Wiggly Wayne DDS posted: i disagree on the lawyer v engineer argument on iso 3166 (the standards body is absurdly consistent on its usage in practice), but it's mainly simple data quality issues that are being brought up lately as that's where i started looking. start with the inane stuff that should be easy to surface across any CA for conformity and then work on the more complex cases

I could have sworn you were the one that mentioned the lawyer v engineer thing but I couldn’t find itt. anyway the bigger point is that there are obvious remediation issues that should be done, and they’re just ignoring them (this applies to both Entrust and E-Commerce)

May 16, 2024 17:17

hellotoothpaste posted: I have a dumb question probably. How is it that a lot of the incident reports are related to poo poo like “country code was lowercase” and all sorts of inane-sounding data quality issues? Genuinely curious and coming from blockchain so no answer will surprise me.

minor little mistakes like these happen all the time. sometimes it's misinterpreting ambiguous parts of the spec, sometimes it's a bug in the linters, sometimes they didn't validate user-entered info enough, sometimes it's just a simple mistake

usually it's not a big deal. they file incident reports because the rules say they have to, but everyone understands that it's not a big deal and no real threat to anyone. they tweak their cert-generation a bit, report the issue so everyone else can check and make sure they're not making the same mistake, and everyone moves on without making a big deal out of it

but the rules also say they have to revoke certificates with mistakes, no matter how minor the mistakes are. customers generally find this to be annoying, and will make excuses and say it's just too hard to do now and they'll take care of it later when they have some spare time. CAs are unwilling to push their paying customers on it, and will pretend to believe those excuses

the problem is that being unable to handle a revoke-and-reissue on short notice is a big deal, since that's also what they would need to do in the case of a huge mistake that poses a serious threat. everyone's supposed to have procedures in place to make sure they can quickly and easily handle a revocation event, so they're not caught flat-footed if some kind of major compromise happens. so when customers start claiming that replacing a cert is a huge hardship that takes months of work to do, that's a Major Concern, because it's absolutely essential that they have the ability to handle a rapid revocation.

and if the CA is unwilling to put their foot down against that, then they're part of the problem, and are neglecting the considerable responsibilities they hold as a CA

May 16, 2024 17:27

Raymond T. Racing posted: so there’s a few things at play here:

i figured it was to prevent typographic style attacks or misdirections, so that there won't be valid certs from us, US, Us, and uS. only the US cert can possibly be valid. actually, typing that out, sounds like some more of those standards should be enforced on the browser side.

May 16, 2024 20:10

lol email us at feedback@slack.com, the same address we use for ignoring angry emails from computer touchers whenever we change the CSS via https://awscommunity.social/@Quinnypig/112452921509401306

May 16, 2024 23:59

Wiggly Wayne DDS posted: but speaking of different CAs here's the issues i've found that are public so far. i don't have a background in x509 or linting, or reading the BRs. that i can pluck these without any special access, knowledge, or tools should be concerning for the people claiming to be auditors

2024-05-17: SECOM: Difference in upper and lower case between CN field and SAN

to be clear it's that the subject common name and SAN don't match character-for-character, been a requirement since 2021, and a lint has existed since then making it obvious that there's an error. i gave them 24 i found, but there's 37 in their list

May 17, 2024 03:58

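
The two data-quality checks the thread keeps coming back to (a subject country code that is not the uppercase ISO 3166-1 alpha-2 form, and a subject CN that does not appear character-for-character among the SAN dNSNames, the SECOM finding above) are mechanical enough that a CT monitor or a root program could run them on every logged certificate. The following is an added example, not code from the thread, from SECOM, or from any existing linter such as zlint: a small Go program that builds a throwaway self-signed certificate in memory with constructed values (`example.com` stands in for a real name) and runs both checks against it. The function names `lintCountryCodes`, `lintCNInSAN`, `lintCertificate` and `makeTestCert` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one data-quality problem in a certificate, reported in the
// style of a linter error (the BRs require revocation however minor it is).
type Finding string

// lintCountryCodes checks that every subject C= value is exactly two
// uppercase ASCII letters, the ISO 3166-1 alpha-2 form. "us", "Us" and "uS"
// are all flagged; only "US" passes.
func lintCountryCodes(cert *x509.Certificate) []Finding {
	var out []Finding
	for _, c := range cert.Subject.Country {
		ok := len(c) == 2
		for i := 0; ok && i < len(c); i++ {
			ok = c[i] >= 'A' && c[i] <= 'Z'
		}
		if !ok {
			out = append(out, Finding(fmt.Sprintf("subject C=%q is not an uppercase ISO 3166-1 alpha-2 code", c)))
		}
	}
	return out
}

// lintCNInSAN checks that a non-empty subject CN is repeated verbatim as a
// dNSName SAN. The comparison is byte-for-byte; a SAN that matches only
// when case is ignored is reported separately so the cause is obvious.
func lintCNInSAN(cert *x509.Certificate) []Finding {
	cn := cert.Subject.CommonName
	if cn == "" {
		return nil // no CN, nothing to match
	}
	for _, d := range cert.DNSNames {
		if d == cn {
			return nil
		}
	}
	for _, d := range cert.DNSNames {
		if strings.EqualFold(d, cn) {
			return []Finding{Finding(fmt.Sprintf("CN %q differs from SAN %q only in case", cn, d))}
		}
	}
	return []Finding{Finding(fmt.Sprintf("CN %q is not present in the SAN dNSNames", cn))}
}

// lintCertificate runs every check and returns the combined findings.
func lintCertificate(cert *x509.Certificate) []Finding {
	return append(lintCountryCodes(cert), lintCNInSAN(cert)...)
}

// makeTestCert builds a self-signed certificate in memory with the given
// subject country, CN and SAN list. Constructed test input only; nothing
// here comes from a real CA.
func makeTestCert(country, cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{country}, CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Lowercase country and a CN that only differs from its SAN in case.
	bad, err := makeTestCert("us", "Example.com", []string{"example.com"})
	if err != nil {
		panic(err)
	}
	for _, f := range lintCertificate(bad) {
		fmt.Println("error:", f)
	}
	good, _ := makeTestCert("US", "example.com", []string{"example.com", "www.example.com"})
	fmt.Println("clean certificate findings:", len(lintCertificate(good)))
}
```

The comparison in `lintCNInSAN` is deliberately exact rather than case-folded: DNS names are case-insensitive on the wire, but the point the thread makes is that the encoded certificate fields must agree byte-for-byte, so a case-folded check would hide exactly the class of error SECOM was reported for.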
Wiggly Wayne DDS posted: secom are in the process of publishing their incident atm:

man you need a gang tag "I ended a certificate authority: SECFUCK LEAD FUCKER"

May 17, 2024 04:04

is there a reason CT logs or CT monitors don't lint certs

May 17, 2024 04:09

Rufus Ping posted: is there a reason CT logs or CT monitors don't lint certs

the big mess of issues in march was a linting experiment, but we don't officially know if it was a personal program or google's root program directly

May 17, 2024 04:31

what if browser vendors said "from so-and-so date, we will no longer consider certs that fail these basic linter checks as valid, even if they come from a trusted CA"

May 17, 2024 06:00

Carthag Tuek posted: what if browser vendors said "from so-and-so date, we will no longer consider certs that fail these basic linter checks as valid, even if they come from a trusted CA"

that's basically what I said. maybe call it twoCRL

ok that was a joke but seriously why give these CA people so much slack?

May 17, 2024 06:03

presumably because if browser nerds break enough infrastructure (such as a few banks for a few days) lawmakers will get angry. "why should silicon valley people with no oversight have control over our precious deutsche bank?" is a somewhat valid question for an MEP to ask

move slow and break things

May 17, 2024 06:10

Thanks for the context, makes sense to me and neat to sit on the sidelines and see y’all have this level of patience. I’d have flipped out by now

May 17, 2024 06:26

spankmeister posted: that's basically what I said.

i cant read

NFX posted: presumably because if browser nerds break enough infrastructure (such as a few banks for a few days) lawmakers will get angry. "why should silicon valley people with no oversight have control over our precious deutsche bank?" is a somewhat valid question for an MEP to ask

sure move slow, hence "from some date in the future"

May 17, 2024 06:31

everything I've ever seen in tech screams "Shake hands with danger"

May 17, 2024 07:54

doing some quick math:

quote: • We are working with 944 customer accounts to revoke and re-issue 26,668 affected EV certificates. Here is a summary of our progress as of this posting:

quote: We are working diligently with our customers to complete revocation of affected certificates. Over 95% of customers have completed revocation. We have 9,906 certificates remaining within the following four (4) industries: Financial Institutions (6,940 certificates), Government Agencies (170 certificates), Information Technology (46 certificates), and Travel (Airline) (2,750 certificates). All are scheduled to be revoked within the next 20 days with limited exceptions as required.

now I'm not good at numbers but I feel like that 95% there is to hide the fact that more than a third are still outstanding

May 17, 2024 19:00

Chungwa Telecom posted: In the event of similar incidents in the future, we will first assess whether they relate to key access security. If it is a major security issue, we will promptly report to the government and comply with BR regulations by revoking all certificates. However, if it involves only changes to the certificate fields and does not pertain to major security issues, we will explain the reason for the bug here. After confirming the schedule with the government, we will proceed with phased and batch revocations to ensure the availability of government websites is not affected.

May 17, 2024 19:10

I love how that's a Jorgenson clamp, and you have a 50/50 chance of making it looser by cranking down on the wrong handle.

May 17, 2024 19:15

dont get chungwa, get funwa!

May 17, 2024 20:45

Where we got lucky

We can take this opportunity to familiarize ourselves with the problem reporting process and use Bugzilla to document issues.

May 17, 2024 22:15

the ironic thing is how much all of this discussion is making me actively suspicious of browsers in general

May 18, 2024 02:13

Main Paineframe posted: Where we got lucky

May 18, 2024 02:55

hellotoothpaste posted: the ironic thing is how much all of this discussion is making me actively suspicious of browsers in general

lol if u dont think theyre the largest attack surface on ur computer

May 18, 2024 03:15

quote: All are scheduled to be revoked within the next 20 days with limited exceptions as required.

Someone ask them what the limited exceptions are, for each individual and limited exception, and of course which BR grants the aforementioned exception.

May 18, 2024 06:56

SeaborneClink posted: Someone ask them what the limited exceptions are, for each individual and limited exception, and of course which BR grants the aforementioned exception.

does "idk i dont feel like it" count?

May 18, 2024 07:42

Carthag Tuek posted: does "idk i dont feel like it" count?

it worked for entrust for half a decade

May 18, 2024 07:52

Bonfire Lit posted: it worked for entrust for half a decade

hell yea carthag.trusted.ca here we come

e: .CA

May 18, 2024 08:03

I really really really hope that Mozilla and the other root programs take action and that this leads to the distrust of several CAs. Given how easy it seems to be to find a CA that isn’t willing to follow the rules this feels like a real moment of truth for webPKI as a whole.

maybe this is an influence operation to ruin https everywhere

May 18, 2024 11:00

well then

May 18, 2024 14:12

seems fine to me, unironically, unless that account has dangerous privileges

May 18, 2024 14:13

Subjunctive posted: seems fine to me, unironically, unless that account has dangerous privileges

it’s just Conceptually kind of stupid

May 18, 2024 14:21

I mean, in that if you controlled the software completely you could make it invisibly run as that user, but otherwise it’s just kiosk mode with a bit more typing

May 18, 2024 14:28

I would have made the username and password much shorter, though

May 18, 2024 14:28

Subjunctive posted: I would have made the username and password much shorter, though

sorry we have audit requirements and standards we have to meet on password security, can't make it too easy to guess!

May 18, 2024 14:59

Subjunctive posted: I mean, in that if you controlled the software completely you could make it invisibly run as that user, but otherwise it’s just kiosk mode with a bit more typing

yeah public kiosk mode is fine but at that point just hardcode it

May 18, 2024 15:27

Carthag Tuek posted: yeah public kiosk mode is fine but at that point just hardcode it

yeah I bet the people who set it up don’t have that capability (or permission), but also I suspect you can log into that interface with non-public user credentials as well

May 18, 2024 15:39

Subjunctive posted: yeah I bet the people who set it up don’t have that capability (or permission), but also I suspect you can log into that interface with non-public user credentials as well

that’s what the interface suggests, but it’s still so jarring

May 18, 2024 15:40

zero knowledge posted: also c'mon Cloudflare it's 2024 why do all your products still say "SSL" in them?

rather late but you code switch somewhat when marketing poo poo to, idk, southeast asia or brasil. the latest and greatest technical terms in english have a much slower bake time to places that speak less english and have less of a domestic tech industry. there's both a slower language propagation factor and a "lots of people are still using ancient phones running android 9 or some poo poo" factor

May 18, 2024 21:06

over 3 billion devices run cobol

May 18, 2024 21:41