Could not create SSL/TLS secure channel
The request was aborted: Could not create SSL/TLS secure channel.Description: An unhandled exception occurred during the execution of the current web request.
Category Archives: Technical Journal
Top 10 things to do to secure a web application.
When starting a new project, it is best to do the following security related items as soon as possible, otherwise it will be terribly difficult to add at a later stage.
WS-Federation, Session Token not removed from cache after signing out.
I recently implemented a centralized security token cache and observed that although the user signs-out and the session cookie is removed from the browser the session token was never removed from the SecurityTokenCache. This is something I would never have observed if I did not implement this cache.
Cybersecurity Conference Directory
Found this amazing online cyber security directory. Lists 500+ conference events around the globe all to do with cyber security. Must keep an eye on this!
The authentication schemes configured on the host (‘IntegratedWindowsAuthentication’)
The authentication schemes configured on the host (‘IntegratedWindowsAuthentication’) do not allow those configured on the binding ‘WS2007HttpBinding’ (‘Anonymous’). Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly. Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through the ServiceHost.Authentication.AuthenticationSchemes property, in the application configuration… Read More »
ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.
ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.
OWASP Vulnerability scanner
This post is more of a note to myself so I can remember the name of this tool and how to configure it. The OWASP Zed Attack Proxy (ZAP) can crawl through a site and test a site for the current OWASP top 10.
What is OWIN?
A few posts back I was looking at OAuth and I stumbled onto some posts with references to this thing called OWIN. Initially I thought it was a framework that wrapped OAuth to make it easier to use but it turned out to be a hosting solution with support for middleware.
Could not load file or assembly ‘Owin
First day of trying the understand OWIN, I follow the steps from the microsoft site and are greeted by this error message. Could not load file or assembly ‘Owin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f0ebd12fd5e55cc5’ or one of its dependencies. The located assembly’s manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040) There are possible… Read More »
Retrieving the twitter identity
In the previous article I showed how to use OAuth to connect to twitter. At this point all the authentication and authorization has been done and we are busy with the last step to retrieve the Identity information from twitter specifically.
Authenticating with OAuth
Last time I looked at Oauth I was simply looking at the steps involved with it, today I am doing a small POC. I will be using twitter as my identity provider.
Secure HTTP without HSTS
In the previous post I showed how to enable HSTS so that all HTTP traffic to a website is secured. As cool as that is, the unfortunate reality is that it is not always possible to secure all HTTP traffic for a website especially when dealing with some legacy technology.
Secure HTTP with HSTS in IIS
HTTP Strict Transport Security or HSTS is a header that instructs a browser not to downgrade a secure https connection to a unsecure HTTP connection for a specified domain.
How to disable insecure cipher suits.
There is a vulnerability in SSL3 called POODLE, it is documented in detail here by Google. SSL2 & 3 needs to be disabled in the client browser and on the web server. Below is a registry file that can be copied and run on a Microsoft IIS web servers to disable SSL 2 & 3… Read More »
Enable secure cookies over HTTPS.
It is important to realize that although a website might be running under HTTPS it does not guarantee that the session information is not accessible from normal HTTP requests. When a session cookie is generated it is important to make sure that the cookie can only be transmitted over a secure HTTP connection (HTTPS).