***: mkb has quit IRC (*.net *.split)
tabthorpe has quit IRC (*.net *.split)
dne has quit IRC (*.net *.split)
mjp_ has quit IRC (*.net *.split)
mrsaint_ has quit IRC (*.net *.split)
eryc has quit IRC (*.net *.split)
toeshred has quit IRC (*.net *.split)
tooth has quit IRC (*.net *.split)
karstensrage has quit IRC (*.net *.split)
mhoran_ has quit IRC (*.net *.split)
toddf has quit IRC (*.net *.split)
KILLALLHUMANS01 has quit IRC (*.net *.split)
pjs has quit IRC (*.net *.split)
Guest92753 has quit IRC (*.net *.split)
d^_^b has quit IRC (*.net *.split)
ant has quit IRC (*.net *.split)
mike-burns has quit IRC (*.net *.split)
joepie91_ has quit IRC (*.net *.split)
trobotham has quit IRC (*.net *.split)
_iwc has quit IRC (*.net *.split)
awyeah has quit IRC (*.net *.split)
sjackso has quit IRC (*.net *.split)
BryceBot has quit IRC (*.net *.split)
brycec has quit IRC (*.net *.split)
tellnes has quit IRC (*.net *.split)
BryceBot has joined #arpnetworks
tellnes has joined #arpnetworks
brycec has joined #arpnetworks
hazardous has quit IRC (Ping timeout: 259 seconds)
up_the_irons: weeeeeeeeeeeeeeeeeee
***: hive-mind has quit IRC (Remote host closed the connection)
hazardous has joined #arpnetworks
hive-mind has joined #arpnetworks
nathani has quit IRC (Read error: Connection reset by peer)
mjp_ has joined #arpnetworks
mkb has joined #arpnetworks
trobotham has joined #arpnetworks
_iwc has joined #arpnetworks
awyeah has joined #arpnetworks
sjackso has joined #arpnetworks
nathani has joined #arpnetworks
Guest92753 has joined #arpnetworks
d^_^b has joined #arpnetworks
ant has joined #arpnetworks
mike-burns has joined #arpnetworks
joepie91_ has joined #arpnetworks
tepper.freenode.net sets mode: +o mike-burns
tabthorpe has joined #arpnetworks
dne has joined #arpnetworks
tabthorpe has quit IRC (*.net *.split)
dne has quit IRC (*.net *.split)
nathani has quit IRC (*.net *.split)
Guest92753 has quit IRC (*.net *.split)
d^_^b has quit IRC (*.net *.split)
ant has quit IRC (*.net *.split)
mike-burns has quit IRC (*.net *.split)
joepie91_ has quit IRC (*.net *.split)
trobotham has quit IRC (*.net *.split)
_iwc has quit IRC (*.net *.split)
awyeah has quit IRC (*.net *.split)
sjackso has quit IRC (*.net *.split)
mkb has quit IRC (*.net *.split)
mjp_ has quit IRC (*.net *.split)
trobotham has joined #arpnetworks
_iwc has joined #arpnetworks
awyeah has joined #arpnetworks
sjackso has joined #arpnetworks
tabthorpe has joined #arpnetworks
dne has joined #arpnetworks
mjp_ has joined #arpnetworks
nathani has joined #arpnetworks
Guest92753 has joined #arpnetworks
d^_^b has joined #arpnetworks
ant has joined #arpnetworks
mike-burns has joined #arpnetworks
joepie91_ has joined #arpnetworks
tepper.freenode.net sets mode: +o mike-burns
mrsaint_ has joined #arpnetworks
eryc has joined #arpnetworks
toeshred has joined #arpnetworks
tooth has joined #arpnetworks
karstensrage has joined #arpnetworks
mhoran_ has joined #arpnetworks
toddf has joined #arpnetworks
KILLALLHUMANS01 has joined #arpnetworks
pjs has joined #arpnetworks
tepper.freenode.net sets mode: +o toddf
mkb has joined #arpnetworks
hazardous has quit IRC (Changing host)
hazardous has joined #arpnetworks
neish has quit IRC (Read error: Connection reset by peer)
neish has joined #arpnetworks
fIorz: up_the_irons: I think I would drop the 3DES suites? also, portal doesn't have HSTS, and you use HSTS without includeSubDomains, which generally would be recommended to avoid cookie leaks, if possible
***: mercutio has quit IRC (Ping timeout: 248 seconds)
Guest92753 has quit IRC (Ping timeout: 260 seconds)
Guest92753 has joined #arpnetworks
mercutio has joined #arpnetworks
ChanServ sets mode: +o mercutio
up_the_irons: fIorz: thing is, I'm not too sure how to make modifications wrt HSTS (it's new to me)
brycec: https://cipherli.st
eg for nginx it's the add_header directive
(of course, you'll want to know what you're doing first, *especially* when it comes to setting includeSubDomains)
mercutio: i think includesubdomains is bad idea myself
having hsts in chrome etc would be good thoguh
mike-burns: Depends what the subdomains are/how much control you have over them.
brycec: When you set includeSubDomains, browsers visiting the website will pick that up and store that for future use. Any time a user tries "whatever.arpnetworks.com" their browser will automatically force https. If you have subdomains without https, they are now broken to those users.
mercutio: brycec: and you can't go back ;)
brycec: mercutio: you can, but it's a beast.
mercutio: oh i thought you had to wait for expiration time
brycec: In chrome anyways, you gotta dive into chrome://net-internals#hsts
mercutio: so yeah you can't go back :)
brycec: and delete the domain from the browser's learned HSTS hosts
Effectively, yeah.
I think it's an alright idea, but you really gotta know what you're doing with it and whether it's safe to use it. Much like TNT.
mercutio: brycec: do you know how reliable revoking is now?
mike-burns: You could add TLS to all subdomains...
brycec: mercutio: revoking what?
mercutio: brycec: ssl cert
my understanding is that that doesn't work very well. but times may have changed
brycec: afaik nothing has changed, but more people are realizing it's easier to have short timeframe certificates instead
up_the_irons: i'm too conservative to add includeSubDomains from the outset
brycec: up_the_irons: good man.
mike-burns: Makes sense.
up_the_irons: :)
mercutio: yeah google really led the way on short certs
but i don't know of one big cert outfits doing it yet
s/one/any/
BryceBot: <mercutio> but i don't know of any big cert outfits doing it yet
mike-burns: Isn't Let's Encrypt doing short certs?
mercutio: they're not "big"
mike-burns: Oh.
mercutio: they're getting bigger
it's nowhere near the size of comodo etc
brycec: I saw a headline the other day suggesting LE may be one of the largest CAs now
https://www.eff.org/deeplinks/2016/10/lets-encrypt-largest-certificate-authority-web
mike-burns: It's hard to beat free.
mercutio: biggest by revenue?
brycec: lolol
mercutio: let's encrypt is used by 3% of top 10 million web sites
but a lot of low traffic sites
***: Guest92753 has quit IRC (Ping timeout: 252 seconds)
Guest92753 has joined #arpnetworks
Guest92753 has quit IRC (Ping timeout: 260 seconds)
Guest92753 has joined #arpnetworks
carvite has quit IRC (Ping timeout: 248 seconds)
carvite has joined #arpnetworks
mkb_ has joined #arpnetworks
mkb has quit IRC (Ping timeout: 265 seconds)
mkb_ is now known as mkb
hazardous: brycec: I think you can set a new HSTS policy on the primary domain to expire in one second or something to clear it, at least that's what I remember
But that requires the primary domain be accessible still to unset includesubdomains
fIorz: that doesn't solve the case where a browser that has seen the HSTS header tries to access whatever.domain.tld via TLS even though it's not available via TLS--until it makes a request to domain.tld to receive the short-lives HSTS header, it will insist on using TLS
mkb: which means you've got to keep TLS on at least as long as you had to before in case someone doesn't see the 1 second header before you kill TLS
fIorz: up_the_irons: sure, being careful certainly is a good idea as there is no easy way back, and you have to be sure that all your subdomains are indeed accessible via TLS before you enforce it, that's why I said "if possible"
up_the_irons: but without includeSubDomains, HSTS is actually rather ineffective (or at least you'd have to be very careful with all the web software you are running on that domain for it to be effective)
up_the_irons: and that is due to the way cookies work for historical reasons: your order form on https://arpnetworks.com/, for example, sets a cookie that is not limited to HTTPS
up_the_irons: now, if an eavesdropping attacker wants to learn that cookie despite your use of HSTS, all they need to do is to make the browser make a request to some subdomain.arpnetworks.com that doesn't have HSTS set (or at least the browser doesn't know about it yet) via plain HTTP
up_the_irons: which is relatively easy to do, if they can get the victim to somehow visit some website under their control
up_the_irons: or, if the attacker can do MitM, they can simply hijack any plain HTTP request of the client to any site whatsoever and inject some code into the response that accesses that subdomain
up_the_irons: and as a MitM, they wouldn't even be limited to existing subdomains of arpnetworks.com, they could just fake a DNS response and HTTP server for randomgarbage.arpnetworks.com and inject a access to that
up_the_irons: the browser will then happily send that cookie in plaintext, which means the attacker can take over the session
up_the_irons: now, given that the whole point of HSTS kinda is to protect against MitMs (who could hijack the initial plain HTTP request of a user accessing your site that should ordinarily be redirected to the HTTPS version), it's not really all that useful if a MitM still can compromise your user's sessions
as for revocation of certificates: well, yeah, short-lived certs are one solution, but there is also OCSP must-staple, a certificate extension that tells the browser that the webserver must provide a valid stapled OCSP response or else the certificate is to be considered in valid
IIRC OCSP must-staple has landed in a recent firefox release version
erm, *invalid
mercutio: damn fIorz is knowledgable
up_the_irons: fIorz knows everything
-: brycec was just lazy and didn't want to type all that out :p
fIorz: *gg*
up_the_irons: haha
fIorz: up_the_irons: btw, there isn't really any reason to keep around any of the non-PFS cipher suites (except for the 3DES if you do actually care about support for win XP, which is a bad idea anyway whether it's PFS or not due to DES's short block size, see https://sweet32.info/)
mercutio: ie6/xp is blocked already
fIorz: yeah, but that couldn't even speak TLS 1.0, so it's beyond hopeless if you care about security
mercutio: yeah there's no ssl3 at all
fIorz: 3DES still takes some effort to attack, but if you don't really need it, it's probably better to avoid it
mercutio: so dropping 3des drops ie8/xp
up_the_irons: thoughts?
fIorz: yep
up_the_irons: hasn't microsoft even dropped support for ie8 and xp
mercutio: yeah they dropped xp. it's mostly chinese that use it afaik
so it's mostly if you want chinese vps users that want to vpn
up_the_irons: that's actually not too uncommon
mercutio: at least that's from my understanding
yeh maybe price point
fIorz: and even then, shouldn't a more recent firefox work on xp, which IIRC uses its own NSS on windows, so probably should know some better cipher suites than IE?
mercutio: yeah
that's why i said ie8/xp rather than xp
fIorz: I guess my point is: even if someone is still using XP for whatever reason, how likely is it that someone who bothers to set up their own VPN would still be using the ancient IE that comes with it?
mercutio: ie8 never came with xp did it?
fIorz: erm, that might be true, I don't actually know
mercutio: edge seems ok
but i was never a found of ie