So, someone submitted a 'bug' to Mozilla.

As some of you may know, in the next year, the new mass surveillance law in the Netherlands is going into effect.

Another fun fact is that the dutch security agencies/government have their own CA (Certificate Authority) for SSL/TLS certificates.

The new law says that the AIVD (dutch NSA/GCHQ equivilant) is allowed to hack into systems through obtained certificates and also that they're allowed to INTERCEPT TRAFFIC THROUGH OBTAINED PRIVATE SSL/TLS KEYS.

So someone actually had the fucking balls to submit a fucking issue to Mozilla saying that the Dutch State certs shouldn't be accepted anymore when the new mass surveillance law gets into place.

This person deservers a fucking medal if you ask me.

Answer to all bosses, managers and TLs...

real shit?

I really, honestly, am getting annoyed when someone tells me that "Linux is user-friendly". Some people seem to think that because they themselves can install Linux, that anyone can, and because I still use Windows I'm some sort of a noob.

So let me tell you why I don't use Linux: because it never actually "just works". I have tried, at the very least two dozen times, to install one distro or another on a machine that I owned. Never, not even once, not even *close*, has it installed and worked without failing on some part of my hardware.

My last experience was with Ubuntu 17.04, supposed to have great hardware and software support. I have a popular Dell Alienware machine with extremely common hardware (please don't hate me, I had a great deal through work with an interest-free loan to buy it!), and I thought for just one moment that maybe Ubuntu had reached the point where it just, y'know, fucking worked when installing it... but no. Not a chance.

It started with my monitors. My secondary monitor that worked fine on Windows and never once failed to display anything, simply didn't work. It wasn't detected, it didn't turn on, it just failed. After hours of toiling with bash commands and fucking around in x conf files, I finally figured out that for some reason, it didn't like my two IDENTICAL monitors on IDENTICAL cables on the SAME video card. I fixed it by using a DVI to HDMI adapter....

Then was my sound card. It appeared to be detected and working, but it was playing at like 0.01% volume. The system volume was fine, the speaker volume was fine, everything appeared great except I literally had no fucking sound. I tried everything from using the front output to checking if it was going to my display through HDMI to "switching the audio sublayer from alsa to whatever the hell other thing exists" but nothing worked. I gave up.

My mouse? Hell. It's a Corsair Gaming mouse, nothing fancy, it only has a couple extra buttons - none of those worked, not even the goddamn scrollwheel. I didn't expect the *lights* to work, but the "back" and "Forward" buttons? COME ON. After an hour, I just gave up.

My media keyboard that's like 15 years old and is of IBM brand obviously wasn't recognized. Didn't even bother with that one.

Of my 3 different network adapters (2 connectors, one wifi), only one physical card was detected. Bluetooth didn't work. At this point I was so tired of finding things that didn't work that I tried something else.

My work VPN... holy shit have you ever tried configuring a corporate VPN on Linux? Goddamn. On windows it's "next next next finish then enter your username/password" and on Linux it's "get this specific format TLS certificate from your IT with a private key and put it in this network conf and then run this whatever command to...." yeah no.

And don't get me started on even attempting to play GAMES on this fucking OS. I mean, even installing the graphic drivers? Never in my life have I had to *exit the GUI layer of an OS* to install a graphic driver. That would be like dropping down to MS-DOS on Windows to install Nvidia drivers. Holy shit what the fuck guys. And don't get me started on WINE, I ain't touching this "not an emulator emulator" with a 10-foot pole.

And then, you start reading online for all these problems and it's a mix of "here are 9038245 steps to fix your problem in the terminal" and "fucking noob go back to Windows if you can't deal with it" posts.

It's SO FUCKING FRUSTRATING, I spent a whole day trying to get a BASIC system up and running, where it takes a half-hour AT MOST with any version of Windows. I'm just... done.

I will give Ubuntu one redeeming quality, however. On the Live USB, you can use the `dd` command to mirror a whole drive in a few minutes. And when you're doing fucking around with this piece of shit OS that refuses to do simple things like "playing audio", `dd` will restore Windows right back to where it was as if Ubuntu never existed in the first place.

Thanks, `dd`. I wish you were on Windows. Your OS is the LEAST user friendly thing I've ever had to deal with.

Good news everyone. As of 30th June 2018, PCI compliance demands a minimum of TLS v1.1. Meaning it's illegal for your website to support IE6-10

Titles in companies does not mean anything.

I just had a "Lead Software Engineer" asking me what TLS was

Found this on reddit.

I absolutely love the email protocols.

IMAP:
x1 LOGIN user@domain password
x2 LIST "" "*"
x3 SELECT Inbox
x4 LOGOUT

Because a state machine is clearly too hard to implement in server software, clients must instead do the state machine thing and therefore it must be in the IMAP protocol.

SMTP:
I should be careful with this one since there's already more than enough spam on the interwebs, and it's a good thing that the "developers" of these email bombers don't know jack shit about the protocol. But suffice it to say that much like on a real letter, you have an envelope and a letter inside. You know these envelopes with a transparent window so you can print the address information on the letter? Or the "regular" envelopes where you write it on the envelope itself?
Yeah not with SMTP. Both your envelope and your letter have them, and they can be different. That's why you can have an email in your inbox that seemingly came from yourself. The mail server only checks for the envelope headers, and as long as everything checks out domain-wise and such, it will be accepted. Then the mail client checks the headers in the letter itself, the data field as far as the mail server is concerned (and it doesn't look at it). Can be something else, can be nothing at all. Emails can even be sent in the future or the past.

Postfix' main.cf:
You have this property "mynetworks" in /etc/postfix/main.cf where you'd imagine you put your own networks in, right? I dunno, to let Postfix discover what your networks are.. like it says on the tin? Haha, nope. This is a property that defines which networks are allowed no authentication at all to the mail server, and that is exactly what makes an open relay an open relay. If any one of the addresses in your networks (such as a gateway, every network has one) is also where your SMTP traffic flows into the mail server from, congrats the whole internet can now send through your mail server without authentication. And all because it was part of "your networks".

Yeah when it comes to naming things, the protocol designers sure have room for improvement... And fuck email.

Oh, bonus one - STARTTLS:
So SMTP has this thing called STARTTLS where you can.. unlike mynetworks, actually starts a TLS connection like it says on the tin. The problem is that almost every mail server uses self-signed certificates so they're basically meaningless. You don't have a chain of trust. Also not everyone supports it *cough* government *cough*, so if you want to send email to those servers, your TLS policy must be opportunistic, not enforced. And as an icing on the cake, if anything is wrong with the TLS connection (such as an MITM attack), the protocol will actively downgrade to plain. I dunno.. isn't that exactly what the MITM attacker wants? Yeah, great design right there. Are the designers of the email protocols fucking retarded?

Long rant ahead.. so feel free to refill your cup of coffee and have a seat 🙂

It's completely useless. At least in the school I went to, the teachers were worse than useless. It's a bit of an old story that I've told quite a few times already, but I had a dispute with said teachers at some point after which I wasn't able nor willing to fully do the classes anymore.

So, just to set the stage.. le me, die-hard Linux user, and reasonably initiated in networking and security already, to the point that I really only needed half an ear to follow along with the classes, while most of the time I was just working on my own servers to pass the time instead. I noticed that the Moodle website that the school was using to do a big chunk of the course material with, wasn't TLS-secured. So whenever the class begins and everyone logs in to the Moodle website..? Yeah.. it wouldn't be hard for anyone in that class to steal everyone else's credentials, including the teacher's (as they were using the same network).

So I brought it up a few times in the first year, teacher was like "yeah yeah we'll do it at some point". Shortly before summer break I took the security teacher aside after class and mentioned it another time - please please take the opportunity to do it during summer break.

Coming back in September.. nothing happened. Maybe I needed to bring in more evidence that this is a serious issue, so I asked the security teacher: can I make a proper PoC using my machines in my home network to steal the credentials of my own Moodle account and mail a screencast to you as a private disclosure? She said "yeah sure, that's fine".
Pro tip: make the people involved sign a written contract for this!!! It'll cover your ass when they decide to be dicks.. which spoiler alert, these teachers decided they wanted to be.

So I made the PoC, mailed it to them, yada yada yada... Soon after, next class, and I noticed that my VPN server was blocked. Now I used my personal VPN server at the time mostly to access a file server at home to securely fetch documents I needed in class, without having to carry an external hard drive with me all the time. However it was also used for gateway redirection (i.e. the main purpose of commercial VPN's, le new IP for "le onenumity"). I mean for example, if some douche in that class would've decided to ARP poison the network and steal credentials, my VPN connection would've prevented that.. it was a decent workaround. But now it's for some reason causing Moodle to throw some type of 403.

Asked the teacher for routers and switches I had a class from at the time.. why is my VPN server blocked? He replied with the statement that "yeah we blocked it because you can bypass the firewall with that and watch porn in class".
Alright, fair enough. I can indeed bypass the firewall with that. But watch porn.. in class? I mean I'm a bit of an exhibitionist too, but in a fucking class!? And why right after that PoC, while I've been using that VPN connection for over a year?

Not too long after that, I prematurely left that class out of sheer frustration (I remember browsing devRant with the intent to write about it while the teacher was watching 😂), and left while looking that teacher dead in the eyes.. and never have I been that cold to someone while calling them a fucking idiot.

Shortly after I've also received an email from them in which they stated that they wanted compensation for "the disruption of good service". They actually thought that I had hacked into their servers. Security teachers, ostensibly technical people, if I may add. Never seen anyone more incompetent than those 3 motherfuckers that plotted against me to save their own asses for making such a shitty infrastructure. Regarding that mail, I not so friendly replied to them that they could settle it in court if they wanted to.. but that I already knew who would win that case. Haven't heard of them since.

So yeah. That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there.

Nowadays I'm putting my bets on a certification from the Linux Professional Institute - a renowned and well-regarded certification body in sysadmin. Last February at FOSDEM I did half of the LPIC-1 certification exam, next year I'll do the other half. With the amount of reputation the LPI has behind it, I believe that's a far better route to go with than some random school somewhere.

Dropbox TLS 1.0 & 1.1 is deprecated
Dev: we need to upgrade our projects
Manager: we don't have time for that. can you call to their helpdesk, so we can keep using our projects w/o upgrading?
Dev: ....
Manager: call them!
Dev: ...

2022 Dec
Everyone: hehe, ChatGPT is soo cool, it responds to me and even knows what's the capital of France is! It is really cool!!!

2023 Jun [6 months later]
Everyone: hehe, ChatGPT is SOOOO stupid! I asked it to write a microkernel with native HTTP and TLS support and it made a semantic mistake in line 98823 lolz what a PoS

A client asked us today to disable TLS 1.0 and 1.1 across their servers.

Its not often that I say this. But this makes me proud. It's a good client. Going with the changin times. I wish all clients were like this one.

RIP TLS 1.0/1.1, took you long enough.

Rant? I don't think so.

Launched my own GitLab today with fully functional SSL/TLS <3 loving it

Contenders for arseholes this week

- Elasticsearch as their implemented product identification and integration in client libraries like Python to exclude OpenSearch made a lot of things very painful. Yay....

- Microsoft decided to integrate kill switches in Exchange. Yeah.... Great stuff.

- Atlassian has another week of dumbness - after they botch release after release, they killed Slack with DNS

- Adoptium still hasn't managed to provide repositories after fucking up it's transition from AdoptOpenJDK

- No, a project with JDK 8 makes no sense anymore, take that shit and burn it. JDK 11 the same, would be great if we had a Repository working for JDK 17 Adoptium....

- unwanking a TLS setup by integrating an intermediary load balancer to deal with several outdated TLS implementation is a kind of thing that's really scary...
(TLS 1.3 in, TLS 1.1 - TLS 1.3 out... Theoretically all solutions have TLS 1.2… most of them non working. Solutions is a wild bunch from different vendors)

- If you buy a fucking new Apple with an Arm Chipset, ram it up so far up your arse it gets dissolved in stomach acid.
It's an arm. There's tons of compatibility problems of course. No you shouldn't listen to what the marketing says. No I cannot shit rainbows and make it work.

- German election. No politics I know, but still.

- New neighbors decided to move in. Friendly person's. Except I wanted to murder them since they choose 22 o clock for moving time.

- I forgot putting the heater on. Ever woken up frozen like fuck and having a hard week... It's a good combo to break any form of motivation.

The company next to me is renovating. Waking up to the feeling of an earth quake because they demolish their old building is another thing that makes me unhappy.

It's Friday. I survived.

Me: You need TLS since your users submit confidential data on your website.
Boss: Our hoster has an SSL-Domain
Me: Yeah. But you need TLS not your hoster...
Boss: *confused*

[Little perspective: For the last 7 months I'm working in a certain project.]
[The project is full of unimaginative, non-creative devs with 0 initiative and poor technical background.]
[And they're almost all from one country which you all can figure out.]
[But I'm not going to mention it here because I don't want to come up as a racist]
[So there's US (Europeans) and THEM. 3 of US and about 10 of THEM. And we're doing 90% of all the heavy lifting]
---
Yesterday
---
D (Dev from THEM): Hi S, I have a problem with my task
Me: (sighing) Ok let's have a call
* on the call with D we were checking some stuff loosely related to task *
* code wouldn't get invoked at all for some reason *
* suddenly I realize that even if the code would invoke, D's probably doing everything wrong in it anyway *
Me (thinking): I need to double check something.
Me: I can't help you now, I'll get back to you later.
* call ended *
---
Me: Hey J, I need your help, I need to clarify the work package in my mind, because I am no longer sure.
J (my European TL): Ok, fire away.
* call started *
Me: Is it true that [blahblahblah] and so D's task depends on me completing first my task, or am I losing my mind?
J: That is correct.
Me: Well she's trying to do this in [that] way, which is completely wrong.
J: You see, that's how it is in this project, you do refinements with them, split these work packages to tasks, mention specifically what depends on what and what order should things be taken in, and in some cases all tasks from given user stories should be done by one person entirely... But they do it their way anyway, assign different people to different interdependent tasks, and these people don't even understand the big picture and they try to do the things the way they think they understand them.
Me: It's a fire in a brothel.
J: Yup.
Me: I fucking love this project.
J: (smiling silently)
* call ended *
---
Me: Ok D, you can't do your task because it's dependant on my task.
D: Oh... so what do I do?
Me: I don't know, do something else until I do my task.
---
A (THEIR TL) (Oh, did I forget to mention that there are 2 TLs in this project? THEY have their own. And there are 2 PMs as well.)
A: Hey S, I need to talk
Me: (sighing, getting distracted from work again) Ok let's have a call
* call started *
A: S, we need this entire work package done by Friday EOD.
Me: I can't promise, especially since there are several people working on its several tasks.
A: D's working on hers for 3 days already, and she's stuck. We want you to take over.
Me: (sighing, thinking "great"): Ok.
* call ended *
---
Me: Hey D, A instructed me to take over your task. This is actually going to be easier since you'd have to wait for mine after all.
D: Oh, ok.
---
* I switched the Assigned Person on D's task to myself on Azure *
---
This morning, email from D.
"Hey, I completed my task and it's on [this] branch, what do I do now?"

........................................
Me, hesitating between 2 ways to reply:
(and take note there are people in CC: A, J, P - the last one is THEIR PM)
1) "Hi, Unfortunately you'd still have to wait for my changes because your task is dependent on my task - the column to be changed is in the table that I am introducing and it's not merged to develop branch yet. By the way I already did your task locally, as I was instructed to do it, I'm wrapping things up now."
(y'know: the response which is kind, professional, understanding; without a slight bit of impatience)
2) WHAT FUCKING PART OF "DON'T DO THIS I WILL FUCKING DO IT MYSELF GO HOME JUST GO HOME" YOU DON'T FUCKING UNDERSTAND

Me: ssl conn cannot be esrablished. Cert is not signed

Sr. Dev/architect: what url are you calling?

Me: dns_name:port

sd/a: yeah, I know that. But what is the url?

Me: *how the f... Did you get 'sr' and 'arch' titles, man???*
Me: why does it matter?

Sd/a: certificates depend on a url. Our LB selects a cert according to a request url

me: *buddy, I like you but I no longer look at you with respect like I used to before today...*

First lecture of computer networks. Let's shove all of these abbreviations with their meaning, and possibly a associated port number in one 1.5 hour lecture:

HTTP, HTTPS, FTP, FTPS, SFTP, TCP, IP, UDP, ISP, DSL, DNS, LAN, WLAN, WDM, P2P, TELNET, PGP, TLS, SSL, SSH, MIME, SMTP, POP3, IMAP, IANA, DHT, RTT, DHCP

I really feel sorry for students who didn't have previous knowledge about this stuff..

THE FUCK WHY did the company which made the website I'm maintaining now ADD CUSTOM FACEBOOK LIKES AND TWITTER FOLLOWER WIDGETS - IN A SUBDIRECTORY OF THE THEME?

Guess what, you motherfuckers: One year after you made that damn page the Facebook API changed and your stinking widget is broken REQUIRING ME TO REWRITE MOST OF IT!

Also WHO THE FUCK LEFT HIS BRAIN ON HIS BEDSIDE TABLE the day he decided to HARDCODE ASSETS WITH AN http:// (no tls) URL? YES, browsers will block that shift if the website itself is delivered over tls, because it's a GAPING SECURITY HOLE!

People who sells websites that have user management and thus request authentication without AT LEAST OFFERING FUCKING STANDARD TLS SHOUD BE TARRED AND FEATHERED AND THEN PUT IN A PILLORY IN FRONT OF @ALEXDELARGE'S HOUSE!

Maybe I should be a bit more thankful - I mean I get payed to fix their incompetence. But what kind of doctor is thankful for the broken bones of his patient?

Damn, GitHub is on rampage lately. After dropping tls < 1.3 support, they are expected to drop IE support by July.

Praise GitHub 😍

Hi lil puppies what's your problem?

*proxy vomits*

Have you eaten something wrong....

*proxy happily eats requests and answers correctly*

Hm... Seems like you are...

*proxy vomits dozen of requests at once*

... Not okay.

Ok.... What did u you get fed you lil hellspawn.

TLS handshake error.

Thousands. Of. TLS. Handshake. Errors.

*checking autonomous system information*

Yeah... Requests come from same IP or AS. Someone is actively bombing TLS requests on the TLS terminator.

Wrong / outdated TLS requests.

Let's block the IP addresses....

*Pats HAProxy on the head*

*Gets more vomit as a thank you no sir*

I've now added a list of roughly 320 IP adresses in 4 h to an actively running HAProxy in INet as some Chinese fuckers seemingly find it funny to DDOS with TLS 1.0... or Invalid HTTP Requests... Or Upgrade Headers...

Seriously. I want a fucking weekend you bastards. Shove your communism up your arse if you wanna have some illegal fun. ;)

I think most people are annoyed by the new design of chrome, for all the wrong reasons - I just noticed the TLS indicator lock is now gray when encrypted, giving you the idea of a website being not fully secure imho

I was working in a manufacturing facility where I had hundreds of industrial computers and printers that were between 0 and 20 years old. They were running on their own clean network so that someone has to be in the manufacturing network to access them. The boss announced that the executives will be pushing a “zero trust” security model because they need IoT devices. I told him “A computer running Windows 98 can’t be on the same VLAN as office computers. We can’t harden most of the systems or patch the vulnerabilities. We also can’t reprogram all of the devices to communicate using TLS or encrypt communications.“ Executives got offended that I would even question the decision and be so vocal about it. They hired a team to remove the network hardware and told me that I was overreacting. All of our system support was contracted to India so I was going to be the on-site support person.

They moved all the manufacturing devices to the office network. Then the attacks started. Printers dumped thousands of pages of memes. Ransomware shut down manufacturing computers. Our central database had someone change a serial number for a product to “hello world” and that device got shipped to a customer. SharePoint was attacked in many many ways. VNC servers were running on most computers and occasionally I would see someone remotely poking around and I knew it wasn’t from our team because we were all there.

I bought a case of cheap consumer routers and used them in manufacturing cells to block port traffic. I used Kali on an old computer to scan and patch network vulnerabilities daily.

The worst part was executives didn’t “believe” that there were security incidents. You don’t believe in what you don’t understand right?

After 8 months of responding to security incident after security incident I quit to avoid burning out. This is a company that manufactures and sells devices to big companies like apple and google to install in their network. This isn’t an insignificant company. Security negligence on a level I get angry thinking about.

2 things I'm working on now:

#1 a personal project I am hoping to commercialize and turn it into my moneymaker. Hoping it'd at least be enough to pay the bills and put food on my table so I could forget 9/5 for good. But it has a potential of becoming a much, MUCH bigger thing. This would need the right twist tho, and I'm not sure if I am "the right twister" :) We'll see.

#2 smth I'm thinking of opensourcing once finished -- a new form of TLS. This model could be unbreakable by even quantum computing once it's mature enough to crack conventional TLS. I'm probably gonna use md5 or smth even weakier - I'm leveraging the weakness of hashing functions to make my tool stronger :)

I mean how long can we be racing with more powerful computers, eh? Why not use our weakneses to make them our strengths?

Unittests are already passing, I just haven't polished all the corner-cases and haven't worked out a small piece of the initialization process yet. But it's very close

I actually do have one. 2 years ago I found myself in a stressful situation. It lasted for an hour or so but all ended well. Ever since that incident I was wondering what should be different so that situations like these could be avoided. I had an idea. I began making sketches, sorting out the architecture I'd need and then it hit me. Shit, I could reuse this very principle for a MUCH larger scale! And in fact there's noone in the market offering this yet! There are similar products, products that offer a tiny part of my idea's functionality, but none of them are even close to what I have in mind!

And so the coding began. I was still a student back then. And employed 12hrs/day. And married. Needless to say I did not have much time for coding. Now I'm also a father (although not a student any more!) which makes my schedule even worse.

All in all I've made quite a few widely reusable libraries by now which have saved me 10s of thousands of lines typing, had yet another idea on alternative TLS which seems impossible to crack (well okay, possible. But there's a twist - cracker will not be able to know he cracked the algo :) ). Now I'm close to 100k LOC of my main project and struggling with a fucking FE (since I'm more of a bkend guy). FE's already taken a few months from me and I'm still in a square 1 :/ But I'm moving forward. Slowly, but moving. Frustrated af, but not giving up.

I had a sort of a dream to start my project before I'm 30. I have less than a year left. Still doable. This project, if it's sucessful, has a potential to become extremely popular as it offers solutions to multiple problems we have today. This project should save me from 9-to-5 work every day where, no matter how great the environment is, I feel trapped. But I need money to survive in this city . With my family.
This project should be a solution to all of my problems and probably something great the world could enjoy.

I wish I could make it. I really do. I don't want to be 9-5 any more. I don't want to be dictated what's my schedule, what's that I have to do now. what to think. I want to be free of all of this. Have enough time to live. To travel, see the world. Live in a house (God I miss living in a house....). Spend time with my family. Show my lil boy what a wonderful thing the World is!

I really want this to work. I want to be free again. And I wish I hadn't to deal with FrontEnd.

Allright, enough wabbling. Time for a nice cup of tea and back to coding. "The next big thing" is not going to create itself while I'm ranting, right?

I just installed Opera Mini on my PSP. That alone isn't very exciting on its own, although I am stoked that my website does in fact render on a device from 2009. With the helpful guidance of a laptop from 2004 that's doing the hotspot duties for this thing.

No, what really got me stoked is that Opera still supports these old platforms, and how small they managed to make it. The .jar file for Opera Mini 4.5 is ~800kB large. There's a .jad file as well but it's negligible in size and seems to be a signature of sorts.

Let that sink in for a moment. This entire web browser is 800kB. Firefox meanwhile consistently consumes 800 MEGABYTES.. in MEMORY. So then, I went to think for a moment, how on earth did they manage to cram an entire functioning web browser in 800kB? Hell, what makes up a web browser anyway?

The answer to that question I got to is as follows. You need an engine to render the web page you receive. You need a UI to make the browser look nice. And finally you need a certificate store to know which TLS certificates to trust. And while probably difficult to make, I think it should be possible to do in 800k. Seriously, think about it. How would you go *make* a web browser? Because I've already done that in the past.

Earlier I heard that you need graphics, audio, wasm, yada yada backends too.. no. Give your head a shake. Graphics are the responsibility of the graphics driver. A web browser shouldn't dabble with those at all. Audio, you connect to PulseAudio (in Linux at least) and you're done. Hell I don't even care about ALSA or OSS here. You just connect to the stuff that does that job for you. And WebAssembly.. God I could rant about that shit all day. How about making it a native application? Not like actual Assembly is used for BIOS and low-level drivers. And that we already have a better language for the more portable stuff called C.

Seriously, think about it. Opera - a reputable browser vendor - managed to do it in 800kB on a 12 year old device. Don't go full wank on your framework shit on the comments. And don't you fucking dare to tell me that there's more to it. They did it for crying out loud. Now you take a look at your shitpile for JS code and refactor that shit already. Thank you.

This is the last part of the series
(3 of 3) Credentials everywhere; like literally.

I worked for a company that made an authentication system. In a way it was ahead of it's time as it was an attempt at single sign on before we had industry standards but it was not something that had not been done before.

This security system targeted 3rd party websites. Here is where it went wrong. There was a "save" implementation where users where redirected to the authentication system and back.

However for fear of being to hard to implement they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and the only solution that was ever pushed.

So users where trained to leave their credentials wherever they saw the products logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as pain text right next to the email and birth date making the incompetence complete.

The reason for plain text password was so people could recover there password. Like just call the company convincingly frustrated and you can get them to send you the password.

Running WireShark to see what one of our partners is sending across.

Outdated TLS: Ok, that's par for the course.
Leaking data through DNS queries: ButWhy.jpg
Website leaked through DNS doesn't require auth to view information. TableFlip.jpg

>pentester
Raised an issue with a web application for out client that was weak TLS protocols/cipher suites in use on the sever hosting their application.

Then I was asked to confirm that reissuing the certificate was the correct remidial action for fixing this...

Man, it's scary to think non-technical project managers are in charge of fixing this stuff...

I think that two criterias are important:

- don't block my productivity
- author should have his userbase in mind

1) Some simple anti examples:

- Windows popping up a big fat blue screen screaming for updates. Like... Go suck some donkey balls you stupid shit that's totally irritating you arsehole.
- Graphical tools having no UI concept. E.g. Adobes PDF reader - which was minimalized in it's UI and it became just unbearable pain. When the concept is to castrate the user in it's abilities and call the concept intuitive, it's not a concept it's shit. Other examples are e.g. GEdit - which was severely massacred in Gnome 3 if I remember correctly (never touched Gnome ever again. I was really put off because their concept just alienated me)
- Having an UI concept but no consistency. Eg. looking at a lot of large web apps, especially Atlassian software.
Too many times I had e.g. a simple HTML form. In menu 1 you could use enter. In menu 2 Enter does not work. in another menu Enter works, but it doesn't submit the form it instead submits the whole page... Which can end in clusterfuck.
Yaaayyyy.
- Keyboard usage not possible at all.
It becomes a sad majority.... Pressing tab, not switching between form fields. Looking for keyboard shortcuts, not finding any. Yes, it's a graphical interface. But the charm of 16 bit interfaces (YES. I'm praising DOS interfaces) was that once you memorized the necessary keyboard strokes... You were faster than lightning. Ever seen e.g. a good pharmacist, receptionist or warehouse clerk... most of the software is completely based on short keyboard strokes, eg. for a receptionist at a doctor for the ICD code / pharmaceutical search et cetera.
- don't poop rainbows. I mean it.
I love colors. When they make sense. but when I use some software, e.g. netdata, I think an epilepsy warning would be fair. Too. Many. Neon. Colors. -.-

2) It should be obvious... But it's become a burden.

E.g. when asked for a release as there were some fixes... Don't point to the install from master script. Maybe you like it rolling release style - but don't enforce it please. It's hard to use SHA256 hash as a version number and shortening the hash might be a bad idea.

Don't start experiments. If it works - don't throw everything over board without good reasons. E.g. my previous example of GEdit: Turning a valuable text editor into a minimalistic unusable piece of crap and calling it a genius idea for the sake of simplicity... Nope. You murdered a successful product.
Gnome 3 felt like a complete experiment and judging from the last years of changes in the news it was an rather unsuccessful one... As they gave up quite a few of their ideas.

When doing design stuff or other big changes make it a community event or at least put a poll up on the github page. Even If it's an small user base, listen to them instead of just randomly fucking them over.
--
One of my favorite projects is a texteditor called Kate from KDE.

It has a ton of features, could even be seen as a small IDE. The reason I love it because one of the original authors still cares for his creation and ... It never failed me. I use Kate since over 20 years now I think... Oo

Another example is the git cli. It's simple and yet powerful. git add -i is e.g. a thing I really really really love. (memorize the keyboard shortcuts and you'll chunk up large commits faster than flash.

Curl. Yes. The (http) download tool. It's author still cares. It's another tool I use since 20 years. And it has given me a deep insight of how HTTP worked, new protocols and again. It never failed me. It is such a fucking versatile thing. TLS debugging / performance measurements / what the frigging fuck is going on here. Take curl. Find it out.

My worst enemies....

Git based clients. I just hate them. Mostly because they fill the niche of explaining things (good) but completely nuke the learning of git (very bad). You can do any git action without understanding what you do and even worse... They encourage bad workflows.
I've seen great devs completely fucking up git and crying because they had really no fucking clue what git actually does. The UI lead them on the worst and darkest path imaginable. :(

Atlassian products. On the one hand... They're not total shit. But the mass of bugs and the complete lack of interest of Atlassian towards their customers and the cloud movement.... Ouch. Just ouch.

I had to deal with a lot of completely borked up instances and could trace it back to a bug tracking entry / atlassian, 2 - 3 years old with the comment: vote for this, we'll work on a Bugfix. Go fuck yourself you pisswads.

Microsoft Office / Windows. Oh boy.
I could fill entire days of monologues.
It's bad, hmkay?

XEN.
This is not bad.
This is more like kill it before it lays eggs.
The deeper I got into XEN, the more I wanted to lay in a bathtub full of acid to scrub of the feelings of shame... How could anyone call this good?!?????

TIL if you know the password for a WIFi SSID, you can replicate it with your hardware. All devices that have credentials for that SSID will connect to yours if your signal is stronger. The encryption just needs to be the same (wpa2/wep) The underlying UUID doesn’t matter.

Not bad for a quick and dirty man-in-the-middle attack. The WiFi spec needs a bit more work.
TLS all the things!

Why does email suck so much oh my god, I don't want a fucking lesson in the kinds of domain records, I can set a TXT to prove that I control the DNS record, I have a TLS certificate, what the fuck else would I possibly need to prove!? None of this is contributing anything to security! Just fucking figure it out, it's the internet, not an international border, jesus.

FUCK YOU YOU SHITTY COCK SUCKING BITCH MOTHERFUCKER.

GO DIE IN A HOLE THEN GET RAPED IN HELL. I REALLY HATE THIS SHIT.

FUCK OFF GOOGLE.

Just spent an hour trying to implement an API without any luck. As i delve deeper and deeper into the code i discover that the client's server doesnt support TLS 1.2 and this is why it wasnt working.

Legacy tech be like:

"The connection to this site uses TLS 1.0 (an obsolete protocol), RSA (an obsolete key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher)."

I don't understand why they're still calling it SSL. It was buried long ago by TLS.

Fuck this marketing bullshit, just fucking call it TLS already.

A conversation between an offshore developer and his manager at a fortune 500:

I'm a software developer and the company I work for is a vendor for $manager's and $offshore_dev's company. They provide endless hours of entertainment/terror. Recently, we've been trying to convince them that they need to stop sending sensitive information plaintext over HTTP and set up TLS/HTTPS which has led to tons of fun conversations such as this one they had during a conference call:

* $manager: "Did $offshore_dev implement TLS1.2?"
* $offshore_dev: "Yes, we enabled a parameter in the code to enable TLS1.2 in the code but according to $me's email, this requires HTTPS in order to work."
* $manager: "No this works, we're using TLS in $other_application right now."
* $offshore_dev: "Well, $manager, it's implemented but it currently doesn't encrypt anything as such."
* $manager: "Okay, HTTPS is in the roadmap in the next quarter, we can move forward without this for now."

Now hol up, that aint what it means you morons!

Debugging TLS failures.

In Java.

With the funny certstore cause "we need to do this by ourselves".

Fucking shitty broken pile of cunt code.

At least the debugging output is good.

As much as I love TLS, debugging it is a nightmare and when a programming language like Java decides to wrap it, it becomes Ctulhu.

OS
- TLS Library
-- TLS Certificate Chain
- JDK
-- JDK SSL Handler
--- JDK Certstore
---- Java Library Abstraction, eg. WS SSL

Joyfully fingering of a tentacle arsehole.

A C++ program that spawns as many threads as it can to open TLS 1.2 connections to a given server and send random data.

Needed this to test scalability of one of our services.

IPMI...

2010....

Java Web...

Oracle JDK needed....

Oracle JDK Download requires Oracle Account..... To circumvent as I don't want a motherfugging shitty oracle account tons of googling and loading shit from not so trustful pages.

TLS 1.0 and WebJDK require Internet Explorer.....

And an even older version of Oracle JDK 8....

Broken keyboard input....

As on Laptop for Windows / Internet Explorer additionally struggling with keyboard...

Mounting SMB Share requires password change, as my password contains invalid characters....

Finally getting shit to load GParted...

Taking fucking ages to load.

Broken keyboard input, no pasting.....

Chrooting / input becomes a 15 min exercise.

Actual input necessary on chroot: 1 command.

Actual time needed to get there : 2 1/2 h.

*sigh*

When that one old machine dies noone was aware of. And this one old machine is only accessible via an IPMI... As noone even knows where that machine is.

Weekend dead. Weekend is so fucking dead and overrated.

When you’ve been warning of how much stuff needs work to support TLS1.1 depreciation but now all that stuff broke because he had you working on a bunch of other random less important stuff. Now he is saying back to me the exact things I said to him about why we needed to work on this stuff months ago.

My vocabulary is way to small to express my feelings when being forced to use .Net 4.0. Just spent like 2 hours searching why my Api requests failed.
Turns out it used TLS 1.0 which got rejected by the server. Then I spent another 2 hours finding out how to make it use TLS 1.2. Surprisingly it does work now (although it came out before TSL 1.2 specification). But yeah still a fucking pile of shit.

Why in fuck's sake would you create a new service and not offer TLS/SSL to your free tier clients ?

Novice computer enthusiasts argue that an application is safe because it's end-to-end encrypted.. but they don't realize this doesn't guarantee safety because of MITM attacks on possibly exploitable midpoints.

A good example of this is mail servers using TLS 1.2 but one or two of them not verifying certificate autorities.

Trying to understand SSL/TLS

For my local dev, set up my own root CA, added to trusted root CA in my machine, generated a cert for my local domain, signed by my own root CA, but the behavior is different across browsers:

Can someone help in making Google Chrome padlock green or grey (not red)?

With a recent HAProxy update on our reverse proxy VM I decided to enable http/2, disable TLS 1.0 and drop support for non forward-secrecy ciphers.

Tested our sites in Chrome and Firefox, all was well, went to bed.

Next morning a medium-critical havock went loose. Our ERP system couldn't create tickets in our ticket system anymore, the ticket systems Outlook AddIn refused to connect, the mobile app we use to access our anti-spam appliance wouldn't connect although our internal blackboard app still connected over the same load balancer without any issues.

So i declared a 10min maintenance window and disabled HTTP/2, thinking that this was the culprit.

Nope. No dice.
Okay, i thought, enable TLS 1.0 again.

Suddenly the ticket system related stuff starts to work again.

So since both the ERP system and the AddIn run on .NET i dug through the .NET documentation and found out that for some fucking reason even in the newest .NET framework version (4.7.2) you have to explicitly enable TLS 1.1 and 1.2 or else you just get a 'socket reset' error. Why the fuck?!

Okay, now that i had the ticket system out of the way i enabled HTTP/2 and verified that everything still works.

It did, nice.

The anti-spam appliance app still did not work however, so i enabled one non-pfs cipher in the OpenSSL config and tested the app.

Behold, it worked.

I'm currently creating a ticket with them asking politely why the fuck their app has pfs-ciphers disabled.

And I thought disabling DEPRECEATED tech wouldn't be an issue... Wrong...

At the time, I'm working on a simple RAT, for leaning purpose, written I'm Go.
Now simple command-execution work's and I want to implement an encrypted connection between the client and the C&C-Server.
I know Go has some kind of TLS in its standard library, but is it really usable, or would it be easier to just implement my own simple encryption-module with some RSA and AES?

The coolest project I ever worked on wasn't programming per second, though it involved a bit of scripting. The company I worked for had an FTP over TLS backup solution and it was put together with glue and paperclips by a guy that hadn't the slightest idea what he was doing. In order to conform with the insurance, data had to be encrypted. I setup a raid-ed server with full disk encryption on the raid volume that fetched the key over the network at boot from another secure server. I wrote a series of scripts for provisioning users and so on. The backup connections was sftp using a ssh tunnel, the users were chrooted to their own home directories, and were unable to open shells. The system was 100x more robust and secure than the original. I set it up on short notice and received absolutely no recognition for saving the company's ass, but it was definitely a fun project.

I found out that apache had built-in support ( via a module - mod_md ) for automatic TLS certificate management with Let's Encrypt since October 2017.

Bloody Hell! Why didn't I hear of this sooner?

So, I ran off into my cloud to set up this so-called ManagedDomain ( mod_md ).

Found the module in the package repositories, installed it and started testing it out.
I started writing IfModule conditions under mod_ssl so that I wouldn't have to overwrite my existing TLS configurations ( which was already issued by Let's Encrypt via certbot, by the way ).

After a whole night of twisting and turning with the configurations, it turns out that the module in the package repositories were built for ACMEv1 and that API has been dead for as long as the module has been around.

I had noticed that the module was 'experimental', but I still hoped that they had the packaged the module.

Finally, I cozied back up with certbot. At least, until this so-called mod_md becomes stable and mainstream.
I hope certbot doesn't make a fuss. I'm sure, it got offended that I was trying to cheat it with mod_md.

Guys, please use caddyserver as your webserver! It creates official tls certs for you without you having to do anything. Help making the web secure. There are too many websites that do not have any security.

IT admins of devRant, explain my dumbass the following:

Why would an IT department put servers in a VPN without TLS.

They presume they don't need because muh-VPN.

And then they don't want to hand out VPN connections to anyone and force me to use Citrix RDP 🤡

I know there are security reasons, but is there not a better way? Like goteleport.com ?

Asking for a friend (or several)

I hate this feeling.

Changing stuff with a greamripers scythe around my neck called doubt because the available data isn't too convincing.

Then having to go big or nothing as it is an ecosystem change (e.g. changing the cipher suites of TLS, changing protocol - e.g. HTTP 1.1 to 2) so it needs to be consistent as otherwise fun stuff could happen (fun as in the grim reaper cuts off my neck except a few centimeters and plays "now your head is off, now your head is on" ).

To top it off - just few seconds after the change has happened people coming up in the support channel.

My hands are - mysteriously - not sweaty then. Rather cold.

Lil prayer to the heavens and getting the whiskey bottle...

Opening an ongoing discussion in support channel....

And they're discussing whether the page needs to have an additional arrow for going back to the last page or if the default page navigation is enough.

Constantly using @all so everyone gets pissed off due to being pinged every few seconds in a channel that was meant for emergency support.

Now my hands go from a dark red to a bright red, my nostrils flare out, my adrenaline goes through the roof and I literally wanna murder people....

Those days.

I hate those days.

And I hate the timing of some people...

Like they're deliberately fucking with me without knowing it, like the universe told them explicitly to do so just to fuck with me.

*gooozfraba*

And of course, everything else is fine and running smooth like butter, except that said discussion now goes on in a total flamewar so I get even more pings.

Sucks to be in management.

You have way to many rooms where people can annoy you.

To top it off - after being grumpy and pissed and angry for people just annoying the fuck out of me, I have to mediate.

Yeah. Cause the usual person is on vacancy.

*slowly strangling the whiskey bottle like homer does with bart*

Turns out after 15 mins listening to enraged UX designer vs Frontend Team Lead that UX designer meant a completely different thing - uploaded wrong screenshot, whole discussion was unnecessary.

*Nah. Fuck it. Drinking whiskey*

Reminding everyone what the fucking frigging support channel is meant for and that penis fights aka who got the longest schlong don't belong there....

"Yeah it was a mistake, but it wasn't so bad"
...

You pinged fucking 32 people like it was the end of the world, you ignorant fucktwads.

For over 5 mins.

For fucking frigging nothing except your tiny dicks and shitty egos.

*Second round of whiskey*

Back to work after a wasted half hour.

What says monitoring?

Ah. Everything's working.

At least luck hasn't failed me.

Good server. Brave server.

Then I hear this lil voice in my head: no.

The servers know your personality.

They're afraid. Terrified.

Somehow that thought makes me giggle always...

Childish? Maybe. But it helps on those days.... Funnily enough, remaining 3 hours noone said anything in any chat channel.

"I wonder why, I wonder how...."... *hum*

When I first saw the .dev TLS was $200 are some odd dollars I was sad. But, that was early access as now they are cheap. Yay!

It gets fucking old, yet it always keeps coming back like Christmas.

If I had a fucking euro each time a CTO asks me why they need CORS and TLS to use webrtc (even on LAN??!1! 🤯), I'd be fucking rich.

At least this time the time I wasted explaining it again was paid for at a much higher rate...

Do you still charge your clients extra for HTTPS being it’s practically a requirement now for SEO purposes?

I'm so tired of fs issues with webpack/react. fucking useless piece of shit. I look online and it looks like it's a pain in the ass for anyone actually using a modern stack. Literally just trying to use mailjet's API to send emails from a React app and I've been solving dependency issues for fucking hours because of the MANY node modules it requires. requires fs, dns, tls, and dgram for a FUCKING post request because mailjet makes you use their node package.

So, I made this API which logins to the system and Used it in an android app, there was one roadblock to it, that everytime user enters a password, it has to match the password hash so I, excitingly, used password_verify($password,$passwordHash), unknowingly that it is fucking unsafe and the code is still there, and here's where it gets interesting it is not over SSL/TLS. Fuck me, any bright solutions?

What's your thoughts on the newly released .app tld? Is it going to be the new .io?
It also seems like Google provides TLS certificates for free to all .app domains. I know there's let's encrypt but I still think that this is great. Google is really pushing a more "Secure" internet.

Did some analysis on some servers that a partner of ours is hosting:

-TLS 1.0: Hmm this isn't great
-TLS_RSA_WITH_RC4_128_SHA preferred Cipher Suite for ALL TLS Versions.

I almost barfed at my desk.

What are the thoughts of privacy conscious people about quantum computers? As far as I understand current TLS version encryption method is vulnerable to quantum computers, thus if your ISP or other agencies store all your traffic data right now, they'll be able to decrypt it after gaining access to quantum computers.

One way to secure your privacy would be to use your own VPN that uses encryption method that is quantum-resistant, but again the VPN would be using TLS to connect to the Internet.

The world must truly hate me.

I refactored my code a lot in order to easily integrate different APIs endpoints but then I can't use the one I specifically did this for, because of TLS errors.
My browsers all agree that it's fine, but curl and the 2 http libraries I tested can't fetxh any data.

END ME!

Irony - The new TLS certificate was finally issued after 10 days of waiting. The project management portal I need to upload it to crashed this afternoon. No ETA on recovery time yet.

Request for internal service

FW takes request

FW NATs request to external / WAN IP

Other FW (different location) gets request

DNS redirect for whole domain
"data-zone: *.*.*.org redirect"

Via DNS redirect request goes to LB

LB sends request to other LB

LB send request to NGINX server

NGINX resolves via Host header

And now you get a TLS handshake error somewhere in the travel of the request...

The level of fucked: my arse can take the Eiffeltower horizontal.

To add a bit more context to my last rant.

The following situation happened today and similar situations are at the moment common as fuck.

Situation started roughly 1 1/2 months ago as a deployment failed.

Seemed to be a DNS problem for the devs, so my basic assumption was that they checked their shit.

As I was and I am currently more than swamped, told them it had to wait if it is an DNS issue...

Well.

Backstabbing product manager complained to upper management as it took so long.

Backstabbing manager even went so far to propose alternative solutions - think of switching product to work around issue and throwing away a year of development of a 5 man team...

So additional to my work I had to deescalate and prevent complete nonsense.

Today I finally found time for the problem.

After 2-3 hours of turning every stone inside the DNS setup, cloudflare, loadbalancers, etc...

Well. Devs. Don't trust them.

Turned out the devs misconfigured the environment entirely.

Its not so obvious in this product as it is rather complicated, though the devs documentation explicitly mentioned that if one overrides the configuration for e.g. several languages, one has to make sure to set two env variables for TLS mode...

There was only one set.

:(

8 fucking weeks of backstabbing and blaming others while they could have just read their own fucking documentation and fixed that shit in 5 minutes.

Why redis, why?! You run "redis-cli -h <host>" and it looks like either it cannot connect to <host> or the redis-cli is frozen.

What was the fix? Adding "--tls" to the call. Why can't you just say "You are starting a non-tls connection to a remote but the remote wants to talk TLS"? Or give any other indication that you did reach the server but did not understand what it said and hint for TLS? I was hunting non-existent connectivity issues for hours just because there wasn't a good error message...

wrote dumb threading and sockets system to make a bunch of https calls

extracted the working code into nice objects and methods to make it look sane and so I can re-use the code for more complex functionality that builds on itself

now suddenly the threads are locking and not multi-threading anymore

turns out?
the http(s) library expects the tls / https thing in an Arc / atomic reference count
but despite Arc being literally intended and designed for threadwork it seems the library in question throttles / locks itself if they are all using the same Arc (I don't even know how that is possible?)
if I clone the tls / https thing, no throttle / lock issues 😒
why did they even try that lol, they didn't test?!

I really didn't expect to be better at multi-threading than others already. I'm newbie. pls

Saw a lot of NodeJS/TLS jokes here, but honestly does anyone get it?

We're remediating tls issues on production servers. gotta be pic compliant. It's been an hour and a half for one server and were not even close to done... we have at least 5 more to go for this particular app... my organization controls over 300... the company has thousands... for the love of god save me.

Maximum overkilled security. Enabled TLS for a non remote access mongodb service...

RANT
THE fucking pip is not working again. This time throwing sslerror ssl_certificate. Googled and came to know they removed TLS 1.0 and 1.1 support. Solution upgrade the pip. Done. Still same.
Checked their website no information.

Don't have words now.

Can anyone recommend me a good and secure email server to use on linux?

Over the last week I've slowly grown to fucking hate IMAP and SMTP. You'd think after so many years we'd have come up with better servers to manage email but no we still rely on fucking decades old protocols that can't even batch requests.

To make things worse I need to attach to IMAP through node and that has been a nightmare. All the libraries suck ass and even the ones tailored towards Gmail don't work for Gmail because Google decided one day to fucking out the header at the bottom of some emails and split into mimeparts. Also why the fuck is fetching email asynchronous? There's no point at all since we requests are processed line by line in IMAP, and if the library actually supported sending asynchronous requests it wouldn't require a new object to be created for each request and allow only a single listener.

Also callbacks are antiquated for a while and it pisses me off that node hasn't updated their libraries i.e. TLS to support async/await. I've taken to "return await new Promise" where the resolve of the promise is passed as the callback, which let's me go from callback to promise to async/await. If anyone has any other ideas I'm all ears otherwise I might just rewrite their TLS library altogether...

And this is just IMAP. I wish browsers supported TLS sockets because I can already see a server struggling with several endpoints and users, it would be much easier to open a connection from the client since the relationship is essentially:

Client [N] --- [1] Server [1] --- [1] IMAP

And to make the legs of that N : N which would fix a lot of issues, I would have to open a new IMAP connection for every client, which is cool cause it could be serverless, but horrifying because that's so inefficient.

Honestly we need a new, unifying email protocol with modern paradigms...

So i just learned aws elastic beanstalk (EBS, ECS, ALB, EC2, Amplify, S3, RDS, SQS)

Essentially i learned how to operate with aws to deploy a full stack web application with custom backend i built, with security and jwt token, certificate manager, ssl/tls to set up https and redirect from http, and react/angular/nextjs on frontend

All with custom CI/CD pipelines docker and other devops shit

But i still feel like im missing on A Lot of stuff regarding aws. I havent worked with Fargate for example and dont know how it works or when to use it, but i heard other devs use it

Can someone list me a number of things i as a dev should know more regarding aws?

Found another gem in the code-base I've been given to troubleshoot.

Let's call recv(), get the TLS encrypted message, and then call BIO_write() and SSL_read() instead of offloading it to OpenSSL.

Fucking dot files...
Written a deployment script to reduce the amount of another dude's fuck ups when updating code on the server. Apparently the website executable automatically generated TLS certificates (let's encrypt) and placed them into the local hidden folder.

There is a limit on how many certificates a single domain can generate so... The website is down...

Why are so many websites' TLS certs broken? This month I've come across at least four different websites with cert errors that I've tried to email the webmasters about. "Tried" - the fourth has only twitter as a contact point and "can't be messaged". None of the other three have been corrected, although I received responses from two claiming they'd look into it.

And that's not even counting the ones I've seen that I didn't care about enough to contact the webmaster.

Thank you hosing company, all you had to do was rebuild the crummy php 5.2 cgi with an up to date version of openssl that supports tls 1.2 so the PayPal integrations work for the seven customers who are too fucking tight to pay to have their sites upgraded to something modern...

Not set all 120 sites across five servers to run on php 5.2..

Assholes!

Fuck me Amazon cert manager is so fucking complicated. Just do it all for me; why do i have to providing a route 53 entry (TECHNICALLY 2 IF I WANT MY NAME CORRECT) BEFORE I set up my load balancer??!! I should be able to test a load balancer first and then add on tls, not have to get a cert all set up and then sit on my fucking ass when the load balancer shits itself

Hey, anyone have experience with email with encryption?

I need to setup TLS for emails for all devices on premises. The printer and other devices does not support TLS.

I'm thinking i could use local exchange server that forwards to our office 365, as we use outlook for the domain. But i would rather use some linux solution.

We have multiple ip's we might send from.

why the fuck does it take 5-7 minutes for fucking filezilla to make a successful connection after I turn on my pc ''Initializing TLS..."? WTF, this makes me angry and paranoid at the same time because it doesn't happen on other PC's I use.

Been integrating with a third party system for the last 2 weeks, we can send them requests fine but when they post the response to us they get a generic error.

After responding very politely to an increasingly aggressive contact at their company for the entire day, where he says it is our system that is badly configured, they figured it out.

Their system only has support for sending data using TLS 1.0 and below....

So turns out he was right our system wasn't configured to work with theirs. We only allow 1.2 and above...

Mongodb CEO and the developer who build this shit for brains interface should be tarred and feathered. Almost 90minutes in and I cannot connect to anything other than error codes. What in the actual fuck is your job other than to make it difficult for a "free tier" user to connect?
"connect ECONNREFUSED 127.0.0.1:27017"

Oh ok another 20 minutes of work and you give me a bland beige error code like "```TLS/SSL is disabled. If possible, enable TLS/SSL to avoid security vulnerabilities.```"... um ok how do I enable it for your site, your database or on my computer... oh wait you don't say shit do you?

So now I'm fully 81 minutes into this shit show and all I get for error codes are these really descriptive gems 'getaddrinfo ENOTFOUND cluster0.hudbd.mongodb 'dot' net` comes up if I choose `mongo` with "connection string scheme" above it or `bad auth : Authentication failed'