Posts

Showing posts from March, 2018

What is HSTS - HTTP Strict Transport Security

Image
HSTS stands for HTTP Strict Transport Security. In essence it is actually a mitigation technique for SSL-Stripping attack. In practice one may encounter message when accessing websites (see below details) Various attacks attempt to remove the use of Secure Socket Layer/Transport Layer Security (SSL/TLS) altogether by modifying unencrypted protocols that request the use of TLS, specifically modifying HTTP traffic and HTML pages as they pass on the wire. These attacks are known collectively as " SSL Stripping " (a form of the more generic "downgrade attack") and were first introduced by Moxie Marlinspike [SSL-Stripping].  In the context of Web traffic, these attacks are only effective if the client initially accesses a Web server using HTTP.  A commonly used mitigation is HTTP Strict Transport Security (HSTS) [RFC6797]. HSTS is now supported in all leading browsers - Chrome, Firefox, Safari, Edge, IE. One of the several new features in Chrome is the addition o...

User Authentication with OAuth 2.0

Image
This (original) article has been taken from OAuth protocol website. (https://oauth.net/articles/authentication/) and highlighted text has been added for better explanation and clarity. It provides information on the OAuth protocol which deals with only delegated authorization. Often it is assumed and misused to include authentication. OAuth protocol does not include authentication .  And to complete the stack, OpenID Connect has been built on top of OAuth which provides for authentication (however, OpenID Connect is not the focus of this post. It was mentioned to bring the relationship between these two protocols) User Authentication with OAuth 2.0 The  OAuth 2.0  specification defines a  delegation  protocol that is useful for conveying  authorization decisions  across a network of web-enabled applications and APIs. ( This means that OAuth is a HTTP based protocol ) OAuth is used in a wide variety of applications, including providing mechanism...

Oracle Access Manager OAM 12c release - 12.2.1.3.0

Latest Release of OAM is now 12.2.1.4.0 In 12c release, Oracle suite for Identity and Access Management is now called as Oracle Identity Management 12c.  The latest 12c release is now 12.2.1.4.0 also called as 12c PS4. The latest release of 12c is now 12c PS4 available for download here .  The certification matrix is available here .  Enterprise Deployment Guide for Oracle Identity and Access Management is available here .  Integration Guide for Oracle Identity Management Suite is here High Availability and Multi Datacenter deployment guides references are here and here The 12c release is now 12c PS4 i.e 12.2.1.4.0. The previous release was 12c PS3 , i.e 12.2.1.3.0 (The earlier version were 11gR2 PS3 or 11.1.2.3 from the 11gR2 series/versions  - 11gR1, 11gR2 PS1, 11gR2 PS2 and 11gR2 PS3.) The 12c release, 12c PS4 and PS3, comprises of the 3 main components Identity Governance Access Manager Directory Services (1)  Identity Governance  ( ...