Security – SQL Server does not use TLS, but the connection is secure. How is that possible?

I am connecting to SQL Server 2017 via ODBC and MSSMS. The connection does not use TLS. I checked it with openssl s_client. However, the DBA assures me that the connection is secure.

What else common or typical Methods / protocols could be used to make such a connection secure if not TLS? The connection is not established via an SSH tunnel or a VPN.

Certificate authentication "The request was canceled: A secure SSL / TLS channel could not be created."

We have imported a PFX certificate under Personal Business. It creates a root, intermediate and client certificate in Personal Business.

This certificate is used to authenticate to an API that is working properly at this time.

As soon as we try to view the properties of the client certificate from the Personal Store, a copy of is created

  • Intermediate certificate in Trusted Root Certification Authorities business
  • Root certificate in Trusted Root Certification Authorities and Third-Party Root Certificate Authorities business

Now when we try to access the API, the following error is thrown

The request was canceled: A secure SSL / TLS channel could not be created.

We have to manually remove the certificate from additional stores for the API to work again.

  1. Why are root and intermediate certificates copied to additional stores?
  2. How can we configure the certificates so that the API can authenticate and run stably?

tls – Diffie-Hellman in https: how are prime numbers selected?

I'm trying to understand https because https uses the Diffie-Hellman method for key exchange and then AES for encryption.

But Diffie-Hellman needs two prime numbers, where do they come from?

tls – How to reduce credential disclosure in middle attack people

I have the following scenario and am looking for a safe solution.

There is a web application hosted on IIS. The connection is established and encrypted using TLS 1.2.

So the steps are
1. The client connects to the server using SSL
2. The client sends the user name and password (as well as the xsrf token).
3. The server authenticates the user and creates an encrypted cookie that goes back and forth.

Assume that we are in a corporate environment in which all communication takes place via a proxy server (e.g. when using SSL Inspection). If the inspector is compromised (which is very likely on this basis), the user is vulnerable to the theft of credentials.

I've read about the crypto binding solution, but this only protects us from the MITM so we can't keep the connection going after the client stops creating traffic.

Is there any way to secure the user's passwords if ssl has been compromised this way?

tls – Do CAs issue an intermediate certificate for each new certificate request?

The certificate that the CA problem is a simple confirmation that the public key you sent to CA in the Cerfiticate request really belongs to you (otherwise everyone could claim to be the owner of the google.com or amazon domain .com). Because the certificate contains Your public keycannot be prepared in advance. In addition, the response time depends on the type of certificate you requested. Generating simple certificates that confirm that the requester (you) really owns a domain takes little time. Typically, CA sends you a link to an email from your domain, such as admin@yourdomain.org, You click the link and confirm that you are the owner. CA then generates a certificate and sends it to you.

However, other types of certificates involve much more verification, e.g. CA needs to verify that your company really exists and is properly registered, that your company is located at the address, etc. It can take a much longer time, days or weeks to verify. It takes a lot of effort, so the price is correspondingly higher. But the certificate also confirms much more than other certificates.

In addition to domain certificates, there are other types of certificates such as S / MIME: To sign your e-mails, the recipient can rely on the fact that the e-mail really came from you. It can also be a user for email encryption. The verification and generation of such certificates takes even less than with domain certificates. There are certificates for code signing, etc.

You can find more details on the websites of the certification bodies (I prefer not to advertise any of them here).

How to sign certificates:

CA has a root certificate. It is the most important element in the certificate hierarchy. Therefore it is saved with a lot of security. It is impractical for practical use. For this reason, CA uses the root certificate (whose validity is usually 10 years or more) to issue some signature certificates with a shorter validity, e.g. B. 3 to 5 years. Shorter validity means less exposure and therefore less risk of compromise.

To the question: Yes, such signature certificates are created in advance.

tls – How does VPN prevent man in the middle at ISP level?

When man-in-the-middle is at the ISP level (or even before ISP), it seems they can do the handshake. Swap keys provide a forged or copied certificate. The only thing you wouldn't know is the private key. But it seems like they are the client for the endpoint server and the server for the victim, they could create two encryption / decryption chains and two shared secrets, and nobody would be wiser. I think I get it wrong because people say that a VPN would protect against it. So the basic question is how an HTTPS website certificate at ISP level protects from people in the middle.

tls – Why are DNS requests displayed when DNS is enabled over HTTPS?

Firefox 73 was launched today and includes a new DNS option called NextDNS. I thought about trying it and clicked "Enable DNS over HTTPS" and chose "NextDNS".

My understanding of HTTPS is that it encrypts traffic (to ensure confidentiality) and prevents tampering (to check integrity). However, when I started searching my own traffic with tcpdump, I found entries like this:

root@Sierra ~ % tcpdump dst port 53

00:16:18.598111 IP 192.168.1.102.57991 > 192.168.1.1.domain: 15871+ A? detectportal.firefox.com. (42)
00:16:18.601087 IP 192.168.1.102.55182 > 192.168.1.1.domain: 44174+ A? www.goodreads.com. (35)
00:16:18.602982 IP 192.168.1.102.57991 > 192.168.1.1.domain: 63750+ AAAA? detectportal.firefox.com. (42)
00:16:18.855488 IP 192.168.1.102.34760 > 192.168.1.1.domain: 7245+ A? mozilla.org. (29)
00:16:18.855976 IP 192.168.1.102.34570 > 192.168.1.1.domain: 17221+ A? mozilla.org. (29)
00:16:18.855998 IP 192.168.1.102.34570 > 192.168.1.1.domain: 24136+ AAAA? mozilla.org. (29)
00:16:18.856830 IP 192.168.1.102.42346 > 192.168.1.1.domain: 52531+ A? detectportal.firefox.com. (42)
00:16:24.097262 IP 192.168.1.102.35499 > 192.168.1.1.domain: 38286+ A? mozilla.org. (29)
00:16:24.097448 IP 192.168.1.102.35499 > 192.168.1.1.domain: 44461+ AAAA? mozilla.org. (29)
00:16:24.451349 IP 192.168.1.102.40330 > 192.168.1.1.domain: 60808+ A? s.gr-assets.com. (33)
00:16:24.456921 IP 192.168.1.102.48310 > 192.168.1.1.domain: 6906+ A? i.gr-assets.com. (33)
00:16:29.106318 IP 192.168.1.102.39619 > 192.168.1.1.domain: 54705+ AAAA? mozilla.org. (29)
00:16:33.269314 IP 192.168.1.102.43004 > 192.168.1.1.domain: 3958+ A? mozilla.org. (29)
00:16:42.515778 IP 192.168.1.102.53688 > 192.168.1.1.domain: 33887+ A? sync-580-us-west-2.sync.services.mozilla.com. (62)
00:16:42.516330 IP 192.168.1.102.59568 > 192.168.1.1.domain: 62418+ A? api.accounts.firefox.com. (42)
00:16:42.889225 IP 192.168.1.102.48174 > 192.168.1.1.domain: 41105+ A? sync-580-us-west-2.sync.services.mozilla.com. (62)
00:16:43.453717 IP 192.168.1.102.60703 > 192.168.1.1.domain: 44380+ A? d3cv4a9a9wh0bt.cloudfront.net. (47)

Apparently it doesn't look encrypted. When I changed my DNS server to Cloudflare, I could only see the entries for Cloudflare's DNS server (which I expect from DoH). So what's up with NextDNS? How is NextDNS different from unencrypted DNS? And am I missing something here?