PaloAlto Captive Portal XSS Attack

PaloAlto has issued a patch for an XSS attack on the captive portal that I disclosed a few months back. The official advisory can be found here. The attack has been given a CVSS score of 6.1 (screenshot taken from IBM X-Force). Below follows the original report submitted to PaloAlto …

Signing GMail Messages with the Estonian eID PKI Card (Part 2)

In a previous blog post we explored how to sign messages using the Estonian eID card. In this video, we demonstrate how a receiver who got a signed email message would be able to verify that the email really did come from the advertised sender. I have uploaded the revised code to GitHub, please …

Proxy re-encryption

What is proxy re-encryption? Proxy re-encryption lets Alice send Bob a message (M) via a semi-trusted proxy, without revealing Alice's private key to either the proxy or Bob, and without revealing the secret message to the proxy. As Wikipedia puts it: "Proxy re-encryption schemes are cryptosystems which allow third parties (proxies) to alter a ciphertext …

Signing GMail Messages with the Estonian eID PKI Card (Part 1)

After reading several articles about the Estonian eID, such as this one: "I’m now an Estonian e-resident, but I still don’t know what to do with it", it becomes clear that there need to be a few more use cases around the eID ecosystem. Cyrus Farivar (the author of the above article) already mentions how he used …

Common operations using Estonian eID (Linux)

Assumptions: using Ubuntu with OpenSC. Installation tip: make sure to have installed OpenSC from source rather than from the Ubuntu repositories (in other words, follow the instructions here [1] rather than using apt-get install opensc). This is necessary to avoid the "failed: Invalid arguments Decrypt failed: Invalid arguments" error as outlined in this OpenSC …

Using Let’s Encrypt manual mode

Let's Encrypt is a service sponsored by web giants such as Facebook, Google Chrome, and Cisco. Let's Encrypt has recently gone into public beta and is extremely easy to use. It has some modules already built in to integrate directly with popular web servers like Apache. In my case, I had two use cases where …

ELK : exporting to CSV

Note: the following requires the "jq" JSON parser, available from:
1. Run the desired query through the Kibana WebUI.
2. Expand the additional options pane by clicking on the arrow underneath the graph as indicated in the below screenshot.
3. Select “Request” and copy the request displayed.
4. Open a Linux terminal and use the …