diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index 8b13789..e69de29 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -1 +0,0 @@
-
diff --git a/content/classes/_index.md b/content/classes/_index.md
index a8df4f1..8d77ed7 100644
--- a/content/classes/_index.md
+++ b/content/classes/_index.md
@@ -5,3 +5,5 @@ layout: list
---
## By type
+
+A list of groups (classes) that security vulnerabilities targeting SSL/TLS fit into, by name.
diff --git a/content/learning/_index.md b/content/learning/_index.md
index cc5f793..b01389a 100644
--- a/content/learning/_index.md
+++ b/content/learning/_index.md
@@ -4,4 +4,10 @@ description: What do the results mean?
layout: list
---
+## Overview
+
+Instead of only telling you **WHAT** is wrong with a website, we also want to educate about **WHY** something is a problem, and **HOW** you can go about fixing it.
+
+If you feel that something is missing, or we can explain something better, please [create an issue](https://github.com/northwood-labs/devsec-tools/issues) and let us know!
+
## How does this stuff work?
diff --git a/content/learning/http-version.md b/content/learning/http-version.md
index 1b75dc2..fa09075 100644
--- a/content/learning/http-version.md
+++ b/content/learning/http-version.md
@@ -42,6 +42,38 @@ docs:
nginx:
docs: "https://www.slingacademy.com/article/enable-http2-http3-nginx/"
+learn_more:
+ - text: 'HTTP Working Group'
+ url: https://httpwg.org
+ source: Official
+
+ - text: 'HTTP/2 vs. HTTP/1.1: How do they affect web performance?'
+ url: https://www.cloudflare.com/learning/performance/http2-vs-http1.1/
+ source: Cloudflare
+
+ - text: 'What is HTTP/3?'
+ url: https://www.cloudflare.com/learning/performance/what-is-http3/
+ source: Cloudflare
+
+ - text: 'HTTP/2'
+ url: https://en.wikipedia.org/wiki/HTTP/2
+ source: Wikipedia
+
+ - text: 'HTTP/3'
+ url: https://en.wikipedia.org/wiki/HTTP/3
+ source: Wikipedia
+
+ - text: 'Evolution of HTTP'
+ url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Evolution_of_HTTP
+ source: Mozilla Developer Network
+
+ - text: 'Comparison of the usage statistics of HTTP/2 vs. HTTP/3 for websites'
+ url: https://w3techs.com/technologies/comparison/ce-http2,ce-http3
+ source: W3Techs
+
+ - text: 'HTTP/2 and HTTP/3 explained'
+ url: https://alexandrehtrb.github.io/posts/2024/03/http2-and-http3-explained/
+
---
## Summary
@@ -62,25 +94,6 @@ Nobody is left out, and modern software is able to take advantage of modern conn
According to [w3techs.com](https://w3techs.com/technologies/comparison/ce-http2,ce-http3) (in research [cited by Mozilla](https://developer.mozilla.org/en-US/docs/Web/HTTP/Evolution_of_HTTP#http2_–_a_protocol_for_greater_performance)), approximately 37% of the top million websites support HTTP/3, and approximately 32% of **all** websites have added support.
-## Learn more about HTTP…
-
-* [HTTP Working Group](https://httpwg.org) (Official)
-* [HTTP/2 vs. HTTP/1.1: How do they affect web performance?](https://www.cloudflare.com/learning/performance/http2-vs-http1.1/) (Cloudflare)
-* [What is HTTP/3?](https://www.cloudflare.com/learning/performance/what-is-http3/) (Cloudflare)
-* [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) (Wikipedia)
-* [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) (Wikipedia)
-* [Evolution of HTTP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Evolution_of_HTTP) (Mozilla Developer Network)
-* [Comparison of the usage statistics of HTTP/2 vs. HTTP/3 for websites](https://w3techs.com/technologies/comparison/ce-http2,ce-http3) (W3Techs)
-* [HTTP/2 and HTTP/3 explained](https://alexandrehtrb.github.io/posts/2024/03/http2-and-http3-explained/)
-
-## Learn more about QUIC…
-
-* [QUIC Working Group](https://quicwg.org) (Official)
-* [QUIC, a multiplexed transport over UDP](https://www.chromium.org/quic/) (Chromium)
-* [Introducing QUIC support for HTTPS load balancing](https://cloud.google.com/blog/products/gcp/introducing-quic-support-https-load-balancing) (Google Cloud Platform)
-* [The Road to QUIC](https://blog.cloudflare.com/the-road-to-quic/) (Cloudflare)
-* [QUIC](https://en.wikipedia.org/wiki/QUIC) (Wikipedia)
-
[HTTP/1.0]: https://datatracker.ietf.org/doc/html/rfc1945
[HTTP/1.1]: https://datatracker.ietf.org/doc/html/rfc9112
[HTTP/2]: https://datatracker.ietf.org/doc/html/rfc9113
diff --git a/content/learning/recommended-cipher-suites.md b/content/learning/recommended-cipher-suites.md
new file mode 100644
index 0000000..24e20d3
--- /dev/null
+++ b/content/learning/recommended-cipher-suites.md
@@ -0,0 +1,54 @@
+---
+title: Recommended cipher suites
+description: Reduce the attack surface of your website by enabling secure handshakes
+layout: learn-single
+---
+
+## Overview
+
+In {{% year %}}, there are only two configurations which are considered fully secure, and both should be offered to end-users:
+
+## TLS versions
+
+* {{% svg-check %}} TLS 1.3+ {{% svg-check %}} TLS 1.2
+
+* {{% svg-x %}} TLS 1.1, {{% svg-x %}} TLS 1.0, {{% svg-x %}} SSLv3, and {{% svg-x %}} SSLv2
+
+## TLS 1.3 cipher suites
+
+In order to simplify configuration and increase security, [TLS 1.3] _only defines_ three cipher suites which are meant to be non-configurable.
+
+1. {{% svg-check %}} TLS_AES_128_GCM_SHA256
+
+1. {{% svg-check %}} TLS_AES_256_GCM_SHA384
+
+1. {{% svg-check %}} TLS_CHACHA20_POLY1305_SHA256
+
+## TLS 1.2 cipher suites with _Forward Secrecy_
+
+### Recommended
+
+[TLS 1.2] carried-forward the habit of allowing administrators to configure which cipher suites to support, which led to _several_ security vulnerabilies being exposed during the 2010s.
+
+As a result, these are the only cipher suites with no known vulnerabilities left, and are likely to work with most server software.
+
+1. {{% svg-check %}} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+
+1. {{% svg-check %}} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+
+1. {{% svg-check %}} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+
+These are equivalent to the cipher suite identifiers used in **TLS 1.3**. The only difference being that they specify the key exchange (`ECDHE`) and the authenticating signing mechanism (`ECDSA`), whereas the TLS 1.3 cipher suites do not.
+
+### Tolerable
+
+The following cipher suites are **also secure**, and you can add them **in addition to** the _Recommended_ cipher suites. However they aren't **recommended** because _RSA Authentication Signing_ with keys over 2048 bits can have a notable impact to performance.
+
+1. {{% svg-check %}} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+
+1. {{% svg-check %}} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+
+1. {{% svg-check %}} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+
+[TLS 1.2]: https://datatracker.ietf.org/doc/html/rfc5246
+[TLS 1.3]: https://datatracker.ietf.org/doc/html/rfc8446
diff --git a/content/learning/tls/3des.md b/content/learning/tls/3des.md
index 03e6ba7..64d28dd 100644
--- a/content/learning/tls/3des.md
+++ b/content/learning/tls/3des.md
@@ -28,12 +28,12 @@ The best way to avoid vulnerabilities is to _only_ allow TLS 1.2 (with recommend
## Information
-| Field | Value |
-|--------------|----------------------|
-| Kind | Encryption algorithm |
-| Invented | 1981 |
-| Cracked | 2016 |
-| Related tech | [EMV] |
+| Field | Value |
+|--------------|--------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 1981 |
+| Cracked | 2016 |
+| Related tech | [EMV] |
[EMV]: https://en.wikipedia.org/wiki/EMV
[Triple-DES]: https://en.wikipedia.org/wiki/Triple_DES
diff --git a/content/learning/tls/_index.md b/content/learning/tls/_index.md
index 2787e25..e31efba 100644
--- a/content/learning/tls/_index.md
+++ b/content/learning/tls/_index.md
@@ -26,55 +26,6 @@ In [TLS Vulnerabilities]({{% relref "vulns" %}}), we list a number of known vuln
Rather than continuing to allow access to older cipher suites with outdated security in order to allow older clients and web browsers to connect, the lessons from the 2010s taught us that it's the _future or bust_.
-In {{% year %}}, there are only two configurations which are considered fully secure, and both should be offered to end-users:
-
-## Recommended settings
-
-### TLS versions
-
-* {{% svg-check %}} TLS 1.3+ {{% svg-check %}} TLS 1.2.
-
-* {{% svg-x %}} TLS 1.1, {{% svg-x %}} TLS 1.0, {{% svg-x %}} SSLv3, and {{% svg-x %}} SSLv2.
-
-### TLS 1.3 cipher suites
-
-In order to simplify configuration and increase security, [TLS 1.3] has _only_ three cipher suites which are meant to be non-configurable.
-
-1. {{% svg-check %}} TLS_AES_128_GCM_SHA256
-
-1. {{% svg-check %}} TLS_AES_256_GCM_SHA384
-
-1. {{% svg-check %}} TLS_CHACHA20_POLY1305_SHA256
-
-### TLS 1.2 cipher suites with _Forward Secrecy_
-
-#### Recommended
-
-[TLS 1.2] carried-forward the habit of allowing administrators to configure which cipher suites to support, which led to _several_ security vulnerabilies being exposed during the 2010s.
-
-As a result, these are the only cipher suites with no known vulnerabilities left, and are likely to work with most server software.
-
-1. {{% svg-check %}} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
-1. {{% svg-check %}} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-
-1. {{% svg-check %}} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-
-These are equivalent to the cipher suite identifiers used in **TLS 1.3**. The only difference being that they specify the key exchange (`ECDHE`) and the authenticating signing mechanism (`ECDSA`).
-
-#### Tolerable
-
-The following cipher suites are also **secure**, and you can add them **in addition to** the _Recommended_ cipher suites. However they aren't **recommended** because _RSA Authentication Signing_ with keys over 2048 bits can have a notable impact to performance.
-
-1. {{% svg-check %}} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-
-1. {{% svg-check %}} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-
-1. {{% svg-check %}} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-
## Parts of a cipher suite
If any one part of a cipher suite has an issue, it can compromise the integrity of the entire cipher suite.
-
-[TLS 1.2]: https://datatracker.ietf.org/doc/html/rfc5246
-[TLS 1.3]: https://datatracker.ietf.org/doc/html/rfc8446
diff --git a/content/learning/tls/aes.md b/content/learning/tls/aes.md
index dd673c1..f8ca765 100644
--- a/content/learning/tls/aes.md
+++ b/content/learning/tls/aes.md
@@ -15,7 +15,7 @@ The [Advanced Encryption Standard][AES] (AES), also known as _Rijndael_, is a sy
| Field | Value |
|--------------|-------------------------------------------------------------------------------------------------|
-| Kind | Encryption algorithm |
+| Kind | {{% param-kind %}} |
| Invented | 1998 |
| Cracked | - |
| Related tech | [FIPS-197], [ISO 18033-3], [FileVault 2], [Linux Crypto], [Libsodium], [VeraCrypt], [BitLocker] |
diff --git a/content/learning/tls/anon.md b/content/learning/tls/anon.md
index 0501a86..df71a53 100644
--- a/content/learning/tls/anon.md
+++ b/content/learning/tls/anon.md
@@ -20,8 +20,8 @@ Any cipher suite with `anon` in the name should be avoided.
## Information
-| Field | Value |
-|-------|----------------------|
-| Kind | Encryption algorithm |
+| Field | Value |
+|-------|--------------------|
+| Kind | {{% param-kind %}} |
[MITM]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
diff --git a/content/learning/tls/aria.md b/content/learning/tls/aria.md
index 90073e2..f7d4864 100644
--- a/content/learning/tls/aria.md
+++ b/content/learning/tls/aria.md
@@ -15,11 +15,11 @@ It is derived from [AES]({{% relref "AES" %}}), and the [source code of its refe
## Information
-| Field | Value |
-|----------|----------------------|
-| Kind | Encryption algorithm |
-| Invented | 2003 |
-| Cracked | - |
+| Field | Value |
+|----------|--------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 2003 |
+| Cracked | - |
[ARIA]: https://en.wikipedia.org/wiki/ARIA_(cipher)
[RFC6209]: https://datatracker.ietf.org/doc/html/rfc6209
diff --git a/content/learning/tls/camellia.md b/content/learning/tls/camellia.md
new file mode 100644
index 0000000..abaa0e8
--- /dev/null
+++ b/content/learning/tls/camellia.md
@@ -0,0 +1,53 @@
+---
+title: Camellia
+description: ✅ Secure encryption algorithm
+layout: learn-single
+
+tls_part: encryption-algo
+
+learn_more:
+ - text: 'Official English-Language Camellia Homepage'
+ url: https://info.isl.ntt.co.jp/crypt/eng/camellia/
+ source: NTT
+
+ - text: 'A Description of the Camellia Encryption Algorithm'
+ url: https://datatracker.ietf.org/doc/html/rfc3713
+ source: IETF
+
+ - text: 'Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)'
+ url: https://datatracker.ietf.org/doc/html/rfc6367
+ source: IETF
+
+ - text: 'Camellia source code'
+ url: https://embeddedsw.net/Cipher_Reference_Home.html#CAMELLIA
+
+---
+
+## Summary
+
+[Camellia] is a symmetric key block cipher developed by _Mitsubishi Electric_ and _NTT of Japan_, approved for use by [ISO/IEC][ISO 18033-3], [NESSIE], and [CRYPTREC].
+
+It is considered a modern, safe cipher with security levels comparable to [AES]({{% relref "AES" %}}). Camellia has been adopted in various security libraries, protocols, and applications, including TLS, IPsec, Kerberos, and OpenPGP.
+
+It became an international standard in [ISO 18033-3].
+
+## Information
+
+| Field | Value |
+|--------------|---------------------------------------------------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 2000 |
+| Cracked | - |
+| Ephemeral | _Yes_ |
+| Related tech | [IPsec], [Kerberos], [PGP], [PKCS #11], [S/MIME], [VeraCrypt] |
+
+[Camellia]: https://en.wikipedia.org/wiki/Camellia_(cipher)
+[CRYPTREC]: https://en.wikipedia.org/wiki/CRYPTREC
+[IPsec]: https://en.wikipedia.org/wiki/IPsec
+[ISO 18033-3]: https://www.iso.org/standard/54531.html
+[Kerberos]: https://en.wikipedia.org/wiki/Kerberos_(protocol)
+[NESSIE]: https://en.wikipedia.org/wiki/NESSIE
+[PGP]: https://pgpkeys.org/docs/pgpfaq.html#HDPK
+[PKCS #11]: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html
+[S/MIME]: https://datatracker.ietf.org/doc/html/rfc8551
+[VeraCrypt]: https://en.wikipedia.org/wiki/VeraCrypt
diff --git a/content/learning/tls/cbc.md b/content/learning/tls/cbc.md
index c803895..c979eea 100644
--- a/content/learning/tls/cbc.md
+++ b/content/learning/tls/cbc.md
@@ -7,8 +7,10 @@ tls_part: encryption-algo
vulns:
- beast
+ - goldendoodle
- lucky-13
- poodle
+ - zombie-poodle
---
@@ -20,10 +22,10 @@ Any cipher suite with `CBC` in the name should be avoided.
## Information
-| Field | Value |
-|----------|----------------------|
-| Kind | Encryption algorithm |
-| Invented | 1976 |
-| Cracked | 2011 |
+| Field | Value |
+|----------|--------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 1976 |
+| Cracked | 2011 |
[CBC]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC)
diff --git a/content/learning/tls/des.md b/content/learning/tls/des.md
index 80c3363..71db596 100644
--- a/content/learning/tls/des.md
+++ b/content/learning/tls/des.md
@@ -20,12 +20,12 @@ Any cipher suite with `DES` in the name should be avoided.
## Information
-| Field | Value |
-|--------------|----------------------|
-| Kind | Encryption algorithm |
-| Invented | 1972 |
-| Cracked | 1997 |
-| Related tech | [FIPS-46] |
+| Field | Value |
+|--------------|--------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 1972 |
+| Cracked | 1997 |
+| Related tech | [FIPS-46] |
[cracked]: https://web.archive.org/web/20170507231657/https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html
[DES]: https://en.wikipedia.org/wiki/Data_Encryption_Standard
diff --git a/content/learning/tls/dh.md b/content/learning/tls/dh.md
index cf51853..93635ab 100644
--- a/content/learning/tls/dh.md
+++ b/content/learning/tls/dh.md
@@ -30,13 +30,13 @@ The newer [elliptic-curve][ECC] (ECDHE) key exchange algorithms are more secure
## Information
-| Field | Value |
-|--------------|--------------|
-| Kind | Key exchange |
-| Invented | 1976 |
-| Cracked¹ | 2015 |
-| Ephemeral | _No_ |
-| Related tech | [PGP] |
+| Field | Value |
+|--------------|--------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 1976 |
+| Cracked¹ | 2015 |
+| Ephemeral | _No_ |
+| Related tech | [PGP] |
¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-Quantum computing).
diff --git a/content/learning/tls/dhe.md b/content/learning/tls/dhe.md
index 9ca4abf..9d4039c 100644
--- a/content/learning/tls/dhe.md
+++ b/content/learning/tls/dhe.md
@@ -31,13 +31,13 @@ The newer [elliptic-curve][ECC] (ECDHE) key exchange algorithms are more secure
## Information
-| Field | Value |
-|--------------|--------------|
-| Kind | Key exchange |
-| Invented | 1976 |
-| Cracked¹ | 2015 |
-| Ephemeral | _Yes_ |
-| Related tech | [PGP] |
+| Field | Value |
+|--------------|--------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 1976 |
+| Cracked¹ | 2015 |
+| Ephemeral | _Yes_ |
+| Related tech | [PGP] |
¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-Quantum computing).
diff --git a/content/learning/tls/dss.md b/content/learning/tls/dss.md
index d484868..87e0587 100644
--- a/content/learning/tls/dss.md
+++ b/content/learning/tls/dss.md
@@ -17,12 +17,12 @@ Any cipher suite with `DSS` in the name should be avoided. `ECDSA` signing shoul
## Information
-| Field | Value |
-|--------------|------------------------|
-| Kind | Authentication signing |
-| Invented | 1991 |
-| Deprecated | 2023 |
-| Related tech | [FIPS-186] |
+| Field | Value |
+|--------------|--------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 1991 |
+| Deprecated | 2023 |
+| Related tech | [FIPS-186] |
[announced]: https://www.nist.gov/news-events/news/2023/02/nist-revises-digital-signature-standard-dss-and-publishes-guideline
[DSA]: https://en.wikipedia.org/wiki/Digital_Signature_Algorithm
diff --git a/content/learning/tls/ecdsa.md b/content/learning/tls/ecdsa.md
index 3bf9236..0d7529b 100644
--- a/content/learning/tls/ecdsa.md
+++ b/content/learning/tls/ecdsa.md
@@ -36,11 +36,11 @@ Well-known cryptographers (including [Bruce Schneier]) have expressed doubts abo
## Information
-| Field | Value |
-|------------|------------------------|
-| Kind | Authentication signing |
-| Proposed | 1992 |
-| Deprecated | - |
+| Field | Value |
+|------------|--------------------|
+| Kind | {{% param-kind %}} |
+| Proposed | 1992 |
+| Deprecated | - |
[backdoors]: https://www.theguardian.com/us-news/2015/feb/23/nsa-director-defends-backdoors-into-technology-companies
[Bruce Schneier]: https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
diff --git a/content/learning/tls/export.md b/content/learning/tls/export.md
index 38c33d7..b84baa1 100644
--- a/content/learning/tls/export.md
+++ b/content/learning/tls/export.md
@@ -21,8 +21,8 @@ Any cipher suite with `EXPORT` in the name should be avoided.
## Information
-| Field | Value |
-|-------|----------------------|
-| Kind | Encryption algorithm |
+| Field | Value |
+|-------|--------------------|
+| Kind | {{% param-kind %}} |
[EXPORT]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States
diff --git a/content/learning/tls/gost-r.md b/content/learning/tls/gost-r.md
new file mode 100644
index 0000000..5281fb9
--- /dev/null
+++ b/content/learning/tls/gost-r.md
@@ -0,0 +1,53 @@
+---
+title: GOST R
+description: ❌ Insecure specification
+layout: learn-single
+
+tls_part: encryption-algo
+
+learn_more:
+ - text: 'Official English-Language Camellia Homepage'
+ url: https://info.isl.ntt.co.jp/crypt/eng/camellia/
+ source: NTT
+
+ - text: 'A Description of the Camellia Encryption Algorithm'
+ url: https://datatracker.ietf.org/doc/html/rfc3713
+ source: IETF
+
+ - text: 'Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)'
+ url: https://datatracker.ietf.org/doc/html/rfc6367
+ source: IETF
+
+ - text: 'Camellia source code'
+ url: https://embeddedsw.net/Cipher_Reference_Home.html#CAMELLIA
+
+---
+
+## Summary
+
+[Camellia] is a symmetric key block cipher developed by _Mitsubishi Electric_ and _NTT of Japan_, approved for use by [ISO/IEC][ISO 18033-3], [NESSIE], and [CRYPTREC].
+
+It is considered a modern, safe cipher with security levels comparable to [AES]({{% relref "AES" %}}). Camellia has been adopted in various security libraries, protocols, and applications, including TLS, IPsec, Kerberos, and OpenPGP.
+
+It became an international standard in [ISO 18033-3].
+
+## Information
+
+| Field | Value |
+|--------------|---------------------------------------------------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 2000 |
+| Cracked | - |
+| Ephemeral | _Yes_ |
+| Related tech | [IPsec], [Kerberos], [PGP], [PKCS #11], [S/MIME], [VeraCrypt] |
+
+[Camellia]: https://en.wikipedia.org/wiki/Camellia_(cipher)
+[CRYPTREC]: https://en.wikipedia.org/wiki/CRYPTREC
+[IPsec]: https://en.wikipedia.org/wiki/IPsec
+[ISO 18033-3]: https://www.iso.org/standard/54531.html
+[Kerberos]: https://en.wikipedia.org/wiki/Kerberos_(protocol)
+[NESSIE]: https://en.wikipedia.org/wiki/NESSIE
+[PGP]: https://pgpkeys.org/docs/pgpfaq.html#HDPK
+[PKCS #11]: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html
+[S/MIME]: https://datatracker.ietf.org/doc/html/rfc8551
+[VeraCrypt]: https://en.wikipedia.org/wiki/VeraCrypt
diff --git a/content/learning/tls/rc2.md b/content/learning/tls/rc2.md
index ef2132a..08f4aeb 100644
--- a/content/learning/tls/rc2.md
+++ b/content/learning/tls/rc2.md
@@ -22,7 +22,7 @@ Any cipher suite with `RC2` in the name should be avoided.
| Field | Value |
|--------------|----------------------------|
-| Kind | Encryption algorithm |
+| Kind | {{% param-kind %}} |
| Invented | 1987 |
| Cracked | 1997 |
| Related tech | [RSA], Comparable to [DES] |
diff --git a/content/learning/tls/rc4.md b/content/learning/tls/rc4.md
index 84d87be..60776f9 100644
--- a/content/learning/tls/rc4.md
+++ b/content/learning/tls/rc4.md
@@ -36,7 +36,7 @@ Any cipher suite with `RC4` in the name should be avoided.
| Field | Value |
|--------------|---------------------------------|
-| Kind | Encryption algorithm |
+| Kind | {{% param-kind %}} |
| Invented | 1987 |
| Cracked | 2015 |
| Related tech | [RSA], [WEP], [WPA], [WPA-TKIP] |
diff --git a/content/learning/tls/rsa-kex.md b/content/learning/tls/rsa-kex.md
index 01e8756..e28f879 100644
--- a/content/learning/tls/rsa-kex.md
+++ b/content/learning/tls/rsa-kex.md
@@ -5,17 +5,44 @@ layout: learn-single
tls_part: key-exchange
+vulns:
+ - bleichenbacher
+ - robot
+
+learn_more:
+ - text: 'A Method for Obtaining Digital Signatures and Public-Key Cryptosystems'
+ url: https://web.archive.org/web/20230127011251/http://people.csail.mit.edu/rivest/Rsapaper.pdf
+ source: MIT
+
+ - text: 'RSA Security Releases RSA Encryption Algorithm into Public Domain'
+ url: https://web.archive.org/web/20071120112201/http://www.rsa.com/press_release.aspx?id=261
+ source: RSA
+
+ - text: 'Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1'
+ url: https://datatracker.ietf.org/doc/html/rfc3447
+ source: IETF
+
+ - text: 'Gambling with Secrets: 8/8 (RSA Encryption)'
+ url: https://www.youtube.com/watch?v=vgTtHV04xRI
+ source: YouTube
+
---
## Summary
-@TODO
+The term [RSA] has two different contexts: (a) the key exchange, and (b) the authentication signature. This is about **RSA, the key exchange**.
+
+Using RSA for key exchange (starts with `TLS_RSA`) was cracked in 2017. For TLS 1.2, only `ECDHE` key exchanges should be used.
## Information
-| Field | Value |
-|--------------|--------------|
-| Kind | Key exchange |
-| Invented | |
-| Deprecated | |
-| Related tech | |
+| Field | Value |
+|--------------|--------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 1977 |
+| Cracked | 2017 |
+| Related tech | [PGP], [SSH] |
+
+[PGP]: https://pgpkeys.org/docs/pgpfaq.html#HDPK
+[RSA]: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
+[SSH]: https://en.wikipedia.org/wiki/Secure_Shell
diff --git a/content/learning/tls/rsa-sig.md b/content/learning/tls/rsa-sig.md
index 53c77e9..d8cb365 100644
--- a/content/learning/tls/rsa-sig.md
+++ b/content/learning/tls/rsa-sig.md
@@ -5,17 +5,42 @@ layout: learn-single
tls_part: auth-sig
+learn_more:
+ - text: 'A Method for Obtaining Digital Signatures and Public-Key Cryptosystems'
+ url: https://web.archive.org/web/20230127011251/http://people.csail.mit.edu/rivest/Rsapaper.pdf
+ source: MIT
+
+ - text: 'RSA Security Releases RSA Encryption Algorithm into Public Domain'
+ url: https://web.archive.org/web/20071120112201/http://www.rsa.com/press_release.aspx?id=261
+ source: RSA
+
---
## Summary
-@TODO
+The term [RSA] has two different contexts: (a) the key exchange, and (b) the authentication signature. This is about **RSA, the authentication signature**.
+
+As noted by [Veritas]:
+
+> **Slow processing speed:** The RSA algorithm has a slow processing speed compared to other encryption algorithms when dealing with large data amounts. It is not always suitable for applications like those requiring regular encryption and decryption of large data amounts
+>
+> **Large key size:** RSA cryptography requires the use of large key sizes for security. Therefore, it requires more computational power, resource, and storage.
+
+Longer RSA keys (e.g., 3072-bit, 4096-bit) are more secure compared to RSA 2048-bit, but become increasingly slow to calculate, making it less suitable to use for TLS connections. Modern `ECDSA` authentication signatures are faster and cheaper to calculate compared to RSA authentication signatures, and retain a high degree of cryptographic security.
+
+It continues to be part of [FIPS-186], published by U.S. NIST.
## Information
-| Field | Value |
-|--------------|------------------------|
-| Kind | Authentication signing |
-| Invented | |
-| Deprecated | |
-| Related tech | |
+| Field | Value |
+|--------------|--------------------------|
+| Kind | {{% param-kind %}} |
+| Invented | 1977 |
+| Cracked | - |
+| Related tech | [FIPS-186], [PGP], [SSH] |
+
+[FIPS-186]: https://csrc.nist.gov/pubs/fips/186-5/final
+[PGP]: https://pgpkeys.org/docs/pgpfaq.html#HDPK
+[RSA]: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
+[SSH]: https://en.wikipedia.org/wiki/Secure_Shell
+[Veritas]: https://www.veritas.com/information-center/rsa-encryption
diff --git a/content/vulns/_index.md b/content/vulns/_index.md
index 8b981c0..600ff92 100644
--- a/content/vulns/_index.md
+++ b/content/vulns/_index.md
@@ -6,4 +6,4 @@ layout: list
## By name
-A list of known security vulnerabilities, by name.
+A list of known security vulnerabilities targeting SSL/TLS, by name.
diff --git a/content/vulns/beast.md b/content/vulns/beast.md
index a884e8b..4d4fb4c 100644
--- a/content/vulns/beast.md
+++ b/content/vulns/beast.md
@@ -33,7 +33,7 @@ learn_more:
The [BEAST] attack targets a security vulnerability in SSL 3.0 and TLS 1.0 protocols, focusing on their use of CBC (Cipher Block Chaining) encryption. It details an attack capable of decrypting encrypted HTTPS requests and obtaining sensitive information such as authentication tokens or cookies. This attack exploits the predictable chaining of initialization vectors (IVs) in CBC mode, allowing an attacker to recover plaintext efficiently by manipulating and observing ciphertext blocks.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/bleichenbacher.md b/content/vulns/bleichenbacher.md
new file mode 100644
index 0000000..22e9196
--- /dev/null
+++ b/content/vulns/bleichenbacher.md
@@ -0,0 +1,49 @@
+---
+title: Bleichenbacher’s Oracle
+description: 'Attack against RSA Encryption Standard PKCS #1'
+layout: vuln
+
+aliases:
+ - /learning/vulns/bleichenbacher
+
+year: 1998
+classes:
+ - Data leakage
+
+learn_more:
+ - text: 'Bleichenbacher Attack Explained'
+ url: https://medium.com/@c0D3M/bleichenbacher-attack-explained-bc630f88ff25
+ source: Medium
+
+ - text: 'Bleichenbacher’s “Million message attack” on RSA in Python'
+ url: https://github.com/duesee/bleichenbacher
+ source: GitHub
+
+ - text: 'Practical Padding Oracle Attacks on RSA'
+ url: https://web.archive.org/web/20240910161606/http://secgroup.dais.unive.it/wp-content/uploads/2012/11/Practical-Padding-Oracle-Attacks-on-RSA.html
+ source: Ca' Foscari University of Venice
+
+ - text: 'PKCS #1'
+ url: https://en.wikipedia.org/wiki/PKCS_1
+ source: Wikipedia
+
+---
+
+## Overview
+
+[Bleichenbacher’s Oracle] is an adaptive chosen-ciphertext attack exploiting weaknesses in the RSA encryption standard PKCS #1.
+
+By leveraging an attack vector which reveals whether a ciphertext conforms to PKCS formatting, attackers can decrypt messages or forge signatures incrementally through carefully chosen ciphertexts. This vulnerability arises from inadequate integrity checks, error messages, or timing discrepancies in cryptographic protocols, notably affecting SSL v3.0 implementations.
+
+The original research paper highlights experimental successes with millions of ciphertexts and recommends plaintext-aware encryption schemes and immediate post-decryption integrity checks to mitigate such risks.
+
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
+
+## Information
+
+| Field | Value |
+|--------------------------|---------------------|
+| Vulnerability discovered | {{% param-year %}} |
+| Vulnerability class | {{% param-class %}} |
+
+[Bleichenbacher’s Oracle]: https://web.archive.org/web/20241211201343/https://archiv.infsec.ethz.ch/education/fs08/secsem/Bleichenbacher98.pdf
diff --git a/content/vulns/dheatattack.md b/content/vulns/dheatattack.md
index 0b4a448..6ddafc1 100644
--- a/content/vulns/dheatattack.md
+++ b/content/vulns/dheatattack.md
@@ -3,6 +3,9 @@ title: DHEat Attack
description: Triggering Diffie-Hellman to eat the CPU
layout: vuln
+aliases:
+ - /learning/vulns/dheatattack
+
year:
- 2002
- 2022
@@ -29,7 +32,7 @@ While the bug was identified in 2002, a proof-of-concept was created in 2022.
It impacts systems with DHE enabled for backward compatibility or forward secrecy. Its unauthenticated, low-cost exploitability make this a notable vulnerability. While the protocol flaw is unfixable, mitigation includes disabling DHE in favor of ECDHE, applying rate-limiting techniques, and updating server configurations.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/drown.md b/content/vulns/drown.md
index 24a4136..0bb87be 100644
--- a/content/vulns/drown.md
+++ b/content/vulns/drown.md
@@ -25,7 +25,7 @@ learn_more:
The [DROWN] attack is a vulnerability affecting HTTPS and other services using SSL and TLS, allowing attackers to decrypt sensitive communications. The attack exploits SSLv2, a deprecated protocol, to compromise modern TLS connections, even if SSLv2 is not directly used. Server operators must disable SSLv2 or ensure private keys are not used on any SSLv2-supporting servers to mitigate the risk.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/freak.md b/content/vulns/freak.md
index e152a42..f52b490 100644
--- a/content/vulns/freak.md
+++ b/content/vulns/freak.md
@@ -35,7 +35,7 @@ The [FREAK] attack is known as a _downgrade attack_, which targets handshake mes
Researchers uncovered that many TLS implementations allow authentication message skipping, making them susceptible to these attacks, especially when using compromised code bases or outdated OpenSSL versions. To mitigate risks, organizations should conduct SKIP-TLS risk audits, patch web browsers, and avoid sensitive activities on unsecured networks.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
diff --git a/content/vulns/goldendoodle.md b/content/vulns/goldendoodle.md
index be0b808..88fc8a6 100644
--- a/content/vulns/goldendoodle.md
+++ b/content/vulns/goldendoodle.md
@@ -1,6 +1,6 @@
---
title: GOLDENDOODLE
-description:
+description: TLS padding oracle vulnerability against CBC
layout: vuln
year: 2019
@@ -16,6 +16,10 @@ learn_more:
url: https://www.tripwire.com/state-of-security/tls-cbc-padding-oracles
source: Tripwire
+ - text: 'ZOMBIE POODLE and GOLDENDOODLE ATTACKS'
+ url: https://medium.com/@hemparekh1596/poodle-and-goldennoodle-attacks-6d9651e140ac
+ source: Medium
+
- text: 'TLS CBC Padding Oracle Checker'
url: https://github.com/Tripwire/padcheck
source: GitHub
@@ -28,7 +32,7 @@ The [GOLDENDOODLE] attack is a type of TLS CBC padding oracle vulnerability (lik
GOLDENDOODLE can be used to hijack authenticated TLS sessions if the server reveals the padding validity of application data records in such a way that a Man-in-the-Middle (MITM) attacker can recognize well-formed padding independently of a valid Message Authentication Code (MAC).
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/logjam.md b/content/vulns/logjam.md
index 67f198b..bb642e3 100644
--- a/content/vulns/logjam.md
+++ b/content/vulns/logjam.md
@@ -31,7 +31,7 @@ The [Logjam] attack exposes critical vulnerabilities in the widely used Diffie-H
Through precomputation techniques, and exploiting reused/standardized or weak parameters, the cost of large-scale attacks is significantly reduced. The findings of the official research report underline the urgency for transitioning to stronger cryptographic methods, like elliptic curve Diffie-Hellman (ECDHE) and/or larger key sizes, to protect against such attacks and ensure better security practices across the internet.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/lucky-13.md b/content/vulns/lucky-13.md
index 57334fb..1d92cb2 100644
--- a/content/vulns/lucky-13.md
+++ b/content/vulns/lucky-13.md
@@ -22,7 +22,7 @@ learn_more:
The [Lucky 13] attack exploits a flaw in the TLS and DTLS record protocols, allowing attackers to recover plaintext from encrypted connections. The attacks, which affect all compliant TLS and DTLS implementations using CBC-mode encryption, can be mitigated by switching to AEAD (AES-GCM) ciphersuites.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/nomore.md b/content/vulns/nomore.md
index de286de..7f0540c 100644
--- a/content/vulns/nomore.md
+++ b/content/vulns/nomore.md
@@ -24,7 +24,7 @@ learn_more:
The [RC4 NOMORE] attack significantly reduces the time required to decrypt sensitive data secured by RC4. The attack exploits statistical biases in the keystream, making it possible to decrypt repeated plaintext-like cookies within 75 hours. While mitigations can slow down attacks, the only effective countermeasure is to stop using RC4 altogether.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/poodle.md b/content/vulns/poodle.md
index e7cdc44..2506168 100644
--- a/content/vulns/poodle.md
+++ b/content/vulns/poodle.md
@@ -36,7 +36,7 @@ The [POODLE] attack is a security vulnerability in the obsolete SSL 3.0 protocol
This occurs through weaknesses in SSL 3.0’s block cipher padding, particularly in CBC mode, which can be exploited via a padding oracle attack when a man-in-the-middle attacker manipulates network transmissions.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/robot.md b/content/vulns/robot.md
index 56442b1..4c769a0 100644
--- a/content/vulns/robot.md
+++ b/content/vulns/robot.md
@@ -34,7 +34,7 @@ Despite decades of advancements, a comprehensive analysis revealed its prevalenc
ROBOT demonstrated novel side-channel methods and executed proof-of-concept attacks, such as signing a certificate for Facebook, highlighting widespread implementation gaps. The research underscores the necessity of retiring insecure standards like RSA PKCS #1 v1.5 in favor of robust alternatives and deploying meticulous testing frameworks to prevent similar vulnerabilities in the future.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/sweet32.md b/content/vulns/sweet32.md
index f35badf..87f6be4 100644
--- a/content/vulns/sweet32.md
+++ b/content/vulns/sweet32.md
@@ -28,7 +28,7 @@ learn_more:
This vulnerability is exacerbated by the widespread use of these ciphers in protocols like TLS and OpenVPN, despite their known weaknesses.
-The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "tls" %}})) and TLS 1.3.
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
## Information
diff --git a/content/vulns/zombie-poodle.md b/content/vulns/zombie-poodle.md
new file mode 100644
index 0000000..16a52f5
--- /dev/null
+++ b/content/vulns/zombie-poodle.md
@@ -0,0 +1,44 @@
+---
+title: Zombie POODLE
+description: TLS padding oracle vulnerability against CBC
+layout: vuln
+
+year: 2019
+classes:
+ - Data leakage
+
+learn_more:
+ - text: 'Introducing Zombie POODLE and GOLDENDOODLE'
+ url: https://www.tripwire.com/state-of-security/zombie-poodle-goldendoodle
+ source: Tripwire
+
+ - text: 'TLS CBC Padding Oracles in 2019'
+ url: https://www.tripwire.com/state-of-security/tls-cbc-padding-oracles
+ source: Tripwire
+
+ - text: 'ZOMBIE POODLE and GOLDENDOODLE ATTACKS'
+ url: https://medium.com/@hemparekh1596/poodle-and-goldennoodle-attacks-6d9651e140ac
+ source: Medium
+
+ - text: 'TLS CBC Padding Oracle Checker'
+ url: https://github.com/Tripwire/padcheck
+ source: GitHub
+
+---
+
+## Overview
+
+The [Zombie POODLE] attack is a resurrection of the [POODLE]({{% relref "POODLE" %}}) TLS attack. Zombie POODLE exploits server stacks that behave differently when receiving TLS records with valid Message Authentication Code (MAC) but invalid padding. The difference between POODLE TLS and Zombie POODLE is that Zombie POODLE generically refers to the exploitation of various _implementation errors_ which create this valid-MAC/invalid-pad oracle.
+
+Zombie POODLE can be used to hijack authenticated TLS sessions if the server reveals the padding validity of application data records in such a way that a Man-in-the-Middle (MITM) attacker can recognize well/ill-formed padding independently of a valid/invalid Message Authentication Code (MAC).
+
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with [recommended cipher suites]({{% relref "recommended-cipher-suites" %}})) and TLS 1.3.
+
+## Information
+
+| Field | Value |
+|--------------------------|---------------------|
+| Vulnerability discovered | {{% param-year %}} |
+| Vulnerability class | {{% param-class %}} |
+
+[Zombie POODLE]: https://www.tripwire.com/state-of-security/zombie-poodle
diff --git a/list.txt b/list.txt
index e7914c8..7ec44e7 100644
--- a/list.txt
+++ b/list.txt
@@ -1,12 +1,13 @@
+gost-r
+
# Kex
-CAMELLIA
-ECCPWD
-ECDH
-ECDHE
-KRB5
-PSK
-SRP
-GOSTR341112
+eccpwd
+ecdh
+ecdhe
+krb5
+psk
+srp
+
# Enc
CCM
diff --git a/themes/dst2024 b/themes/dst2024
index 350429b..efdc748 160000
--- a/themes/dst2024
+++ b/themes/dst2024
@@ -1 +1 @@
-Subproject commit 350429b4acd28e68aa28bfa19aabdf18d33db393
+Subproject commit efdc7489cd9a62fa234114ae11ab4592bc9b531a