meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Tuesday, June 28th, 2022

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

Tech News, News, Technology

4.9696 Ratings

🗓️ 28 June 2022

⏱️ 7 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Encrypted Client Hello; Jenkins Patches; Instagram Age Verification; CodeSys Vuln

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Tuesday, June 28, 2022 edition of the Sands and at Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Stockholm, Germany.

0:13.7

Today, I took a little bit of closer look at an emerging standard. It's actually an IATF draft officially at this point, encrypted client

0:22.6

hellos. The first data packet being sent by a client to a server in order to negotiate a TLS

0:29.8

connection is the client hello. And it has been sort of the weak point of TLS privacy in many ways. First of all, the server name is usually passed along

0:42.1

in the clear. Now, there was an earlier standard that just encrypted the server name

0:48.2

indication field, which is the server name. That standard hasn't really taken off and actually sort of has been

0:56.4

deprecated in favor of encrypting the entire most of the declined hello, which also avoids

1:05.3

some fingerprinting issues. Now, one question I was wondering is, is anybody actually using it? There are a couple

1:12.8

browsers that at least have the option to implement it. And what I noticed is the DNS record

1:19.6

that goes with this feature. There are actually two sort of specific DNS records that were

1:26.6

introduced for this feature.

1:28.7

One in particular, HDPS is a DNS resource record type that is sort of used for encrypted client.

1:37.3

I noticed that clients actually sent the record, but so far I don't see any servers actually responding and supporting

1:48.0

it, which then of course means it falls back to the good old way to do client hellos.

1:54.0

Now, these emerging standards, of course, will affect the efficacy of your network monitoring

1:59.3

solutions, and that's why you definitely should keep an eye on

2:03.2

whether or not these standards are being used in the network, and whether or not you may be

2:10.1

missing some data if you no longer can, for example, pull host names out of these client hellos.

2:19.4

And of course, as usual, more details in the post.

2:24.6

And Jenkins released an update fixing a number of different vulnerabilities.

2:31.3

Many of them cross-ed scripting, some CS-serve vulnerabilities, but also, for example,

2:38.3

a few plugins that do store credentials like passwords in the clear. Most of the vulnerabilities

...

Please login to see the full transcript.

Previous episode | Next episode

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.