Who | What | When |
---|---|---|
up_the_irons | finally, an A+ -- https://www.ssllabs.com/ssltest/analyze.html?d=arpnetworks.com&s=208.79.89.246 | [00:25] |
....................... (idle for 1h51mn) | ||
up_the_irons | weeeeeeeeeeeeeeeeeee | [02:22] |
*** | hive-mind has quit IRC (Remote host closed the connection)
hazardous has joined #arpnetworks hive-mind has joined #arpnetworks | [02:22] |
.... (idle for 16mn) | ||
nathani has quit IRC (Read error: Connection reset by peer) | [02:39] | |
...... (idle for 27mn) | ||
.... (idle for 16mn) | ||
....................................... (idle for 3h10mn) | ||
neish has quit IRC (Read error: Connection reset by peer)
neish has joined #arpnetworks | [06:39] | |
.......................... (idle for 2h7mn) | ||
fIorz | up_the_irons: I think I would drop the 3DES suites? also, portal doesn't have HSTS, and you use HSTS without includeSubDomains, which generally would be recommended to avoid cookie leaks, if possible | [08:46] |
............. (idle for 1h1mn) | ||
*** | mercutio has quit IRC (Ping timeout: 248 seconds) | [09:47] |
................ (idle for 1h16mn) | ||
Guest92753 has quit IRC (Ping timeout: 260 seconds)
Guest92753 has joined #arpnetworks | [11:03] | |
............................. (idle for 2h21mn) | ||
mercutio has joined #arpnetworks
ChanServ sets mode: +o mercutio | [13:25] | |
up_the_irons | fIorz: thing is, I'm not too sure how to make modifications wrt HSTS (it's new to me) | [13:35] |
brycec | https://cipherli.st
eg for nginx it's the add_header directive (of course, you'll want to know what you're doing first, *especially* when it comes to setting includeSubDomains) | [13:37] |
mercutio | i think includesubdomains is bad idea myself
having hsts in chrome etc would be good though | [13:38] |
mike-burns | Depends what the subdomains are/how much control you have over them. | [13:39] |
brycec | When you set includeSubDomains, browsers visiting the website will pick that up and store that for future use. Any time a user tries "whatever.arpnetworks.com" their browser will automatically force https. If you have subdomains without https, they are now broken to those users. | [13:39] |
mercutio | brycec: and you can't go back ;) | [13:39] |
brycec | mercutio: you can, but it's a beast. | [13:39] |
mercutio | oh i thought you had to wait for expiration time | [13:40] |
brycec | In chrome anyways, you gotta dive into chrome://net-internals#hsts | [13:40] |
mercutio | so yeah you can't go back :) | [13:40] |
brycec | and delete the domain from the browser's learned HSTS hosts
Effectively, yeah. I think it's an alright idea, but you really gotta know what you're doing with it and whether it's safe to use it. Much like TNT. | [13:40] |
mercutio | brycec: do you know how reliable revoking is now? | [13:46] |
mike-burns | You could add TLS to all subdomains... | [13:49] |
brycec | mercutio: revoking what? | [13:52] |
mercutio | brycec: ssl cert
my understanding is that that doesn't work very well. but times may have changed | [13:52] |
brycec | afaik nothing has changed, but more people are realizing it's easier to have short timeframe certificates instead | [13:53] |
up_the_irons | i'm too conservative to add includeSubDomains from the outset | [13:53] |
brycec | up_the_irons: good man. | [13:53] |
mike-burns | Makes sense. | [13:53] |
up_the_irons | :) | [13:53] |
mercutio | yeah google really led the way on short certs
but i don't know of one big cert outfits doing it yet s/one/any/ | [13:55] |
BryceBot | <mercutio> but i don't know of any big cert outfits doing it yet | [13:55] |
mike-burns | Isn't Let's Encrypt doing short certs? | [13:56] |
mercutio | they're not "big" | [13:56] |
mike-burns | Oh. | [13:56] |
mercutio | they're getting bigger
it's nowhere near the size of comodo etc | [13:56] |
brycec | I saw a headline the other day suggesting LE may be one of the largest CAs now
https://www.eff.org/deeplinks/2016/10/lets-encrypt-largest-certificate-authority-web | [14:02] |
mike-burns | It's hard to beat free. | [14:02] |
mercutio | biggest by revenue? | [14:04] |
brycec | lolol | [14:04] |
mercutio | let's encrypt is used by 3% of top 10 million web sites
but a lot of low traffic sites | [14:06] |
*** | Guest92753 has quit IRC (Ping timeout: 252 seconds)
Guest92753 has joined #arpnetworks | [14:12] |
.... (idle for 16mn) | ||
Guest92753 has quit IRC (Ping timeout: 260 seconds) | [14:32] | |
...... (idle for 27mn) | ||
Guest92753 has joined #arpnetworks | [14:59] | |
........ (idle for 36mn) | ||
carvite has quit IRC (Ping timeout: 248 seconds) | [15:35] | |
carvite has joined #arpnetworks | [15:43] | |
........ (idle for 38mn) | ||
mkb_ has joined #arpnetworks
mkb has quit IRC (Ping timeout: 265 seconds) mkb_ is now known as mkb | [16:21] | |
................ (idle for 1h19mn) | ||
hazardous | brycec: I think you can set a new HSTS policy on the primary domain to expire in one second or something to clear it, at least that's what I remember
But that requires the primary domain be accessible still to unset includesubdomains | [17:45] |
fIorz | that doesn't solve the case where a browser that has seen the HSTS header tries to access whatever.domain.tld via TLS even though it's not available via TLS--until it makes a request to domain.tld to receive the short-lived HSTS header, it will insist on using TLS | [17:57] |
mkb | which means you've got to keep TLS on at least as long as you had to before in case someone doesn't see the 1 second header before you kill TLS | [18:01] |
fIorz | up_the_irons: sure, being careful certainly is a good idea as there is no easy way back, and you have to be sure that all your subdomains are indeed accessible via TLS before you enforce it, that's why I said "if possible"
up_the_irons: but without includeSubDomains, HSTS is actually rather ineffective (or at least you'd have to be very careful with all the web software you are running on that domain for it to be effective)
up_the_irons: and that is due to the way cookies work for historical reasons: your order form on https://arpnetworks.com/, for example, sets a cookie that is not limited to HTTPS
up_the_irons: now, if an eavesdropping attacker wants to learn that cookie despite your use of HSTS, all they need to do is to make the browser make a request to some subdomain.arpnetworks.com that doesn't have HSTS set (or at least the browser doesn't know about it yet) via plain HTTP
up_the_irons: which is relatively easy to do, if they can get the victim to somehow visit some website under their control
up_the_irons: or, if the attacker can do MitM, they can simply hijack any plain HTTP request of the client to any site whatsoever and inject some code into the response that accesses that subdomain
up_the_irons: and as a MitM, they wouldn't even be limited to existing subdomains of arpnetworks.com, they could just fake a DNS response and HTTP server for randomgarbage.arpnetworks.com and inject an access to that
up_the_irons: the browser will then happily send that cookie in plaintext, which means the attacker can take over the session
up_the_irons: now, given that the whole point of HSTS kinda is to protect against MitMs (who could hijack the initial plain HTTP request of a user accessing your site that should ordinarily be redirected to the HTTPS version), it's not really all that useful if a MitM still can compromise your user's sessions | [18:12] |
as for revocation of certificates: well, yeah, short-lived certs are one solution, but there is also OCSP must-staple, a certificate extension that tells the browser that the webserver must provide a valid stapled OCSP response or else the certificate is to be considered in valid
IIRC OCSP must-staple has landed in a recent firefox release version
erm, *invalid | [18:35] | |
mercutio | damn fIorz is knowledgable | [18:41] |
..... (idle for 21mn) | ||
up_the_irons | fIorz knows everything | [19:02] |
brycec | brycec was just lazy and didn't want to type all that out :p | [19:07] |
fIorz | *gg* | [19:08] |
up_the_irons | haha | [19:09] |
fIorz | up_the_irons: btw, there isn't really any reason to keep around any of the non-PFS cipher suites (except for the 3DES if you do actually care about support for win XP, which is a bad idea anyway whether it's PFS or not due to DES's short block size, see https://sweet32.info/) | [19:13] |
mercutio | ie6/xp is blocked already | [19:13] |
fIorz | yeah, but that couldn't even speak TLS 1.0, so it's beyond hopeless if you care about security | [19:15] |
mercutio | yeah there's no ssl3 at all | [19:15] |
fIorz | 3DES still takes some effort to attack, but if you don't really need it, it's probably better to avoid it | [19:17] |
mercutio | so dropping 3des drops ie8/xp
up_the_irons: thoughts? | [19:18] |
fIorz | yep | [19:19] |
up_the_irons | hasn't microsoft even dropped support for ie8 and xp | [19:21] |
mercutio | yeah they dropped xp. it's mostly Chinese that use it afaik
so it's mostly if you want Chinese vps users that want to vpn | [19:21] |
up_the_irons | that's actually not too uncommon | [19:22] |
mercutio | at least that's from my understanding
yeh maybe price point | [19:22] |
fIorz | and even then, shouldn't a more recent firefox work on xp, which IIRC uses its own NSS on windows, so probably should know some better cipher suites than IE? | [19:23] |
mercutio | yeah
that's why i said ie8/xp rather than xp | [19:24] |
fIorz | I guess my point is: even if someone is still using XP for whatever reason, how likely is it that someone who bothers to set up their own VPN would still be using the ancient IE that comes with it? | [19:28] |
mercutio | ie8 never came with xp did it? | [19:29] |
fIorz | erm, that might be true, I don't actually know | [19:30] |
mercutio | edge seems ok
but i was never a fond of ie | [19:39] |