gender, and Sexuality Studies Department at Macalester College where she teaches media anthropology, sexual citizenship, and queer and feminist theory. Her research centers on cyberethnography, queer citizenship, the public sphere, and slash fan fiction and other fan creative practices. Her essays appear in the Journal of American Culture, Refractory, Transformative Works and Cultures, and Flow, and her book manuscript is titled "Multiplying Sex, Sociability, and Civics: Slash Fan Fiction's Publics."
The document outlines objectives and activities for increasing communications around the eTwinning program, which aims to increase the number of schools involved in collaborative projects. It discusses producing a multi-year communications strategy and annual plans to disseminate the impact of eTwinning through events, publications, and other materials. It also proposes forming five working groups to focus on key communications areas like tools, events, recruiting new teachers, campaigns, and links to other programs.
There are three main ways to share your strengths on CPDReflect: 1) Rate yourself as innovating by selecting the innovating box which will add you to a list of local experts; 2) Provide an example of your interesting practice by completing an online form with details about your example and submitting it; 3) Share your reflections with colleagues by selecting "Share my CPD", choosing how much you want to share, and saving your sharing settings.
A person learned to crawl at 9 months old, walk at 13 months, ride a bike at 4 years old, and swim and do rollerblading at 6 and 7 years old respectively. The document emphasizes that sports require consistent and continuous effort.
The document lists 5 things that CPD coordinators might want to know about resources from CPDScotland including: 1) CPDFind to search for CPD opportunities, 2) CPD Update with recent news and updates, 3) CPDReflect for recording reflections, 4) opportunities to do CPD online and connect with professional communities, and 5) the CPDScotland website for additional information and resources.
The document discusses how credit unions have an advantage in appealing to Generation Y members based on member satisfaction surveys. It also defines consumer-generated media as any content posted online by consumers, including opinions, experiences, and advice. Consumer-generated media is an important technology for credit unions to engage with Generation Y members.
The document discusses clustered architecture patterns for delivering scalability and availability. It describes using network attached memory and JVM-level clustering to eliminate bottlenecks. This allows state to be shared across multiple servers for improved performance and reliability. An example application called HelloClusteredWorld is provided to demonstrate how state can be clustered in memory across multiple JVMs. Configuring Hibernate and enabling its second level cache can further reduce database load.
This document discusses the importance of using more encryption on the Internet to increase privacy and security. It makes the following key points:
1) The Internet has become too easy to monitor as we have built it without sufficient security protections by default. More encryption needs to be implemented across Internet services and protocols to make eavesdropping more difficult.
2) Developers should enable encryption by default for all new Internet protocols. Opportunistic encryption techniques can provide some protections even without full authentication.
3) Individuals can help push for more encryption by requiring encrypted connections when using services and enabling tools like HTTPS Everywhere on their browsers. Transitioning to encrypted connections wherever possible raises the bar for surveillance.
TLS provides confidentiality, identity, and integrity for internet communication. It is used for HTTPS web pages and applications on computers and phones. TLS is based on SSL and uses asymmetric encryption where the server sends a public key to set up the secure connection. The client then challenges the server, which responds using its private key to prove its identity. Certificates bind a public key to an identity and are signed by a Certification Authority. They contain information like the key, owner identity, and validity period.
Morecrypto in the world of SIP - the Session Initiation Protocol (Olle E Johansson)
The Internet is under attack and we need more encryption everywhere. This applies to the world of realtime communication too. This talk briefly goes through what can be done today and what needs to be done in the future. Originally delivered at Kamailio World 2014 in Berlin.
Some thoughts on a small step to make the Internet harder to monitor, to raise the cost of listening in to how we use services and how we communicate with each other on the net.
The document provides an overview of encryption, digital signatures, and SSL certificates. It discusses how public key encryption uses a private key and public key to encrypt messages. Digital signatures authenticate the identity of the sender and ensure messages remain intact. SSL certificates allow browsers and servers to establish an encrypted connection by containing a public key and verifying identity with a Certificate Authority. The client's browser verifies the server's certificate with the CA to trust the secure connection.
SSL certificate is a very common term that we have all heard, but only a limited number of people know what it means. SSL stands for Secure Sockets Layer, a protocol that helps make communication on the Internet safer. It was developed by Netscape, and SSL certificates are issued by Certificate Authorities.
The tools at our disposal today for deploying HTTPS are tremendously powerful, and easy to use. Initiatives like Let's Encrypt offer certificates, and new security policies like HSTS and HPKP allow you to protect against extremely powerful attacks. HTTPS, Here and Now!
This was an invited talk at the ICT Security Happening, organized by the VDAB Competence Center in Leuven.
This document provides an overview of SSL/TLS including:
1. Why SSL/TLS is important for secure connections between systems and applications.
2. An explanation of public/private key encryption and how digital certificates and certificate authorities work to establish trust.
3. A demonstration of how SSL/TLS protects data in transit using encryption.
4. Examples of vulnerabilities in older SSL/TLS versions and how protocols have evolved over time to improve security.
5. Details of a compromise of the DigiNotar certificate authority that resulted in distrust of its certificates.
This document provides an overview of SSL/TLS (Secure Sockets Layer/Transport Layer Security) and how it works to secure data transmission over the internet. It discusses why SSL is important for encrypting data and verifying identities. It then explains the basic process of how SSL works, including how a client encrypts requests using a server's public key and how the server decrypts with its private key. The document outlines the requirements to implement SSL, including generating a key and obtaining a certificate. It differentiates between self-signed and authorized certificates. Finally, it provides steps to create a certificate using OpenSSL and configure the Apache web server to use SSL.
This document discusses network security and the Kerberos authentication protocol. It provides an introduction to Kerberos, describing how it works to allow users and services to authenticate over a network. Kerberos uses secret key cryptography and issues tickets to allow users to securely access remote services without sending passwords over the network in clear text. The document outlines the initialization process when a user requests a ticket-granting ticket from the Kerberos server, and how that ticket is then used to request and access remote services. It also discusses some of the limitations of Kerberos and enhancements being made.
Introduction to SSL and How to Exploit & Secure (Brian Ritchie)
The document discusses SSL/TLS, how it works to securely transmit data between endpoints, and potential vulnerabilities. It provides an overview of SSL/TLS protocols and how data is encrypted and transmitted. It then outlines several common endpoint issues that can compromise SSL/TLS, such as inconsistent DNS configurations, self-signed certificates, incomplete certificates, and mixing plain text and encrypted sessions. Exploiting these issues allows man-in-the-middle attacks that can intercept and decrypt encrypted traffic.
Certificate pinning in android applications (Arash Ramez)
Certificate pinning is a security mechanism where an app specifies certificates from trusted authorities and only accepts connections signed by those certificates. This prevents man-in-the-middle attacks. The document discusses implementing certificate pinning in Android apps by configuring the network security configuration file or using third party libraries like OkHttp that have CertificatePinner classes to restrict which certificates an app will accept. It also describes how to retrieve a server's public key hashes to include in the pinning configuration.
This document discusses SSL/TLS protocols and how to set up your own certificate authority (CA) or use Let's Encrypt for free SSL certificates.
It provides a brief history of SSL and TLS protocols, outlines the key differences between versions, and lists common TLS implementations like OpenSSL. It then explains how to set up your own CA by generating root and intermediate certificates and signing server/client certificates.
Finally, it introduces Let's Encrypt as a free and automated CA that aims to promote SSL security. It explains how Let's Encrypt validates domain ownership and issues certificates to ensure communications are private, integrity is maintained, and parties can be trusted.
PKI (Public Key Infrastructure) is a security mechanism used on the Internet. SSL (Secure Sockets Layer) is an Internet protocol for the secure exchange of information between a web browser and a web server.
Virtual private networks (VPNs) allow users to securely access resources on a private network over a public network like the internet. VPNs use encryption, authentication, and security protocols to ensure only authorized parties can access the private network. Common VPN implementations include IPsec VPNs at the transport layer and SSL VPNs at the application layer. VPNs are useful for remote access to private networks from home or public locations and can replace dedicated private networks between offices or business partners.
Webinar: Bring Web Content into the Modern Era with Ephox's EditLive! 9 Rich ... (Tiny)
Application developers and content authors will love the new user experience of Ephox’s rich text editor, EditLive! 9. Developers get the latest HTML5, open standards and WCAG 2.0 support. And, non-technical content authors can easily embed audio, video and images from their favorite social media sites, plus preview how content will look like on mobile devices. And, much more!
Project for the recovery of the Corgo river in Salgueiriños (bng.compostela)
The document describes a plan to recover a green area around the Corgo river in Salgueiriños, Santiago de Compostela. The plan's objectives are to restore the river space, improve environmental and landscape quality, and create a multifunctional space for parking, a market and leisure. The plan proposes interventions such as the creation of green areas, pedestrian paths and squares, as well as maintaining existing uses such as the weekly fair.
Steam Learn: HTTPS and certificates explained (inovia)
You've seen it somewhere, you already know about it, maybe without even knowing it... that's embarrassing, it is. If you don't understand what I'm saying, it doesn't matter, have a look at the presentation and you'll understand how credit card information is secured.
e-Xpert Gate / Reverse Proxy - first-generation WAF (Sylvain Maret)
The document discusses e-Xpert Gate, a web-based secure access solution that allows users to access internal applications from any device with a web browser. It provides strong authentication using RSA SecurID or SSL client certificates to securely access intranet resources through a firewall. The solution uses SSL/TLS to encrypt traffic and authenticate users, preventing direct unsecured access to internal servers and networks.
More and more IoT vulnerabilities are found and showcased at security events. From connected thermostats to power plants!
Insecurity has become the favourite subject for catchy IoT headlines: "Connected killer toaster", "Fridges turned into spamming machines", "Privacy concerns around the connected home".
We will explore the five challenges one has to face when building a secure IoT solution:
- hardware security: how to avoid rogue firmwares and keep your security keys safe?
- upgrade strategy: you can't secure what you can't update!
- secure transport: no security without secure transports.
- security credentials distribution: how to distribute security keys to a fleet with millions of devices?
- cloud vulnerability mitigation: how to keep your fleet of devices safe from the next Heartbleed?
Current enterprise infrastructure provides solutions for handling application security, but do they really match the IoT challenge? Could running a PKI client on a low-power wireless sensor node be an option?
Despite those difficulties, we will show how a modern IoT device management standard like Lightweight M2M with DTLS is the way to build security-first IoT solutions. It provides a solution for upgrading your devices and distributing your security keys, and comes with a full range of cipher suites, from PSK for very constrained devices to a high level of security using X.509 certificates.
Furthermore, to add security to your solution, we will present ready-to-use open source libraries for implementing secure IoT servers and devices: the way to quickly release your next catchy connected product!
Ultimately we will showcase Wakaama and Leshan, the Eclipse IoT Lightweight M2M implementations, which may be your next best friends in the troubled waters of Internet-of-Things security!
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing us to publish these presentations.
Similar to #Morecrypto 1.8 - with introduction to TLS (20)
Cybernode.se: Securing the software supply chain (CRA) (Olle E Johansson)
The document discusses the Cybersecurity Resilience Act (CRA) and its implications for software development. The CRA aims to improve software supply chain security and vulnerability management. It requires companies to implement processes for identifying vulnerabilities, reporting them, and informing customers. Companies will need to provide documentation like a Software Bill of Materials (SBOM) and regularly assess dependencies for vulnerabilities to comply with the new regulations. The CRA is intended to help secure software and provide transparency to customers.
This document summarizes a vulnerability handling process. It describes classifying vulnerabilities using identifiers like CVE and CVSS. It outlines steps to receive reports, verify issues, remediate problems by fixing or mitigating, then publishing information. The process emphasizes communicating with reporters, updating customers, and retrospective learning to improve processes.
Introduction to the proposed EU cyber resilience act (CRA) (Olle E Johansson)
A short introduction to the proposed EU Cyber Resilience Act. It's a large document to parse, so please don't take my words as a truth, just indications of what will come. The CRA will impact everyone that distributes software and connected devices on the EU market, so it's important to stay up to date with this regulation.
This document discusses the history and future of telecommunications networks as the traditional telephone network (PSTN) declines. It notes that in 2050, efforts will still be underway to improve security in SIP and create new open source projects. Small independent communication networks may emerge if federation between networks breaks down as the PSTN dies. Key questions are how users can maintain a global identity, how sessions can be trusted without federation, and whether networks can survive without interconnecting.
WebRTC and Janus intro for FOSS Stockholm January 2019Olle E Johansson
This document discusses WebRTC and how it allows audio and video communication directly in the browser without plugins. It describes how WebRTC can be used for more than just calls, including games, dating sites, and more. It also summarizes how WebRTC uses secure protocols for media transfer and network discovery. Janus is introduced as a WebRTC gateway that can connect WebRTC applications to other protocols and services like SIP and RTSP. Examples of WebRTC applications are given and directions provided on how to connect to and use the Janus gateway.
A talk about me discovering new architectures, new ways of building scalable realtime platforms #SIP #WebRTC #Kamailio #MQTT #NODERED
Watch it live at https://www.youtube.com/watch?v=BbfUXUWtxIg
This document discusses how a public radio broadcaster in Sweden transitioned to using open source software like Kamailio, Baresip, Asterisk, and Homer for their IP-based broadcast infrastructure. It describes their journey from using proprietary ISDN equipment to building a flexible system using SIP, RTP, and IP that supports live broadcasting from mobile devices. The broadcaster is now working to share their work through the open source IRIS Broadcast project to help other public broadcasters transition to open standards and share best practices.
WebRTC allows browsers to communicate directly through peer-to-peer connections without plugins. It uses protocols like SRTP for secure media, ICE for network traversal, and SDP for session description. Signaling can be done through any protocol that supports SDP exchange. WebRTC addresses issues like NAT traversal using STUN, TURN servers, and trickle ICE. RTP bundling allows multiple media streams to be multiplexed over a single port.
Realtime communication over a dual stack networkOlle E Johansson
Fosdem 2017: A short talk about dual stack (IPv4 and IPv6) issues when using SIP, WebRTC, XMPP and other realtime platforms in a dual stack world - where both client and server is connecting to the new and the old Internet.
Side note: Uploads to slide share doesn't work on IPv6-only networks.
A presentation covering work that needs to happen. We jokingly came up with a non-existing organisation that maintains a reference profile for SIP. While the organisation is just a joke, the work is quite serious.
Sips must die, die, die - about TLS usage in the SIP protocolOlle E Johansson
SIPS: is problematic because it implies end-to-end security that cannot be guaranteed or verified. TLS usage is preferable but SIPS: has led some developers to see it as the only solution. RFC 5630 deprecates SIPS: and outlines using TLS for all hops instead of just the last hop. Removing SIPS: and focusing on TLS for the first hop under a client's control may be better approaches. End-to-end security remains an open issue that solutions like S/MIME could potentially address if its challenges were re-examined.
This document discusses problems with SIP outbound and proposes a "half-outbound" approach to allow connection reuse for SIP over TLS. It notes that SIP UAs often use TCP for TLS or mobile networks, but this prevents servers from reusing connections for outbound requests. A half-outbound approach would allow the client to indicate support for connection reuse after a TLS connection is established, and the server could then reuse that connection for outbound SIP requests associated with the registration. This would simplify connection reuse compared to full SIP outbound while still addressing issues with SIP over TLS.
The document discusses updates needed for SIP to work effectively in modern environments. It recommends: 1) requiring support for SIP Outbound and TLS/DTLS key exchange to address challenges of NAT and encryption; 2) requiring full support for Opus codec and RTCP feedback to optimize media; and 3) supporting IETF work on standards like STIR, SIPCORE, and stronger authentication. The document also outlines upcoming SIP features from the IETF and SIP Forum around improved identities, dual-stack support, and TLS in SIPConnect 2.0.
2015 update: SIP and IPv6 issues - staying Happy in SIPOlle E Johansson
What's the state of SIP and IPv6?
- An update I gave at the Netnod spring Meeting 2015.
Nothing much is happening, despite the fact that we have proven real issues with dual stacks in SIP.
A quick introduction to Kamailio - the leading Open Source SIP server (based on OpenSER and SER). Kamailio is quite different than Asterisk, FreeSwitch and many other VoIP platforms - why is that and how do you start getting your head around Kamailio?
SIP and DNS - federation, failover, load balancing and moreOlle E Johansson
SIP use DNS to find a server for a specific URI, like sip:alice@example.com. With DNS a SIP service can provide failover, load balancing and much more. SIP without DNS is a broken solution. SIP and DNS rocks!
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...Bert Blevins
Today’s digitally connected world presents a wide range of security challenges for enterprises. Insider security threats are particularly noteworthy because they have the potential to cause significant harm. Unlike external threats, insider risks originate from within the company, making them more subtle and challenging to identify. This blog aims to provide a comprehensive understanding of insider security threats, including their types, examples, effects, and mitigation techniques.
Implementations of Fused Deposition Modeling in real worldEmerging Tech
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
UiPath Community Day Kraków: Devs4Devs ConferenceUiPathCommunity
We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner!
We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too!
Check out our proposed agenda below 👇👇
08:30 ☕ Welcome coffee (30')
09:00 Opening note/ Intro to UiPath Community (10')
Cristina Vidu, Global Manager, Marketing Community @UiPath
Dawid Kot, Digital Transformation Lead @Proservartner
09:10 Cloud migration - Proservartner & DOVISTA case study (30')
Marcin Drozdowski, Automation CoE Manager @DOVISTA
Pawel Kamiński, RPA developer @DOVISTA
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
09:40 From bottlenecks to breakthroughs: Citizen Development in action (25')
Pawel Poplawski, Director, Improvement and Automation @McCormick & Company
Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company
10:05 Next-level bots: API integration in UiPath Studio (30')
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
10:35 ☕ Coffee Break (15')
10:50 Document Understanding with my RPA Companion (45')
Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath
11:35 Power up your Robots: GenAI and GPT in REFramework (45')
Krzysztof Karaszewski, Global RPA Product Manager
12:20 🍕 Lunch Break (1hr)
13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30')
Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance
13:50 Communications Mining - focus on AI capabilities (30')
Thomasz Wierzbicki, Business Analyst @Office Samurai
14:20 Polish MVP panel: Insights on MVP award achievements and career profiling
Comparison Table of DiskWarrior Alternatives.pdfAndrey Yasko
To help you choose the best DiskWarrior alternative, we've compiled a comparison table summarizing the features, pros, cons, and pricing of six alternatives.
Blockchain technology is transforming industries and reshaping the way we conduct business, manage data, and secure transactions. Whether you're new to blockchain or looking to deepen your knowledge, our guidebook, "Blockchain for Dummies", is your ultimate resource.
INDIAN AIR FORCE FIGHTER PLANES LIST.pdfjackson110191
These fighter aircraft have uses outside of traditional combat situations. They are essential in defending India's territorial integrity, averting dangers, and delivering aid to those in need during natural calamities. Additionally, the IAF improves its interoperability and fortifies international military alliances by working together and conducting joint exercises with other air forces.
Quantum Communications Q&A with Gemini LLM. These are based on Shannon's Noisy channel Theorem and offers how the classical theory applies to the quantum world.
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc
Six months into 2024, and it is clear the privacy ecosystem takes no days off!! Regulators continue to implement and enforce new regulations, businesses strive to meet requirements, and technology advances like AI have privacy professionals scratching their heads about managing risk.
What can we learn about the first six months of data privacy trends and events in 2024? How should this inform your privacy program management for the rest of the year?
Join TrustArc, Goodwin, and Snyk privacy experts as they discuss the changes we’ve seen in the first half of 2024 and gain insight into the concrete, actionable steps you can take to up-level your privacy program in the second half of the year.
This webinar will review:
- Key changes to privacy regulations in 2024
- Key themes in privacy and data governance in 2024
- How to maximize your privacy program in the second half of 2024
Best Practices for Effectively Running dbt in Airflow.pdfTatiana Al-Chueyr
As a popular open-source library for analytics engineering, dbt is often used in combination with Airflow. Orchestrating and executing dbt models as DAGs ensures an additional layer of control over tasks, observability, and provides a reliable, scalable environment to run dbt models.
This webinar will cover a step-by-step guide to Cosmos, an open source package from Astronomer that helps you easily run your dbt Core projects as Airflow DAGs and Task Groups, all with just a few lines of code. We’ll walk through:
- Standard ways of running dbt (and when to utilize other methods)
- How Cosmos can be used to run and visualize your dbt projects in Airflow
- Common challenges and how to address them, including performance, dependency conflicts, and more
- How running dbt projects in Airflow helps with cost optimization
Webinar given on 9 July 2024
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
Support en anglais diffusé lors de l'événement 100% IA organisé dans les locaux parisiens d'Iguane Solutions, le mardi 2 juillet 2024 :
- Présentation de notre plateforme IA plug and play : ses fonctionnalités avancées, telles que son interface utilisateur intuitive, son copilot puissant et des outils de monitoring performants.
- REX client : Cyril Janssens, CTO d’ easybourse, partage son expérience d’utilisation de notre plateforme IA plug & play.
1. #MoreCrypto
A small step to make it harder to listen to IP based activity.
V1.8 TLS - oej@edvina.net - slideshare.net/oej
Ⓒ Olle E. Johansson, Stockholm, Sweden 2014.
This work is licensed under
2014-02-09
2. The problem
We have built an information network that is too easy to monitor. We simply trusted everyone too much, in a naive way. Sadly, we can't do that any more.
3. The Internet mirrors society
When the Internet was small, there was a select group of people using it. They felt it was a safe place.
#MoreCrypto
4. As the Internet grew to reflect more of society, we forgot to harden it. It's time now.
5. The engineers are working
The IETF is the organisation that defined most of the standards we use today to communicate. The IETF recently decided to focus a lot of energy on adding more confidentiality, and security in general, to the technology we use every day.
7. Changing the Internet is too hard.
We are not using the security tools we have in the way they are meant to be used today. In some cases, like e-mail and IP telephony, most of us do not use any security tools at all.
8. How do we change?
The users must require change. Otherwise, very few things happen. It is up to you and me.
9. What needs to be done?
• More crypto
• Easy to use authentication
• Enhanced privacy
• Stronger confidentiality
• ...and much more
A lot of changes need to be made in how we build services, operate them and use them.
10. TLS is an important tool
TLS: Transport Layer Security
TLS provides confidentiality, identity and integrity to Internet communication.
TLS is used for HTTPS:// web pages, but can also be used from applications on a computer as well as on a cell phone.
TLS is based on SSL, which was a vendor-specific technology. TLS is maintained by the IETF and is still being improved.
The second part covers this!
11. Start simple.
In short: use connection encryption wherever possible. Use HTTPS, and serve information over HTTPS.
12. Why?
More crypto on the Internet raises the cost of listening in to our information flows, our conversations. It does not solve all the issues; we have a lot of work ahead of us.
Using more TLS is not very complicated, and it can be used in most applications today.
13. Starting points.
• Enable HTTPS for Facebook, Google and other services when you can.
• Use EFF HTTPS Everywhere in your web browser.
• If you are a sysadmin, enable TLS and follow current advice on the choice of algorithms.
14. What does TLS give you?
Browser <--- confidential path ---> Server
Other people in the same network (or IT management) can see where you go, but not what you do. "Where you go" means the server address and, since the host name travels in the clear in the DNS lookup and in the TLS handshake, the host name as well.
Example: Hotel staff can't see what you write or read on Facebook.
15. What about VPN tunnelling?
Computer <--- confidential path ---> VPN server ---> Web server / Mail server
VPN = Virtual private network
Other people in the same network (or IT management) can see that you are using a VPN, but not what you do. Example: Hotel staff can't see which web sites you are connecting to.
On the other side of the VPN server your connections become visible again, unless you are using TLS.
16. The work continues
Mobile apps, Web, IP telephony, E-mail, Cloud services, Internet of things, The digital home, Chat, Video services:
Require #MoreCrypto!
17. NEW! Opportunistic security
Secure network traffic, regardless of what the user says. Do whatever you can to make it harder to listen in.
20. TLS is an important tool
TLS: Transport Layer Security
21. Encryption
SYMMETRIC: the same key is used for encryption and decryption. Cheap for the CPU; supports streaming data.
ASYMMETRIC: different keys are used for encryption and decryption (a public key and a private key). Far more computation; suited to small blocks of data such as session keys and signatures, not to the bulk traffic.
22. Using a private and a public key
• TLS uses a keypair to set up a secure connection
• Asymmetric encryption
• The server sends its public key (inside its certificate) when the connection is set up
• The client challenges the server
• The server responds to the challenge using the server's private key
• Now the client knows that the server holds the private key that matches the public key
23. TLS usage
• TLS is used for
  • authentication of servers and clients
  • initiating encryption of a session
  • integrity protection of every message (a MAC or AEAD tag on each record), with digital signatures in the handshake providing the authentication
Authentication: Who are you? Prove it!
Encryption: Providing confidentiality.
Integrity: Making sure that the receiver gets what the sender sent.
24. Adding a certificate to the mix
• A certificate is nothing more complicated than a passport or an ID card
• It contains the public key and some administrative data
• And it is signed (electronically) by someone you might trust ... or not.
• This is part of the complex structure called PKI, which you might want, or just disregard
• A PKI is not needed to get encryption for the signalling path! (Without it you get confidentiality against passive listeners, but no proof of who you are encrypting to.)
• You can however use a PKI to only set up connections that you trust
25. The X.509v3 certificate
• An X.509 certificate is the standardised way to bind a public key to an identity
• The certificate is issued by a Certification Authority (CA), the most important component of the PKI?
• An X.509 certificate is an electronic document with a specific layout
• Standard: documented in the IETF PKIX RFCs (RFC 5280 is the profile)
Layout: Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields
26. X.509v3 contents
• Version number
• Certificate serial number (used for validation, for example in revocation checks)
• Identity of the issuer
• Validity period
• Identity of the public key owner (the subject)
• Public key
• Extension fields
• A digital signature, created by the issuer
(Screenshot: the Internet Explorer Certificate Manager)
27. Example: SIP certificates
• SubjectAltName contains a list of identities that are valid for this certificate
• RFC 5922 defines how a SIP domain is matched against those identities (sip: URIs and DNS names in subjectAltName)
• RFC 6072 outlines a SIP event package to distribute and manage certificates
• This is based on the Authentication Service in SIP Identity (RFC 4474)
• The domain cert is used to sign the NOTIFY payload
TLS is more than the world wide web!
28. x.509 cert for SIP
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:08:00:79:00:15:00:43
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, O=sipit, OU=Sipit Test Certificate Authority
        Validity
            Not Before: Sep 16 17:17:00 2009 GMT
            Not After : Sep 15 17:17:00 2012 GMT
        Subject: C=US, ST=California, L=San Jose, O=sipit, CN=tls6.test.sipit.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a7:96:65:6e:b6:ba:3a:48:a1:bd:a3:ae:21:dc:
                    a8:92:97:3c:43:ea:24:e6:9f:93:2f:61:7e:d3:2d:
                    30:1e:21:42:b9:d6:59:87:f1:b1:f8:c8:39:8e:43:
                    64:9a:31:2c:18:3d:cd:d8:03:64:bb:14:38:44:05:
                    20:30:d8:e1:db:a7:4d:c3:47:a2:49:73:d1:10:ed:
                    2f:cf:74:26:57:91:64:af:b0:f2:5d:3f:88:9f:df:
                    65:6c:ba:65:3f:66:99:52:6b:20:d2:0e:e3:65:18:
                    b1:8e:3d:ca:f2:4a:45:c5:4d:85:ef:82:54:f8:54:
                    54:db:96:90:9b:c5:1b:2a:1e:60:3c:43:71:55:60:
                    30:93:8f:fd:d8:d9:3d:a1:32:e3:56:4b:e2:73:b6:
                    cc:18:93:8a:d8:8b:68:81:c7:fd:cd:d5:dc:4c:a2:
                    86:61:9f:ad:d0:b1:d3:3c:4c:6c:07:54:b2:43:b4:
                    a7:0a:0a:f2:e3:6d:12:43:16:70:63:c9:e9:1a:78:
                    66:9d:ee:30:94:7b:ab:f2:e9:67:4a:66:6d:8c:ed:
                    a8:a4:98:51:77:0b:a7:60:55:73:85:87:4a:57:6b:
                    24:fe:27:00:02:79:70:da:5a:45:ad:aa:3d:d5:40:
                    5b:5c:85:63:93:56:af:c7:e8:e3:b6:1a:25:b6:a2:
                    2d:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:test.sipit.net, DNS:tls6.test.sipit.net, URI:sip:tls6.test.sipit.net
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                27:F7:A9:96:F5:B2:8F:0B:5E:A9:C7:F5:0F:AC:3D:AB:3D:8D:F0:30
    Signature Algorithm: sha1WithRSAEncryption
        1a:fe:1f:af:86:99:82:e5:14:97:8d:64:9a:d1:5c:ea:6c:96:
        f5:c6:0c:7d:20:5f:4e:70:05:24:3a:de:b5:b9:cf:66:8d:4c:
        74:d5:6a:a9:52:74:17:bc:b4:79:a0:58:32:78:a9:70:7c:6a:
        15:ac:07:29:77:13:06:55:53:3f:0b:4c:3d:da:55:6e:ad:74:
        56:01:55:c8:4c:19:8d:06:0b:f3:4c:04:d5:9a:6f:44:ad:7a:
        fd:3b:aa:e8:4b:84:6e:f1:c4:34:f4:a0:6a:f6:81:ae:74:b4:
        46:6e:b9:2f:a6:59:f1:02:e9:58:7c:a1:8d:08:31:2b:39:ee:
        eb:7e
Notice the URI in the certificate! The subject is CN=tls6.test.sipit.net, and the Subject Alternative Name lists DNS:test.sipit.net, DNS:tls6.test.sipit.net and URI:sip:tls6.test.sipit.net. Note also that this 2009 test CA signed with sha1WithRSAEncryption; SHA-1 signatures are no longer acceptable, which is exactly the kind of algorithm choice slide 40 asks you to check.
29. Process for a server
Generate keys -> pack the public key in a CSR (certificate signing request) -> send the CSR to the CA -> CA validation process -> CA issues the certificate -> install the certificate in the server together with the private key.
30. Client connection (a simplified view of the handshake)
Open TCP connection -> server sends certificate -> client challenges server -> server answers the challenge -> client validates certificate -> server can issue a certificate request (for client authentication) -> client and server produce a session key -> symmetric encryption starts.
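The certificate flow of slides 29 and 30, as an added example in Go that is not part of the original deck: a test CA issues a server certificate shaped like the slide 28 dump (same subject, SAN names and serial number; ECDSA P-256 instead of RSA, the 24-hour validity and the CA's common name are assumptions made here), the client validates the chain against that CA for the expected host name, and the server proves possession of its private key by signing a client nonce. Everything runs in memory, so no network, CSR transport or real CA is involved, and the nonce signature stands in for the signature TLS makes over the handshake transcript.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// template carries the administrative data of slides 25 and 26.
func template(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"sipit"}, CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour), // assumed validity window
		BasicConstraintsValid: true,                    // CA:FALSE unless the caller sets IsCA
	}
}

// issue is slide 29, "CA issues certificate": the CA signs tmpl for pub.
// parent == tmpl produces the CA's own self-signed root certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ProveKeyPossession is the challenge of slides 22 and 30 in miniature: the
// client picks a nonce, the server signs it with its private key, and the
// client verifies the signature with the public key from the certificate.
// Real TLS signs the handshake transcript rather than a bare nonce.
func ProveKeyPossession(cert *x509.Certificate, serverKey *ecdsa.PrivateKey) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, serverKey, digest[:])
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Handshake runs slides 29 and 30 without a network: a test CA issues a server
// certificate modelled on the slide 28 dump; the client validates it against
// that CA for serverName, then makes the server prove it holds the private key.
func Handshake(serverName string) (*x509.Certificate, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // slide 29, step 1
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed")
	}
	caTmpl := template(1, "Sipit Test Certificate Authority") // assumed CA name
	caTmpl.IsCA, caTmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvTmpl := template(0x0108007900150043, "tls6.test.sipit.net") // serial from the dump
	srvTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvTmpl.DNSNames = []string{"test.sipit.net", "tls6.test.sipit.net"}
	srvTmpl.URIs = []*url.URL{{Scheme: "sip", Opaque: "tls6.test.sipit.net"}}
	srv, err := issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // the client's trust store: only our CA
	roots.AddCert(ca)
	// "Client validates certificate": chain to a trusted root, validity
	// period, key usage and the expected name. A wrong serverName fails here.
	if _, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName}); err != nil {
		return nil, fmt.Errorf("certificate validation failed: %w", err)
	}
	if !ProveKeyPossession(srv, srvKey) {
		return nil, fmt.Errorf("server failed the private key challenge")
	}
	return srv, nil // from here on: session key, then symmetric encryption
}

func main() {
	for _, name := range []string{"tls6.test.sipit.net", "evil.example"} {
		_, err := Handshake(name)
		fmt.Printf("%s: validated=%v err=%v\n", name, err == nil, err)
	}
}
```

Run it and the second line shows the point of slide 31's first bullet from the other side: a certificate that chains correctly to a trusted CA is still rejected when the name the client wanted is not in it. Revocation, the second bullet, is not modelled; Go's Verify does not check CRLs or OCSP on its own.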
31. Issues
• A certificate can validate correctly against the CA store, but still be the wrong certificate.
• The certificate's private key can be copied, and the certificate has to be revoked.
• DNS was spoofed, so we reached the wrong service.
• Something new and even more scary than Heartbleed.
32. Protocol specifics
• Given a protocol request, how do we match the request address to a certificate?
• SIP URI, e-mail address, HTTPS URI
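Matching a SIP request address to a certificate, the first case on slide 32, as an added example that is not from the original deck. It applies the RFC 5922 section 7.1 rule (sip: URIs and DNS names from subjectAltName are the identities; the Common Name counts only when there is no subjectAltName at all) to certificate structures constructed in the code without signatures: SipitCert copies the subject and SAN of the slide 28 dump, while LegacyCert and its name pbx.example.net are invented for the CN-only case. The request URIs in main and in the checks are constructed as well.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/url"
	"strings"
)

// SIPIdentities follows RFC 5922 section 7.1: the acceptable SIP domains are
// the sip: URIs and dNSName entries of subjectAltName; the Common Name is used
// only when the certificate carries no subjectAltName at all.
func SIPIdentities(cert *x509.Certificate) []string {
	var ids []string
	for _, u := range cert.URIs {
		if u.Scheme == "sip" {
			ids = append(ids, u.Opaque) // sip:host with no user part, per RFC 5922
		}
	}
	ids = append(ids, cert.DNSNames...)
	if len(cert.URIs)+len(cert.DNSNames)+len(cert.EmailAddresses)+len(cert.IPAddresses) == 0 {
		ids = append(ids, cert.Subject.CommonName)
	}
	return ids
}

// SIPDomainMatches answers slide 32 for SIP: does the domain of the request
// URI (sip:alice@example.com -> example.com) match one of the identities?
func SIPDomainMatches(cert *x509.Certificate, requestURI string) bool {
	u, err := url.Parse(requestURI)
	if err != nil || (u.Scheme != "sip" && u.Scheme != "sips") {
		return false
	}
	domain := u.Opaque
	if i := strings.LastIndex(domain, "@"); i >= 0 {
		domain = domain[i+1:] // drop the user part
	}
	if i := strings.IndexAny(domain, ":;"); i >= 0 {
		domain = domain[:i] // drop port and URI parameters
	}
	if domain == "" {
		return false
	}
	for _, id := range SIPIdentities(cert) {
		if strings.EqualFold(id, domain) {
			return true
		}
	}
	return false
}

// Constructed certificates (unsigned, never verified): enough to exercise the
// matching rule. SipitCert mirrors the subject and SAN of the slide 28 dump;
// LegacyCert has only a CN, as older SIP certificates did.
var (
	SipitCert = &x509.Certificate{
		Subject:  pkix.Name{CommonName: "tls6.test.sipit.net"},
		DNSNames: []string{"test.sipit.net", "tls6.test.sipit.net"},
		URIs:     []*url.URL{{Scheme: "sip", Opaque: "tls6.test.sipit.net"}},
	}
	LegacyCert = &x509.Certificate{Subject: pkix.Name{CommonName: "pbx.example.net"}}
)

func main() {
	for _, uri := range []string{"sip:alice@tls6.test.sipit.net;transport=tls", "sip:bob@sipit.net"} {
		fmt.Printf("%-45s -> %v\n", uri, SIPDomainMatches(SipitCert, uri))
	}
	fmt.Println("sip:pbx.example.net on a CN-only cert ->", SIPDomainMatches(LegacyCert, "sip:pbx.example.net"))
}
```

The comparison is exact and case-insensitive: sipit.net does not match a certificate for tls6.test.sipit.net, and the CN is ignored as soon as any subjectAltName entry exists, which is what makes the URI:sip: entry on slide 28 matter.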
33. TLS and SSL
SSL v1.0 - 2.0: Created by Netscape Communications. Deemed insecure.
SSL v3.0: The last SSL version. No support for extensions, nor for modern crypto algorithms. Deemed insecure.
TLS 1.x: Open standard defined by the IETF. Keeps being updated.
It's time to try to stop using SSL.
34. Man in the middle
Client <-> MITM <-> Server
• How do we prevent and discover TLS proxies?
• They are quite commonly used
35. Certificate fingerprinting
Certificates have a fingerprint: a hash of the encoded certificate, public key included. Embed the last, current and next certificate fingerprints in the code, and verify that you are talking with the expected server.
Ordinary TLS verification may also succeed with a bad server cert, for example one issued by a CA in the trust store to the wrong party; the embedded fingerprint catches that.
Client <-> Server: fingerprint matches, accepted
Client <-> MITM <-> Server: fingerprint differs, detected
36. Trust on first use
Save the certificate fingerprint on the first connection. If another certificate shows up later, warn the user. Don't block: the first connection could have been the bad one. Certificates get updated, so save the expiry time as well and accept a new certificate after the old one has expired.
Client <-> Server: same fingerprint as stored
Client <-> MITM <-> Server: fingerprint changed, warn
37. DANE - using DNSSEC
Save the certificate (or a hash of it) in DNS as a TLSA record (RFC 6698), signed with DNSSEC.
Client <-> DNS: DNS query for the TLSA record
Client <-> Server: TLS connection, compare the presented certificate with the record
If another certificate shows up, do not continue. Disconnect.
Certificates that have expired or were revoked have no TLSA records.
Client <-> MITM <-> Server: certificate does not match the record, disconnect
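Slides 35, 36 and 37 in working form, as an added example that is not the deck's code and uses only Go's standard library: a hash of the public key as the pin, the last/current/next pin set, a trust-on-first-use store that records the expiry so that a routine renewal is not mistaken for an attack, and the TLSA record DANE would publish for the same key. The keys are generated on the spot; the DNS lookup and DNSSEC validation are outside the example, which only shows what the client compares once it holds the record. Hashing the SubjectPublicKeyInfo rather than the whole certificate is a design choice made here: it is what DANE selector 1 does, and the pin survives a renewal that keeps the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"time"
)

// NewDemoKey stands in for a server's (or an attacker's) public key.
func NewDemoKey() *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &k.PublicKey
}

// SPKIPin is SHA-256 over the SubjectPublicKeyInfo, the key exactly as it is
// encoded inside a certificate. Pinning the key rather than the certificate
// survives a renewal that keeps the key; DANE selector 1 hashes the same bytes.
func SPKIPin(pub *ecdsa.PublicKey) string {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(spki)
	return hex.EncodeToString(sum[:])
}

// TLSARecord renders the DANE record of slide 37 for a key: usage 3 (DANE-EE:
// trust exactly this end-entity key, no CA involved), selector 1 (SPKI),
// matching type 1 (SHA-256). Published under a DNSSEC-signed zone it would
// live at _5061._tcp.<host> for SIP over TLS.
func TLSARecord(pub *ecdsa.PublicKey) string { return "3 1 1 " + SPKIPin(pub) }

// DANEMatches is the client side of slide 37: the presented key must equal the
// DNSSEC-validated record; anything else means disconnect, not warn.
func DANEMatches(record string, presented *ecdsa.PublicKey) bool {
	return record == TLSARecord(presented)
}

// PinSet is the embedded-fingerprint scheme of slide 35: last, current and next
// pins are all acceptable, so a key rotation cannot lock clients out.
type PinSet struct{ Last, Current, Next string }

func (p PinSet) Allows(pin string) bool {
	return pin != "" && (pin == p.Last || pin == p.Current || pin == p.Next)
}

// Verdict is what the trust-on-first-use store of slide 36 reports.
type Verdict int

const (
	FirstSeen Verdict = iota // nothing stored: record and continue
	Unchanged                // same key as last time
	Changed                  // new key before the old certificate expired: warn
	Rotated                  // new key after the old certificate expired: accept
)

func (v Verdict) String() string { return [...]string{"first seen", "unchanged", "CHANGED", "rotated"}[v] }

type entry struct {
	pin     string
	expires time.Time
}

// TOFUStore remembers the first pin seen per host together with the
// certificate's NotAfter, so that a renewal after expiry is not a false alarm.
type TOFUStore struct{ seen map[string]entry }

func NewTOFUStore() *TOFUStore { return &TOFUStore{seen: map[string]entry{}} }

// Check never blocks the connection itself: as the slide says, the first
// connection may have been the bad one, so the caller decides what a Changed
// verdict means (warn the user, log it, refuse to send credentials).
func (s *TOFUStore) Check(host, pin string, notAfter, now time.Time) Verdict {
	old, ok := s.seen[host]
	switch {
	case !ok:
		s.seen[host] = entry{pin, notAfter}
		return FirstSeen
	case old.pin == pin:
		s.seen[host] = entry{pin, notAfter} // refresh the stored expiry
		return Unchanged
	case now.After(old.expires):
		s.seen[host] = entry{pin, notAfter}
		return Rotated
	default:
		return Changed
	}
}

func main() {
	server, mitm := NewDemoKey(), NewDemoKey()
	rec := TLSARecord(server)
	fmt.Println("TLSA record:", rec)
	fmt.Println("genuine key passes DANE:", DANEMatches(rec, server), " MITM key passes DANE:", DANEMatches(rec, mitm))
	store, now := NewTOFUStore(), time.Now()
	fmt.Println("first visit:", store.Check("sip.example", SPKIPin(server), now.Add(90*24*time.Hour), now))
	fmt.Println("MITM a day later:", store.Check("sip.example", SPKIPin(mitm), now.Add(90*24*time.Hour), now.Add(24*time.Hour)))
}
```

The three mechanisms differ in what they do on a mismatch, and the code keeps that difference: the pin set and DANE answer yes or no and the caller should disconnect on no, while the TOFU store only reports Changed and leaves the decision to the caller.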
38. User specifics
• Which CAs do we trust?
• How do we check validity of certificate, even if
we trust the CA?
• Do we have time for validation?
39. New solutions
• Anchoring the certificate in DNS (DANE, relying on DNSSEC)
• Validating the certificate in DNS
• No certificate: bare (raw) public keys
• Opportunistic security with TLS
40. Advice:
• Use encrypted communication by default
• Authenticated sessions are better than non-authenticated ones
• If you really need confidentiality, check the cipher suites and the hash (MAC and signature) algorithms
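The check of slide 40 (together with the "stop using SSL" of slide 33) applied to a Go tls.Config, as an added example that is not from the deck: a deliberately weak configuration beside a hardened one, and an assessor that reports the protocol floor, insecure or non-forward-secret cipher suites, and disabled certificate verification. The cipher suite names and the insecure list come from Go's own crypto/tls tables; the thresholds (TLS 1.2 as the floor, no static RSA key exchange) are choices made in this example, not the deck's.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// WeakConfig shows settings that still turn up in old SIP and web deployments:
// an SSL-era protocol floor, RC4 and 3DES, static RSA key exchange, and
// certificate verification switched off "to make it work".
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		},
		InsecureSkipVerify: true,
	}
}

// HardenedConfig sets the same knobs the way slide 40 advises: TLS 1.2 as the
// floor (TLS 1.3 is negotiated automatically and its suites are not
// configurable), only AEAD suites with ephemeral key exchange, verification on.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// Assess lists what a reviewer would flag in a tls.Config: the protocol floor,
// every configured cipher suite that Go itself marks insecure or that uses
// static RSA key exchange (no forward secrecy), and disabled verification.
func Assess(c *tls.Config) []string {
	var findings []string
	switch {
	case c.MinVersion == 0:
		findings = append(findings, "MinVersion not set: the floor depends on the Go version, set it explicitly")
	case c.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x allows TLS 1.0/1.1", c.MinVersion))
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range c.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, "insecure cipher suite: "+name)
		case strings.HasPrefix(name, "TLS_RSA_"):
			findings = append(findings, "no forward secrecy (static RSA key exchange): "+name)
		}
	}
	if c.InsecureSkipVerify && c.VerifyPeerCertificate == nil && c.VerifyConnection == nil {
		findings = append(findings, "InsecureSkipVerify set and nothing else checks the peer certificate")
	}
	return findings
}

func main() {
	for name, cfg := range map[string]*tls.Config{"weak": WeakConfig(), "hardened": HardenedConfig()} {
		findings := Assess(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

InsecureSkipVerify is allowed through when a VerifyPeerCertificate or VerifyConnection callback is present, because that is how a pinning or DANE check (slides 35 to 37) is wired into Go's TLS client; without such a callback it simply means "accept anyone", the MITM case of slide 34.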
41. Heartbleed
• A programming error in OpenSSL (CVE-2014-0160: a missing bounds check in the TLS heartbeat extension)
• OpenSSL is used in too many places
• Let an attacker read the server's private key and a lot of other in-memory data
42. Security is a process
• There will be other issues with TLS libraries, protocols and implementations
• Having these is better than having no security, integrity, privacy or confidentiality
43. To-do list
1. SECURITY: Always build secure platforms. Encrypt all communication.
2. IPv6: Integrate IPv6 in every single project.
3. DNSSEC: Sign your DNS data. DNS is the foundation for all of the Internet.
46. Join us!
• IETF perpass mailing list, the UTA working group and more.
• Hashtag #MoreCrypto
• http://internetsociety.org
47. #MoreCrypto
Feedback?
• Feedback and suggestions for improvements to this presentation are more than welcome! Send them to oej@edvina.net!
• Feel free to use this presentation yourself. Notice the Creative Commons license on this presentation!
• Please tell me if you use it! It's always fun to know.
Olle E. Johansson
Author: oej@edvina.net - slideshare.net/oej
Ⓒ Olle E. Johansson, Stockholm, Sweden 2014.
This work is licensed under