love how certificate infrastructure is held up by some random corps and people to follow some rules that are as enforceable as a monopoly game rules and that most browsers and os stopped checking for cert revocations. i mean it says there at top secure!!!

# Apr 24, 2024 06:35

# May 4, 2024 14:49
NFX posted:
> I have a question about certificate transparency logs. as far as I can tell CAs only need to submit a pre certificate to the log, and that's what they usually do (according to wayne's comment some pages back).

CA sends precert to CT, CT sends back SCT, CA gives subscriber cert+SCT from CT

# Apr 24, 2024 06:38
Raymond T. Racing posted:
> CA sends precert to CT, CT sends back SCT, CA gives subscriber cert+SCT from CT

yes, but if subscriber and CA are in on it together to maliciously issue a cert for google.com, can't they issue a precert for foo.com, get an SCT, and use that to generate a google.com cert? then it's up to the client to verify that SCT and the precert are valid and match the cert for google.com. obviously that's no worse than the client needing to validate the cert itself, but it does mean that any discrepancy is only noticed at time of use, and as far as I can tell, only if client uses chrome/safari

e: obviously that would be super risky and probably burn the CA, but it might possibly be worth it in some highly targeted scenario. I assume the answer to my original question is "the CAs don't wanna do the extra work, politics, perfect is the enemy of good, etc. etc", I just wanted to know if there was something I have missed in my understanding of CT

NFX fucked around with this message at 06:50 on Apr 24, 2024

# Apr 24, 2024 06:47
NFX posted:
> yes, but if subscriber and CA are in on it together to maliciously issue a cert for google.com, can't they issue a precert for foo.com, get an SCT, and use that to generate a google.com cert? then it's up to the client to verify that SCT and the precert are valid and match the cert for google.com. obviously that's no worse than the client needing to validate the cert itself, but it does mean that any discrepancy is only noticed at time of use, and as far as I can tell, only if client uses chrome/safari

the sct for the pre-cert is over the entire cert. if CA sends foo.com to CT, they'd get back an SCT over foo.com, and if they blasted it into google.com and issued it, they'd end up with an invalid SCT

# Apr 24, 2024 06:57
Celexi posted:
> love how certificate infrastructure is held up by some random corps and people to follow some rules that are as enforceable as a monopoly game rules and that most browsers and os stopped checking for cert revocations.

it's like a live game theory experiment

# Apr 24, 2024 07:35
Celexi posted:
> most browsers and os stopped checking for cert revocations.

Wait, what?

# Apr 24, 2024 08:30
yeah that's not right. we even have OCSP stapling and everything!

# Apr 24, 2024 09:55
they'll be getting mixed up with CRLs getting de-prioritised in general and not checked in firefox entirely given OCSP is the norm

also post got approved: https://groups.google.com/u/1/a/mozilla.org/g/dev-security-policy/c/J3aX8OKIT_A

# Apr 24, 2024 10:22
Zamujasa posted:
> most people do not expect every public location they are in to have someone recording their every move to be sold to one of the shittiest websites on the planet

seen as good? no. seen as normal? absolutely yes, because it is normal on the internet

# Apr 24, 2024 10:58
Wiggly Wayne DDS posted:
> they'll be getting mixed up with CRLs getting de-prioritised in general and not checked in firefox entirely given OCSP is the norm

...except now we're heading back the other way and OCSP is on the way out, CRLs back in vogue.

# Apr 24, 2024 11:14
i did a spittake btw: Microsec: Misissuance an EV TLS certificate without CPSuri

dr. Sándor SZŐKE posted:
> Incident Status Report - 2024-04-24

# Apr 24, 2024 12:42
Wiggly Wayne DDS posted:
> they'll be getting mixed up with CRLs getting de-prioritised in general and not checked in firefox entirely given OCSP is the norm

great work, wayne

# Apr 24, 2024 12:44
Wiggly Wayne DDS posted:
> i did a spittake btw:

🤩 that’s really impressive

# Apr 24, 2024 12:46
Wiggly Wayne DDS posted:
> i did a spittake btw:

now this is what an incident report should look like jfc

# Apr 24, 2024 14:50
^^^ that's what happens when you touch the poop

Raymond T. Racing posted:
> the sct for the pre-cert is over the entire cert

that's what I'm saying, an invalid cert SCT wouldn't be detected by those who just monitor the CT. I suppose I've been looking at this wrong. the big advantage of CT is that the client can verify the SCT and know that the issuer participates in the whole trust ecosystem. the advantage as a domain owner is secondary

# Apr 24, 2024 17:21
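An added example, not code from any poster or from a real CT log or browser, of the binding Raymond describes above (the SCT signature covers the entire precert TBS, so an SCT obtained for foo.com cannot be dropped into a google.com cert). It serializes the RFC 6962 `digitally-signed` struct for a precert entry the way a log and a CT-enforcing client both do, then checks the honest case, the swapped-domain case from NFX's question, and a plain re-issuance. Two assumptions make it run offline: `LOG_KEY` with HMAC-SHA256 is a constructed stand-in for the log's ECDSA P-256 key, and `make_tbs` is a constructed stand-in for a DER TBSCertificate.

```python
import hashlib
import hmac
import struct

# RFC 6962 field values for the struct a log signs when it issues an SCT
# for a precertificate.
V1 = 0                     # Version.v1
CERTIFICATE_TIMESTAMP = 0  # SignatureType.certificate_timestamp
PRECERT_ENTRY = 1          # LogEntryType.precert_entry

# Constructed stand-in for the log's signing key. A real log signs with
# ECDSA P-256 / SHA-256; HMAC-SHA256 is used here only so the example runs
# with the standard library. The binding property being shown is the same.
LOG_KEY = b"constructed example CT log key, not a real log key"


def sct_signed_input(timestamp_ms, issuer_key_hash, tbs_certificate, extensions=b""):
    """Serialize the RFC 6962 'digitally-signed' struct for a precert SCT:
    version(1) | signature_type(1) | timestamp(8) | entry_type(2) |
    issuer_key_hash(32) | tbs_certificate<1..2^24-1> | extensions<0..2^16-1>
    """
    if len(issuer_key_hash) != 32:
        raise ValueError("issuer_key_hash must be a SHA-256 digest (32 bytes)")
    out = struct.pack("!BBQH", V1, CERTIFICATE_TIMESTAMP, timestamp_ms, PRECERT_ENTRY)
    out += issuer_key_hash
    out += len(tbs_certificate).to_bytes(3, "big") + tbs_certificate  # 24-bit length prefix
    out += struct.pack("!H", len(extensions)) + extensions            # 16-bit length prefix
    return out


def log_issue_sct(timestamp_ms, issuer_key_hash, precert_tbs):
    """The log's side: sign over the whole precert TBS and hand back an SCT."""
    data = sct_signed_input(timestamp_ms, issuer_key_hash, precert_tbs)
    return {"timestamp": timestamp_ms,
            "signature": hmac.new(LOG_KEY, data, hashlib.sha256).digest()}


def client_verify_sct(sct, issuer_key_hash, cert_tbs):
    """The client's side (what a CT-enforcing browser does at time of use):
    rebuild the precert TBS from the final certificate and check the log's
    signature over it. In a real client `cert_tbs` is the final cert's
    TBSCertificate with the SCT list extension stripped; here the caller
    passes the TBS bytes directly."""
    data = sct_signed_input(sct["timestamp"], issuer_key_hash, cert_tbs)
    expected = hmac.new(LOG_KEY, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sct["signature"])


def make_tbs(serial, subject_cn, sans):
    """Constructed stand-in for a DER TBSCertificate: a deterministic byte
    string carrying only the fields that matter for this example."""
    return f"serial={serial};cn={subject_cn};san={','.join(sans)}".encode()


def demo():
    """Returns (honest_ok, swapped_ok, reissued_ok) for the scenario from the thread."""
    issuer_key_hash = hashlib.sha256(b"constructed issuer SubjectPublicKeyInfo").digest()
    ts = 1713940000000  # constructed millisecond timestamp

    # CA submits a precert for foo.com and gets an SCT bound to that exact TBS.
    precert_foo = make_tbs(1001, "foo.com", ["foo.com", "www.foo.com"])
    sct = log_issue_sct(ts, issuer_key_hash, precert_foo)

    # Honest issuance: the final cert carries the same TBS content, SCT verifies.
    honest_ok = client_verify_sct(sct, issuer_key_hash, precert_foo)

    # The case asked about: the foo.com SCT "blasted into" a google.com cert.
    # The signed struct now contains a different TBS, so the signature fails.
    swapped_ok = client_verify_sct(sct, issuer_key_hash,
                                   make_tbs(1001, "google.com", ["google.com"]))

    # Even an otherwise identical cert with a new serial (a re-issuance) needs
    # its own SCT: any change to the TBS breaks the binding.
    reissued_ok = client_verify_sct(sct, issuer_key_hash,
                                    make_tbs(1002, "foo.com", ["foo.com", "www.foo.com"]))
    return honest_ok, swapped_ok, reissued_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The detection point this illustrates is the one NFX lands on: a log monitor only ever sees the foo.com precert, so the mismatch is caught by the client's SCT check at connection time, not by anyone watching the log.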
I see we have some good nothing burger updates from our friends

# Apr 24, 2024 21:59
Raymond T. Racing posted:
> I see we have some good nothing burger updates from our friends

# Apr 24, 2024 22:02
Subjunctive posted:
> I’m threatening you with revenue

# Apr 24, 2024 22:03
Raymond T. Racing posted:
> now this is what an incident report should look like jfc

honestly yeah that is a really good one. not too long and pretty easy to read if you're not too technical too

# Apr 24, 2024 22:22
akadajet posted:
> I trialed admin by request for my it dept and it was a huge piece of poo poo

Have you tried requesting admin by combat?

Wiggly Wayne DDS posted:
> i did a spittake btw:

Congratulations on "The Wiggly Wayne DDS Rule"

# Apr 24, 2024 22:30
Quackles posted:
> We have admin by request at our office.

that was pretty much it. random dev tools don't work with it. maybe it's okay if you aren't a developer, but then what do you need local admin for in the first place?

# Apr 24, 2024 22:32
psiox posted:
> what went well:

oh my god, that's why i can't force myself to read corpo speak and llm output: it's the same empty, hollow poo poo

# Apr 24, 2024 23:22
redleader posted:
> oh my god, that's why i can't force myself to read corpo speak and llm output: it's the same empty, hollow poo poo

It's a circular training model, why do you think the corpos are stroking themselves raw over AI AI AI AI

# Apr 24, 2024 23:27
"Sweden's liquor shelves to run empty this week due to ransomware attack"

# Apr 25, 2024 08:08
i'm in the middle of doing a meta-analysis of open/recent issues, revocation time, what the situation was like at 5d/15d with .. generous start times: https://docs.google.com/spreadsheets/d/1JKSv0MZTYNEGzeltf6vM48jD4z77FzPWkQBAhahRtZU/edit?usp=sharing

any corrections or input i'm open to, you all know how to contact me privately too. i'm mainly taking a break because i've been doing this in alphabetical order and gently caress trying to read the entrust issues mess -again- to get the stats out of them

entrust also posted some weekly update figures that show they ain't moving any faster than they wish: Entrust: Delayed revocation of EV TLS certificates with missing cPSuri

Bruce Morton posted:
> Update on the revocation progress:

Bruce Morton posted:
> Update on the revocation progress:

# Apr 25, 2024 21:12
tbh if I were Paul i'd go on vacation too

# Apr 25, 2024 21:22

maybe sleevi knocked on his door one night and black bagged him, we can hope?

# Apr 25, 2024 23:30

Sleevi seems like he’s pretty happy to be out of this game, tbqh

# Apr 25, 2024 23:36

TheFluff posted:

# Apr 25, 2024 23:39
also i did all the PII/basic lockscreen+pin/phishing training modules today, gotta do em every two years. played sudoku and fast forwarded a lot, passed every quiz anyway. :coolbeans:

# Apr 25, 2024 23:43
spankmeister posted:
> Doobies Dog Certs, LLC

# Apr 26, 2024 00:07

spankmeister posted:
> Doobies Dog Certs, LLC

missed this, where's the kickstarter?

# Apr 26, 2024 00:09
wtf are entrust doing

Entrust: Failure to revoke OV TLS - CPS typographical (text placement) error

Bruce Morton posted:
> Entrust voted in favor of the ballot as we did not have a reason at the time not to provide consensus. But to clarify, as noted above, we made three points on why we believe this to be an exceptional situation: 1) the lack of security risk, 2) the data showing minimal impact, and 3) that if the certificates were re-issued, they would be re-issued with the same certificate profile, resulting in the same certificate with a new issuance date.

Bruce Morton posted:
> Your question here goes to the series of incidents that we have posted in recent weeks. We have provided action items and assurances for each. In the best interests of our customers and the TLS ecosystem, our goal is to avoid mistakes and prepare our customers for future threats and mis-issuances, and in doing so to earn your trust.

# Apr 26, 2024 19:59
Jesus loving christ how does the whole "motion to distrust" or whatever work amir who do we need to talk to

# Apr 26, 2024 20:39

Wiggly Wayne DDS posted:
> wtf are entrust doing

# Apr 26, 2024 20:44

# Apr 26, 2024 20:45

goddamn

# Apr 26, 2024 20:47
Raymond T. Racing posted:
> Jesus loving christ

tbh what makes all of this interesting is honestly the balance between "it doesn't really matter" kind of being entirely true, and that being an actual slippery slope. not in practical matters, but in letting professionals say "obviously we can trust this". i mean, that's a lot of security, but very well distilled here. entrust could go on doing this forever and if that's all that happens there's obviously no actual security issue, but trust is also all this system is.

# Apr 26, 2024 20:50
|
I also appreciate how their response to "how can we take you seriously if you haven't been following the promises you've made" is "we're posting incidents"
|
# ? Apr 26, 2024 20:51 |
|
|
# ? May 4, 2024 14:49 |
|
quote:
> Entrust voted in favor of the ballot as we did not have a reason at the time not to provide consensus. But to clarify, as noted above, we made three points on why we believe this to be an exceptional situation: 1) the lack of security risk, 2) the data showing minimal impact, and 3) that if the certificates were re-issued, they would be re-issued with the same certificate profile, resulting in the same certificate with a new issuance date.

wait, is the implication here that they don't actually agree with the consensus (on the 5 day max revoke time), but didn't give enough of a poo poo to argue it?

# Apr 26, 2024 20:53