Tweaking content.

.pre-commit-config.yaml

@@ -5,8 +5,8 @@ default_language_version:
   python: python3.10
 
 default_stages:
-  - commit
-  - push
+  - pre-commit
+  - pre-push
 
 fail_fast: false
 
@@ -59,21 +59,21 @@ repos:
         description: Double-check editorconfig compliance
         entry: bash -c 'editorconfig-checker'
         language: system
-        stages: [commit, push]
+        stages: [pre-commit, pre-push]
 
       - id: trufflehog
         name: TruffleHog
         description: Detect secrets in your data.
         entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail --json 2>/dev/null | jq "."'
         language: system
-        stages: [commit, push]
+        stages: [pre-commit, pre-push]
 
       - id: trivy-vuln
         name: Trivy (Vulnerabilities)
         description: Check for security vulnerabilities. (https://trivy.dev)
         entry: bash -c 'trivy fs --config trivy-vuln.yaml --ignorefile .trivyignore.yaml .'
         language: system
-        stages: [commit, push]
+        stages: [pre-commit, pre-push]
         # Troubleshooting: https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/#denied
 
       - id: yamlfmt
@@ -83,7 +83,7 @@ repos:
           bash -c '(find . -type f -iname "*.yaml" | xargs -I% yamlfmt "%") && \
             (find . -type f -iname "*.yml" | xargs -I% yamlfmt "%")'
         language: system
-        stages: [commit, push]
+        stages: [pre-commit, pre-push]
   # goplicate-end:always
 
   # ----------------------------------------------------------------------------

Makefile

@@ -213,6 +213,7 @@ serve:
 	HUGO_ENV=development hugo serve \
 		--buildDrafts \
 		--cleanDestinationDir \
+		--disableFastRender \
 		--enableGitInfo \
 		--environment development \
 		--forceSyncStatic \

config/_default/taxonomies.toml

@@ -1,3 +1 @@
-series   = "series"
-tag      = "tags"
-category = "categories"
+vuln = 'vulns'

content/learning/tls/3des.md

@@ -0,0 +1,17 @@
+---
+title: Triple Data Encryption Standard (3DES)
+description: Vulnerable key exchange
+layout: learn-single
+
+vulns:
+  - lucky-13
+
+---
+
+## Summary
+
+Although [Triple-DES] (3DES) has not yet been fully broken, it suffers from several vulnerabilities, making it a _weak_ cipher.
+
+Any cipher suite with `3DES` in the name should be avoided.
+
+[Triple-DES]: https://en.wikipedia.org/wiki/Triple_DES

content/learning/tls/_index.md

@@ -0,0 +1,55 @@
+---
+title: TLS and Cipher Suites
+description: ...
+# layout: learn-single
+layout: list
+
+good_better_best:
+  1abysmal:
+    title: Not secure at all
+    description: '<span class="ui-badge-error-wrap">SSLv2</span> <span class="ui-badge-error-wrap">SSLv3</span>'
+  2better:
+    title: Security broken
+    description: '<span class="ui-badge-alert-wrap">TLS 1.0</span> <span class="ui-badge-alert-wrap">TLS 1.1</span>'
+  3best:
+    title: Safe and secure
+    description: '<span class="ui-badge-success-wrap">TLS 1.2</span>+ <span class="ui-badge-success-wrap">TLS 1.3</span>'
+
+---
+
+## Summary
+
+Security never stands still. As soon as new methods are designed to secure data on the internet, there is someone working on ways to crack-open that security. Things that were secure 20 years ago are not secure today.
+
+In {{% year %}}, there are only two configurations which are considered fully secure, and both should be offered to end-users:
+
+### TLS 1.3
+
+[TLS 1.3] is the most modern version of _Transport Layer Security_. The specification shipped in August 2018, and defines 3 cipher suites which are non-configurable.
+
+### TLS 1.2 with _Forward Secrecy_
+
+[TLS 1.2] is the next-oldest version. The specification shipped in August 2008, and defines several configurable cipher suites — most of which are _no longer_ secure, but there are still a good number that are compatible for the open web.
+
+## Parts of a cipher suite
+
+_Broadly_ speaking, there are four components to a cipher suite (as used in TLS):
+
+* Key exchange
+* Authentication signature
+* Encryption algorithm
+* Hashing function
+
+If any one part of a cipher suite has an issue, it can compromise the integrity of the entire cipher suite.
+
+## Known issues in classes of cipher suites
+
+Security vulnerabilities can impact _classes_ of cipher suites.
+
+[depr-sslv2]: https://datatracker.ietf.org/doc/html/rfc6176
+[depr-sslv3]: https://datatracker.ietf.org/doc/html/rfc7568
+[SSLv3]: https://datatracker.ietf.org/doc/html/rfc6101
+[TLS 1.0]: https://datatracker.ietf.org/doc/html/rfc2246
+[TLS 1.1]: https://datatracker.ietf.org/doc/html/rfc4346
+[TLS 1.2]: https://datatracker.ietf.org/doc/html/rfc5246
+[TLS 1.3]: https://datatracker.ietf.org/doc/html/rfc8446

content/learning/tls/anon.md

@@ -0,0 +1,14 @@
+---
+title: Anonymous Key Exchanges
+# description:
+layout: learn-single
+
+---
+
+## Summary
+
+Anonymous key exchanges are generally vulnerable to [Man-in-the-Middle attacks][MITM].
+
+Any cipher suite with `anon` in the name should be avoided.
+
+[MITM]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack

content/learning/tls/cbc.md

@@ -0,0 +1,18 @@
+---
+title: Cipher Block Chaining
+description: Vulnerable key exchange
+layout: learn-single
+
+vulns:
+  - beast
+  - lucky-13
+
+---
+
+## Summary
+
+The [CBC] encryption algorithm suffers from a handful of vulnerabilites, namely alongside SSLv3 and TLS 1.0, making it a _weak_ cipher. GCM encryption should be preferred over CBC.
+
+Any cipher suite with `CBC` in the name should be avoided.
+
+[CBC]: https://en.wikipedia.org/w/index.php?title=Block_cipher_mode_of_operation#CBC

content/learning/tls/des.md

@@ -0,0 +1,23 @@
+---
+title: Data Encryption Standard (DES)
+description: Vulnerable key exchange
+layout: learn-single
+
+vulns:
+  - freak
+
+---
+
+## Summary
+
+The [DES] algorithm was [developed at IBM in 1972][IBM], then [became a _Federal Information Processing Standard_ (FIPS) in 1977][FIPS-46].
+
+It was [cracked in 1997][cracked], and was [removed from U.S. NIST standards (FIPS 46-3) in 2005][FIPS 46-3]. It is no longer considered secure.
+
+Any cipher suite with `DES` in the name should be avoided.
+
+[cracked]: https://web.archive.org/web/20170507231657/https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html
+[DES]: https://en.wikipedia.org/wiki/Data_Encryption_Standard
+[FIPS-46]: https://csrc.nist.gov/pubs/fips/46/final
+[FIPS 46-3]: https://csrc.nist.rip/news/2005/withdrawal-of-fips-46-3-fips-74-and-fips-81
+[IBM]: https://ieeexplore.ieee.org/document/5389567

content/learning/tls/dh.md

@@ -0,0 +1,27 @@
+---
+title: Diffie-Hellman (DH)
+description: Vulnerable key exchange
+layout: learn-single
+
+vulns:
+  - logjam
+  - raccoon
+
+learn_more:
+  - text: 'Diffie-Hellman problem'
+    url: https://en.wikipedia.org/wiki/Diffie–Hellman_problem
+    source: Wikipedia
+
+  - text: 'Deprecating Obsolete Key Exchange Methods in TLS 1.2'
+    url: https://datatracker.ietf.org/doc/html/draft-ietf-tls-deprecate-obsolete-kex/
+    source: IETF
+
+---
+
+## Summary
+
+The older [Diffie-Hellman] (DH, DHE) key exchange algorithms are vulnerable to a handful of security vulnerabilities. The newer _elliptic-curve_ (ECDHE) key exchange algorithms are more secure and should be strongly preferred.
+
+This is the non-ephemeral version, which… @TODO
+
+[Diffie-Hellman]: https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

content/learning/tls/dhe.md

@@ -0,0 +1,28 @@
+---
+title: Diffie-Hellman, Ephemeral (DHE)
+description: Vulnerable key exchange
+layout: learn-single
+
+vulns:
+  - dheatattack
+  - logjam
+  - raccoon
+
+learn_more:
+  - text: 'Diffie-Hellman problem'
+    url: https://en.wikipedia.org/wiki/Diffie–Hellman_problem
+    source: Wikipedia
+
+  - text: 'Deprecating Obsolete Key Exchange Methods in TLS 1.2'
+    url: https://datatracker.ietf.org/doc/html/draft-ietf-tls-deprecate-obsolete-kex/
+    source: IETF
+
+---
+
+## Summary
+
+The older [Diffie-Hellman] (DH, DHE) key exchange algorithms are vulnerable to a handful of security vulnerabilities. The newer _elliptic-curve_ (ECDHE) key exchange algorithms are more secure and should be strongly preferred.
+
+This is the ephemeral version, which… @TODO
+
+[Diffie-Hellman]: https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

content/learning/tls/rc2.md

@@ -0,0 +1,20 @@
+---
+title: Rivest Cipher 2 (RC2)
+description: Vulnerable key exchange
+layout: learn-single
+
+learn_more:
+  - text: 'A Description of the RC2(r) Encryption Algorithm'
+    url: https://datatracker.ietf.org/doc/html/rfc2268
+    source: IETF
+
+---
+
+## Summary
+
+The [RC2] algorithm was [cracked in 1997]. It is no longer considered secure.
+
+Any cipher suite with `RC2` in the name should be avoided.
+
+[cracked in 1997]: https://www.schneier.com/wp-content/uploads/2016/02/paper-relatedkey.pdf
+[RC2]: https://en.wikipedia.org/wiki/RC2

content/learning/tls/rc4.md

@@ -0,0 +1,48 @@
+---
+title: Rivest Cipher 4 (RC4)
+description: Vulnerable key exchange
+layout: learn-single
+
+vulns:
+  - NOMORE
+
+learn_more:
+  - text: 'Attacks against RC4'
+    url: https://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
+    source: Wikipedia
+
+  - text: 'Killing RC4: The Long Goodbye'
+    url: https://blog.cloudflare.com/killing-rc4-the-long-goodbye/
+    source: Cloudflare
+
+  - text: 'End of the road for RC4'
+    url: https://blog.cloudflare.com/killing-rc4-the-long-goodbye/
+    source: Cloudflare
+
+  - text: 'On the Security of RC4 in TLS and WPA'
+    url: https://www.isg.rhul.ac.uk/tls/index.html
+
+---
+
+## Summary
+
+The [RC4] algorithm was [cracked in 2013][Qualys], was [prohibited from being part of TLS][RFC-7465] in 2015, and was [removed from all major web browsers][DigiCert] in 2016. It is no longer considered secure.
+
+Any cipher suite with `RC4` in the name should be avoided.
+
+## Information
+
+| Field        | Value                    |
+|--------------|--------------------------|
+| Invented     | 1987                     |
+| Cracked      | 2015                     |
+| Ephemeral    | _No_                     |
+| Related tech | [WEP], [WPA], [WPA-TKIP] |
+
+[DigiCert]: https://www.digicert.com/blog/major-browsers-announce-rc4-deprecation
+[Qualys]: https://blog.qualys.com/product-tech/2013/03/19/rc4-in-tls-is-broken-now-what
+[RC4]: https://en.wikipedia.org/wiki/RC4
+[RFC-7465]: https://datatracker.ietf.org/doc/html/rfc7465
+[WEP]: https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
+[WPA]: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
+[WPA-TKIP]: https://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol

content/vulns/_index.md

@@ -0,0 +1,9 @@
+---
+title: Vulnerabilities
+description: Known security vulnerabilities.
+layout: list
+---
+
+## By name
+
+A list of known security vulnerabilities, by name.

content/vulns/beast.md

@@ -0,0 +1,37 @@
+---
+title: BEAST
+description: Browser Exploit Against SSL/TLS
+layout: term
+
+learn_more:
+  - text: 'Lucky 13, BEAST, CRIME,… Is TLS dead, or just resting?'
+    url: https://www.ietf.org/proceedings/89/slides/slides-89-irtfopen-1.pdf
+    source: IETF
+
+  - text: 'Here Come The ⊕ Ninjas'
+    url: https://web.archive.org/web/20220308133400/http://netifera.com/research/beast/beast_DRAFT_0621.pdf
+    source: Netifera
+
+  - text: 'Prevent SSL BEAST attacks'
+    url: https://docs.veracode.com/r/prevent-ssl-beast
+    source: Veracode
+
+  - text: 'Proof Of Concept of the BEAST attack against SSL/TLS CVE-2011-3389'
+    url: https://github.com/mpgn/BEAST-PoC
+    source: GitHub
+
+  - text: 'Encryption - CBC Mode IV: Secret or Not?'
+    url: https://defuse.ca/cbcmodeiv.htm
+
+---
+
+## Overview
+
+@TODO
+
+## Information
+
+| Field               | Value        |
+|---------------------|--------------|
+| Cracked             | 2011         |
+| Vulnerability class | Data leakage |

content/vulns/breach.md

@@ -0,0 +1,27 @@
+---
+title: BREACH
+description: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
+layout: term
+
+learn_more:
+  - text: 'BREACH Attack'
+    url: https://www.breachattack.com
+
+  - text: 'BREACH PoC'
+    url: https://github.com/nealharris/BREACH
+    source: GitHub
+
+---
+
+## Overview
+
+@TODO
+
+## Information
+
+| Field               | Value              |
+|---------------------|--------------------|
+| Cracked             | 2013               |
+| Vulnerability class | Compression attack |
+
+[BREACH]: https://en.wikipedia.org/wiki/BREACH