SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, July 10th, 2025: Internal CA with ACME; TapJacking on Android; Adobe Patches;

SANS ISC Handlers

Tech News, News, Technology


🗓️ 10 July 2025

⏱️ 5 minutes


Summary


Setting up Your Own Certificate Authority for Development: Why and How.
Some tips on setting up your own internal certificate authority using the smallstep CA.
https://isc.sans.edu/diary/Setting%20up%20Your%20Own%20Certificate%20Authority%20for%20Development%3A%20Why%20and%20How./32092

Animation-Driven Tapjacking on Android
Attackers can use a clickjacking-like technique to trick victims into clicking on animated transparent dialogs opened from other applications.
https://taptrap.click/usenix25_taptrap_paper.pdf

Adobe Patches
Adobe patched 13 different products yesterday. Most concerning are vulnerabilities in ColdFusion that include code execution and arbitrary file disclosure vulnerabilities.
https://helpx.adobe.com/security/security-bulletin.html

Transcript


0:00.0

Hello and welcome to the Thursday, July 10, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:08.2

My name is Johannes Ullrich and this episode, brought to you by the SANS.edu graduate certificate program in Incident

0:16.1

Response, is recorded in Jacksonville, Florida.

0:20.4

In Diaries today, I just did a quick write-up about setting up your own certificate authority

0:25.0

sort of for development purposes.

0:27.0

So this particular write-up doesn't focus on how to do it super secure, but how to do it

0:33.6

convenient and integrated well with various development tools and development websites

0:39.2

that you may have, which in particular means also integrating it with the ACME protocol.

0:44.9

The ACME protocol, you may be familiar with it from tools like certbot that are commonly used

0:51.0

to retrieve certificates from Let's Encrypt.

0:54.7

But if you set up your own certificate authority, well, you want to stay simple and

1:00.4

use tools like that, well, and you actually can use certbot.

1:04.5

There is an open source certificate authority from smallstep that implements the ACME protocol, relatively straightforward to set up.

1:13.6

They also have commercial products, but this particular product is free and open source,

1:20.6

and also well documented and not really all that difficult to set up.

1:25.6

One thing in particular to note if you are using your own internal certificate authority

1:30.6

is that you're not bound by any of the constraints of some of the public certificate authorities.

1:36.7

Like, for example, the certificate lifetime.

1:39.7

You can create longer, shorter certificates, whatever you would like.

1:46.0

You just have to add that certificate authority manually to your operating system or to your browser's list of trusted certificate authorities.

1:54.8

Also, keep in mind that when you're doing this, your certificates will not show up in certificate transparency lists.

2:03.6

That's actually a big advantage for development websites,

...
