Chris Knight
Jun 5, 2002

me @ ur posts


Fun Shoe

Raluek posted:

i think cinci's confusion stems from these being basically opposites

he wasn't the only one tbh

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I'm going over the OpenSSL docs to review their cipher support (schannel/openssl configbomb incoming) and there are some PSK suites that have name strings that I am having a hard time parsing

code:
PSK_WITH_AES_128_GCM_SHA256               PSK-AES128-GCM-SHA256
PSK_WITH_AES_256_GCM_SHA384               PSK-AES256-GCM-SHA384
DHE_PSK_WITH_AES_128_GCM_SHA256           DHE-PSK-AES128-GCM-SHA256
DHE_PSK_WITH_AES_256_GCM_SHA384           DHE-PSK-AES256-GCM-SHA384
RSA_PSK_WITH_AES_128_GCM_SHA256           RSA-PSK-AES128-GCM-SHA256
RSA_PSK_WITH_AES_256_GCM_SHA384           RSA-PSK-AES256-GCM-SHA384
With those first two suites where they don't specify a key exchange mechanism, am I correct in assuming that it does key exchange in the clear? The other 4 specify DHE and RSA for key exchange so the nomenclature would seem to indicate that.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Hello we are the OpenSSL project let us support ciphers that utilize encryption but yell their symm key in the clear, because Reasons.

cinci zoo sniper
Mar 15, 2013




mrmcd posted:

lol if there's scrubs itt not using password managers and 2fa

to be honest i am too lazy to use 2fa for most things. one day that'll get me in trouble, but for now i've just had chinese guests in my c-tier nth gmail account i accidentally remembered after never using it, and my guild wars 2 account i barely ever used too

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
is lastpass still unacceptable to use these days or what? I'm using keepass with my dropbox account to house the pw database, but it's a little more cumbersome than I'd like and I wouldn't mind moving to a centralized platform like LP.

cinci zoo sniper
Mar 15, 2013




Wrath of the Bitch King posted:

is lastpass still unacceptable to use these days or what? I'm using keepass with my dropbox account to house the pw database, but it's a little more cumbersome than I'd like and I wouldn't mind moving to a centralized platform like LP.

lastpass still not great at the specific part that makes it different from standalone cloud storage keepass, yes

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Crypto Config Boogaloo 2017 Edition

Server 2016:

code:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Windows 10 (all builds):

code:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Server 2016/Win10 Curve order:

code:
nistP521
nistP384
nistP256
brainpoolP512r1
brainpoolP384r1
brainpoolP256r1
curve25519
2012R2:

code:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Win8.1:

code:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Server 2012:

code:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Win8:

code:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Server 2008R2:

code:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Win7:

code:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Server 2008:

code:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Vista:

code:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
OpenSSL 1.0.x-1.1.x:

code:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I'm dropping DSA/DSS ciphers from servers because TLS1.3 goes RSA-only and your CA probably isn't issuing DSA certs anyway. Still on for clients for compatibility reasons.

The channel config for Win8/8.1 dropped the P521 curves. There's a character limit you bump into for the group policy object and I am trying to work around that. Win10 split the curve definitions out into its own policy so you don't have the same limit issues. P521 seems to be falling out of favor for whatever reason though I still prefer it in most situations.

The Win8.1 and 2012R2 config should work on 8 and 2012 respectively without issue, there's just an extra two DHE_RSA suites included that will be ignored. But you can manage independent GPOs for each if you want.

3DES is pretty much only needed for XP/2003/IE compatibility. Feel free to drop it if you think those clients should gently caress off.
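The suite names in the lists above, and the PSK names in the earlier post, all follow the same IANA pattern (key exchange and authentication, `_WITH_`, cipher, MAC/PRF hash, and on older Schannel a `_P256`-style curve suffix). The following is an added example, not code from the posts, OpenSSL or Microsoft: a small Python parser for that pattern plus an audit pass that flags the properties argued about in the thread (no forward secrecy, PSK-only or anonymous key exchange, DSS authentication, 3DES, non-AEAD CBC). The function names are my own, and the sample list is the Server 2016 order copied from the post above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Schannel on Win7/8/2008/2012 appends the curve to ECDHE suites: ..._SHA384_P521
_CURVE_SUFFIX = re.compile(r"_(P\d{3})$")

EPHEMERAL_KX = {"ECDHE", "DHE"}  # ephemeral key exchange -> forward secrecy


@dataclass
class Suite:
    name: str
    kx: str               # key exchange: ECDHE, DHE, ECDH, RSA, PSK
    auth: str             # authentication: RSA, ECDSA, DSS, PSK, anon
    cipher: str           # e.g. AES_256_GCM, AES_128_CBC, 3DES_EDE_CBC
    mac: str              # SHA, SHA256, SHA384 (the PRF hash for AEAD suites)
    curve: Optional[str]  # only present in the Schannel-suffixed names

    @property
    def forward_secrecy(self) -> bool:
        return self.kx in EPHEMERAL_KX

    @property
    def aead(self) -> bool:
        return self.cipher.endswith(("GCM", "CCM", "POLY1305"))


def parse_suite(name: str) -> Suite:
    """Split an IANA-style TLS 1.2-era name (with or without TLS_ prefix) into parts."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" not in body:  # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no kx field
        raise ValueError(f"not a TLS 1.2-style cipher suite name: {name}")
    kx_auth, cipher_mac = body.split("_WITH_", 1)
    curve = None
    m = _CURVE_SUFFIX.search(cipher_mac)
    if m:
        curve, cipher_mac = m.group(1), cipher_mac[: m.start()]
    cipher, _, mac = cipher_mac.rpartition("_")
    parts = kx_auth.split("_")
    if len(parts) == 1:
        # "RSA": RSA key transport, authenticated by the RSA certificate.
        # "PSK": session key derived only from the pre-shared key, which also
        # authenticates both ends; the key itself is never sent on the wire.
        kx = auth = parts[0]
    elif len(parts) == 2:
        kx, auth = parts  # ECDHE_RSA, DHE_DSS, DHE_PSK, RSA_PSK, ECDH_anon, ...
    else:
        raise ValueError(f"unrecognised key exchange field: {kx_auth}")
    return Suite(name, kx, auth, cipher, mac, curve)


def concerns(s: Suite) -> List[str]:
    """Properties a reviewer would flag, in a fixed order; empty means clean."""
    out: List[str] = []
    if s.auth == "anon":
        out.append("anonymous key exchange, no authentication")
    if not s.forward_secrecy:
        out.append(f"no forward secrecy ({s.kx} key exchange)")
    if s.auth == "DSS":
        out.append("DSS/DSA authentication")
    if s.cipher.startswith("3DES"):
        out.append("3DES, 64-bit block cipher")
    if s.cipher.startswith("RC4"):
        out.append("RC4 stream cipher")
    if s.cipher.endswith("CBC"):
        out.append("CBC mode, not AEAD")
    return out


def audit(names: List[str]) -> Dict[str, List[str]]:
    """Audit a configured suite order; a suite maps to [] when nothing is flagged."""
    return {n: concerns(parse_suite(n)) for n in names}


# Sample input: the Server 2016 order quoted in the post above.
SERVER_2016 = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for name, flags in audit(SERVER_2016).items():
        print(f"{name:45} {'; '.join(flags) or 'ok'}")
    for psk in ("PSK_WITH_AES_128_GCM_SHA256", "DHE_PSK_WITH_AES_128_GCM_SHA256"):
        s = parse_suite(psk)
        print(f"{psk:45} kx={s.kx} auth={s.auth} fs={s.forward_secrecy}")
```

Run against the Server 2016 list only the four ECDHE/DHE GCM suites come back clean; every `TLS_RSA_` suite is flagged for static RSA key transport, and the plain `PSK_` suites are flagged the same way because a leaked pre-shared key decrypts past sessions, whereas `DHE_PSK_` keeps forward secrecy.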

RISCy Business
Jun 17, 2015

bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork
Fun Shoe
i'm the brainpool

maskenfreiheit
Dec 30, 2004

cinci zoo sniper posted:

lastpass still not great at the specific part that makes it different from standalone cloud storage keepass, yes

I prefer to use KeePass.

There's a nice shiny OSX client - KeePassXC.

If you want your DB synced across devices you can get a Spideroak account.

cinci zoo sniper
Mar 15, 2013




maskenfreiheit posted:

I prefer to use KeePass.

There's a nice shiny OSX client - KeePassXC.

If you want your DB synced across devices you can get a Spideroak account.

i use keepass too, "official" windows client with key file in onedrive

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.

BangersInMyKnickers posted:

I'm dropping DSA/DSS ciphers from servers because TLS1.3 goes RSA-only and your CA probably isn't issuing DSA certs anyway. Still on for clients for compatibility reasons.

The channel config for Win8/8.1 dropped the P521 curves. There's a character limit you bump into for the group policy object and I am trying to work around that. Win10 split the curve definitions out into its own policy so you don't have the same limit issues. P521 seems to be falling out of favor for whatever reason though I still prefer it in most situations.

The Win8.1 and 2012R2 config should work on 8 and 2012 respectively without issue, there's just an extra two DHE_RSA suites included that will be ignored. But you can manage independent GPOs for each if you want.

3DES is pretty much only needed for XP/2003/IE compatibility. Feel free to drop it if you think those clients should gently caress off.

This and your list were really good posts, thanks.

The MUMPSorceress
Jan 6, 2012


^SHTPSTS

Gary’s Answer

cinci zoo sniper posted:

i use keepass too, "official" windows client with key file in onedrive

same but dropbox for syncing.

Truga
May 4, 2014
Lipstick Apathy

cinci zoo sniper posted:

i use keepass too, "official" windows client with key file in onedrive

I hope you mean password vault? Key file should be local.

And yeah, same, except I sync via SCP.

cinci zoo sniper
Mar 15, 2013




Truga posted:

I hope you mean password vault? Key file should be local.

And yeah, same, except I sync via SCP.

the database file, i'm not fluent with terminology

spankmeister
Jun 15, 2008






BangersInMyKnickers posted:

I'm going over the OpenSSL docs to review their cipher support (schannel/openssl configbomb incoming) and there are some PSK suites that have name strings that I am having a hard time parsing

code:
PSK_WITH_AES_128_GCM_SHA256               PSK-AES128-GCM-SHA256
PSK_WITH_AES_256_GCM_SHA384               PSK-AES256-GCM-SHA384
DHE_PSK_WITH_AES_128_GCM_SHA256           DHE-PSK-AES128-GCM-SHA256
DHE_PSK_WITH_AES_256_GCM_SHA384           DHE-PSK-AES256-GCM-SHA384
RSA_PSK_WITH_AES_128_GCM_SHA256           RSA-PSK-AES128-GCM-SHA256
RSA_PSK_WITH_AES_256_GCM_SHA384           RSA-PSK-AES256-GCM-SHA384
With those first two suites where they don't specify a key exchange mechanism, am I correct in assuming that it does key exchange in the clear? The other 4 specify DHE and RSA for key exchange so the nomenclature would seem to indicate that.

They do, it's PSK, i.e. a pre-shared key. Meaning you share the AES key offline beforehand.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

So with the RSA/DH PSK variants are you pre-sharing the asymm keys and then letting it negotiate the sym key from there while PSK_WITH_AES_256_GCM_SHA384 just pre-shares the symm key? I am concerned that the non-RSA/DH ciphers are doing something similar to these garbage anon suites though maybe that doesn't matter if you are assuming the out of band exchange was secure.

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Grimey Drawer

moonshine is...... posted:

Didn't see this posted https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html I know it's not really security stuff, but I thought it was kind of funny. So have some funny computer.

hmmm, now I want to apply this to my firewall

Wiggly Wayne DDS
Sep 11, 2010



what could possibly go wrong

https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

maskenfreiheit
Dec 30, 2004

cinci zoo sniper posted:

i use keepass too, "official" windows client with key file in onedrive

you use a keyfile? don't you worry about that being compromised?

US government wrote its privacy laws in the goddamned 80s, so files older than something like 30 days don't even require a warrant for government to grab. (And that's if you're a US citizen)

Personally I use a passphrase I've memorized. It's kind of a pain to type but no one can steal it or compel it with a court order.

cinci zoo sniper
Mar 15, 2013




maskenfreiheit posted:

you use a keyfile? don't you worry about that being compromised?

US government wrote its privacy laws in the goddamned 80s, so files older than something like 30 days don't even require a warrant for government to grab. (And that's if you're a US citizen)

Personally I use a passphrase I've memorized. It's kind of a pain to type but no one can steal it or compel it with a court order.

database file locked under a password.

cinci zoo sniper posted:

the database file, i'm not fluent with terminology

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

For those of us who don't know, what COULD possibly go wrong?

Phone
Jul 30, 2005

I want oyakodon.
the permissiveness of wildcard certs was kind of a determining factor to set up lets encrypt in the first place, iirc

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Phone posted:

the permissiveness of wildcard certs was kind of a determining factor to set up lets encrypt in the first place, iirc

that's not my understanding. what do you have in mind?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

just do it via dns authentication

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Wildcard certs have major security issues:

If the webserver with the cert is compromised it can be used to host malicious sites on any arbitrary URL for the domain. Standard certs with alt-names don't allow that so if you are onlining a new URL you need to swap the cert out with a new one that includes the new domains.

If the cert and private key are stolen you can intercept traffic for any url under that domain because there are no alt-name constraints.

Wildcard certs and their corresponding private key are often used on multiple servers so by compromising one you are able to decrypt traffic for the entire environment that is passing traffic under that same cert.



Hopefully that last one won't be an issue because LetsEncrypt people aren't charging a ton of money for a wildcard cert so key reuse doesn't have the same incentive but it's still stupid. Swapping out an existing cert with one that has more alt-names on it is maybe a 2 hour process and wildcard certs are just a crutch for lovely admins that don't want to do that.
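The "any arbitrary URL for the domain" point above comes down to how a wildcard SAN entry is matched. As an added example, not code from the post or from Let's Encrypt, here is a Python implementation of the conservative matching rule browsers apply (wildcard only as the whole leftmost label, matching exactly one label, never the bare domain), plus a helper that answers the defender's question: given a certificate's SAN list and a host inventory, which hosts would a theft of that key let someone impersonate? The function names and the `example.com` inventory are my own constructed sample data.

```python
from typing import Dict, List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname, RFC 6125 style.

    A wildcard is honoured only as the entire leftmost label of a name with at
    least two further labels, and it matches exactly one label. So
    '*.example.com' covers 'api.example.com' but not 'example.com',
    'a.b.example.com' or anything under another domain. Partial-label
    wildcards such as 'w*.example.com' are rejected outright.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def covering_entry(san_entries: List[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers the hostname, or None."""
    for entry in san_entries:
        if hostname_matches(entry, hostname):
            return entry
    return None


def coverage(san_entries: List[str], inventory: List[str]) -> Dict[str, Optional[str]]:
    """Map every host in the inventory to the SAN entry that covers it (or None)."""
    return {host: covering_entry(san_entries, host) for host in inventory}


def key_compromise_scope(san_entries: List[str], inventory: List[str]) -> List[str]:
    """Hosts whose traffic the certificate's private key could terminate if stolen."""
    return [h for h, e in coverage(san_entries, inventory).items() if e is not None]


# Constructed sample data: a host inventory and two candidate certificates.
INVENTORY = [
    "www.example.com",
    "api.example.com",
    "newteam.example.com",      # brought online after the cert was issued
    "example.com",              # apex: never covered by the wildcard
    "deep.api.example.com",     # second level: never covered by the wildcard
    "www.example.org",
]
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["www.example.com", "api.example.com", "example.com"]

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("SAN list", SAN_CERT)):
        print(f"{label}: key theft exposes {key_compromise_scope(cert, INVENTORY)}")
```

The output makes the trade-off concrete: the wildcard silently covers `newteam.example.com` the moment DNS for it exists, which is the convenience the thread is arguing about and also the exposure; the SAN-list cert covers exactly the names that were enumerated when it was issued, so a new host needs a reissue. The same `coverage` call is useful in the other direction too, as a check that a cert you are about to deploy actually covers every name the service answers on.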

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

BangersInMyKnickers posted:

Swapping out an existing cert with one that has more alt-names on it is maybe a 2 hour process and wildcard certs are just a crutch for lovely admins that don't want to do that.

I don't think alt-names are a solution for something like slack that dynamically generates hostnames. A 2-hour process is a long time if you have a lot of machines, especially if you provision new addressable systems frequently.

Why would wildcard certs be used across multiple servers more than alt-name ones? If people are going to re-issue for every server, they can do that with a wildcard too.

ThePeavstenator
Dec 18, 2012

:burger::burger::burger::burger::burger:

Establish the Buns

:burger::burger::burger::burger::burger:

quote:

Our hope is that offering wildcards will help to accelerate the Web’s progress towards 100% HTTPS.

who cares how we get there, just as long as every website has a green lock show up in the url bar when you go to it!

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Subjunctive posted:

I don't think alt-names are a solution for something like slack that dynamically generates hostnames. A 2-hour process is a long time if you have a lot of machines, especially if you provision new addressable systems frequently.

Why would wildcard certs be used across multiple servers more than alt-name ones? If people are going to re-issue for every server, they can do that with a wildcard too.

Yes if only the same use case wasn't already being tackled by load balancers. Pre-allocate a poo poo ton of alt-names in the cert ahead of time and if you start running out then do some more. All that can and should be automated.


When you request a wildcard cert from a CA, they typically provide you with the cert, public, and private key in an exportable package. CSR process for a standard cert with alt-names only gives you the signed cert and public key, private key stays on the server requesting it. Less rope to hang yourself with because you then have to go into the server with the alt-name cert and export everything out which most keystores will discourage or block.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

BangersInMyKnickers posted:

Yes if only the same use case wasn't already being tackled by load balancers. Pre-allocate a poo poo ton of alt-names in the cert ahead of time and if you start running out then do some more. All that can and should be automated.

Slack generates the names to match the name selected by the community, it's not something you can preallocate.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

BangersInMyKnickers posted:

When you request a wildcard cert from a CA, they typically provide you with the cert, public, and private key in an exportable package. CSR process for a standard cert with alt-names only gives you the signed cert and public key, private key stays on the server requesting it. Less rope to hang yourself with because you then have to go into the server with the alt-name cert and export everything out which most keystores will discourage or block.

I thought CSRs didn't include the private key, wildcard or not

Shaggar
Apr 26, 2006

Subjunctive posted:

I don't think alt-names are a solution for something like slack that dynamically generates hostnames. A 2-hour process is a long time if you have a lot of machines, especially if you provision new addressable systems frequently.

Why would wildcard certs be used across multiple servers more than alt-name ones? If people are going to re-issue for every server, they can do that with a wildcard too.

is lets encrypt cert generation not immediate? what is the 2 hour delay? also if you have that much a problem you can provision names prior to provisioning hosts to solve the problem.

if the goal of wildcard certs is ease of deployment, then why not include them in your machine templates instead of generating them on the fly? if you have the capability to generate on the fly, why not generate certs with the right names?

Shaggar
Apr 26, 2006

wyoak posted:

I thought CSRs didn't include the private key, wildcard or not

yeah I've never sent or received a private key from the CA. wildcards function the same as everything else. the problem is mostly around what happens with the cert in your local environment where someone is like "hmm, i could generate a separate, identical wildcard cert for this new server or just copy the existing one from another server." Also according to Let's Encrypt's docs they have a limit of 5 identical cert requests per week so you'd be limited to 5 new hosts per week if you wanted new keys for each wildcard.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

wyoak posted:

I thought CSRs didn't include the private key, wildcard or not

Depends on the CA and we haven't seen LE's implementation, but often with traditional ones the private key also came from the CA to encourage re-use. Not a traditional CSR process

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Shaggar posted:

is lets encrypt cert generation not immediate? what is the 2 hour delay? also if you have that much a problem you can provision names prior to provisioning hosts to solve the problem.

if the goal of wildcard certs is ease of deployment, then why not include them in your machine templates instead of generating them on the fly? if you have the capability to generate on the fly, why not generate certs with the right names?

the 2 hour delay for re-provisioning came from the person I was quoting, based I believe on how long it took someone (idk who) to rotate certs on a set of servers

slack, as I keep saying, can't provision names ahead of time. they create new endpoints in real time based on user input

I don't know who, if anyone, is suggesting generating wildcard certs on the fly

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Shaggar posted:

Also according to Let's Encrypt's docs they have a limit of 5 identical cert requests per week so you'd be limited to 5 new hosts per week if you wanted new keys for each wildcard.

lol that's the loving opposite of what they should be doing

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

BangersInMyKnickers posted:

Depends on the CA and we haven't seen LE's implementation, but often with traditional ones the private key also came from the CA to encourage re-use. Not a traditional CSR process

can you give an example of a CA that did this? I've been poking around and can't find any, and all the wildcard submission forms I can find just ask for a public key

Shaggar
Apr 26, 2006

Subjunctive posted:

the 2 hour delay for re-provisioning came from the person I was quoting, based I believe on how long it took someone (idk who) to rotate certs on a set of servers

slack, as I keep saying, can't provision names ahead of time. they create new endpoints in real time based on user input

I don't know who, if anyone, is suggesting generating wildcard certs on the fly

you were suggesting generating them on the fly instead of reusing existing keys.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

why would you need to issue identical certs more frequently than that? a|b|c is different from a|b, I'm pretty pretty sure

Shaggar
Apr 26, 2006
right that part makes sense, but it clearly wasn't designed w/ wildcard certs in mind.
