This morning, while I was trying to proxy traffic to this site in Burpsuite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path. The crux of the problem was that the JRE didn’t have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files installed. However, since this article was published, Portswigger began bundling the JRE with Burpsuite itself. ...
In a previous post I discussed the complicated process of configuring S3 to use Letsencrypt to obtain a TLS certificate. That post served as a reference for me to re-implement Letsencrypt every 90 days. Since then, my 90-day Letsencrypt certificate expired, and I was at a loss for how to re-instate it. Using my own post as a reference didn’t help me with the arcane letsencrypt errors I was encountering. It was a pain in the ass trying to remember how to configure and use a combination of letsencrypt, awscli, virtual machines to run them in (letsencrypt has since implemented a docker option for running on OSX), et cetera, et cetera. I was hoping to get all of this done during a brief lull in my workday. Nope.jpg I’m chalking my experience up to the non-standard use case of using letsencrypt to generate a TLS certificate for a site hosted on S3. Perhaps in the future there will be native support for S3/Cloudfront sites in letsencrypt, but it’s not there yet. ...
It’s early 2016, and there are a multitude of content management systems and blog platforms out there: Wikipedia’s List of Content Management Systems The security blog I contribute to, Penetrate.IO runs on the venerable Wordpress and requires constant updates to stay one step ahead of attackers. This becomes tiresome after a while, especially since the only thing I’m interested in hosting is a series of articles. These don’t require server-side computation, simply hosting. It’s a little like web development from the late 90’s - I only require simple HTTP hosting. ...