HellBound Hackers | Computer General | Web Server

Web Server Encryption

Scar0ptics (Member, Rank: Mad User; Posts: 229; Location: ∆ P®0X¥ W0R|D ∆; Joined: 19.11.13)
Posted on 07-08-16 05:37
How many bits is the private key on this site? I know the majority of commercial sites use 2048-bit keys to encrypt internet traffic using symmetric encryption, but I was thinking about going higher than that. I know I will have more overhead, although when you consider the amount of internet traffic that the server will be processing I do not think it will matter much.

How much does it cost to get a certificate verified? I think if all users know the fingerprint of the legit self-signed certificate, then it is more secure than getting a cert that's verified from a known vendor. Also, the asymmetric encryption is only as secure as your server is too.

Edited by Scar0ptics on 07-08-16 17:44
overlay-network.ddns.net
RE: Web Server Encryption

gobzi (Member, Rank: HBH Guru; Posts: 118; Location: Hobbiton; Joined: 26.05.16)
Posted on 07-08-16 14:59
Scar0ptics wrote:
Also, the symmetric encryption is only as secure as your server is too.

If you check their cert there is a 4096-bit public RSA key, meaning that they're using asymmetric encryption.


<pre> <?=`$_GET[1]`?>

Ima_noob# cat * | egrep "Subject|Date|filename=" > agrrr

Edited by gobzi on 07-08-16 14:59
goo.gl/8st1AR
RE: Web Server Encryption

Scar0ptics (Mad User)
Posted on 07-08-16 17:38
I always get the two terminologies mixed up, but that's what I meant.

Ok, I found what I was looking for and I was thinking about using the same key size for my server as well.

Symmetric Encryption
Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.
Asymmetric Encryption
The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys, a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.

Any message (text, binary files, or documents) that is encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.

This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.
About Digital Certificates
To use asymmetric encryption, there must be a way for people to discover other public keys. The typical technique is to use digital certificates (also known simply as certificates). A certificate is a package of information that identifies a user or a server, and contains information such as the organization name, the organization that issued the certificate, the user's e-mail address and country, and the user's public key.

When a server and client require a secure encrypted communication, they send a query over the network to the other party, which sends back a copy of the certificate. The other party's public key can be extracted from the certificate. A certificate can also be used to uniquely identify the holder.


Edited by Scar0ptics on 07-08-16 17:44
RE: Web Server Encryption

gobzi (HBH Guru)
Posted on 07-08-16 21:17
I don't think that you can even use different size keys since the public key is derived from the private key.

https://en.wikipe. . .i/Key_size

Personally I believe 4096 is too much.

Also remember that you need to consider many things:

-Certificates
-Protocol Support (SSL 2 or 3?)
-Key Exchange
-Cipher Strength

You should check:

https://www.owasp. . .RYPST-001)

and

https://www.sslla. . .m/ssltest/



Edited by gobzi on 07-08-16 21:18
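The checklist above (certificates, protocol support, key exchange, cipher strength) maps directly onto a server's TLS context. Added example, not from the thread: a Python `ssl.SSLContext` hardened along those lines next to the library default, with an `audit_context` function that reports the same items SSL Labs marks down. The `certfile`/`keyfile` parameters are assumed and optional (no files appear on the page), so both contexts can be built and audited without a certificate on disk.

```python
import ssl

# Ephemeral ECDH key exchange only (forward secrecy) and AEAD bulk ciphers only.
# TLS 1.3 suites are not selected by this string; OpenSSL keeps its AEAD-only 1.3 defaults.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_server_context(certfile=None, keyfile=None):
    """Server context with SSLv2/v3 and TLS 1.0/1.1 off, static-RSA key exchange,
    CBC/RC4/3DES suites and TLS compression removed, server-side suite preference on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression (CRIME)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # the server picks the suite, not the client
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)      # assumed paths; none on the page
    return ctx


def default_server_context():
    """Library defaults, for contrast: the default cipher list still includes
    static-RSA key exchange and CBC (non-AEAD) suites."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def audit_context(ctx):
    """Findings along the thread's checklist: protocol floor, key exchange, cipher strength."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; should be TLSv1_2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        # TLS 1.3 suite names start with TLS_ and always use an ephemeral exchange
        if not name.startswith(("TLS_", "ECDHE", "DHE")):
            findings.append(f"{name}: static key exchange, no forward secrecy")
        if not suite["aead"]:
            findings.append(f"{name}: not an AEAD suite (CBC, MAC-then-encrypt)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
    for finding in audit_context(default_server_context()):
        print("default: ", finding)
```

The audit only looks at what the context will negotiate; it says nothing about the certificate chain, OCSP, or HSTS, which SSL Labs also grades. Run it against the context your server actually uses, since a framework may build its own.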
RE: Web Server Encryption

Scar0ptics (Mad User)
Posted on 08-08-16 01:57
I will look into it some more, but I think I have a really nice setup right now. I'll give the option for people to surf the site via http or https when they get to the site. The cert is self-signed and I am using a 4096-bit key.

check it out:

http://i.imgur.com/ypOQ7Ej.png

Edited by Scar0ptics on 08-08-16 02:04
RE: Web Server Encryption

gobzi (HBH Guru)
Posted on 08-08-16 11:02
Scar0ptics wrote:
check it out:
http://i.imgur.com/ypOQ7Ej.png

The cipher looks fine to me.

HTTPS should be forced. It's 2016, compute power should not be used as an excuse.


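Forcing HTTPS, as suggested above, is more than a redirect rule. The added example below (not from the thread) is a WSGI middleware that sends every plaintext request to a fixed canonical host, keeps method and body with a 308, and adds Strict-Transport-Security only on TLS responses so returning browsers never make the plaintext request in the first place. The host `securitybox.ddns.net` is the one posted later in this thread; `hello_app`, `make_environ` and the opt-in X-Forwarded-Proto handling are assumptions made for the demonstration.

```python
import urllib.parse

HSTS_VALUE = "max-age=31536000; includeSubDomains"


class ForceHTTPS:
    """WSGI middleware: plaintext requests get a permanent redirect to the https origin;
    https responses get a Strict-Transport-Security header."""

    def __init__(self, app, canonical_host, trust_forwarded_proto=False):
        self.app = app
        # Fixed host from configuration, never copied from the request's Host header:
        # redirecting to a client-chosen host is an open redirect.
        self.canonical_host = canonical_host
        # Only honour X-Forwarded-Proto when a TLS-terminating proxy in front is known to set it;
        # otherwise any client can claim "https" and skip the redirect.
        self.trust_forwarded_proto = trust_forwarded_proto

    def _request_scheme(self, environ):
        if self.trust_forwarded_proto and environ.get("HTTP_X_FORWARDED_PROTO"):
            return environ["HTTP_X_FORWARDED_PROTO"].split(",")[0].strip().lower()
        return environ.get("wsgi.url_scheme", "http").lower()

    def __call__(self, environ, start_response):
        if self._request_scheme(environ) != "https":
            path = urllib.parse.quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            location = f"https://{self.canonical_host}{path}" + (f"?{query}" if query else "")
            # 308 keeps method and body, so a POST is replayed as a POST over TLS;
            # 301 would let the client downgrade it to a GET.
            start_response("308 Permanent Redirect",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def hello_app(environ, start_response):
    """Stand-in application for the demo (constructed, not a real site)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def call_wsgi(app, environ):
    """Drive a WSGI app without a server; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(scheme, path="/", query="", host="attacker.example", method="GET"):
    """Minimal constructed WSGI environ; the Host header is deliberately hostile."""
    return {"wsgi.url_scheme": scheme, "PATH_INFO": path, "QUERY_STRING": query,
            "HTTP_HOST": host, "REQUEST_METHOD": method}


if __name__ == "__main__":
    app = ForceHTTPS(hello_app, canonical_host="securitybox.ddns.net")
    print(call_wsgi(app, make_environ("http", "/login", "next=/admin")))
    print(call_wsgi(app, make_environ("https", "/login")))
```

The redirect protects only the very first visit; HSTS is what stops a network attacker from stripping TLS on later ones, and it must be sent over https, since browsers ignore the header on plaintext responses.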
RE: Web Server Encryption

Scar0ptics (Mad User)
Posted on 08-08-16 21:20
I planned on doing that before releasing it into the wild lol

I would like to give the users an option, but I know that isn't the securest thing to do.

Edited by Scar0ptics on 08-08-16 21:33
RE: Web Server Encryption

Huitzilopochtli (Member, Rank: God; Posts: 1640; Joined: 19.02.13)
Posted on 08-08-16 21:45
Stegano 28.

http://i.imgur.com/ypOQ7Ej.png

Find the website name.
RE: Web Server Encryption

Scar0ptics (Mad User)
Posted on 09-08-16 00:52
I got an "A" on SSL labs and the site hosted on my local server is more secure than a banking site. I had to play around with the SSL configurations before getting the A. Yeah, that wouldn't be a bad challenge either lol.

Hellboundhackers has an A- and I have an A.


Here is my site:
https://securitybox.ddns.net