Clarification Needed on SSL/TLS Certificate Verification Process

You’re absolutely right, @Gregory Childers. While SSL was deprecated in 2015, it’s still commonly referenced due to legacy systems, brand recognition, and its interchangeability with TLS in everyday usage. Since TLS evolved from SSL, many continue to use "SSL" as a blanket term, even though TLS is the correct and more secure protocol.

I passed the CompTIA DataSys+

Thank you, Rick!

I took it from home, and it took me a loooong time to get the Pearson onvue website to work. For some reason the website wouldn't work on my phone no matter which browser I used. So I had to use an external web cam to take pictures of my license, myself, and my desk. That took about 45 minutes, I was a little scared that I would miss my window, but everything worked out just in time. I would have just driven to a test site, but I live about an hour away from the nearest one.

I enjoyed the exam content. I was able to go through the questions pretty quickly. I've been working in data for about five years, and I've recently been studying for Data+ That helped a bunch. I think I'll sit the Data+ soon while everything is still fresh in my brain.
Very nice. I'm a OnVUE hater; always deferring to the ol' test center for my testing - since my preferred one is run by people I know and like, I'd rather they get the money for the testing.

I've done Databasing in one form or another for...sheesh...25 years? The cloud bits and NoSQL architectures are newer to me, so I'm putting more time in that.

I got a bit behind on the CompTIA cadence, as I've been working on Azure SC stuff. But hopefully here soon.

But congrats again on your win and good luck on Data+!

/r
  • Love
Reactions: TraceyO

Clarification Needed on SSL/TLS Certificate Verification Process

Hello everyone,

I hope you’re all doing well! I wanted to share a recent teaching experience related to SSL/TLS certificate verification and seek your insights on a particular point of confusion that came up in class.

During a session on secure communications, I had my students test the SSL/TLS configuration of a web server using OpenSSL. We used the following command to retrieve and display the certificate details:

openssl s_client -connect 192.168.100.30:443 -showcerts

This command successfully connected to the server and displayed the server’s certificate chain. However, one student asked about the process of verifying whether the certificate is valid and trusted, particularly regarding the role of Certificate Authorities (CAs).

To clarify, I explained that the verification process involves checking several factors, including:
  1. Whether the certificate is signed by a trusted CA.
  2. The certificate’s expiration date.
  3. The certificate's revocation status, often checked through OCSP (Online Certificate Status Protocol).

However, I realized I could provide more depth on how to perform these checks effectively. For example, we can check the certificate expiration date using:

openssl x509 -in certificate.crt -noout -dates

I’d love to hear your suggestions on the following:
  1. How can I effectively demonstrate the entire SSL/TLS verification process in class, including checking the certificate’s revocation status?
  2. Are there any additional tools or techniques you recommend for teaching about certificate verification and the role of CAs in ensuring secure communications?

Thank you for your insights!

Official Instructor Guide for DataX

Strange. Should be there. Did you not sit the Data+ TTT?
Yep, I attended the DataX recently. I got access to the Test out CertMaster Perform. However, when I go under the "resources" tab I don't see an instructor guide listed. It got me wondering if the book is being replaced with CertMaster materials, or if there will be one released down the road. Screenshot 2024-10-14 100835.png
  • Like
Reactions: precious

I passed the CompTIA DataSys+

Nice job, Tracy...how did it go for you? I'm working on it now, actually - I think I'll take a shot at it around Thanksgiving...
Thank you, Rick!

I took it from home, and it took me a loooong time to get the Pearson onvue website to work. For some reason the website wouldn't work on my phone no matter which browser I used. So I had to use an external web cam to take pictures of my license, myself, and my desk. That took about 45 minutes, I was a little scared that I would miss my window, but everything worked out just in time. I would have just driven to a test site, but I live about an hour away from the nearest one.

I enjoyed the exam content. I was able to go through the questions pretty quickly. I've been working in data for about five years, and I've recently been studying for Data+ That helped a bunch. I think I'll sit the Data+ soon while everything is still fresh in my brain.

Tips: "on controls to mitigate attacks and software vulnerabilities" If You Come Across... Verify For...

1. Cross-Site Scripting (XSS)​

  • If you come across: User input fields (like comments or search bars)
    • Verify for:
      • Reflected XSS: Injecting scripts in the input to see if they are executed in the user's browser.
      • Persistent XSS: Checking if scripts are stored on the server and reflected back to users.
    • Prevention: Implement input validation, output encoding, and Content Security Policy (CSP).

2. Overflow Vulnerabilities​

  • If you come across: User input or data handling that may exceed allocated memory
    • Verify for:
      • Buffer Overflow: Sending oversized inputs to trigger memory corruption.
      • Integer Overflow: Providing inputs that exceed maximum integer values.
      • Heap Overflow: Manipulating dynamic memory allocation to corrupt memory.
      • Stack Overflow: Causing the call stack to exceed its limit.
    • Prevention: Use safe coding practices, input validation, and memory management techniques.

3. Data Poisoning​

  • If you come across: User-modifiable data inputs
    • Verify for: Manipulating data to affect the application's behavior or outcomes.
    • Prevention: Validate inputs and implement strong data integrity checks.

4. Broken Access Control​

  • If you come across: User permissions or roles within the application
    • Verify for: Accessing restricted resources or functions without proper authorization.
    • Prevention: Enforce strict role-based access control (RBAC) and regularly audit access permissions.

5. Cryptographic Failures​

  • If you come across: Data stored or transmitted securely (e.g., passwords, personal data)
    • Verify for: Weak encryption algorithms or improper key management.
    • Prevention: Use strong encryption protocols and ensure proper key storage and lifecycle management.

6. Injection Flaws​

  • If you come across: Input fields that interact with databases or APIs
    • Verify for:
      • SQL Injection: Manipulating SQL queries through input fields.
      • Command Injection: Executing arbitrary commands on the server.
    • Prevention: Use parameterized queries, prepared statements, and input validation.

7. Cross-Site Request Forgery (CSRF)​

  • If you come across: Forms that perform state-changing actions
    • Verify for: Unauthenticated requests being accepted by the application.
    • Prevention: Implement anti-CSRF tokens and validate the origin of requests.

8. Directory Traversal​

  • If you come across: File upload or retrieval functions
    • Verify for: Accessing restricted directories using path traversal techniques.
    • Prevention: Validate and sanitize file paths and restrict access to sensitive directories.

9. Insecure Design​

  • If you come across: Flaws in the application's architecture
    • Verify for: Design weaknesses that expose the application to various attacks.
    • Prevention: Follow secure design principles and perform threat modeling.

10. Security Misconfiguration​

  • If you come across: Default settings in applications or services
    • Verify for: Misconfigured security settings or unused features being enabled.
    • Prevention: Regularly review and harden security configurations, and conduct security audits.

11. End-of-Life or Outdated Components​

  • If you come across: Use of libraries or software that are no longer supported
    • Verify for: Known vulnerabilities associated with outdated components.
    • Prevention: Regularly update and patch software components and replace end-of-life software.

12. Identification and Authentication Failures​

  • If you come across: Login or authentication mechanisms
    • Verify for: Weak password policies, account enumeration, or failure to implement multi-factor authentication.
    • Prevention: Enforce strong password policies and implement multi-factor authentication.

13. Server-Side Request Forgery (SSRF)​

  • If you come across: Applications making backend requests based on user input
    • Verify for: Manipulating requests to access internal services.
    • Prevention: Validate and sanitize user inputs, and restrict server-side requests.

14. Remote Code Execution (RCE)​

  • If you come across: User inputs that are executed by the server
    • Verify for: Ability to execute arbitrary code on the server.
    • Prevention: Validate all inputs and use language features to limit code execution.

15. Privilege Escalation​

  • If you come across: Role or permissions settings
    • Verify for: Users gaining unauthorized access to higher privilege levels.
    • Prevention: Implement the principle of least privilege and regularly review user roles.

16. Local File Inclusion (LFI) / Remote File Inclusion (RFI)​

  • If you come across: File inclusion functionalities
    • Verify for: Ability to include local or remote files that could compromise the application.
    • Prevention: Validate and sanitize file paths and restrict the inclusion of sensitive files.

SHARE WITH US YOUR TIPS
Thanks for Sharing @precious this is such amazing control to put in place!!!
  • Love
Reactions: precious

Filter