|
Yeah, if your server just unconditionally 301s all http network to https (which it should), I don't think there's a way to downgrade that in any way.
|
#
?
Jan 9, 2018 14:36
|
|
|
|
| # ? May 28, 2024 15:12 |
|
|
Truga posted:Yeah, if your server just unconditionally 301s all http network to https (which it should), I don't think there's a way to downgrade that in any way. A sophisticated MITM could run a proxy that fetches content from your server over https, modifies it to suppress https links, and serves that to the victim over plain http. No certs mean you just blindly trust DNS to tell you what the authoritative server is. Or, they could just build a fake copy of your site, basically using their control over DNS to enhance a phishing attack. HSTS makes sure that https connectivity is a latching operation - if you connect to the legit site once, it won't let you be fooled by an HTTP MITM ever again. Since a lot of threats involve rogue access points for mobile devices, it provides a useful enhancement.
|
|
#
?
Jan 9, 2018 16:42
|
|
|
Truga posted:probably that if you're mitm, you can suppress the hsts header If the browser visited a HSTS site before, then it should not allow it to load on HTTP without a complete cache clear.
|
|
#
?
Jan 9, 2018 23:28
|
|
|
I think Truga means on first connection. Secure introduction is still a pain.
|
|
#
?
Jan 9, 2018 23:31
|
|
|
That's what the preload lists are for
|
|
#
?
Jan 9, 2018 23:33
|
|
|
Thanks Ants posted:That's what the preload lists are for The problem with preload lists is that there are only 3k domains on it . The requirements to get on it is easy but I'd you ever want to do something like change certs entirely with no upgrade path, i hear it's like getting your teeth pulled. Also only that helps is that browsers can be assigned "secure" cookies so even if the mitm provided a non-ssl http version, the browser won't provide poo poo. There's a good list of when it's vulnerable and considering a mitm attack.
|
|
#
?
Jan 10, 2018 00:27
|
|
|
What are the odds Oracle releases anti-Spectre microcode updates for SPARC processors lmao gently caress my life
|
|
#
?
Jan 10, 2018 01:43
|
|
|
EVIL Gibson posted:The problem with preload lists is that there are only 3k domains on it . The requirements to get on it is easy but I'd you ever want to do something like change certs entirely with no upgrade path, i hear it's like getting your teeth pulled. HSTS has nothing to do with certs--it just ensures that your browser will never make a request to a given domain using HTTP. So you can rotate certificates/CAs freely. Are you thinking of HPKP, which is indeed very dangerous if you lose your private keys? (Stopping serving for HTTPS once you have served an HSTS header is hard, of course, but you should never stop serving HTTPS.)
|
|
#
?
Jan 10, 2018 01:45
|
|
|
eversion posted:HSTS has nothing to do with certs Related to HKP, but preload does require certs as one of it's requirements From hstspreload.org which Chrome uses and other browsers base their preloads on. quote:Submission Requirements It goes on, but certificates are critical. EVIL Gibson fucked around with this message at 01:54 on Jan 10, 2018 |
|
#
?
Jan 10, 2018 01:51
|
|
|
Of course certs are required, they’re an essential part of HTTPS, pinned or no.
|
|
#
?
Jan 10, 2018 02:06
|
|
|
Are you suggesting that HSTS preload also requires you to use HPKP, or what? I mean, you always need a cert for https, the point in question is how easy it is to change what cert you're using later.
|
|
#
?
Jan 10, 2018 02:08
|
|
|
CLAM DOWN posted:What are the odds Oracle releases anti-Spectre microcode updates for SPARC processors lmao gently caress my life Hopefully it IS specter and not meltdown. Paying oracle to patch in less performance. What a time to be alive.
|
|
#
?
Jan 10, 2018 02:13
|
|
|
CLAM DOWN posted:What are the odds Oracle releases anti-Spectre microcode updates for SPARC processors lmao gently caress my life It would be *so* awesome if the greybeard inventors of SPARC came out of hiding after a couple of weeks of hacking and published just this. Like, they just took the time from retirement to do that. But hey are SPARC processors vulnerable anyway?
|
|
#
?
Jan 10, 2018 02:15
|
|
|
À propos HTTPS and 301 stuff, I've been away from the web scene for a while and imagine my surprise when I discovered that you can just use a thing called certbot to install valid, public certificates for your hosts without the hassle of buying them or adding your own CA for development. it's awesome and why didn't anyone thing of doing that sooner?
|
|
#
?
Jan 10, 2018 02:19
|
|
|
Because nobody was willing to do the work to run a CA for free until Mozilla and co stepped up.
|
|
#
?
Jan 10, 2018 02:24
|
|
|
JazzmasterCurious posted:It would be *so* awesome if the greybeard inventors of SPARC came out of hiding after a couple of weeks of hacking and published just this. Like, they just took the time from retirement to do that. But hey are SPARC processors vulnerable anyway? They appear to be, they use speculative execution in the same manner. incoherent posted:Paying oracle to patch in less performance So, normal then?
|
|
#
?
Jan 10, 2018 02:51
|
|
|
CLAM DOWN posted:What are the odds Oracle releases anti-Spectre microcode updates for SPARC processors lmao gently caress my life I can't find "predict" or "pipeline" in the wiki page; if the architecture doesn't have any of that, why would they be vulnerable?
|
|
#
?
Jan 10, 2018 04:11
|
|
|
Absurd Alhazred posted:I can't find "predict" or "pipeline" in the wiki page; if the architecture doesn't have any of that, why would they be vulnerable? I don't know from SPARC, but I can't imagine any modern processor doesn't use speculative exec or branch prediction in some manner or another. poo poo's been around since the 90s.
|
|
#
?
Jan 10, 2018 04:31
|
|
|
Absurd Alhazred posted:I can't find "predict" or "pipeline" in the wiki page; if the architecture doesn't have any of that, why would they be vulnerable? SPARC is an interesting case in that it's a specification for a processor architecture as seen from the assembly level up, not the processor's internals themselves. Oracle doesn't make SPARC processors themselves; they license the specifications out to other companies like Fujitsu, Weitek, Texas Instruments, LSI, etc. who then go design and build their own SPARC architecture processors. I know Fujitsu's had pretty deep speculative execution in their SPARCs since 2001. Possibly earlier.
|
|
#
?
Jan 10, 2018 04:35
|
|
|
Absurd Alhazred posted:I can't find "predict" or "pipeline" in the wiki page; if the architecture doesn't have any of that, why would they be vulnerable? The sparc procs in our machines are made by Fujitsu which apparently uses speculative execution, so they'd be vulnerable. E:fb
|
|
#
?
Jan 10, 2018 04:47
|
|
|
quote:Hallelujah, dumb again. 
|
|
#
?
Jan 10, 2018 05:03
|
|
|
Everything old is new again: https://twitter.com/qrs/status/950462488348446721 It's worse than you think: https://twitter.com/0x6d696368/status/950479587515011072
|
|
#
?
Jan 10, 2018 05:12
|
|
|
Absurd Alhazred posted:Everything old is new again: It ALWAYS is. 
|
|
#
?
Jan 10, 2018 10:10
|
|
|
The Infosec Thread: It's worse than you think
|
|
#
?
Jan 10, 2018 11:58
|
|
|
Aren't we used to this by now? Virtualization, which only really became big in the 90s, is from the 70s. Containers aren't a new thing, either - even aside from the fact that FreeBSD jails are from 1998, the idea itself dates back to the 70s. CHERI, a capability-enforcing ISA based on RISC, isn't even settled enough that hardware can be fabbed - but the idea is from way back in the 60s, if I recall correctly.
|
|
#
?
Jan 10, 2018 12:00
|
|
|
D. Ebdrup posted:Aren't we used to this by now? I know I am. Nothing gets me excited anymore and I'm already at the upper limit of drinking.
|
|
#
?
Jan 10, 2018 12:32
|
|
|
Full transparency for everyone - e-mail accounts open for everyone to see, free information everywhere and with regards to everything (except maybe bank accounts). As technology stacks become more and more complex and with one billion different features, it's impossible to protect everything. Add to this the eventual product that will automatically check for every known vulnerability in the entire stack and there's an easy way for anyone to get in your infrastructure and get privileges. Diplomacy would be interesting in this case
|
|
#
?
Jan 10, 2018 17:20
|
|
|
I fully expect Oracle to deal with SPARC microcode in such a way that it affects the licensing of their software.
|
|
#
?
Jan 10, 2018 18:12
|
|
|
Okay here's a fun scenario that we ran in to with SEP and the Meltdown patches: Bunch of clients are still running 12.1 with a reboot pending to upgrade to 14. 12.1 clients installed the live update packages and created the meltdown compatibility reg keys so the patches will install. If they do, they will install the kernel fix and reboot only to come up on SEP14 with defs and engine from back in December that is not Meltdown compatible and boom, BSOD. lovely temp fix is to constantly run a script on them that looks for SEP12.1 presence and deletes the compatibility registry key. Once the system has rebooted and taken 14, live update will fire and get the new eraser engine, compatibility key will be created and stick, then MS patches can apply. gently caress. Me.
|
|
#
?
Jan 10, 2018 18:16
|
|
|
Proteus Jones posted:I don't know from SPARC, but I can't imagine any modern processor doesn't use speculative exec or branch prediction in some manner or another. poo poo's been around since the 90s. Itanium doesn't (in the hardware sense, anyway). Not doing OoO type stuff is/was literally that CPU's whole schtick.
|
|
#
?
Jan 10, 2018 18:27
|
|
|
Maybe itanium will make a comeback?
|
|
#
?
Jan 10, 2018 18:30
|
|
|
Evis posted:Maybe itanium will make a comeback? I think HP kept making them through the end of 2017 so maybe they're not dead!!!!
|
|
#
?
Jan 10, 2018 18:36
|
|
|
I've got your Itanium laptop ready sir
|
|
#
?
Jan 10, 2018 18:43
|
|
|
So many of our machines are pre-Haswell or are Haswell and are from a local computer store, not an actual vendor. gently caress me sideways.
|
|
#
?
Jan 10, 2018 19:13
|
|
|
CLAM DOWN posted:I think HP kept making them through the end of 2017 so maybe they're not dead!!!! https://www.pcworld.com/article/3196080/data-center/intels-itanium-once-destined-to-replace-x86-in-pcs-hits-end-of-line.html Not quite yet but it's a dead man walking
|
|
#
?
Jan 10, 2018 22:53
|
|
|
feedmegin posted:Itanium doesn't (in the hardware sense, anyway). Not doing OoO type stuff is/was literally that CPU's whole schtick. Bonnell and Saltwell Atoms as well, though Silvermont and beyond have it and thus are affected. So my old netbook is immune, wheeee.
|
|
#
?
Jan 10, 2018 23:24
|
|
|
Kazinsal posted:So many of our machines are pre-Haswell or are Haswell and are from a local computer store, not an actual vendor. Good opportunity to get that fixed
|
|
#
?
Jan 11, 2018 21:25
|
|
|
Well, so far as I can tell, my old Core 2 Quad seems immune. So yay for my kitbashed old crap.
|
|
#
?
Jan 11, 2018 22:28
|
|
|
Samizdata posted:Well, so far as I can tell, my old Core 2 Quad seems immune. So yay for my kitbashed old crap. It's vulnerable. Have you run the microsoft utility?
|
|
#
?
Jan 11, 2018 22:32
|
|
|
|
| # ? May 28, 2024 15:12 |
|
|
mewse posted:It's vulnerable. Have you run the microsoft utility? Yup.
|
|
#
?
Jan 11, 2018 22:34
|
|