|
CRIP EATIN BREAD posted:can't you just automate the creation of new certs via lets encrypt? think of a situation like this: https://devcenter.heroku.com/articles/custom-domains#add-a-wildcard-domain where the webapp might not have control over anything so gauche as an IP address or cert
|
#
?
Oct 19, 2017 18:36
|
|
|
|
| # ? May 14, 2024 02:36 |
|
|
It seems like a strange decision because the automation steps involved in using lets encrypt for wildcard certs could probably just as easily be applied to using lets encrypt for dynamic subdomains. I guess if you're big enough maybe you'd hit their 100 domains-a-week limit?
|
|
#
?
Oct 19, 2017 18:43
|
|
|
ate all the Oreos posted:the only legitimate reason to use a wildcard is if you have dynamic subdomains and if you have those you're probably a massive content provider anyway not even then since you can just generate a new cert w/ the additional san on deployment
|
|
#
?
Oct 19, 2017 18:47
|
|
|
nice thing about wildcard certs is that if your key is compromised all your customers sites are compromised and it makes it much easier to deal with the class action lawsuit since you dont have to track exactly which customer was owned (it was all of them).
|
|
#
?
Oct 19, 2017 18:48
|
|
|
wyoak posted:It seems like a strange decision because the automation steps involved in using lets encrypt for wildcard certs could probably just as easily be applied to using lets encrypt for dynamic subdomains. I guess if you're big enough maybe you'd hit their 100 domains-a-week limit? not everyone is going to automate LE, and not everyone should integrate LE automation into their database skin i worked on some poo poo nine years back where travel agents would sign up to get a landing page microsite internet marketing jargon puke goes here for their agency to sell spots on a particular cruise ship, and we ended up with like 1000 registrations in the first 24h, each with a custom subdomain that all went to one app instance like that's textbook wildcard
|
|
#
?
Oct 19, 2017 18:51
|
|
|
i mean working for an ad agency is hell and i would recommend nobody ever do that but at least i know what a wildcard cert is good for
|
|
#
?
Oct 19, 2017 18:53
|
|
|
A dutch insurance company is now offering a cybersec insurance for home users. When you sign up, you get a F-Secure router for free, the insurance says you are required to install it and use that for all your home internet connections. You also get a phone app in case you ever connect your phone to a network other than your home network. Then if your computer gets hosed up by malware, you can call them and an expert will help restore your data. If the computer is hosed beyond repair, the insurance will pay money as a compensation for the loss. They won't pay out more than 3 times per year per home though.
|
|
#
?
Oct 19, 2017 18:57
|
|
|
Wildcard has some uses but I just don't see any application where let's encrypt is acceptable and wildcard certs are acceptable at the same time
|
|
#
?
Oct 19, 2017 18:57
|
|
|
Bulgogi Hoagie posted:god i so so hope that the kaspersky bullshit doesn’t mean the fsb have infiltrated jetbrains too They are based out of st. Pete, and are an it services company.
|
|
#
?
Oct 19, 2017 19:01
|
|
|
Just-In-Timeberlake posted:https://arstechnica.com/information-technology/2017/10/google-play-apps-with-as-many-as-2-6m-downloads-added-devices-to-botnet/ Did anyone actually read this because it's the stupidest scare mongering thing I've read in a while.
|
|
#
?
Oct 19, 2017 19:09
|
|
|
CRIP EATIN BREAD posted:can't you just automate the creation of new certs via lets encrypt? I wrote a few ansible workflows now, which allocate letsencrypt certs to nginx instances automagically, its super duper easy to do took me like 2h and i was new to ansible
|
|
#
?
Oct 19, 2017 19:09
|
|
|
wildcard certs have their place. i used them in a "holy poo poo we have no certs for anything what the gently caress is wrong" period for a few months while i rolled out auto-renewing LE certs for each server
|
|
#
?
Oct 19, 2017 19:09
|
|
|
Cocoa Crispies posted:not everyone is going to automate LE, and not everyone should integrate LE automation into their database skin spankmeister posted:Wildcard has some uses but I just don't see any application where let's encrypt is acceptable and wildcard certs are acceptable at the same time
|
|
#
?
Oct 19, 2017 19:13
|
|
|
Cocoa Crispies posted:not everyone is going to automate LE, and not everyone should integrate LE automation into their database skin yeah back at Heroku there was some wedding website that would give everyone a custom domain. So for those to have something like 18,000 registered domains to the same app and matching certificates is pure rear end and you may as well wildcard them to one entry.
|
|
#
?
Oct 19, 2017 19:17
|
|
|
of course cse has their documentation in english and french https://bitbucket.org/cse-assemblyline/assemblyline on the other hand it makes their malware standout
|
|
#
?
Oct 19, 2017 19:51
|
|
|
wyoak posted:that's also textbook LE without wildcards, but ignoring that my point is quote:The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name https://www.example.com the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.
|
|
#
?
Oct 19, 2017 20:18
|
|
|
CRIP EATIN BREAD posted:nice thing about wildcard certs is that if your key is compromised all your customers sites are compromised and it makes it much easier to deal with the class action lawsuit since you dont have to track exactly which customer was owned (it was all of them). I admit it; I laughed pretty good at this post.
|
|
#
?
Oct 19, 2017 20:34
|
|
|
whats the new mandatory aslr setting in defender
|
|
#
?
Oct 19, 2017 20:51
|
|
|
Bulgogi Hoagie posted:god i so so hope that the kaspersky bullshit doesn’t mean the fsb have infiltrated jetbrains too quote:JetBrains (formerly IntelliJ) is a software development company whose tools are targeted towards software developers and project managers. No I'm sure it's fine
|
|
#
?
Oct 19, 2017 20:52
|
|
|
To be fair, they did mover their HQ over to the Czech Republic, so it's probably ok.
|
|
#
?
Oct 19, 2017 21:28
|
|
|
i dont care if a saas app has our company name in the domain or not. probably better if it doesnt since the outcome of that tends to be that it cant ever be renamed.
|
|
#
?
Oct 19, 2017 21:32
|
|
|
cinci zoo sniper posted:whats the new mandatory aslr setting in defender
|
|
#
?
Oct 19, 2017 21:38
|
|
|
Wiggly Wayne DDS posted:off unless the program's built with /dynamicbase, but you can set it to force it on everything anyway. cfg/dep/sehop/heap integrity are on by default at least yeah i figured this part out but what does it do, in moderately simple english?
|
|
#
?
Oct 19, 2017 21:42
|
|
|
cinci zoo sniper posted:whats the new mandatory aslr setting in defender it requires headphones and for you to close your eyes
|
|
#
?
Oct 19, 2017 21:57
|
|
|
cinci zoo sniper posted:yeah i figured this part out but what does it do, in moderately simple english? google's trying out bug bounties post-fix in certain popular google play apps: https://security.googleblog.com/2017/10/introducing-google-play-security-reward.html by post-fix i mean the dev has to have patched it, and it's a small starting pool: https://hackerone.com/googleplay participating candidates atm: alibaba, dropbox, duolingo, headspace, line, mail.ru, snapchat, tinder
|
|
#
?
Oct 19, 2017 22:51
|
|
|
Bulgogi Hoagie posted:god i so so hope that the kaspersky bullshit doesn’t mean the fsb have infiltrated jetbrains too my code will give them aids lol
|
|
#
?
Oct 20, 2017 00:32
|
|
|
don't work in national security if u like jetbrains
|
|
#
?
Oct 20, 2017 01:15
|
|
|
akadajet posted:don't work in national security
|
|
#
?
Oct 20, 2017 01:19
|
|
|
working in national security is exactly like yt's mom's job in snow crash is portrayed: you get to work on a tiny part of a thing you are forbidden from understanding and there are insipid metrics and meetings
|
|
#
?
Oct 20, 2017 01:20
|
|
|
|
|
#
?
Oct 20, 2017 01:22
|
|
|
CRIP EATIN BREAD posted:nice thing about wildcard certs is that if your key is compromised all your customers sites are compromised and it makes it much easier to deal with the class action lawsuit since you dont have to track exactly which customer was owned (it was all of them).
|
|
#
?
Oct 20, 2017 02:15
|
|
|
Phone posted:it requires headphones and for you to close your eyes *giggle*
|
|
#
?
Oct 20, 2017 03:18
|
|
|
What's the best article yall got to convince cjs that wildcards are bad?
|
|
#
?
Oct 20, 2017 03:58
|
|
|
Wiggly Wayne DDS posted:unless a program has been compiled by the dev to work correctly with aslr windows won't make use of the mitigation, but you can force it system-wide and ignore that. same practice they've been doing since implementation really thanks, but now to my question, what is aslr and what does it do 
|
|
#
?
Oct 20, 2017 04:01
|
|
|
cinci zoo sniper posted:thanks, but now to my question, what is aslr and what does it do Adress space randomization. Makes it harder to take advantage of buffer overflows.
|
|
#
?
Oct 20, 2017 04:02
|
|
|
Proteus Jones posted:Adress space randomization. Makes it harder to take advantage of buffer overflows. ah, cheers
|
|
#
?
Oct 20, 2017 04:03
|
|
|
Proteus Jones posted:Adress space randomization. Makes it harder to take advantage of buffer overflows. Specifically it makes it harder to know addresses, it's not particularly about buffer overflows (just as applicable to many attack primitives). It means you don't know, short a leak, the address of the function or ROP gadget you want to jump to or struct in memory you wish to mess with isn't known to you at runtime as an attacker.
|
|
#
?
Oct 20, 2017 04:06
|
|
|
Trabisnikof posted:What's the best article yall got to convince cjs that wildcards are bad? using a wildcard is like using one ssh keypair for everything. lots of people do it, it's really convenient, but if someone fucks up and uploads your private key to github or your dropbox gets hacked or whatever, all your poo poo got wrecked. in the event a wildcard gets compromised it's also real easy to forget which servers it was applied to because there's no handy san field to tell you. anthonypants fucked around with this message at 04:14 on Oct 20, 2017 |
|
#
?
Oct 20, 2017 04:10
|
|
|
unfixed 2-year-old remote code execution bug in half-life 1 demo playback used to speedrun game: https://www.youtube.com/watch?v=iE_l_aZNzfo https://github.com/ValveSoftware/halflife/issues/1654
|
|
#
?
Oct 20, 2017 05:33
|
|
|
|
| # ? May 14, 2024 02:36 |
|
|
https://twitter.com/resentfultweet/status/905237090253856771
|
|
#
?
Oct 20, 2017 13:33
|
|
