Month: August 2018

Framework Misconfiguration Analysis with RIPS

65 New Issue Types Added

In the latest release of our RIPS Code Analysis solution we added a new Preparser. The Preparser detects different types of configurations and checks whether they keep the web application in a secure state. Each framework has its own configuration files, parameters, keys and formats. In order to provide recommendations for a secure configuration of your application, our Preparser recognizes popular frameworks and libraries and checks their custom settings.
Broad Support for Let’s Encrypt SSL Digital Certificates

With all of our paid hosting platforms, R4L provides you a free digital certificate called Let’s Encrypt.  The web is quickly moving towards requiring sites to use encryption.  When you order a paid hosting plan with R4L, the SSL cert is automatically installed and maintained for you, allowing your website and email to be fully encrypted.

As posted on the news last week on the website Slashdot, the Let’s Encrypt open source SSL certificate is now recognized by all major root certificate programs, including:

  • Microsoft,
  • Google,
  • Apple,
  • Mozilla,
  • Oracle, and
  • Blackberry

Let’s Encrypt has been trusted by almost all browsers for some time, but it achieved that through an intermediate certificate from a vendor called IdenTrust.  With Let’s Encrypt now being directly recognized and trusted, there is no longer a third party involved.  If there were ever a problem with IdenTrust in the future (we’re not saying that’s likely), Let’s Encrypt would continue to be trusted without a problem.  A problem similar to this did happen to Symantec certs when they were distrusted by Google and Mozilla.

Let’s Encrypt is now directly trusted by all major browsers and operating systems.

What is Phar Deserialization

Summary

The security researcher Sam Thomas from Secarma found a new exploitation technique that can lead to critical PHP object injection vulnerabilities – without using the PHP function unserialize(). The new technique was announced at the BlackHat USA conference in his talk “It’s a PHP Unserialization Vulnerability Jim, but Not as We Know It”. It can enable attackers to escalate the severity of file-related vulnerabilities to remote code execution.