Saturday 24 March 2018

Making a PNG Image Smaller

Converting a PNG to a 16 colour BMP bitmap reduces its size by between 40% and 60%. PNG is a format that supports lossless compression.

Friday 23 March 2018

The End of Special Sequences - Removal of Trigraphs in C++17

A trigraph is a three-character sequence interpreted as a single character, as per a programming language's specification. (A digraph is the analogous concept for two-character sequences.)

Keyboard limitations spurred their use, i.e. keyboards lacked enough keys to cover the full character set of a language.

The concept of the trigraph was initially invented by the ANSI C committee. IBM have historically opposed the removal of trigraphs from C++.

Friday 9 March 2018

A Review of SSL/TLS - Preventing POODLE Attacks (Revealed by Google in 2014)

WJ has talked about this before in the context of IIS but it's always good to revise basic security concepts pertinent to the Windows world. These concepts are becoming increasingly important as programmers are expected to become more cyber-conscious.

SSL is the (now largely legacy) Secure Sockets Layer, created in the mid 1990s (the first public version was released in 1995) and designed for cryptographically secure data transport (now known not to be so secure). SSL is technically prohibited by the IETF. The first version was pioneered by Netscape.

TLS is the successor to SSL.

TLS is recommended above SSL because of the POODLE attack (impacting SSLv3), discovered by Google researchers and publicised in October 2014, when SSLv3 was already nearly 18 years old. The attack allows the padding data at the end of a block-cipher message to be exploited to iteratively degrade security. It also exploits the tendency of browsers to fall back on earlier protocols when connections fail.

The follow-on recommendation was to stop using SSLv3.

POODLE is an abbreviation for "Padding Oracle on Downgraded Legacy Encryption"; the attack is a man-in-the-middle exploit.

Padding oracle attacks are associated with block ciphers, which encrypt information in blocks and may incorporate "padding bits". The attack relies on the presence of a "padding oracle": something that reveals whether a cryptographic message is correctly padded or not.
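The padding check itself is what ends up acting as the oracle. The following is an added example, not code from the original post: it contrasts an SSLv3-style check, which looks only at the final length byte, with a TLS-style check that requires every padding byte to match. The 16-byte block size, the function names and the sample record are assumptions constructed for illustration.

```python
BLOCK = 16  # assumed cipher block size in bytes (e.g. AES)


def pad_record(data: bytes) -> bytes:
    """Pad TLS-style: N bytes of value N, then the length byte N."""
    pad_len = (-(len(data) + 1)) % BLOCK
    return data + bytes([pad_len]) * (pad_len + 1)


def sslv3_padding_ok(plaintext: bytes) -> bool:
    """SSLv3-style check: only the final length byte is examined.
    The padding bytes before it may hold any value."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS-style check: every padding byte must equal the length byte."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def demo() -> dict:
    """Compare both checks on an intact and a modified record."""
    record = pad_record(b"constructed sample record")  # constructed input
    modified = bytearray(record)
    modified[-3] ^= 0xFF  # alter one padding byte, keep the length byte
    modified = bytes(modified)
    return {
        "intact": (sslv3_padding_ok(record), tls_padding_ok(record)),
        "modified": (sslv3_padding_ok(modified), tls_padding_ok(modified)),
    }


if __name__ == "__main__":
    for name, (sslv3, tls) in demo().items():
        print(f"{name:9s} sslv3_check={sslv3} tls_check={tls}")
```

The SSLv3-style check accepts the modified record because it never inspects the altered byte, which is why the recommendation was to retire SSLv3 rather than patch around it.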

Some random facts on TLS, what it stands for etc.

TLS (Version 1.0) was first defined in January 1999. Tim Dierks is one of the original authors.