Why Passthrough Tokens are an Anti-Pattern in MCP

🎯 DNS Security: The Foundation of Your Digital Infrastructure Your DNS records are the roadmap to your online presence. When they're compromised or lost, everything stops. Here's what every IT professional should know: The Risk is Real: - 47% of organizations have experienced DNS-related downtime - Average cost of DNS downtime: $5,000+ per hour - Recovery without backups can take days, not minutes Best Practices for DNS Protection: 1️⃣ Automate Your Backups - Manual processes fail when you need them most 2️⃣ Test Recovery Regularly - Backups are only as good as your ability to restore them 3️⃣ Monitor Changes - Get instant notifications when DNS records are modified 4️⃣ Maintain Version History - Track what changed, when, and by whom Why Users Across All Major Providers Choose DNS Backup: ✅ Multi-provider support - Cloudflare, Namecheap, DigitalOcean ✅ Seamless API integration - Works with all supported platforms ✅ Zero-downtime recovery - Restore to any supported provider ✅ Complete audit trails - Track changes across all your domains ✅ Enterprise-grade encryption - Your data stays secure Protect what powers your business. Your DNS deserves the same attention as your other critical infrastructure. See https://dnsbackup.co.uk #DNSSecurity #Cloudflare #ITBestPractices #CyberResilience #TechLeadership

🔒 What Makes HTTPS “Secure”? (TLS Handshake in 6 Steps) Most people know the little “s” in https:// stands for secure, but what actually makes it secure? The answer: TLS (Transport Layer Security) — the protocol that encrypts your connection and keeps your data private. Here’s the TLS 1.2 handshake, simplified: 1️⃣ TCP Handshake – First, your browser sets up a reliable connection with the server (SYN → SYN-ACK → ACK). 2️⃣ ClientHello – Your browser says hello, sharing supported TLS versions, cipher suites, and extras like SNI/ALPN. 3️⃣ ServerHello + Certificate – The server replies with its chosen cipher suite and sends a digital certificate with its public key. 4️⃣ Certificate Validation – Your browser checks that the certificate is signed by a trusted CA and hasn’t been tampered with. 5️⃣ Key Exchange – Your browser generates a pre-master secret, encrypts it with the server’s public key, and sends it over. 6️⃣ Session Key Generation – Both sides independently generate session keys from the shared secret. Now, all communication is encrypted (fast, symmetric encryption). 💡 Next time you see the 🔒 icon, remember — your browser and the server just did this entire handshake in milliseconds to keep your data safe. See the full article https://lnkd.in/gM9Y_qmc

'𝐇𝐓𝐓𝐏𝐒' 𝐞𝐧𝐬𝐮𝐫𝐞𝐬 𝐭𝐡𝐞 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲. For example in Oggy's case, Server (LinkedIn) → CA (DigiCert). For easy understanding : 🔴 Private key 🟢 Public key Step 1: Server Setup Server generates public Key 🟢 and private Key 🔴. Then sends public Key 🟢 to CA. The CA uses its private key 🔴 to digitally sign the server’s certificate and sends back to the server. The certificate contains the server’s public key 🟢 and information like the domain name, validity dates and CA details. Step 2: Connecting Client (Oggy's PC) → DNS: Requests LinkedIn’s IP. DNS → Client: Returns IP. Client → Server: Opens TCP connection. Step 3: TLS Handshake Start Client → Server: TLS ClientHello. Server → Client: TLS ServerHello + Certificate with Public Key 🟢. Step 4: Certificate Verification Client checks certificate using its OS’s built in list of trusted CAs and verifies certificate validity, domain, and CA signature with CA’s public key 🟢 Step 5: Secure Handshake Client: Creates session key, encrypts it with server’s Public Key 🟢. Server: Uses Private Key 🔴 to decrypt. Now both share the session key. Step 6: Secure Login Client → Server: Encrypted credentials. Server → Client: Encrypted response & session cookie. Step 7: Session End Connection closes and session key discarded but the private Key 🔴 stays secret. So conclusion?? Client (Oggy's PC) → DNS → Server → CA → Server sends certificate (Public Key 🟢) → Client verifies via OS CA list → Handshake → Secure encrypted login. Hopefully this makes sense to Oggy now and has got the answers! #dataprivacy #networksecurity #encryption #learning

🛡️ Protecting Your DNS Records Has Never Been Easier As businesses increasingly rely on DNS providers like Cloudflare, Namecheap, and DigitalOcean for their infrastructure, the risk of losing critical DNS records grows. One misconfiguration, one accidental deletion, and your entire online presence could be at risk. That's why thousands of users across multiple DNS providers trust DNS Backup for: ✅ Automated backups - Set it and forget it ✅ Instant recovery - Get back online fast ✅ Enterprise-grade security - Your data stays protected ✅ Multi-provider support - Cloudflare, Namecheap, DigitalOcean 🚀 Lightning Fast Sync - Real-time synchronization keeps your backups current 🔒 Enterprise Security - SOC 2 compliance and secure API key management 📊 Advanced Analytics - Track changes and monitor backup health Don't wait for disaster to strike. Protect your DNS infrastructure today - regardless of your provider. https://dnsbackup.co.uk #DNS #DNSBackup #Cloudflare #Namecheap #DigitalOcean #CyberSecurity #ITManagement #BusinessContinuity

We ran a security audit on a public company's MCP server. Here's what we found: - Implemented the OAuth spec wrong. Incorrect WWW-authenticate header response and Protected Resource Metadata. - Users are getting exposed to tools they aren't authorized to. - Does not offer granular scopes in OAuth token. Users are given full privileges by default. - Tools use 17k tokens (9% of Claude 4.5's context window). Their competitor's MCP server uses half. - Typically uses 3X the amount of tools for a single workflow compare to their competitors. This means workflows take 3 times longer to run, and many times more likely to hallucinate resulting in a failed execution. This is a glimpse of what we found, the entire audit is 20+ pages long. Our proposal will help theme adhere to best OAuth and security practices, and increase the performance (accuracy + execution time) of their MCP server by 60%. We're helping teams audit their MCP servers. Message me if you'd find this helpful for your production MCP server! https://www.mcpjam.com/ #MCP

Until now the security risk of LLMs was acceptable - but with MCP, no more! It’s the servers, tokens, and supply chain you bolt on with MCP. LLMs take input and return output in a contained flow. MCP extends them with servers and integrations running on developer endpoints that connect to Slack, Gmail, GitHub and any tools you give it access to. But here’s how MCP risks differ from LLM-only: - Supply chain risk from downloading and running untrusted MCP servers locally. - Secrets exposure when third-party code holds API keys and tokens. - Prompt-injection can cause data exfiltration or harm as agents read untrusted data. - Little visibility or audit over who connected what, and when. - API keys are stored in configuration files in plaintext. If you’re adopting MCP, centralize server hosting, enforce least-privilege scopes, secure secret storage, and require a protocol-aware gateway with auditing across endpoints. Make security the default before productivity scales.

Firewall Ports for AD CS Certificate Enrollment If you’re designing or securing Active Directory Certificate Services (AD CS), knowing which network ports to open between Domain Controllers (DCs), Certificate Authorities (CAs), and clients is essential. Here’s a concise port map to ensure smooth certificate requests and template lookups. --- Client → CA (Certificate Request & Enrollment) - TCP 135 – RPC Endpoint Mapper - TCP 49152–65535 – RPC Dynamic Ports (DCOM RPC Enrollment) - TCP 443 – Certificate Enrollment Web Services (CEP/CES) (optional) - TCP 88 – Kerberos Authentication --- CA → Domain Controller (Template Retrieval) - TCP 389 / 636 – LDAP / LDAPS (certificate template queries) - TCP 3268 / 3269 – Global Catalog / Global Catalog over SSL (enterprise templates) - TCP 88 – Kerberos Authentication - TCP 445 - Server Message Block RPC Named Pipes --- Client → Domain Controller (DC Locator & Auth) - TCP 389 / 636 – LDAP / LDAPS (DC locator; Kerberos pre-auth) - TCP 88 – Kerberos Authentication --- Pro Tips - If you exclusively use Web Enrollment, you can limit traffic to port 443. - Ensure your CA has Line-of-Sight to a Global Catalog for reading enterprise templates. References https://lnkd.in/gbpbt6Ee https://lnkd.in/gQnrNwNS https://lnkd.in/gDXQfmBQ #PKI #ActiveDirectory #ADCS #Firewall #WindowsServer #CertificateEnrollmen #ITInfrastructure

If Diffie-Hellman can securely exchange keys, why do we need Digital/TLS/SSL certificates? Diffie-Hellman (DH) can provide secure key exchange between a client and a server. However, it’s possible that an attacker could sit in between the client and the server — acting as a middleman. In that case, the client might securely communicate with the attacker, and the attacker would then securely communicate with the server. Client <----encrypted----> Attacker <----encrypted----> Server Even though both communications are encrypted, the entire connection is compromised because the attacker can read or modify the messages in between. Now, let’s see how digital certificates solve this problem. A TLS certificate contains the server’s public key and is signed by a trusted Certificate Authority (CA). When the client’s browser connects to the server, the server presents its certificate. The browser then verifies and validates this certificate using the CA’s signature. Once verified, the browser ensures that it’s communicating securely with the genuine server — not an attacker. #DH #Encryption #TLS #DigitalCert

🚨 Your Workstation (aka Local) #mcp servers can give malicious actors access to all your local files, access tokens, API keys and corporate network. I'm still seeing lots of people explaining how they've deployed Workstation MCPs with no containerization, no sandboxing. Maybe they're simply unaware of how risky this is, or they like living on the edge? 🤘 👉 Here's a quick PSA: Always lock down your Workstation MCP servers in a secure container (like a Docker, Inc container). Containerization allows you to specify which files your MCP can and can't access, to protect anything sensitive from malicious actors that may have created, or gain control over an MCP server you are using. 🔒 To help you, Samuel Batista from MCP Manager has written a superb step-by-step guide to using Workstation/Local MCPs securely, AND he has created some Docker files you can use too. You'll find everything you need here: https://lnkd.in/eM7rjuRM #modelcontextprotocol #cybersecurity #infosec #ai

Ed speaks truths! MCP's, often called the “USB-C for AI” (not by me... but some people) make it easier for GenAI apps to connect with external tools, but they come with real risks. These risks are amplified when developers assume public MCPs are safe by default. I mean... wh... why would you do that....???!? One proof-of-concept showed how a malicious MCP tool could encrypt a user’s files after being triggered inside a GenAI app. Blink Blink.... Small steps to vet an MCP before integrating it into your app, check whether the provider offers clear documentation, active maintenance, and transparent security practices. Look for signs of community trust (e.g., GitHub stars, endorsements), but don't assume even THAT means they deserve a gold star! Treat public MCPs like third-party vendors - because essentially, they are - but likely with less contractual governance. So if you WANT to take on nearly all the risk...