Git repository: https://github.com/lgarron/badssl.com
TLS test for your browsers (based on the user agent)
Firefox about:config
security.ssl3.dhe_rsa_aes_128_sha = false
security.ssl3.dhe_rsa_aes_256_sha = false
Response to "arguments against DNSSEC" (https://shaarli.cafai.fr/?fkzN7w || http://sockpuppet.org/blog/2015/01/15/against-dnssec/) and Questions and Answers from "Against DNSSEC" (http://sockpuppet.org/stuff/dnssec-qa.html).
There are two ways that you might wish to use DANE in a web browser: either to block a certificate that would normally be considered valid, or to bless a certificate that would normally be rejected. The first, obviously, requires that DANE information always be obtained—if a lookup failure was ignored, a network attacker with a bad certificate would just simulate a lookup failure. But requiring that browsers always obtain DANE information (or a proof of absence) is nearly implausible
PhantomJS is a headless WebKit scriptable with a JavaScript API. It has fast and native support for various web standards: DOM handling, CSS selector, JSON, Canvas, and SVG. // Phantom is head and shoulders above any other headless browser. Here are some alternatives: http://slimerjs.org/ (Slimer uses Gecko) http://zombie.labnotes.org/ http://sahi.co.in/ http://casperjs.org/ http://jeanphix.me/Ghost.py/
DNSSEC/TLSA Validator is a web browser add-on which allows you to check the existence and validity of DNS Security Extensions (DNSSEC) records and Transport Layer Security Association (TLSA) records related to domain names in the address-bar in your browser. The results of these checks are displayed using icons and information texts in the page’s address-bar or tool-bar. Currently, Internet Explorer (IE), Mozilla Firefox (MF) and Google Chrome (GC) web browsers are supported.
Previous research on password managers has focused on the cryptographic protections of the passwords themselves in particular environments such as mobile devices. This research instead focuses on browser specific integrations and mechanisms to remotely compromise credentials. Four of the most popular password managers were examined: LastPass, OneLastPass, 1Password, and MaskMe.
I got to wondering one day how difficult it would be to find the crypto keys used by my browser and a web server for TLS sessions. I figured it would involve a memory dump, volatility, trial and error and maybe a little bit of luck. So I started looking around and like so many things in life... all you have to do is ask. Really. Just ask your browser to give you the secrets and it will! As icing on the cake, Wireshark will read in those secrets and decrypt the data for you. Here’s a quick rundown of the steps:
Set up an environment variable called SSLKEYLOGFILE that points to a writable flat text file. Both Firefox and Chrome (relatively current versions) will look for the variable when they start up. If it exists, the browser will write the values used to generate TLS session keys out to that file.
Tracking is one of the things that Internet users are exposed to no matter where they go. Websites use analytics software to track them, advertising companies use tracking to make more money because of targeted ads, and social media sites too may know where you have been almost at all times because of buttons and scripts that are installed on the majority of websites.[...] One option that Firefox users have for that is the Firegloves extension. It has not been updated in a year but it is still working fine. It changes settings to common values so that your browser's fingerprint turns out to be less unique than it actually would be without.
For this post, I'll be analyzing the following browsers on a Windows 8 machine. Here's a table of contents for this post to help you skip to whatever browser you're interested in:
Chrome 27.0.1453.110
IE 10
Firefox 21.0
This website gives you information on the SSL cipher suites your browser supports for securing HTTPS connections.