#arpnetworks 2016-10-13,Thu

<up_the_irons> finally, an A+ -- https://www.ssllabs.com/ssltest/analyze.html?d=arpnetworks.com&s=208.79.89.246 [00:25]
....................... (idle for 1h51mn)
***mkb has quit IRC (*.net *.split)
tabthorpe has quit IRC (*.net *.split)
dne has quit IRC (*.net *.split)
mjp_ has quit IRC (*.net *.split)
mrsaint_ has quit IRC (*.net *.split)
eryc has quit IRC (*.net *.split)
toeshred has quit IRC (*.net *.split)
tooth has quit IRC (*.net *.split)
karstensrage has quit IRC (*.net *.split)
mhoran_ has quit IRC (*.net *.split)
toddf has quit IRC (*.net *.split)
KILLALLHUMANS01 has quit IRC (*.net *.split)
pjs has quit IRC (*.net *.split)
Guest92753 has quit IRC (*.net *.split)
d^_^b has quit IRC (*.net *.split)
ant has quit IRC (*.net *.split)
mike-burns has quit IRC (*.net *.split)
joepie91_ has quit IRC (*.net *.split)
trobotham has quit IRC (*.net *.split)
_iwc has quit IRC (*.net *.split)
awyeah has quit IRC (*.net *.split)
sjackso has quit IRC (*.net *.split)
BryceBot has quit IRC (*.net *.split)
brycec has quit IRC (*.net *.split)
tellnes has quit IRC (*.net *.split)
BryceBot has joined #arpnetworks
tellnes has joined #arpnetworks
brycec has joined #arpnetworks
hazardous has quit IRC (Ping timeout: 259 seconds)
[02:16]
<up_the_irons> weeeeeeeeeeeeeeeeeee [02:22]
***hive-mind has quit IRC (Remote host closed the connection)
hazardous has joined #arpnetworks
hive-mind has joined #arpnetworks
[02:22]
.... (idle for 16mn)
nathani has quit IRC (Read error: Connection reset by peer) [02:39]
...... (idle for 27mn)
mjp_ has joined #arpnetworks
mkb has joined #arpnetworks
trobotham has joined #arpnetworks
_iwc has joined #arpnetworks
awyeah has joined #arpnetworks
sjackso has joined #arpnetworks
nathani has joined #arpnetworks
Guest92753 has joined #arpnetworks
d^_^b has joined #arpnetworks
ant has joined #arpnetworks
mike-burns has joined #arpnetworks
joepie91_ has joined #arpnetworks
tepper.freenode.net sets mode: +o mike-burns
tabthorpe has joined #arpnetworks
dne has joined #arpnetworks
tabthorpe has quit IRC (*.net *.split)
dne has quit IRC (*.net *.split)
nathani has quit IRC (*.net *.split)
Guest92753 has quit IRC (*.net *.split)
d^_^b has quit IRC (*.net *.split)
ant has quit IRC (*.net *.split)
mike-burns has quit IRC (*.net *.split)
joepie91_ has quit IRC (*.net *.split)
trobotham has quit IRC (*.net *.split)
_iwc has quit IRC (*.net *.split)
awyeah has quit IRC (*.net *.split)
sjackso has quit IRC (*.net *.split)
mkb has quit IRC (*.net *.split)
mjp_ has quit IRC (*.net *.split)
[03:06]
.... (idle for 16mn)
trobotham has joined #arpnetworks
_iwc has joined #arpnetworks
awyeah has joined #arpnetworks
sjackso has joined #arpnetworks
tabthorpe has joined #arpnetworks
dne has joined #arpnetworks
mjp_ has joined #arpnetworks
nathani has joined #arpnetworks
Guest92753 has joined #arpnetworks
d^_^b has joined #arpnetworks
ant has joined #arpnetworks
mike-burns has joined #arpnetworks
joepie91_ has joined #arpnetworks
tepper.freenode.net sets mode: +o mike-burns
mrsaint_ has joined #arpnetworks
eryc has joined #arpnetworks
toeshred has joined #arpnetworks
tooth has joined #arpnetworks
karstensrage has joined #arpnetworks
mhoran_ has joined #arpnetworks
toddf has joined #arpnetworks
KILLALLHUMANS01 has joined #arpnetworks
pjs has joined #arpnetworks
tepper.freenode.net sets mode: +o toddf
mkb has joined #arpnetworks
hazardous has quit IRC (Changing host)
hazardous has joined #arpnetworks
[03:26]
....................................... (idle for 3h10mn)
neish has quit IRC (Read error: Connection reset by peer)
neish has joined #arpnetworks
[06:39]
.......................... (idle for 2h7mn)
<fIorz> up_the_irons: I think I would drop the 3DES suites? also, portal doesn't have HSTS, and you use HSTS without includeSubDomains, which generally would be recommended to avoid cookie leaks, if possible [08:46]
............. (idle for 1h1mn)
***mercutio has quit IRC (Ping timeout: 248 seconds) [09:47]
................ (idle for 1h16mn)
Guest92753 has quit IRC (Ping timeout: 260 seconds)
Guest92753 has joined #arpnetworks
[11:03]
............................. (idle for 2h21mn)
mercutio has joined #arpnetworks
ChanServ sets mode: +o mercutio
[13:25]
<up_the_irons> fIorz: thing is, I'm not too sure how to make modifications wrt HSTS (it's new to me) [13:35]
<brycec> https://cipherli.st
eg for nginx it's the add_header directive
(of course, you'll want to know what you're doing first, *especially* when it comes to setting includeSubDomains)
[13:37]
<mercutio> i think includesubdomains is bad idea myself
having hsts in chrome etc would be good though
[13:38]
<mike-burns> Depends what the subdomains are/how much control you have over them. [13:39]
<brycec> When you set includeSubDomains, browsers visiting the website will pick that up and store that for future use. Any time a user tries "whatever.arpnetworks.com" their browser will automatically force https. If you have subdomains without https, they are now broken to those users. [13:39]
<mercutio> brycec: and you can't go back ;) [13:39]
<brycec> mercutio: you can, but it's a beast. [13:39]
<mercutio> oh i thought you had to wait for expiration time [13:40]
<brycec> In chrome anyways, you gotta dive into chrome://net-internals#hsts [13:40]
<mercutio> so yeah you can't go back :) [13:40]
<brycec> and delete the domain from the browser's learned HSTS hosts
Effectively, yeah.
I think it's an alright idea, but you really gotta know what you're doing with it and whether it's safe to use it. Much like TNT.
[13:40]
<mercutio> brycec: do you know how reliable revoking is now? [13:46]
<mike-burns> You could add TLS to all subdomains... [13:49]
<brycec> mercutio: revoking what? [13:52]
<mercutio> brycec: ssl cert
my understanding is that that doesn't work very well. but times may have changed
[13:52]
<brycec> afaik nothing has changed, but more people are realizing it's easier to have short timeframe certificates instead [13:53]
<up_the_irons> i'm too conservative to add includeSubDomains from the outset [13:53]
<brycec> up_the_irons: good man. [13:53]
<mike-burns> Makes sense. [13:53]
<up_the_irons> :) [13:53]
<mercutio> yeah google really led the way on short certs
but i don't know of one big cert outfits doing it yet
s/one/any/
[13:55]
<BryceBot> <mercutio> but i don't know of any big cert outfits doing it yet [13:55]
<mike-burns> Isn't Let's Encrypt doing short certs? [13:56]
<mercutio> they're not "big" [13:56]
<mike-burns> Oh. [13:56]
<mercutio> they're getting bigger
it's nowhere near the size of comodo etc
[13:56]
<brycec> I saw a headline the other day suggesting LE may be one of the largest CAs now
https://www.eff.org/deeplinks/2016/10/lets-encrypt-largest-certificate-authority-web
[14:02]
<mike-burns> It's hard to beat free. [14:02]
<mercutio> biggest by revenue? [14:04]
<brycec> lolol [14:04]
<mercutio> let's encrypt is used by 3% of top 10 million web sites
but a lot of low traffic sites
[14:06]
***Guest92753 has quit IRC (Ping timeout: 252 seconds)
Guest92753 has joined #arpnetworks
[14:12]
.... (idle for 16mn)
Guest92753 has quit IRC (Ping timeout: 260 seconds) [14:32]
...... (idle for 27mn)
Guest92753 has joined #arpnetworks [14:59]
........ (idle for 36mn)
carvite has quit IRC (Ping timeout: 248 seconds) [15:35]
carvite has joined #arpnetworks [15:43]
........ (idle for 38mn)
mkb_ has joined #arpnetworks
mkb has quit IRC (Ping timeout: 265 seconds)
mkb_ is now known as mkb
[16:21]
................ (idle for 1h19mn)
<hazardous> brycec: I think you can set a new HSTS policy on the primary domain to expire in one second or something to clear it, at least that's what I remember
But that requires the primary domain be accessible still to unset includesubdomains
[17:45]
<fIorz> that doesn't solve the case where a browser that has seen the HSTS header tries to access whatever.domain.tld via TLS even though it's not available via TLS--until it makes a request to domain.tld to receive the short-lived HSTS header, it will insist on using TLS [17:57]
<mkb> which means you've got to keep TLS on at least as long as you had to before in case someone doesn't see the 1 second header before you kill TLS [18:01]
<fIorz> up_the_irons: sure, being careful certainly is a good idea as there is no easy way back, and you have to be sure that all your subdomains are indeed accessible via TLS before you enforce it, that's why I said "if possible"
up_the_irons: but without includeSubDomains, HSTS is actually rather ineffective (or at least you'd have to be very careful with all the web software you are running on that domain for it to be effective)
up_the_irons: and that is due to the way cookies work for historical reasons: your order form on https://arpnetworks.com/, for example, sets a cookie that is not limited to HTTPS
up_the_irons: now, if an eavesdropping attacker wants to learn that cookie despite your use of HSTS, all they need to do is to make the browser make a request to some subdomain.arpnetworks.com that doesn't have HSTS set (or at least the browser doesn't know about it yet) via plain HTTP
up_the_irons: which is relatively easy to do, if they can get the victim to somehow visit some website under their control
up_the_irons: or, if the attacker can do MitM, they can simply hijack any plain HTTP request of the client to any site whatsoever and inject some code into the response that accesses that subdomain
up_the_irons: and as a MitM, they wouldn't even be limited to existing subdomains of arpnetworks.com, they could just fake a DNS response and HTTP server for randomgarbage.arpnetworks.com and inject an access to that
up_the_irons: the browser will then happily send that cookie in plaintext, which means the attacker can take over the session
up_the_irons: now, given that the whole point of HSTS kinda is to protect against MitMs (who could hijack the initial plain HTTP request of a user accessing your site that should ordinarily be redirected to the HTTPS version), it's not really all that useful if a MitM still can compromise your user's sessions
[18:12]
as for revocation of certificates: well, yeah, short-lived certs are one solution, but there is also OCSP must-staple, a certificate extension that tells the browser that the webserver must provide a valid stapled OCSP response or else the certificate is to be considered in valid
IIRC OCSP must-staple has landed in a recent firefox release version
erm, *invalid
[18:35]
<mercutio> damn fIorz is knowledgeable [18:41]
..... (idle for 21mn)
<up_the_irons> fIorz knows everything [19:02]
<brycec> brycec was just lazy and didn't want to type all that out :p [19:07]
<fIorz> *gg* [19:08]
<up_the_irons> haha [19:09]
<fIorz> up_the_irons: btw, there isn't really any reason to keep around any of the non-PFS cipher suites (except for the 3DES if you do actually care about support for win XP, which is a bad idea anyway whether it's PFS or not due to DES's short block size, see https://sweet32.info/) [19:13]
<mercutio> ie6/xp is blocked already [19:13]
<fIorz> yeah, but that couldn't even speak TLS 1.0, so it's beyond hopeless if you care about security [19:15]
<mercutio> yeah there's no ssl3 at all [19:15]
<fIorz> 3DES still takes some effort to attack, but if you don't really need it, it's probably better to avoid it [19:17]
<mercutio> so dropping 3des drops ie8/xp
up_the_irons: thoughts?
[19:18]
<fIorz> yep [19:19]
<up_the_irons> hasn't microsoft even dropped support for ie8 and xp [19:21]
<mercutio> yeah they dropped xp. it's mostly chinese that use it afaik
so it's mostly if you want chinese vps users that want to vpn
[19:21]
<up_the_irons> that's actually not too uncommon [19:22]
<mercutio> at least that's from my understanding
yeh maybe price point
[19:22]
<fIorz> and even then, shouldn't a more recent firefox work on xp, which IIRC uses its own NSS on windows, so probably should know some better cipher suites than IE? [19:23]
<mercutio> yeah
that's why i said ie8/xp rather than xp
[19:24]
<fIorz> I guess my point is: even if someone is still using XP for whatever reason, how likely is it that someone who bothers to set up their own VPN would still be using the ancient IE that comes with it? [19:28]
<mercutio> ie8 never came with xp did it? [19:29]
<fIorz> erm, that might be true, I don't actually know [19:30]
<mercutio> edge seems ok
but i was never a found of ie
[19:39]
