[00:25] finally, an A+ -- https://www.ssllabs.com/ssltest/analyze.html?d=arpnetworks.com&s=208.79.89.246 [02:16] *** mkb has quit IRC (*.net *.split) [02:17] *** tabthorpe has quit IRC (*.net *.split) [02:17] *** dne has quit IRC (*.net *.split) [02:17] *** mjp_ has quit IRC (*.net *.split) [02:17] *** mrsaint_ has quit IRC (*.net *.split) [02:17] *** eryc has quit IRC (*.net *.split) [02:17] *** toeshred has quit IRC (*.net *.split) [02:17] *** tooth has quit IRC (*.net *.split) [02:17] *** karstensrage has quit IRC (*.net *.split) [02:17] *** mhoran_ has quit IRC (*.net *.split) [02:17] *** toddf has quit IRC (*.net *.split) [02:17] *** KILLALLHUMANS01 has quit IRC (*.net *.split) [02:17] *** pjs has quit IRC (*.net *.split) [02:17] *** Guest92753 has quit IRC (*.net *.split) [02:17] *** d^_^b has quit IRC (*.net *.split) [02:17] *** ant has quit IRC (*.net *.split) [02:17] *** mike-burns has quit IRC (*.net *.split) [02:17] *** joepie91_ has quit IRC (*.net *.split) [02:17] *** trobotham has quit IRC (*.net *.split) [02:17] *** _iwc has quit IRC (*.net *.split) [02:17] *** awyeah has quit IRC (*.net *.split) [02:17] *** sjackso has quit IRC (*.net *.split) [02:17] *** BryceBot has quit IRC (*.net *.split) [02:17] *** brycec has quit IRC (*.net *.split) [02:17] *** tellnes has quit IRC (*.net *.split) [02:19] *** BryceBot has joined #arpnetworks [02:19] *** tellnes has joined #arpnetworks [02:19] *** brycec has joined #arpnetworks [02:20] *** hazardous has quit IRC (Ping timeout: 259 seconds) [02:22] weeeeeeeeeeeeeeeeeee [02:22] *** hive-mind has quit IRC (Remote host closed the connection) [02:23] *** hazardous has joined #arpnetworks [02:23] *** hive-mind has joined #arpnetworks [02:39] *** nathani has quit IRC (Read error: Connection reset by peer) [03:06] *** mjp_ has joined #arpnetworks [03:07] *** mkb has joined #arpnetworks [03:07] *** trobotham has joined #arpnetworks [03:07] *** _iwc has joined #arpnetworks [03:07] *** awyeah has joined #arpnetworks [03:07] *** sjackso has joined #arpnetworks [03:09] *** nathani has joined #arpnetworks [03:09] *** Guest92753 has joined #arpnetworks [03:09] *** d^_^b has joined #arpnetworks [03:09] *** ant has joined #arpnetworks [03:09] *** mike-burns has joined #arpnetworks [03:09] *** joepie91_ has joined #arpnetworks [03:09] *** tepper.freenode.net sets mode: +o mike-burns [03:10] *** tabthorpe has joined #arpnetworks [03:10] *** dne has joined #arpnetworks [03:10] *** tabthorpe has quit IRC (*.net *.split) [03:10] *** dne has quit IRC (*.net *.split) [03:10] *** nathani has quit IRC (*.net *.split) [03:10] *** Guest92753 has quit IRC (*.net *.split) [03:10] *** d^_^b has quit IRC (*.net *.split) [03:10] *** ant has quit IRC (*.net *.split) [03:10] *** mike-burns has quit IRC (*.net *.split) [03:10] *** joepie91_ has quit IRC (*.net *.split) [03:10] *** trobotham has quit IRC (*.net *.split) [03:10] *** _iwc has quit IRC (*.net *.split) [03:10] *** awyeah has quit IRC (*.net *.split) [03:10] *** sjackso has quit IRC (*.net *.split) [03:10] *** mkb has quit IRC (*.net *.split) [03:10] *** mjp_ has quit IRC (*.net *.split) [03:26] *** trobotham has joined #arpnetworks [03:26] *** _iwc has joined #arpnetworks [03:26] *** awyeah has joined #arpnetworks [03:26] *** sjackso has joined #arpnetworks [03:27] *** tabthorpe has joined #arpnetworks [03:27] *** dne has joined #arpnetworks [03:27] *** mjp_ has joined #arpnetworks [03:27] *** nathani has joined #arpnetworks [03:27] *** Guest92753 has joined #arpnetworks [03:27] *** d^_^b has joined #arpnetworks [03:27] *** ant has joined #arpnetworks [03:27] *** mike-burns has joined #arpnetworks [03:27] *** joepie91_ has joined #arpnetworks [03:27] *** tepper.freenode.net sets mode: +o mike-burns [03:28] *** mrsaint_ has joined #arpnetworks [03:28] *** eryc has joined #arpnetworks [03:28] *** toeshred has joined #arpnetworks [03:28] *** tooth has joined #arpnetworks [03:28] *** karstensrage has joined #arpnetworks [03:28] *** mhoran_ has joined #arpnetworks [03:28] *** toddf has joined #arpnetworks [03:28] *** KILLALLHUMANS01 has joined #arpnetworks [03:28] *** pjs has joined #arpnetworks [03:28] *** tepper.freenode.net sets mode: +o toddf [03:28] *** mkb has joined #arpnetworks [03:29] *** hazardous has quit IRC (Changing host) [03:29] *** hazardous has joined #arpnetworks [06:39] *** neish has quit IRC (Read error: Connection reset by peer) [06:39] *** neish has joined #arpnetworks [08:46] up_the_irons: I think I would drop the 3DES suites? also, portal doesn't have HSTS, and you use HSTS without includeSubDomains, which generally would be recommended to avoid cookie leaks, if possible [09:47] *** mercutio has quit IRC (Ping timeout: 248 seconds) [11:03] *** Guest92753 has quit IRC (Ping timeout: 260 seconds) [11:04] *** Guest92753 has joined #arpnetworks [13:25] *** mercutio has joined #arpnetworks [13:25] *** ChanServ sets mode: +o mercutio [13:35] fIorz: thing is, I'm not too sure how to make modifications wrt HSTS (it's new to me) [13:37] https://cipherli.st [13:37] eg for nginx it's the add_header directive [13:37] (of course, you'll want to know what you're doing first, *especially* when it comes to setting includeSubDomains) [13:38] i think includesubdomains is bad idea myself [13:39] having hsts in chrome etc would be good thoguh [13:39] Depends what the subdomains are/how much control you have over them. [13:39] When you set includeSubDomains, browsers visiting the website will pick that up and store that for future use. Any time a user tries "whatever.arpnetworks.com" their browser will automatically force https. If you have subdomains without https, they are now broken to those users. [13:39] brycec: and you can't go back ;) [13:39] mercutio: you can, but it's a beast. [13:40] oh i thought you had to wait for expiration time [13:40] In chrome anyways, you gotta dive into chrome://net-internals#hsts [13:40] so yeah you can't go back :) [13:40] and delete the domain from the browser's learned HSTS hosts [13:40] Effectively, yeah. [13:41] I think it's an alright idea, but you really gotta know what you're doing with it and whether it's safe to use it. Much like TNT. [13:46] brycec: do you know how reliable revoking is now? [13:49] You could add TLS to all subdomains... [13:52] mercutio: revoking what? [13:52] brycec: ssl cert [13:52] my understanding is that that doesn't work very well. but times may have changed [13:53] afaik nothing has changed, but more people are realizing it's easier to have short timeframe certificates instead [13:53] i'm too conservative to add includeSubDomains from the outset [13:53] up_the_irons: good man. [13:53] Makes sense. [13:53] :) [13:55] yeah google really led the way on short certs [13:55] but i don't know of one big cert outfits doing it yet [13:55] s/one/any/ [13:55] but i don't know of any big cert outfits doing it yet [13:56] Isn't Let's Encrypt doing short certs? [13:56] they're not "big" [13:56] Oh. [13:56] they're getting bigger [13:56] it's nowhere near the size of comodo etc [14:02] I saw a headline the other day suggesting LE may be one of the largest CAs now [14:02] https://www.eff.org/deeplinks/2016/10/lets-encrypt-largest-certificate-authority-web [14:02] It's hard to beat free. [14:04] biggest by revenue? [14:04] lolol [14:06] let's encrypt is used by 3% of top 10 million web sites [14:06] but a lot of low traffic sites [14:12] *** Guest92753 has quit IRC (Ping timeout: 252 seconds) [14:16] *** Guest92753 has joined #arpnetworks [14:32] *** Guest92753 has quit IRC (Ping timeout: 260 seconds) [14:59] *** Guest92753 has joined #arpnetworks [15:35] *** carvite has quit IRC (Ping timeout: 248 seconds) [15:43] *** carvite has joined #arpnetworks [16:21] *** mkb_ has joined #arpnetworks [16:22] *** mkb has quit IRC (Ping timeout: 265 seconds) [16:26] *** mkb_ is now known as mkb [17:45] brycec: I think you can set a new HSTS policy on the primary domain to expire in one second or something to clear it, at least that's what I remember [17:45] But that requires the primary domain be accessible still to unset includesubdomains [17:57] that doesn't solve the case where a browser that has seen the HSTS header tries to access whatever.domain.tld via TLS even though it's not available via TLS--until it makes a request to domain.tld to receive the short-lives HSTS header, it will insist on using TLS [18:01] which means you've got to keep TLS on at least as long as you had to before in case someone doesn't see the 1 second header before you kill TLS [18:12] up_the_irons: sure, being careful certainly is a good idea as there is no easy way back, and you have to be sure that all your subdomains are indeed accessible via TLS before you enforce it, that's why I said "if possible" [18:14] up_the_irons: but without includeSubDomains, HSTS is actually rather ineffective (or at least you'd have to be very careful with all the web software you are running on that domain for it to be effective) [18:16] up_the_irons: and that is due to the way cookies work for historical reasons: your order form on https://arpnetworks.com/, for example, sets a cookie that is not limited to HTTPS [18:18] up_the_irons: now, if an eavesdropping attacker wants to learn that cookie despite your use of HSTS, all they need to do is to make the browser make a request to some subdomain.arpnetworks.com that doesn't have HSTS set (or at least the browser doesn't know about it yet) via plain HTTP [18:20] up_the_irons: which is relatively easy to do, if they can get the victim to somehow visit some website under their control [18:21] up_the_irons: or, if the attacker can do MitM, they can simply hijack any plain HTTP request of the client to any site whatsoever and inject some code into the response that accesses that subdomain [18:22] up_the_irons: and as a MitM, they wouldn't even be limited to existing subdomains of arpnetworks.com, they could just fake a DNS response and HTTP server for randomgarbage.arpnetworks.com and inject a access to that [18:23] up_the_irons: the browser will then happily send that cookie in plaintext, which means the attacker can take over the session [18:27] up_the_irons: now, given that the whole point of HSTS kinda is to protect against MitMs (who could hijack the initial plain HTTP request of a user accessing your site that should ordinarily be redirected to the HTTPS version), it's not really all that useful if a MitM still can compromise your user's sessions [18:35] as for revocation of certificates: well, yeah, short-lived certs are one solution, but there is also OCSP must-staple, a certificate extension that tells the browser that the webserver must provide a valid stapled OCSP response or else the certificate is to be considered in valid [18:35] IIRC OCSP must-staple has landed in a recent firefox release version [18:36] erm, *invalid [18:41] damn fIorz is knowledgable [19:02] fIorz knows everything [19:07] * brycec was just lazy and didn't want to type all that out :p [19:08] *gg* [19:09] haha [19:13] up_the_irons: btw, there isn't really any reason to keep around any of the non-PFS cipher suites (except for the 3DES if you do actually care about support for win XP, which is a bad idea anyway whether it's PFS or not due to DES's short block size, see https://sweet32.info/) [19:13] ie6/xp is blocked already [19:15] yeah, but that couldn't even speak TLS 1.0, so it's beyond hopeless if you care about security [19:15] yeah there's no ssl3 at all [19:17] 3DES still takes some effort to attack, but if you don't really need it, it's probably better to avoid it [19:18] so dropping 3des drops ie8/xp [19:18] up_the_irons: thoughts? [19:19] yep [19:21] hasn't microsoft even dropped support for ie8 and xp [19:21] yeah they dropped xp. it's mostly chinese that use it afaik [19:22] so it's mostly if you want chinese vps users that want to vpn [19:22] that's actually not too uncommon [19:22] at least that's from my understanding [19:22] yeh maybe price point [19:23] and even then, shouldn't a more recent firefox work on xp, which IIRC uses its own NSS on windows, so probably should know some better cipher suites than IE? [19:24] yeah [19:24] that's why i said ie8/xp rather than xp [19:28] I guess my point is: even if someone is still using XP for whatever reason, how likely is it that someone who bothers to set up their own VPN would still be using the ancient IE that comes with it? [19:29] ie8 never came with xp did it? [19:30] erm, that might be true, I don't actually know [19:39] edge seems ok [19:39] but i was never a found of ie