In the last day of the year, it’s time to look back at the year and highlight the things that enjoyed in 2018. For reference, here is the list from the last year.

1. Two books: Daemon and Freedom, by Daniel Suarez. Absolutely brilliant, I don’t know how I missed them for so many years. Here’s an excerpt:

The most striking revelation in a long time is about democracy.
Source: https://t.co/0ctn4yDhRW pic.twitter.com/SwEjY7bvVH

— Dorin Moise (@dorinmoise) September 6, 2018

The Code book from Simon Singh was probably the runner-up – a few months ago I ordered the printed version and read it again after 5 years.

2. My new notebook: Huawei Matebook x Pro. Say what you want about Huawei, but they came up with a brilliant device. Miles ahead of the premium-priced Macbooks, it fundamentally changed my workflow. Never been a tablet guy and probably never be, so the combination of an iPhone + an ultrabook like the Matebook works best for me.

3. WorkFlowy: an exponent of the makers (*) culture, WorkFlowy is a dead-simple, cross-platform note-taking app. The hierarchical structure of the notes makes it compatible with mind-mapping and I found myself using it in a variety of ways. For instance, I drafted the outline of this post in WorkFlowy. Others wrote books with it:

(*) the makers culture: Peter Levels https://levels.io/ https://makebook.io/
https://twitter.com/ajlkn https://carrd.co/

4. A place: the Austrian Alps in the summer time. I had the chance to spend about a week in the mountains. The combination of mountains, clean air, outdoor activities and clear blue sky is amazing. Just have a look:

5. Security. There were plenty of security things that I learned in 2018. Went to a few classroom training sessions (CISM, CISSP, TLS), passed some challenging certification exams, and realized that (IT) security is a fascinating domain with a lot of brilliant people.

The IT industry rocks (as one of the security guys that I follow said today), and on top of that, the security aspects make things much more interesting to watch.

6. Simona Halep: not only for finally winning her Grand Slam, but also for having the capacity to remain competitive for a long time: never dropped out of the top 10 for over 5 years and currently number 1 for more than a year (with a brief 4-weeks interruption). Well deserved and very inspirational.

7. Two series: Breaking Bad and Better Call Saul. I enjoyed watching Breaking Bad when it was released on Netflix, and found the Better Call Saul a very good continuation of the series. Now that Better Call Saul is over, I went back to re-watch Breaking Bad – it’s amazing how a few years and another prequel change the perspective.

8. Jurgen Klopp. He joined Liverpool 3 years ago and built an amazing team around him. One can learn a lot about leadership just by listening to his interviews. Humble and determined, he’s a perfect fit for Liverpool and you can sense how everybody around the club loves him.

9. The iPhone X – because the dimensions are finally right, and, more importantly, because its camera allowed me to take some amazing photos throughout the year: https://www.flickr.com/photos/dorin_moise

10. Tesla Model S. Finally, I left this at the end because it offered me some very mixed feelings. As I said in a recent post, the car is really amazing and it offers an experience that you will not find anywhere else. But the quality of the support services is disappointing here in Belgium. I hope that things will improve, even though I’m not holding my breath.

Here’s for a brilliant 2019 and remember, in the end it’s all about getting better.

Again, some notes about the second day of the excellent TLS Training delivered by Scott Helme. 

• symmetric encryption is fast. AES is fast enough for transferring large amounts of encrypted data (ex. streaming)
• asymmetric encryption is slow, therefore it’s only used for the authentication, in the beginning of the secured session 
•  RSA algorithm was actually invented 4 years before: The acronym RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1978. Clifford Cocks, an English mathematician working for the British intelligence agency Government Communications Headquarters (GCHQ), had developed an equivalent system in 1973, but this was not declassified until 1997.
• Hashing: SHA256 (a subset of the SHA-2 family) is considered strong enough. Alternatives for the future are SHA384 and SHA512 (longer digests), but if the SHA-2 is fundamentally broken, then the SHA-3 family (Keccak) comes to the rescue. It’s like a never-ending cat vs mouse game between cryptographers and cryptanalysts. 
• The CAs store their private keys in HSMs and rarely rotate them (a lifetime of a few decades is not uncommon)
• There is a good analogy between digital certificates and passports
• X509 is the standard describing the structure of the digital certificates. Currently at version 3, it introduced extensions (arbitrary metadata of key + values pairs). Example of an extension: the SAN (Subject Alternative Names) – where a number of domains can be given on top of the common name (CN). In fact, Google Chrome only looks at the SAN when parsing a certificate.
• The certificate chain is typically composed of the Root CA certificate, then the Intermediate CA certificate(s) and finally, the end-entity certificate (the leaf). The last intermediate certificate has the ‘path length’ parameter set to 0 (it’s children can only be leaves).
• The Root CA certificates are provided by the client (stored in the browser or OS), while the intermediate CA and end-entity certificates are provided by the server(the intermediate CA cert – for performance reasons)
• It takes on average 5-6 years to become a Root CA. And if you want this, you must work with the following 5 relying parties carrying a set of root keys in their trust store: Apple, Google, Java, Mozilla, Microsoft. Let’s Encrypt started in 2016 and it’s not yet a Root CA; they are currently using another root CA to cross-sign their certificates (IdenTrust). 
• The Web PKI is governed by the CAB Forum – an entity where the  Certificate Authorities and the major browsers are represented.

Some notes after the first day of the TLS training session with Scott Helme

The Best TLS Training once again in London! Next one in November – join us! https://t.co/dk52dJkH4c pic.twitter.com/NMzhadFAnP

— Feisty Duck (@feistyduck) September 6, 2018

——

• the core protocols powering the Internet were not designed with security in mind
• you pwn the cookie, you pwn the user
• the server should not encrypt the cookie contents because there is nothing to hide to the browser
• the submarine cable map is amazing, but the landing sites are possible points of failure when it comes to your privacy
• we’ve reached the HTTPS tipping point – meaning that more than 50% of the Internet traffic is encrypted, but 90% of the sites are still on plain, old HTTP
• the goal of encryption: to encrypt the data for just as long as it’s needed
• when checking into a hotel, we would rather not have running  water than not having wi-fi 🙂
• SSL was initially the Netscape’s baby, but it was renamed to TLS under the pressure of Microsoft
• TLS 1.3 was officially adopted as a standard, and it comes with major performance improvements as well as mandatory forward secrecy. But it will take a couple of years until it will be implemented at large scale by the hardware manufacturers 
• TLS 1.3 should have been really named TLS 2.0 if it was not for some poorly coded, but widely used hardware
• it becomes more and more clear the significant impact of the Snowden revelations on how people look at their privacy and web security (example: Lavabit and forward secrecy)
• the recommended lifespan of a certificate is about 12 months
• common domain validation methods: email challenge, DNS text record or a random HTTP path
• client clock skew: you can change your device time to cheat on Candy Crush, but this can lead to invalid HTTPS certificates for your device only
• if you are a big organisation, you better have a backup CA (or at least one that is ready to issue a new certificate in a matter of minutes, not days)
• cipher suite format: TLS_KX_AUTH_CIPHER_HASH. 
  • Key Exchange (KX): just use ECDHE, or if not supported, DHE. But never use RSA because of the lack of forward secrecy
  • Authentication: RSA is still good enough
  • Symmetric key encryption (used because it’s faster than asymmetric): AES 128 is good enough; AES 256 better but slower
• sometimes, good security practices are followed not because of the security advantages, but because of the performance improvements: ChaCha20
• don’t create a system that relies on the human factor for security (ex. don’t ask the regular user to type https:// in his browser) 
• good: HTTPS, better: HTTPS + HSTS, best: HTTPS + HSTS + preload. But having all the browsers load a static list of websites is not a scalable solution
• BTW – seeing my own domain in the source code of all the modern browsers used by billions of people is cool: transport_security_state_static.json (warning – 6Mb file!) 
• HSTS is a one-way street: you can’t easily go back from HTTPS to HTTP
• people are terrified about changing the cookies standards / specifications
• it looks like the attackers can overwrite your cookies even when using secure cookies over HTTPS. Cookie prefixes are a dirty, but effective solution: you just need to add __Secure- to your cookie name:

Set-Cookie: __Secure-ID=123; Secure; Domain=example.com

“The __Secure- prefix makes a cookie accessible from HTTPS sites only. A HTTP site can not read or update a cookie if the name starts with  __Secure-. “

"Crypto is never broken.
Crypto is always bypassed."@Scott_Helme delivering the best TLS training in the world

— Dorin M. (@dorinmoise) September 6, 2018