digitalist posted:lmao can we make images thread titles

# ? May 15, 2024 18:26 |

# ? Jun 6, 2024 08:24 |
Salt Fish posted:I got you, I didn't know about google's crlsets or onecrl. I was really surprised to read that only 9% of TLS connections use OCSP stapling, I thought that was way more widely used. i'm still not sure how this helps given how big CRLs can be. they can be locally cached for a period of time so it's a significant reduction in per-connection traffic to instead put a higher cost on the initial connection and increases the period for revocation to be noticed by all clients
|
# ? May 15, 2024 18:30 |
|
|
# ? May 15, 2024 18:54 |
|
spankmeister posted:no, that's not what I mean. I know what revocation is but that's something the CA does by putting the certs on the CRL (or OCSP). Would that still depend on the CA to self-report the certs in question? I think they would continue to not open incidents. I think Wayne found more certs that were not reported, but that was because they were next to others that were reported.
|
# ? May 15, 2024 18:57 |
|
ugh, I guess I have to post to clarify what I meant about picking CAs that don’t suck. mdsp is probably better for that than the bug…
|
# ? May 15, 2024 19:14 |
|
Wiggly Wayne DDS posted:their ocsp servers and routes can't handle the traffic (and it's a privacy nightmare) which is why we're reverting to that being optional and crls being required. i'm still a bit concerned on how browsers and other tls stacks deal with crls and replay attacks and that is something i should look into for prior research

tbh I thought that's what stapling solves. You cache the signed OCSP response on your server and then serve that along with your certificate to prove to the client your cert hasn't been revoked, therefore removing the privacy issue (only the server you sent the request to knows it's you) and also the load issue. I have only run into OCSP professionally maybe 2-3x for support issues that clients had with setting up stapling on the web hosting side, so I have essentially no knowledge of what would even drive adoption except the good will of server operators.
|
# ? May 15, 2024 19:42 |
|
yeah, OCSP stapling was supposed to solve the load issues, like 15 years ago
|
# ? May 15, 2024 19:52 |
|
From my experience in fully managed web hosting that somehow includes SEO assistance, you just need all search engines to make a rule that you can't be on the first page of results unless you support stapling and it would be universally adopted in a month.

edit: this stuff should not be 1% as interesting as it is lol
|
# ? May 15, 2024 19:55 |
|
digitalist posted:lmao that is julie uhrman erasure
|
# ? May 15, 2024 20:54 |
|
Entrust politely asked us to rotate certs when it was convenient for us to do so, there was zero urgency to it. Is it any wonder people are dragging their feet on it? I hope people aren't replacing entrust certs with entrust certs since it's taken so long to even get this far. Lotta companies gonna end up doing surprised pikachu faces if/when Entrust gets yanked from the roots and suddenly a leisurely cert replacement is gonna turn into an emergency.
|
# ? May 15, 2024 21:21 |
|
SeaborneClink posted:Entrust politely asked us to rotate certs when it was convenient for us to do so, there was zero urgency to it.

wait are you saying you received a request to rotate and they never mentioned at all that they were under contractual obligation to revoke within 5 days? I feel like this is a much bigger concern: they're straight up avoiding mentioning the violation of 4.9.1.1 if that's the case?

Raymond T. Racing fucked around with this message at 21:32 on May 15, 2024 |

# ? May 15, 2024 21:27 |
|
Raymond T. Racing posted:wait are you saying you received a request to rotate and they never mentioned at all that they were under contractual obligation to revoke within 5 days? Why the gently caress would they say that, if they themselves didn't believe they were under an obligation to revoke in the first place
|
# ? May 15, 2024 21:35 |
|
i know for cpsuri they sent out this email: then subsequently did gently caress all. note they want the customers to go onto the online portal and request a reissue and revoke within -30- days....
|
# ? May 15, 2024 22:07 |
|
Wiggly Wayne DDS posted:i know for cpsuri they sent out this email: "pretty please revoke" not "we have revoked them for you please go to entrust dot bad slash new cert and submit a new CSR"
|
# ? May 15, 2024 22:52 |
|
also oh my god, they're charging 219/yr (at one year pricing) for a single example.com/www.example.com OV cert, with a single extra SAN costing 79. their one year wildcard OV (*.example.com) is 799 and this is a loving racket

eta:

Raymond T. Racing fucked around with this message at 23:38 on May 15, 2024 |

# ? May 15, 2024 22:57 |
|
sure but consider the incredible value organizational validation provides
|
# ? May 15, 2024 23:27 |
|
infernal machines posted:sure but consider the incredible value organizational validation provides like and ?
|
# ? May 15, 2024 23:30 |
|
Raymond T. Racing posted:219/yr they know
|
# ? May 15, 2024 23:31 |
|
Raymond T. Racing posted:like your customers may not appreciate it or even be aware of its existence, but you'll know
|
# ? May 15, 2024 23:52 |
|
Wiggly Wayne DDS posted:note they want the customers to go onto the online portal and request a reissue and revoke within -30- days.... to clarify, the email does communicate the date at which it will be revoked and that they will need to reissue within that deadline as well, but "revoke within 30 days" is still a terrible string to have in the body of an email that most customers are going to glance at, at best. the problem is that within the reissue flow for a cert, there is a button you have to press which means "i assert that i will soon no longer be using the previous issuance of this cert and it is good to revoke". that button is poorly named, but basically means "when you press this button, we are reissuing this cert now and giving you a period of time of up to 30 days to rotate it before we revoke the old one"
|
# ? May 15, 2024 23:58 |
|
Storysmith posted:to clarify, the email does communicate the date at which it will be revoked and that they will need to reissue within that deadline as well, but "revoke within 30 days" is still a terrible string to have in the body of an email that most customers are going to glance at, at best.
|
# ? May 16, 2024 00:23 |
|
If this winds up with the BR prescribing some boilerplate that must be, no matter what, included in revocation notifications... Actually this would probably be a good thing, along with standardized translations, cutting down on excuses and work for everyone once it's done and it will never change. In 2200, the computer touchers will need to speak Chinese and ancient English and by god they will cry every day.
|
# ? May 16, 2024 00:35 |
|
SIGSEGV posted:If this winds up with the BR prescribing some boilerplate that must be, no matter what, included in revocation notifications... if the language used is sufficiently standardised it essentially becomes a human-operated ACME ARI
|
# ? May 16, 2024 03:50 |
|
Storysmith posted:if the language used is sufficiently standardised it essentially becomes a human-operated ACME ARI I don’t entirely think this is what our friends at entrust had in mind
|
# ? May 16, 2024 03:56 |
|
SIGSEGV posted:If this winds up with the BR prescribing some boilerplate that must be, no matter what, included in revocation notifications... buddy, we're already speaking ancient English
|
# ? May 16, 2024 05:44 |
|
https://www.abc.net.au/news/2024-05-16/health-organisation-part-of-large-scale-ransomware-data-breach/103856582

quote:The ABC can confirm e-script provider MediSecure is the health organisation at the centre of the large-scale ransomware data breach announced by the National Cyber Security Coordinator on Thursday.

from their site: quote:

i sure would love just a smidgen more detail about the status of the broker holding names, addresses, prescription lists, and tokens that let you dispense drugs from pharmacies
|
# ? May 16, 2024 06:50 |
|
Wiggly Wayne DDS posted:the latest entrust update has claimed subscriber reasons. have a seat and don't drink. this incident has been ongoing since earlier March and subscribers were notified March 20th

and yet for the cpsuri incident they're incapable of doing that bare minimum:

2024-05-16 03:02: Entrust: Delayed revocation of EV TLS certificates with missing cPSuri

Bruce (Entrust) posted:We are working diligently with our customers to complete revocation of affected certificates. Over 95% of customers have completed revocation. We have 9,906 certificates remaining within the following four (4) industries: Financial Institutions (6,940 certificates), Government Agencies (170 certificates), Information Technology (46 certificates), and Travel (Airline) (2,750 certificates). All are scheduled to be revoked within the next 20 days with limited exceptions as required.
|
# ? May 16, 2024 13:52 |
|
Wiggly Wayne DDS posted:and yet for the cpsuri incident they're incapable of doing that bare minimum: 2024-05-16 03:02: "limited exceptions" doin a lot of work in that sentence
|
# ? May 16, 2024 13:54 |
|
these were all supposed to be dealt with within 5 days of entrust finding out they had an issue
|
# ? May 16, 2024 14:26 |
|
Wiggly Wayne DDS posted:these were all supposed to be dealt with within 5 days of entrust finding out they had an issue

tbf to them they still seem to be struggling to recognize that they have an issue
|
# ? May 16, 2024 14:29 |
|
Sir Bobert Fishbone posted:tbf to them they still seem to be struggling to recognize that they have an issue i've been at companies on the other end of "our company has done a bad thing, but we don't think it's all that bad, but other people sure do" plenty of times before and i think i can imagine precisely how management is addressing this internally, cuz their responses look like the same exact bullshit excuses and ignoring the problem or being distracted until someone escalates, etc. it's really funny to watch it from the other side for once.
|
# ? May 16, 2024 14:34 |
|
they’re gonna love putting together per subscriber reasons for 9,000 certs
|
# ? May 16, 2024 14:42 |

a billion dollars a year

# ? May 16, 2024 15:01 |
|
"please let <customer> know that either you will revoke their certs, or we will revoke both yours and thus theirs."
|
# ? May 16, 2024 15:35 |
|
Raymond T. Racing posted:also oh my god, they're charging 219/yr (at one year pricing) for a single example.com/www.example.com OV cert, with a single extra SAN costing 79 I bought a cert through Azure by way of GoDaddy once, not knowing I didn’t have to pay this much to acquire a wildcard cert. Was even more expensive, would have been pissed but it was paid for in free credits so 🤷♂️
|
# ? May 16, 2024 16:32 |
|
I have a dumb question probably. How is it that a lot of the incident reports are related to poo poo like “country code was lowercase” and all sorts of inane-sounding data quality issues? Genuinely curious and coming from blockchain so no answer will surprise me.
|
# ? May 16, 2024 16:34 |
|
hellotoothpaste posted:I have a dumb question probably. How is it that a lot of the incident reports are related to poo poo like “country code was lowercase” and all sorts of inane-sounding data quality issues? Genuinely curious and coming from blockchain so no answer will surprise me.

1. incidents are (generally) not a bad thing. in theory it should allow for the ecosystem as a whole to be stronger
2. for the country code thing, one spec was written by lawyers, one spec was written by engineers

lawyers: "the country code must match what is defined for country. US = us"
engineers: "MUST SHALL etc to be treated as RFC2119. country code in cert MUST match country code as defined in blah blah blah. US != us"

Raymond T. Racing fucked around with this message at 16:43 on May 16, 2024 |

# ? May 16, 2024 16:36 |
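The "US != us" point above is exactly the kind of check a certificate linter runs against a CA's issued certs. As an added example (not code from the thread or from any CA or linter), here is a small pure-stdlib DER reader that pulls `countryName` out of an X.509 Name and flags values that are not two uppercase ASCII letters; the two sample Names are constructed inline, and the OID constants, helper names and `build_name` encoder are the example's own, not part of any library.

```python
# Added example: lint countryName in a DER X.509 Name the way RFC 5280 / the
# Baseline Requirements expect (uppercase ISO 3166-1 alpha-2 code).
# Sample Names below are constructed by hand, not taken from any real cert.

COUNTRY_NAME = "2.5.4.6"      # id-at-countryName
ORGANIZATION = "2.5.4.10"     # id-at-organizationName


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(payload):
    """Decode an OBJECT IDENTIFIER payload (base-128 arcs) into dotted form."""
    arcs, acc = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_name(der):
    """Parse a DER-encoded Name into a list of (dotted_oid, text) pairs."""
    tag, rdn_sequence, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdn_sequence):
        set_tag, rdn, pos = _read_tlv(rdn_sequence, pos)   # each RDN is a SET
        if set_tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)         # AttributeTypeAndValue
            _, oid_bytes, after_oid = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, after_oid)
            attrs.append((_decode_oid(oid_bytes), value.decode("utf-8")))
    return attrs


def lint_country_codes(der):
    """Return one finding per countryName that is not two uppercase ASCII letters.
    A production linter would additionally check membership in the ISO 3166-1 table."""
    findings = []
    for oid, value in parse_name(der):
        well_formed = len(value) == 2 and value.isascii() and value.isalpha() and value.isupper()
        if oid == COUNTRY_NAME and not well_formed:
            findings.append(f"countryName {value!r} is not an uppercase ISO 3166-1 alpha-2 code")
    return findings


# --- constructed sample data (hypothetical helpers, not a library API) --------
def _der(tag, payload):
    """Encode one short-form DER element (payload shorter than 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def _oid(dotted):
    """Encode a dotted OID whose arcs are all below 128 (enough for these samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    return _der(0x06, bytes([arcs[0] * 40 + arcs[1]] + arcs[2:]))


def build_name(attributes):
    """Build a DER Name with one attribute per RDN from (oid, string_tag, text) triples."""
    rdns = b"".join(_der(0x31, _der(0x30, _oid(oid) + _der(string_tag, text.encode())))
                    for oid, string_tag, text in attributes)
    return _der(0x30, rdns)


# 0x13 = PrintableString (the type countryName uses), 0x0C = UTF8String
GOOD_NAME = build_name([(COUNTRY_NAME, 0x13, "US"), (ORGANIZATION, 0x0C, "Example Corp")])
BAD_NAME = build_name([(COUNTRY_NAME, 0x13, "us"), (ORGANIZATION, 0x0C, "Example Corp")])

if __name__ == "__main__":
    print(parse_name(BAD_NAME))
    print(lint_country_codes(BAD_NAME))    # one finding
    print(lint_country_codes(GOOD_NAME))   # []
```

Running it prints the parsed attributes of the bad Name and a single finding for `'us'`, and nothing for the good one; on a real certificate you would feed it the subject Name extracted from the TBSCertificate, which is the same structure.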
|
there's a general (probably well-founded) assumption that how you react to these "the cert is wrong in a way that doesn't really materially impact anything" events is going to be the same way you react to actual security-impacting issues. showing that you can respond appropriately and churn your certificates in a timely fashion is a good sign, especially if you can also write up some nice lessons learned and make process adjustments to avoid running into the same issues repeatedly. in contrast, if you show in one of these events that you are organizationally incapable of revoking and replacing certs in a timely fashion, that does not give anyone confidence that you'll be able to do so in an event where it's actually important for web security to revoke and replace certs. doubly so if you write up some nice "lessons learned" and then completely fail to actually learn any of the lessons you listed.
|
# ? May 16, 2024 17:05 |
|
Jabor posted:there's a general (probably well-founded) assumption that how you react to these "the cert is wrong in a way that doesn't really materially impact anything" events is going to be the same way you react to actual security-impacting issues. showing that you can respond appropriately and churn your certificates in a timely fashion is a good sign, especially if you can also write up some nice lessons learned and make process adjustments to avoid running into the same issues repeatedly. especially when you previously commit to not making these mistakes again, and especially not failing to revoke for an intended period of time then you do the exact same thing
|
# ? May 16, 2024 17:07 |
i disagree on the lawyer v engineer argument on iso 3166 (the standards body is absurdly consistent on its usage in practice), but it's mainly simple data quality issues that are being brought up lately as that's where i started looking. start with the inane stuff that should be easy to surface across any CA for conformity and then work on the more complex cases.

at the rate things are going e-commerce monitoring gmbh is going to be distrusted before entrust even puts together their report
|
# ? May 16, 2024 17:09 |