www.lrpcyberia.pt

Authorized security testing endpoint.

TLSv1.3 PQC YES HSTS ✓ Fwd Secrecy ✓ Headers 6/6 HTTP/2 ✓

Authorized Ethical Testing Notice

This endpoint is part of a controlled and authorized lab. Unknown hostnames are not part of the public lab scope.

Legal & Ethical Use Statement — expand

This environment is operated exclusively as a controlled laboratory for authorized cybersecurity research, education, penetration testing training, and protocol demonstration. Access and use of this system is permitted only within the scope of a written or explicitly agreed authorization.

By accessing this system you acknowledge and agree that:

Any unauthorized access, exploitation, data exfiltration, denial-of-service, or other offensive activity against this or any third-party system is strictly prohibited and constitutes a criminal offence under applicable law (including but not limited to: Computer Fraud and Abuse Act (USA), Computer Misuse Act (UK), Lei n.º 109/2009 (Portugal), NIS2 Directive (EU), and equivalent national legislation).
The operators of this system expressly disclaim all liability for any misuse, unauthorized access, illegal or immoral activity, or any direct, indirect, incidental, consequential, or special damages — including but not limited to loss of data, loss of revenue, loss of profit, business interruption, or reputational harm — arising from any unauthorized, abusive, or illegal use of or reliance on this system or its outputs.
All sessions on this system are monitored and logged. Connection metadata, TLS parameters, and client information are recorded for security research and audit purposes.
This system provides no warranties of availability, accuracy, completeness, or fitness for any particular purpose. It is provided strictly as-is for laboratory use.
Any security findings, vulnerabilities discovered, or sensitive information encountered during authorized testing must be handled in accordance with responsible disclosure principles and must not be shared, published, or exploited outside the authorized scope.

If you are not an authorized participant in this lab, disconnect immediately.

Server Time

Current server date and time 2026-05-12 15:27:53 +0100

Timezone Europe/Lisbon

NTP synchronized yes

NTP provider detected ntp/ntpsec

Selected NTP server/source time.cloudflare — (DNS timeout)

Candidate NTP server/source list

smtp-in1.aqea.n
time.cloudflare

Client Request

Remote address observed by Apache 216.73.216.223

Remote client port observed by Apache 13324

HTTP Host www.lrpcyberia.pt

Apache virtual host endpoint www.lrpcyberia.pt:443

User-Agent Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)

Client browser / version Mozilla

TLS Session & Certificate

Connection

Protocol negotiated TLSv1.3

Cipher suite TLS_AES_256_GCM_SHA384 Symmetric key: 256 bits used | algorithm max: 256 bits

Apache-linked OpenSSL OpenSSL/3.5.5

TLS SNI hostname www.lrpcyberia.pt

Session type Initial

Post-Quantum Key Exchange — This Connection

PQC negotiation status YES (inferred) — TLS 1.3 · OpenSSL 3.5+ · PQC groups offered All server-side PQC conditions are met. Probe via openssl s_client did not return a KE group name; a modern client (Chrome 124+, Firefox 132+, curl/OpenSSL 3.5+) will negotiate the strongest mutual hybrid group.

Client browser — PQC readinessMozillaPQC support for this client is unknown. Minimum versions: Chrome 124+, Edge 124+, Firefox 132+.

Key exchange group — dissected

Key exchange group could not be determined (probe failed). See PQC status above.

TLS probe raw output (debug)

show / hide

CONNECTED(00000003)
---
Certificate chain
 0 s:CN=lrpcyberai.pt
   i:C=US, O=Let's Encrypt, CN=E7
   a:PKEY: EC, (secp384r1); sigalg: ecdsa-with-SHA384
   v:NotBefore: May 12 12:26:07 2026 GMT; NotAfter: Aug 10 12:26:06 2026 GMT
 1 s:C=US, O=Let's Encrypt, CN=E7
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID+zCCA4KgAwIBAgISBY6UKTeiUUBHSLJhp1n1nd56MAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NzAeFw0yNjA1MTIxMjI2MDdaFw0yNjA4MTAxMjI2MDZaMBgxFjAUBgNVBAMTDWxy
cGN5YmVyYWkucHQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAS0cHfuXSC0ZnsPnAHi
kfQJPyVhtTJU8kBWqlMMousQlWfEnIFogTzCM13nV/6OTwPqiGNf6K5n+nJZXHWT
+OcVFZU8cDWwzpL3biMr8n5NGz8UsMrxfUbIRiR3IS80EsKjggJzMIICbzAOBgNV
HQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAd
BgNVHQ4EFgQU45x15OHo/ItuDQmfKFNYk4mgbTcwHwYDVR0jBBgwFoAUrkie3Icd
RKBv2qLlYHQEeMKcAIAwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRw
Oi8vZTcuaS5sZW5jci5vcmcvMHEGA1UdEQRqMGiCDmUtc2VjdXJpdHkudG9wgg1s
cnBjeWJlcmFpLnB0gg1scnBjeWJlcmlhLnB0ghJ3d3cuZS1zZWN1cml0eS50b3CC
EXd3dy5scnBjeWJlcmFpLnB0ghF3d3cubHJwY3liZXJpYS5wdDATBgNVHSAEDDAK
MAgGBmeBDAECATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vZTcuYy5sZW5jci5v
cmcvMTIzLmNybDCCAQwGCisGAQQB1nkCBAIEgf0EgfoA+AB2AMijxH/Hs625NWsB
P2p6Em3jOk5DpcZG+ZetOXWZHc+aAAABnhxcYyMAAAQDAEcwRQIhAKkLjIdmgq+Z
xAIaZ1SNO9OUNZ5MJQnkuUsKzrBVmZcNAiBN+DA7jTeIK/Sp3tUiVvdtD/46tfz4
aflbG45fsEQvvwB+AEavhj07PuWfpXfeqCRdNrDZ7SKiI/Rhd0EilFLulVBfAAAB
nhxcY1EACAAABQAGZckUBAMARzBFAiBrN4bb5R8MlF4QOGmZ79nN4rICPfbz0g7M
23fX5GmceAIhALaKM141XLn1KSf3ITE2stWG2VezLvQydxfap2tR1exiMAoGCCqG
SM49BAMDA2cAMGQCMGRpUjMU7p3u9R1CrK9KNeaYZLLQ9IRqXfzedAd7NIkxkcZQ
6Lmk6WX+//Q9h9ShqQIwLxjioOwaSKHIffZES9MjFzofleswp7ft3DJ7f3K5gHQ9
RXMuRf6IZcyk+7CIpxYT
-----END CERTIFICATE-----
subject=CN=lrpcyberai.pt
issuer=C=US, O=Let's Encrypt, CN=E7
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ecdsa_secp384r1_sha384
Negotiated TLS1.3 group: SecP384r1MLKEM1024
---
SSL handshake has read 4182 bytes and written 2048 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 384 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

---STDERR---
Connecting to 127.0.0.1
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E7
verify return:1
depth=0 CN=lrpcyberai.pt
verify return:1
DONE

Server PQC Capability

PQC library support YES — ML-KEM (FIPS 203) native support Binary: OpenSSL 3.5.5 27 Jan 2026 (Library: OpenSSL 3.5.5 27 Jan 2026)

PQC groups available in OpenSSL

ML-KEM-512 — ML-KEM-512 (pure KEM) · NIST Level 1 / FIPS 203
ML-KEM-768 — ML-KEM-768 (pure KEM) · NIST Level 3 / FIPS 203
ML-KEM-1024 — ML-KEM-1024 (pure KEM) · NIST Level 5 / FIPS 203
X25519MLKEM768 — X25519 + ML-KEM-768 · NIST Level 3 / ~192-bit PQC
X448MLKEM1024 — X448 + ML-KEM-1024 · NIST Level 5 / ~256-bit PQC
SecP256r1MLKEM768 — P-256 + ML-KEM-768 · NIST Level 3 / ~192-bit PQC
SecP384r1MLKEM1024 — P-384 + ML-KEM-1024 · NIST Level 5 / ~256-bit PQC

PQC hybrid groups configured in Apache (priority order)

SecP384r1MLKEM1024 — P-384 + ML-KEM-1024 · NIST Level 5 / ~256-bit PQC
X25519MLKEM768 — X25519 + ML-KEM-768 · NIST Level 3 / ~192-bit PQC
SecP256r1MLKEM768 — P-256 + ML-KEM-768 · NIST Level 3 / ~192-bit PQC

Classical fallback groups configured in Apache

P-384
P-256

Session Security & Forward Secrecy

Forward secrecyYES — every session uses a unique ephemeral keyTLS 1.3 mandates ephemeral key exchange on every handshake

Session fingerprint17e96a4531c91f8bSHA-256 of protocol · cipher · KE group · cert serial — compare across connections to confirm session isolation.

Session ticketsDISABLEDSSLSessionTickets Off — no ticket key compromise risk; every reconnect negotiates fresh keys.

Server Certificate

Certificate subject CN=lrpcyberai.pt

Certificate issuer CN=E7,O=Let's Encrypt,C=US

Validity window May 12 12:26:07 2026 GMT → Aug 10 12:26:06 2026 GMT

Key algorithm id-ecPublicKey

Signature algorithm ecdsa-with-SHA384

Cipher suite TLS_AES_256_GCM_SHA384 Symmetric strength: 256 bits

Serial number 058E942937A251404748B261A759F59DDE7A

Security Headers

Header	Value	Requirement
✓ HSTS	max-age=63072000; includeSubDomains	max-age ≥ 1 year
✓ X-Frame-Options	DENY	DENY or SAMEORIGIN
✓ X-Content-Type-Options	nosniff	nosniff
✓ Content-Security-Policy	default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'none'; base-u	present and non-trivial
✓ Referrer-Policy	no-referrer	present
✓ Permissions-Policy	camera=(), microphone=(), geolocation=(), payment=(), usb=(), bluetooth=(), serial=(), hid=()	present

DNS Certification Authority Authorization (CAA)

ns1.lrpcyberia.pt.

Quantum Threat Context

Why post-quantum cryptography matters and how this server is protected.

2022 – 2024

NIST PQC Standardization

NIST finalizes FIPS 203 (ML-KEM / Kyber), FIPS 204 (ML-DSA / Dilithium), FIPS 205 (SLH-DSA / SPHINCS+). First post-quantum standards ready for deployment.

2025 – 2026 (now)

Early Hybrid Deployment — This Server

OpenSSL 3.5 ships ML-KEM natively. Chrome 124+, Firefox 132+, and this Apache instance negotiate X25519MLKEM768 / SecP384r1MLKEM1024 hybrid key exchange. Classical + PQC keys are combined — breaking either requires breaking both.

~2030

Harvest Now, Decrypt Later risk materializes

Adversaries may already be archiving encrypted TLS traffic today. If a sufficiently powerful quantum computer becomes available by 2030, any RSA/ECC-only session recorded today could be decrypted retroactively. PQC hybrid KE prevents this.

2030 – 2035 (estimated)

Cryptographically Relevant Quantum Computer (CRQC)

Conservative NIST and NCSC estimates suggest a CRQC capable of breaking RSA-2048 and P-256 ECC within this window. Exact timeline is contested; defensive posture requires acting now.

ML-KEM security basis

Module Learning With Errors (MLWE)

ML-KEM is based on the hardness of MLWE, a lattice problem with no known efficient quantum algorithm. NIST Level 3 (ML-KEM-768) provides ~192-bit post-quantum security. The hybrid approach adds a classical key — even if PQC is somehow broken classically, the classical component still protects.

OWASP Coverage — This Endpoint

OWASP Top 10 (2021)

ID	Category	Status	Mitigation in place
A01	Broken Access Control	Mitigated	No writable endpoints; all routes return read-only diagnostic data; default-deny vhost blocks unknown hosts
A02	Cryptographic Failures	Mitigated	TLS 1.3 + PQC hybrid KE; HSTS enforced; ECDSA P-384 cert; AES-256-GCM preferred; no plaintext fallback
A03	Injection	Mitigated	No database, no shell execution of user input; all output escaped via html.escape(); WSGI isolates HTTP from OS
A04	Insecure Design	Mitigated	Security by design: least privilege, defence-in-depth, fail-secure defaults; no sensitive data stored; read-only WSGI app
A05	Security Misconfiguration	Mitigated	Hardened Apache: server tokens off, directory listing off, mod_evasive, custom error pages, security headers enforced
A06	Vulnerable & Outdated Components	Mitigated	Ubuntu 26.04 LTS; OpenSSL 3.5 (ML-KEM native); Apache 2.4 current; no third-party libraries in WSGI app
A07	Identification & Auth Failures	N/A	No authentication mechanism; endpoint is intentionally public read-only within authorized lab scope
A08	Software & Data Integrity	Mitigated	No external package dependencies; no dynamic code execution; WSGI app is self-contained and version-controlled
A09	Security Logging & Monitoring	Mitigated	Apache access/error logs with client port; fail2ban jails; session history recorded; syslog forwarding available
A10	Server-Side Request Forgery	Mitigated	No user-controlled URL parameters; internal probes (TLS probe, headers probe) use hardcoded 127.0.0.1 only

OWASP API Top 10 (2023)

ID	Category	Status	Mitigation in place
API1	Broken Object Level Authorization	N/A	No object-level resources or identifiers exposed
API2	Broken Authentication	N/A	No authentication — public read-only endpoint by design
API3	Broken Object Property Level Auth	N/A	No user-settable properties; all fields server-computed
API4	Unrestricted Resource Consumption	Mitigated	mod_evasive rate limiting; RequestReadTimeout; sysctl SYN cookies; fail2ban; UFW rate limit rules
API5	Broken Function Level Authorization	N/A	Single function: serve diagnostic page. No privileged functions exposed
API6	Unrestricted Sensitive Business Flows	N/A	No business flows; lab endpoint only
API7	Server-Side Request Forgery	Mitigated	Internal probes use static hardcoded addresses; no user input reaches network calls
API8	Security Misconfiguration	Mitigated	Same as A05: hardened Apache, no defaults, minimal attack surface
API9	Improper Inventory Management	Mitigated	Single versioned endpoint per domain; no shadow or undocumented routes
API10	Unsafe Consumption of APIs	Mitigated	No external API calls; internal probes (NTP, DNS, OpenSSL) are read-only diagnostic queries

Security by Design — Implemented Principles

Principle	How it is applied here
Minimise attack surface	Read-only WSGI app; no file upload, no forms, no database, no shell exec; default-deny vhost drops unknown Host headers
Secure defaults	TLS enforced on first connection; HSTS with 2-year max-age; session tickets disabled; PQC groups active without opt-in
Least privilege	WSGI daemon runs as www-data; private key mode 0600 root:root; app directory 0755; no root-owned writable paths in WSGI
Defence in depth	TLS (transport) + security headers (browser) + mod_evasive (rate) + fail2ban (IP ban) + UFW (network) — multiple independent layers
Fail securely	Errors return generic messages; server tokens hidden; directory listing disabled; WSGI exceptions caught and logged, not exposed to client
Avoid security by obscurity	Security depends on strong crypto (ML-KEM, AES-256, ECDSA P-384) and correct configuration — not on hiding server identity
Separation of duties	Certificate management (local Python script) separated from server hardening (server bash script) separated from application logic (WSGI app)
Fix security issues correctly	Configuration generated from validated templates with backup/rollback; each hardening step idempotent and logged

Session Cipher History — Last 10 HTTPS Connections

Show session log

Timestamp (UTC)	Protocol	Cipher	Bits	KE Group	PQC	Fingerprint
No sessions recorded yet.