At Akamai, we're launching a blog post series on various topics relating to post-quantum cryptography. The first post is by @rsalz, discussing some related IETF initiatives, including the two #TLS drafts he co-authored:

https://www.akamai.com/blog/trends/building-quantum-safe-internet-ietf-plan-tls

#pqc

A recent research has exposed more than 40 * 10³ IoT cameras happily showing their feed _and_ location to anyone who can browse and use search engines specialized in the indexing of the misconfigured devices.

More than 14 * 10³ are localised in the USA.

Read more here.

Note:
I know that there are more than a million of these cameras world wide misconfigured an open on just port 80 http not even TLS 443, with admin / admin as credentials 🪪

https://www.theregister.com/2025/06/10/40000_iot_cameras_exposed/

#Infosec #nightmare #not #news #IoT #cameras #security #misconfigured #streaming #TLS #HTTP

Alt...

The image shows a screenshot of a news article from The Register website. The article is titled "Peep show: 40K IoT cameras worldwide stream secrets to anyone with a browser." The headline is in white text on a black background, with the word "RESEARCH" in white above it. The article mentions that the majority of exposures are located in the US, including datacenters, healthcare facilities, factories, and more. The author of the article is Connor Jones, and it was published on Tuesday, June 10, 2025, at 10:00 UTC. The article states that security researchers managed to access the live feeds of 40,000 internet-connected cameras worldwide. The website's URL is visible at the bottom of the screen, and there are 16 comments on the article. The screenshot also shows the time as 21:59, with a battery level of 85%.

Alt...

The image shows a screenshot of a news article from "The A Register" displayed on a mobile device. The article discusses a cybersecurity issue, highlighting that the US was the most affected region with around 14,000 feeds streaming from the country. These feeds provide access to various facilities, including datacenters, healthcare facilities, factories, hotels, gyms, construction sites, retail premises, and residential areas. Bitsight, a cybersecurity firm, warns that these feeds could be used for espionage, mapping blind spots, and stealing trade secrets. The article also mentions that monitoring typical patterns of activity in retail stores could be useful for petty criminals. The screenshot includes the website's logo, a red banner with the text "The A Register," and a navigation bar at the bottom with three dots, a circle, and a left arrow. The device's status bar at the top shows the time as 22:00, a battery level of 85%, and various connectivity icons. Ovis2-8B 🌱 Energy used: 0.889 Wh

More interesting progress trying to make #swad suitable for very busy sites!

I realized that #TLS (both with #OpenSSL and #LibreSSL) is a *major* bottleneck. With TLS enabled, I couldn't cross 3000 requests per second, with somewhat acceptable response times (most below 500ms). Disabling TLS, I could really see the impact of a #lockfree queue as opposed to one protected by a #mutex. With the mutex, up to around 8000 req/s could be reached on the same hardware. And with a lockfree design, that quickly went beyond 10k req/s, but crashed. 😆

So I read some scientific papers 🙈 ... and redesigned a lot (*). And now it finally seems to work. My latest test reached a throughput of almost 25k req/s, with response times below 10ms for most requests! I really didn't expect to see *this* happen. 🤩 Maybe it could do even more, didn't try yet.

Open issue: Can I do something about TLS? There *must* be some way to make it perform at least a *bit* better...

(*) edit: Here's the design I finally used, with a much simplified "dequeue" because the queues in question are guaranteed to have only a single consumer: https://dl.acm.org/doi/10.1145/248052.248106

Alt...

Throuput curve of my latest stress test of swad (with ramp-up and ramp-down phase)

Alt...

Response times in percentiles. 97% stay below 10ms!

Solved! 🥳

This was a pretty "interesting" bug. Remember when I invented a way to implement #async / #await in #C, for jobs running on a threadpool. Back then I said it only works when completion of the task resumes execution on the *same* pool thread.

Trying to improve overall performance, I found the complex logic to identify the thread job to put on a pool thread a real deal-breaker. Just having one single MPMC queue with a single semaphore for all pool threads to wait on is a lot more efficient. But then, a job continued after an awaited task will resume on a "random" thread.

It theoretically works by making sure to restore the CORRECT context (the original one of the pool thread) every time after executing a job, whether partially (up to the next await) or completely.

Only it didn't, at least here on #FreeBSD, and I finally understood the reason for this was that I was using #TLS (thread-local storage) to find the context to restore.

Well, most architectures store a pointer to the current thread metadata in a register. #POSIX user #context #switching saves and restores registers. I found a source claiming that the #Linux (#glibc) implementation explicitly does NOT include the register holding a thread pointer. Obviously, #FreeBSD's implementation DOES include it. POSIX doesn't have to say anything about that.

In short, avoiding TLS accesses when running with a custom context solved the crash. 🤯

Found and fixed two more bugs affecting only #TLS with #swad, so here's yet another "bugfix release":

https://github.com/Zirias/swad/releases/tag/v0.9

One of these bugs was always there and I never noticed (just ignoring intermediate certificates) because many clients cope well with this, but not all.

The other bug is yet another regression from earlier performance improvements. 😞

So, lots of releases these last days. I'll have to remember to do very thorough regression testing whenever "optimizing" things in existing code 🙈

In a nutshell: 0.8 was finally fine again without TLS, but if you need TLS, better use this new 0.9.

TIL: Chrome and Firefox disable X25519MLKEM768 to localhost. As best as I can tell that's not documented anywhere and just cost me debugging cycles.

#PQC #TLS

So it's official: TLS certificate lifetimes will reduce from the current max of 398 days to:
* 200 days in March 2026
* 100 days in March 2027
* 47 days in March 2029

For web servers/proxies etc. it's reasonably simple, at least for smaller orgs but for e.g. network kit it might be more of a challenge. Having a timeframe to aim at definitely focusses the mind!

Via @riskybiz / https://risky.biz/risky-bulletin-ca-b-forum-approves-47-day-tls-certs/

#TLS #PKI #InfoSec #WebDev

Released: #swad v0.1 🥳

Looking for a simple way to add #authentication to your #nginx reverse proxy? Then swad *could* be for you!

swad is the "Simple Web Authentication Daemon", written in pure #C (+ #POSIX) with almost no external dependencies. #TLS support requires #OpenSSL (or #LibreSSL). It's designed to work with nginx' "auth_request" module and offers authentication using a #cookie and a login form.

Well, this is a first release and you can tell by the version number it isn't "complete" yet. Most notably, only one single credentials checker is implemented: #PAM. But as pam already allows pretty flexible configuration, I already consider this pretty useful 🙈

If you want to know more, read here:
https://github.com/Zirias/swad

System Administration

Week 8, HTTPS & TLS

After discussing HTTP in the previous week and seeing how we used STARTTLS in the context of #SMTP, we are now quickly reviewing HTTPS, TLS, and the WebPKI. While we don't have a video segment for this, here are slides, including this handy diagram illustrating the CSR process:

https://stevens.netmeister.org/615/08-https.pdf

#SysAdmin #SRE #DevOps #TLS

System Administration

Week 8, The Simple Mail Transfer Protocol, Part II

In this video, we observe the incoming mail on our MTA, look at how STARTTLS can help protect information in transit, how MTA-STS can help defeat a MitM performing a STARTTLS-stripping attack, and how DANE can be used to verify the authenticity of the mail server's certificate.

https://youtu.be/RgEiAOKv640

#SysAdmin #SRE #DevOps #smtp #tls