Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Search - "tls"
So, someone submitted a 'bug' to Mozilla.
As some of you may know, in the next year, the new mass surveillance law in the Netherlands is going into effect.
Another fun fact is that the dutch security agencies/government have their own CA (Certificate Authority) for SSL/TLS certificates.
The new law says that the AIVD (dutch NSA/GCHQ equivilant) is allowed to hack into systems through obtained certificates and also that they're allowed to INTERCEPT TRAFFIC THROUGH OBTAINED PRIVATE SSL/TLS KEYS.
So someone actually had the fucking balls to submit a fucking issue to Mozilla saying that the Dutch State certs shouldn't be accepted anymore when the new mass surveillance law gets into place.
This person deservers a fucking medal if you ask me.71
I really, honestly, am getting annoyed when someone tells me that "Linux is user-friendly". Some people seem to think that because they themselves can install Linux, that anyone can, and because I still use Windows I'm some sort of a noob.
So let me tell you why I don't use Linux: because it never actually "just works". I have tried, at the very least two dozen times, to install one distro or another on a machine that I owned. Never, not even once, not even *close*, has it installed and worked without failing on some part of my hardware.
My last experience was with Ubuntu 17.04, supposed to have great hardware and software support. I have a popular Dell Alienware machine with extremely common hardware (please don't hate me, I had a great deal through work with an interest-free loan to buy it!), and I thought for just one moment that maybe Ubuntu had reached the point where it just, y'know, fucking worked when installing it... but no. Not a chance.
It started with my monitors. My secondary monitor that worked fine on Windows and never once failed to display anything, simply didn't work. It wasn't detected, it didn't turn on, it just failed. After hours of toiling with bash commands and fucking around in x conf files, I finally figured out that for some reason, it didn't like my two IDENTICAL monitors on IDENTICAL cables on the SAME video card. I fixed it by using a DVI to HDMI adapter....
Then was my sound card. It appeared to be detected and working, but it was playing at like 0.01% volume. The system volume was fine, the speaker volume was fine, everything appeared great except I literally had no fucking sound. I tried everything from using the front output to checking if it was going to my display through HDMI to "switching the audio sublayer from alsa to whatever the hell other thing exists" but nothing worked. I gave up.
My mouse? Hell. It's a Corsair Gaming mouse, nothing fancy, it only has a couple extra buttons - none of those worked, not even the goddamn scrollwheel. I didn't expect the *lights* to work, but the "back" and "Forward" buttons? COME ON. After an hour, I just gave up.
My media keyboard that's like 15 years old and is of IBM brand obviously wasn't recognized. Didn't even bother with that one.
Of my 3 different network adapters (2 connectors, one wifi), only one physical card was detected. Bluetooth didn't work. At this point I was so tired of finding things that didn't work that I tried something else.
My work VPN... holy shit have you ever tried configuring a corporate VPN on Linux? Goddamn. On windows it's "next next next finish then enter your username/password" and on Linux it's "get this specific format TLS certificate from your IT with a private key and put it in this network conf and then run this whatever command to...." yeah no.
And don't get me started on even attempting to play GAMES on this fucking OS. I mean, even installing the graphic drivers? Never in my life have I had to *exit the GUI layer of an OS* to install a graphic driver. That would be like dropping down to MS-DOS on Windows to install Nvidia drivers. Holy shit what the fuck guys. And don't get me started on WINE, I ain't touching this "not an emulator emulator" with a 10-foot pole.
And then, you start reading online for all these problems and it's a mix of "here are 9038245 steps to fix your problem in the terminal" and "fucking noob go back to Windows if you can't deal with it" posts.
It's SO FUCKING FRUSTRATING, I spent a whole day trying to get a BASIC system up and running, where it takes a half-hour AT MOST with any version of Windows. I'm just... done.
I will give Ubuntu one redeeming quality, however. On the Live USB, you can use the `dd` command to mirror a whole drive in a few minutes. And when you're doing fucking around with this piece of shit OS that refuses to do simple things like "playing audio", `dd` will restore Windows right back to where it was as if Ubuntu never existed in the first place.
Thanks, `dd`. I wish you were on Windows. Your OS is the LEAST user friendly thing I've ever had to deal with.28
Good news everyone. As of 30th June 2018, PCI compliance demands a minimum of TLS v1.1. Meaning it's illegal for your website to support IE6-1011
I absolutely love the email protocols.
x1 LOGIN user@domain password
x2 LIST "" "*"
x3 SELECT Inbox
Because a state machine is clearly too hard to implement in server software, clients must instead do the state machine thing and therefore it must be in the IMAP protocol.
I should be careful with this one since there's already more than enough spam on the interwebs, and it's a good thing that the "developers" of these email bombers don't know jack shit about the protocol. But suffice it to say that much like on a real letter, you have an envelope and a letter inside. You know these envelopes with a transparent window so you can print the address information on the letter? Or the "regular" envelopes where you write it on the envelope itself?
Yeah not with SMTP. Both your envelope and your letter have them, and they can be different. That's why you can have an email in your inbox that seemingly came from yourself. The mail server only checks for the envelope headers, and as long as everything checks out domain-wise and such, it will be accepted. Then the mail client checks the headers in the letter itself, the data field as far as the mail server is concerned (and it doesn't look at it). Can be something else, can be nothing at all. Emails can even be sent in the future or the past.
You have this property "mynetworks" in /etc/postfix/main.cf where you'd imagine you put your own networks in, right? I dunno, to let Postfix discover what your networks are.. like it says on the tin? Haha, nope. This is a property that defines which networks are allowed no authentication at all to the mail server, and that is exactly what makes an open relay an open relay. If any one of the addresses in your networks (such as a gateway, every network has one) is also where your SMTP traffic flows into the mail server from, congrats the whole internet can now send through your mail server without authentication. And all because it was part of "your networks".
Yeah when it comes to naming things, the protocol designers sure have room for improvement... And fuck email.
Oh, bonus one - STARTTLS:
So SMTP has this thing called STARTTLS where you can.. unlike mynetworks, actually starts a TLS connection like it says on the tin. The problem is that almost every mail server uses self-signed certificates so they're basically meaningless. You don't have a chain of trust. Also not everyone supports it *cough* government *cough*, so if you want to send email to those servers, your TLS policy must be opportunistic, not enforced. And as an icing on the cake, if anything is wrong with the TLS connection (such as an MITM attack), the protocol will actively downgrade to plain. I dunno.. isn't that exactly what the MITM attacker wants? Yeah, great design right there. Are the designers of the email protocols fucking retarded?9
Long rant ahead.. so feel free to refill your cup of coffee and have a seat 🙂
It's completely useless. At least in the school I went to, the teachers were worse than useless. It's a bit of an old story that I've told quite a few times already, but I had a dispute with said teachers at some point after which I wasn't able nor willing to fully do the classes anymore.
So, just to set the stage.. le me, die-hard Linux user, and reasonably initiated in networking and security already, to the point that I really only needed half an ear to follow along with the classes, while most of the time I was just working on my own servers to pass the time instead. I noticed that the Moodle website that the school was using to do a big chunk of the course material with, wasn't TLS-secured. So whenever the class begins and everyone logs in to the Moodle website..? Yeah.. it wouldn't be hard for anyone in that class to steal everyone else's credentials, including the teacher's (as they were using the same network).
So I brought it up a few times in the first year, teacher was like "yeah yeah we'll do it at some point". Shortly before summer break I took the security teacher aside after class and mentioned it another time - please please take the opportunity to do it during summer break.
Coming back in September.. nothing happened. Maybe I needed to bring in more evidence that this is a serious issue, so I asked the security teacher: can I make a proper PoC using my machines in my home network to steal the credentials of my own Moodle account and mail a screencast to you as a private disclosure? She said "yeah sure, that's fine".
Pro tip: make the people involved sign a written contract for this!!! It'll cover your ass when they decide to be dicks.. which spoiler alert, these teachers decided they wanted to be.
So I made the PoC, mailed it to them, yada yada yada... Soon after, next class, and I noticed that my VPN server was blocked. Now I used my personal VPN server at the time mostly to access a file server at home to securely fetch documents I needed in class, without having to carry an external hard drive with me all the time. However it was also used for gateway redirection (i.e. the main purpose of commercial VPN's, le new IP for "le onenumity"). I mean for example, if some douche in that class would've decided to ARP poison the network and steal credentials, my VPN connection would've prevented that.. it was a decent workaround. But now it's for some reason causing Moodle to throw some type of 403.
Asked the teacher for routers and switches I had a class from at the time.. why is my VPN server blocked? He replied with the statement that "yeah we blocked it because you can bypass the firewall with that and watch porn in class".
Alright, fair enough. I can indeed bypass the firewall with that. But watch porn.. in class? I mean I'm a bit of an exhibitionist too, but in a fucking class!? And why right after that PoC, while I've been using that VPN connection for over a year?
Not too long after that, I prematurely left that class out of sheer frustration (I remember browsing devRant with the intent to write about it while the teacher was watching 😂), and left while looking that teacher dead in the eyes.. and never have I been that cold to someone while calling them a fucking idiot.
Shortly after I've also received an email from them in which they stated that they wanted compensation for "the disruption of good service". They actually thought that I had hacked into their servers. Security teachers, ostensibly technical people, if I may add. Never seen anyone more incompetent than those 3 motherfuckers that plotted against me to save their own asses for making such a shitty infrastructure. Regarding that mail, I not so friendly replied to them that they could settle it in court if they wanted to.. but that I already knew who would win that case. Haven't heard of them since.
So yeah. That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there.
Nowadays I'm putting my bets on a certification from the Linux Professional Institute - a renowned and well-regarded certification body in sysadmin. Last February at FOSDEM I did half of the LPIC-1 certification exam, next year I'll do the other half. With the amount of reputation the LPI has behind it, I believe that's a far better route to go with than some random school somewhere.27
A client asked us today to disable TLS 1.0 and 1.1 across their servers.
Its not often that I say this. But this makes me proud. It's a good client. Going with the changin times. I wish all clients were like this one.
RIP TLS 1.0/1.1, took you long enough.2
[Little perspective: For the last 7 months I'm working in a certain project.]
[The project is full of unimaginative, non-creative devs with 0 initiative and poor technical background.]
[And they're almost all from one country which you all can figure out.]
[But I'm not going to mention it here because I don't want to come up as a racist]
[So there's US (Europeans) and THEM. 3 of US and about 10 of THEM. And we're doing 90% of all the heavy lifting]
D (Dev from THEM): Hi S, I have a problem with my task
Me: (sighing) Ok let's have a call
* on the call with D we were checking some stuff loosely related to task *
* code wouldn't get invoked at all for some reason *
* suddenly I realize that even if the code would invoke, D's probably doing everything wrong in it anyway *
Me (thinking): I need to double check something.
Me: I can't help you now, I'll get back to you later.
* call ended *
Me: Hey J, I need your help, I need to clarify the work package in my mind, because I am no longer sure.
J (my European TL): Ok, fire away.
* call started *
Me: Is it true that [blahblahblah] and so D's task depends on me completing first my task, or am I losing my mind?
J: That is correct.
Me: Well she's trying to do this in [that] way, which is completely wrong.
J: You see, that's how it is in this project, you do refinements with them, split these work packages to tasks, mention specifically what depends on what and what order should things be taken in, and in some cases all tasks from given user stories should be done by one person entirely... But they do it their way anyway, assign different people to different interdependent tasks, and these people don't even understand the big picture and they try to do the things the way they think they understand them.
Me: It's a fire in a brothel.
Me: I fucking love this project.
J: (smiling silently)
* call ended *
Me: Ok D, you can't do your task because it's dependant on my task.
D: Oh... so what do I do?
Me: I don't know, do something else until I do my task.
A (THEIR TL) (Oh, did I forget to mention that there are 2 TLs in this project? THEY have their own. And there are 2 PMs as well.)
A: Hey S, I need to talk
Me: (sighing, getting distracted from work again) Ok let's have a call
* call started *
A: S, we need this entire work package done by Friday EOD.
Me: I can't promise, especially since there are several people working on its several tasks.
A: D's working on hers for 3 days already, and she's stuck. We want you to take over.
Me: (sighing, thinking "great"): Ok.
* call ended *
Me: Hey D, A instructed me to take over your task. This is actually going to be easier since you'd have to wait for mine after all.
D: Oh, ok.
* I switched the Assigned Person on D's task to myself on Azure *
This morning, email from D.
"Hey, I completed my task and it's on [this] branch, what do I do now?"
Me, hesitating between 2 ways to reply:
(and take note there are people in CC: A, J, P - the last one is THEIR PM)
1) "Hi, Unfortunately you'd still have to wait for my changes because your task is dependent on my task - the column to be changed is in the table that I am introducing and it's not merged to develop branch yet. By the way I already did your task locally, as I was instructed to do it, I'm wrapping things up now."
(y'know: the response which is kind, professional, understanding; without a slight bit of impatience)
2) WHAT FUCKING PART OF "DON'T DO THIS I WILL FUCKING DO IT MYSELF GO HOME JUST GO HOME" YOU DON'T FUCKING UNDERSTAND4
Me: You need TLS since your users submit confidential data on your website.
Boss: Our hoster has an SSL-Domain
Me: Yeah. But you need TLS not your hoster...
Me: ssl conn cannot be esrablished. Cert is not signed
Sr. Dev/architect: what url are you calling?
sd/a: yeah, I know that. But what is the url?
Me: *how the f... Did you get 'sr' and 'arch' titles, man???*
Me: why does it matter?
Sd/a: certificates depend on a url. Our LB selects a cert according to a request url
me: *buddy, I like you but I no longer look at you with respect like I used to before today...*11
First lecture of computer networks. Let's shove all of these abbreviations with their meaning, and possibly a associated port number in one 1.5 hour lecture:
HTTP, HTTPS, FTP, FTPS, SFTP, TCP, IP, UDP, ISP, DSL, DNS, LAN, WLAN, WDM, P2P, TELNET, PGP, TLS, SSL, SSH, MIME, SMTP, POP3, IMAP, IANA, DHT, RTT, DHCP
I really feel sorry for students who didn't have previous knowledge about this stuff..5
THE FUCK WHY did the company which made the website I'm maintaining now ADD CUSTOM FACEBOOK LIKES AND TWITTER FOLLOWER WIDGETS - IN A SUBDIRECTORY OF THE THEME?
Guess what, you motherfuckers: One year after you made that damn page the Facebook API changed and your stinking widget is broken REQUIRING ME TO REWRITE MOST OF IT!
Also WHO THE FUCK LEFT HIS BRAIN ON HIS BEDSIDE TABLE the day he decided to HARDCODE ASSETS WITH AN http:// (no tls) URL? YES, browsers will block that shift if the website itself is delivered over tls, because it's a GAPING SECURITY HOLE!
People who sells websites that have user management and thus request authentication without AT LEAST OFFERING FUCKING STANDARD TLS SHOUD BE TARRED AND FEATHERED AND THEN PUT IN A PILLORY IN FRONT OF @ALEXDELARGE'S HOUSE!
Maybe I should be a bit more thankful - I mean I get payed to fix their incompetence. But what kind of doctor is thankful for the broken bones of his patient?9
Damn, GitHub is on rampage lately. After dropping tls < 1.3 support, they are expected to drop IE support by July.
Praise GitHub 😍9
I think most people are annoyed by the new design of chrome, for all the wrong reasons - I just noticed the TLS indicator lock is now gray when encrypted, giving you the idea of a website being not fully secure imho6
2 things I'm working on now:
#1 a personal project I am hoping to commercialize and turn it into my moneymaker. Hoping it'd at least be enough to pay the bills and put food on my table so I could forget 9/5 for good. But it has a potential of becoming a much, MUCH bigger thing. This would need the right twist tho, and I'm not sure if I am "the right twister" :) We'll see.
#2 smth I'm thinking of opensourcing once finished -- a new form of TLS. This model could be unbreakable by even quantum computing once it's mature enough to crack conventional TLS. I'm probably gonna use md5 or smth even weakier - I'm leveraging the weakness of hashing functions to make my tool stronger :)
I mean how long can we be racing with more powerful computers, eh? Why not use our weakneses to make them our strengths?
Unittests are already passing, I just haven't polished all the corner-cases and haven't worked out a small piece of the initialization process yet. But it's very close6
I actually do have one. 2 years ago I found myself in a stressful situation. It lasted for an hour or so but all ended well. Ever since that incident I was wondering what should be different so that situations like these could be avoided. I had an idea. I began making sketches, sorting out the architecture I'd need and then it hit me. Shit, I could reuse this very principle for a MUCH larger scale! And in fact there's noone in the market offering this yet! There are similar products, products that offer a tiny part of my idea's functionality, but none of them are even close to what I have in mind!
And so the coding began. I was still a student back then. And employed 12hrs/day. And married. Needless to say I did not have much time for coding. Now I'm also a father (although not a student any more!) which makes my schedule even worse.
All in all I've made quite a few widely reusable libraries by now which have saved me 10s of thousands of lines typing, had yet another idea on alternative TLS which seems impossible to crack (well okay, possible. But there's a twist - cracker will not be able to know he cracked the algo :) ). Now I'm close to 100k LOC of my main project and struggling with a fucking FE (since I'm more of a bkend guy). FE's already taken a few months from me and I'm still in a square 1 :/ But I'm moving forward. Slowly, but moving. Frustrated af, but not giving up.
I had a sort of a dream to start my project before I'm 30. I have less than a year left. Still doable. This project, if it's sucessful, has a potential to become extremely popular as it offers solutions to multiple problems we have today. This project should save me from 9-to-5 work every day where, no matter how great the environment is, I feel trapped. But I need money to survive in this city . With my family.
This project should be a solution to all of my problems and probably something great the world could enjoy.
I wish I could make it. I really do. I don't want to be 9-5 any more. I don't want to be dictated what's my schedule, what's that I have to do now. what to think. I want to be free of all of this. Have enough time to live. To travel, see the world. Live in a house (God I miss living in a house....). Spend time with my family. Show my lil boy what a wonderful thing the World is!
I really want this to work. I want to be free again. And I wish I hadn't to deal with FrontEnd.
Allright, enough wabbling. Time for a nice cup of tea and back to coding. "The next big thing" is not going to create itself while I'm ranting, right?6
I just installed Opera Mini on my PSP. That alone isn't very exciting on its own, although I am stoked that my website does in fact render on a device from 2009. With the helpful guidance of a laptop from 2004 that's doing the hotspot duties for this thing.
No, what really got me stoked is that Opera still supports these old platforms, and how small they managed to make it. The .jar file for Opera Mini 4.5 is ~800kB large. There's a .jad file as well but it's negligible in size and seems to be a signature of sorts.
Let that sink in for a moment. This entire web browser is 800kB. Firefox meanwhile consistently consumes 800 MEGABYTES.. in MEMORY. So then, I went to think for a moment, how on earth did they manage to cram an entire functioning web browser in 800kB? Hell, what makes up a web browser anyway?
The answer to that question I got to is as follows. You need an engine to render the web page you receive. You need a UI to make the browser look nice. And finally you need a certificate store to know which TLS certificates to trust. And while probably difficult to make, I think it should be possible to do in 800k. Seriously, think about it. How would you go *make* a web browser? Because I've already done that in the past.
Earlier I heard that you need graphics, audio, wasm, yada yada backends too.. no. Give your head a shake. Graphics are the responsibility of the graphics driver. A web browser shouldn't dabble with those at all. Audio, you connect to PulseAudio (in Linux at least) and you're done. Hell I don't even care about ALSA or OSS here. You just connect to the stuff that does that job for you. And WebAssembly.. God I could rant about that shit all day. How about making it a native application? Not like actual Assembly is used for BIOS and low-level drivers. And that we already have a better language for the more portable stuff called C.
Seriously, think about it. Opera - a reputable browser vendor - managed to do it in 800kB on a 12 year old device. Don't go full wank on your framework shit on the comments. And don't you fucking dare to tell me that there's more to it. They did it for crying out loud. Now you take a look at your shitpile for JS code and refactor that shit already. Thank you.22
This is the last part of the series
(3 of 3) Credentials everywhere; like literally.
I worked for a company that made an authentication system. In a way it was ahead of it's time as it was an attempt at single sign on before we had industry standards but it was not something that had not been done before.
This security system targeted 3rd party websites. Here is where it went wrong. There was a "save" implementation where users where redirected to the authentication system and back.
However for fear of being to hard to implement they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and the only solution that was ever pushed.
So users where trained to leave their credentials wherever they saw the products logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as pain text right next to the email and birth date making the incompetence complete.
The reason for plain text password was so people could recover there password. Like just call the company convincingly frustrated and you can get them to send you the password.1
Raised an issue with a web application for out client that was weak TLS protocols/cipher suites in use on the sever hosting their application.
Then I was asked to confirm that reissuing the certificate was the correct remidial action for fixing this...
Man, it's scary to think non-technical project managers are in charge of fixing this stuff...4
Running WireShark to see what one of our partners is sending across.
Outdated TLS: Ok, that's par for the course.
Leaking data through DNS queries: ButWhy.jpg
Website leaked through DNS doesn't require auth to view information. TableFlip.jpg2
TIL if you know the password for a WIFi SSID, you can replicate it with your hardware. All devices that have credentials for that SSID will connect to yours if your signal is stronger. The encryption just needs to be the same (wpa2/wep) The underlying UUID doesn’t matter.
Not bad for a quick and dirty man-in-the-middle attack. The WiFi spec needs a bit more work.
TLS all the things!4
Just spent an hour trying to implement an API without any luck. As i delve deeper and deeper into the code i discover that the client's server doesnt support TLS 1.2 and this is why it wasnt working.
FUCK YOU YOU SHITTY COCK SUCKING BITCH MOTHERFUCKER.
GO DIE IN A HOLE THEN GET RAPED IN HELL. I REALLY HATE THIS SHIT.
FUCK OFF GOOGLE.13
Legacy tech be like:
"The connection to this site uses TLS 1.0 (an obsolete protocol), RSA (an obsolete key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher)."2
I don't understand why they're still calling it SSL. It was buried long ago by TLS.
Fuck this marketing bullshit, just fucking call it TLS already.1
A conversation between an offshore developer and his manager at a fortune 500:
I'm a software developer and the company I work for is a vendor for $manager's and $offshore_dev's company. They provide endless hours of entertainment/terror. Recently, we've been trying to convince them that they need to stop sending sensitive information plaintext over HTTP and set up TLS/HTTPS which has led to tons of fun conversations such as this one they had during a conference call:
* $manager: "Did $offshore_dev implement TLS1.2?"
* $offshore_dev: "Yes, we enabled a parameter in the code to enable TLS1.2 in the code but according to $me's email, this requires HTTPS in order to work."
* $manager: "No this works, we're using TLS in $other_application right now."
* $offshore_dev: "Well, $manager, it's implemented but it currently doesn't encrypt anything as such."
* $manager: "Okay, HTTPS is in the roadmap in the next quarter, we can move forward without this for now."4
When you’ve been warning of how much stuff needs work to support TLS1.1 depreciation but now all that stuff broke because he had you working on a bunch of other random less important stuff. Now he is saying back to me the exact things I said to him about why we needed to work on this stuff months ago.1
What might replace email in the future?
Email is a very old concept based on a legacy technology and rules. It used to be some tech for g33ks, then it became all serious and all business. People who did not uderstand its flaws adopted it as standard and that was just idiotic back then. Now sysadmins are working hard to make it more secure. I don't care bout tls implementation as every email server has those messages stored in clear text, as encryption is not a default. Most people still find it secure. Just dumb.24
My vocabulary is way to small to express my feelings when being forced to use .Net 4.0. Just spent like 2 hours searching why my Api requests failed.
Turns out it used TLS 1.0 which got rejected by the server. Then I spent another 2 hours finding out how to make it use TLS 1.2. Surprisingly it does work now (although it came out before TSL 1.2 specification). But yeah still a fucking pile of shit.1
DNS ove TLS might come just in time for the Netherlands (if we're lucky).
With a recent HAProxy update on our reverse proxy VM I decided to enable http/2, disable TLS 1.0 and drop support for non forward-secrecy ciphers.
Tested our sites in Chrome and Firefox, all was well, went to bed.
Next morning a medium-critical havock went loose. Our ERP system couldn't create tickets in our ticket system anymore, the ticket systems Outlook AddIn refused to connect, the mobile app we use to access our anti-spam appliance wouldn't connect although our internal blackboard app still connected over the same load balancer without any issues.
So i declared a 10min maintenance window and disabled HTTP/2, thinking that this was the culprit.
Nope. No dice.
Okay, i thought, enable TLS 1.0 again.
Suddenly the ticket system related stuff starts to work again.
So since both the ERP system and the AddIn run on .NET i dug through the .NET documentation and found out that for some fucking reason even in the newest .NET framework version (4.7.2) you have to explicitly enable TLS 1.1 and 1.2 or else you just get a 'socket reset' error. Why the fuck?!
Okay, now that i had the ticket system out of the way i enabled HTTP/2 and verified that everything still works.
It did, nice.
The anti-spam appliance app still did not work however, so i enabled one non-pfs cipher in the OpenSSL config and tested the app.
Behold, it worked.
I'm currently creating a ticket with them asking politely why the fuck their app has pfs-ciphers disabled.
And I thought disabling DEPRECEATED tech wouldn't be an issue... Wrong...
Why in fuck's sake would you create a new service and not offer TLS/SSL to your free tier clients ?10
The coolest project I ever worked on wasn't programming per second, though it involved a bit of scripting. The company I worked for had an FTP over TLS backup solution and it was put together with glue and paperclips by a guy that hadn't the slightest idea what he was doing. In order to conform with the insurance, data had to be encrypted. I setup a raid-ed server with full disk encryption on the raid volume that fetched the key over the network at boot from another secure server. I wrote a series of scripts for provisioning users and so on. The backup connections was sftp using a ssh tunnel, the users were chrooted to their own home directories, and were unable to open shells. The system was 100x more robust and secure than the original. I set it up on short notice and received absolutely no recognition for saving the company's ass, but it was definitely a fun project.1
At the time, I'm working on a simple RAT, for leaning purpose, written I'm Go.
Now simple command-execution work's and I want to implement an encrypted connection between the client and the C&C-Server.
I know Go has some kind of TLS in its standard library, but is it really usable, or would it be easier to just implement my own simple encryption-module with some RSA and AES?
Novice computer enthusiasts argue that an application is safe because it's end-to-end encrypted.. but they don't realize this doesn't guarantee safety because of MITM attacks on possibly exploitable midpoints.
A good example of this is mail servers using TLS 1.2 but one or two of them not verifying certificate autorities.6
For my local dev, set up my own root CA, added to trusted root CA in my machine, generated a cert for my local domain, signed by my own root CA, but the behavior is different across browsers:
Can someone help in making Google Chrome padlock green or grey (not red)?7
To the VPN users here, I have been always using VPN as soon as I am out of my own network, ie. cafes or hotels, now I came across an interesting article
which tl;dr basically describes the first impact seconds, which happen before the vpn connection is actually established.
Do you (or your vpn-client) take any precautions to prevent that? or are you just sure that everything is using tls and doesn't auto sync?5
Guys, please use caddyserver as your webserver! It creates official tls certs for you without you having to do anything. Help making the web secure. There are too many websites that do not have any security.8
Trustico CEO emailed private key which is used to sign TLS certificates, making more than 23k certificates compromised!
This makes me think, that we should not trust others for our security (like ca), failure of CA can put our website at risk. What is the better way to do it?
I found out that apache had built-in support ( via a module - mod_md ) for automatic TLS certificate management with Let's Encrypt since October 2017.
Bloody Hell! Why didn't I hear of this sooner?
So, I ran off into my cloud to set up this so-called ManagedDomain ( mod_md ).
Found the module in the package repositories, installed it and started testing it out.
I started writing IfModule conditions under mod_ssl so that I wouldn't have to overwrite my existing TLS configurations ( which was already issued by Let's Encrypt via certbot, by the way ).
After a whole night of twisting and turning with the configurations, it turns out that the module in the package repositories were built for ACMEv1 and that API has been dead for as long as the module has been around.
I had noticed that the module was 'experimental', but I still hoped that they had the packaged the module.
Finally, I cozied back up with certbot. At least, until this so-called mod_md becomes stable and mainstream.
I hope certbot doesn't make a fuss. I'm sure, it got offended that I was trying to cheat it with mod_md.4
Do you still charge your clients extra for HTTPS being it’s practically a requirement now for SEO purposes?7
When I first saw the .dev TLS was $200 are some odd dollars I was sad. But, that was early access as now they are cheap. Yay!5
I'm so tired of fs issues with webpack/react. fucking useless piece of shit. I look online and it looks like it's a pain in the ass for anyone actually using a modern stack. Literally just trying to use mailjet's API to send emails from a React app and I've been solving dependency issues for fucking hours because of the MANY node modules it requires. requires fs, dns, tls, and dgram for a FUCKING post request because mailjet makes you use their node package.1
Irony - The new TLS certificate was finally issued after 10 days of waiting. The project management portal I need to upload it to crashed this afternoon. No ETA on recovery time yet.5
The world must truly hate me.
I refactored my code a lot in order to easily integrate different APIs endpoints but then I can't use the one I specifically did this for, because of TLS errors.
My browsers all agree that it's fine, but curl and the 2 http libraries I tested can't fetxh any data.
I hate this feeling.
Changing stuff with a greamripers scythe around my neck called doubt because the available data isn't too convincing.
Then having to go big or nothing as it is an ecosystem change (e.g. changing the cipher suites of TLS, changing protocol - e.g. HTTP 1.1 to 2) so it needs to be consistent as otherwise fun stuff could happen (fun as in the grim reaper cuts off my neck except a few centimeters and plays "now your head is off, now your head is on" ).
To top it off - just few seconds after the change has happened people coming up in the support channel.
My hands are - mysteriously - not sweaty then. Rather cold.
Lil prayer to the heavens and getting the whiskey bottle...
Opening an ongoing discussion in support channel....
And they're discussing whether the page needs to have an additional arrow for going back to the last page or if the default page navigation is enough.
Constantly using @all so everyone gets pissed off due to being pinged every few seconds in a channel that was meant for emergency support.
Now my hands go from a dark red to a bright red, my nostrils flare out, my adrenaline goes through the roof and I literally wanna murder people....
I hate those days.
And I hate the timing of some people...
Like they're deliberately fucking with me without knowing it, like the universe told them explicitly to do so just to fuck with me.
And of course, everything else is fine and running smooth like butter, except that said discussion now goes on in a total flamewar so I get even more pings.
Sucks to be in management.
You have way to many rooms where people can annoy you.
To top it off - after being grumpy and pissed and angry for people just annoying the fuck out of me, I have to mediate.
Yeah. Cause the usual person is on vacancy.
*slowly strangling the whiskey bottle like homer does with bart*
Turns out after 15 mins listening to enraged UX designer vs Frontend Team Lead that UX designer meant a completely different thing - uploaded wrong screenshot, whole discussion was unnecessary.
*Nah. Fuck it. Drinking whiskey*
Reminding everyone what the fucking frigging support channel is meant for and that penis fights aka who got the longest schlong don't belong there....
"Yeah it was a mistake, but it wasn't so bad"
You pinged fucking 32 people like it was the end of the world, you ignorant fucktwads.
For over 5 mins.
For fucking frigging nothing except your tiny dicks and shitty egos.
*Second round of whiskey*
Back to work after a wasted half hour.
What says monitoring?
Ah. Everything's working.
At least luck hasn't failed me.
Good server. Brave server.
Then I hear this lil voice in my head: no.
The servers know your personality.
They're afraid. Terrified.
Somehow that thought makes me giggle always...
Childish? Maybe. But it helps on those days.... Funnily enough, remaining 3 hours noone said anything in any chat channel.
"I wonder why, I wonder how...."... *hum*
What are the thoughts of privacy conscious people about quantum computers? As far as I understand current TLS version encryption method is vulnerable to quantum computers, thus if your ISP or other agencies store all your traffic data right now, they'll be able to decrypt it after gaining access to quantum computers.
One way to secure your privacy would be to use your own VPN that uses encryption method that is quantum-resistant, but again the VPN would be using TLS to connect to the Internet.6
I feel so damn stupid right now.
I've been playing around with GNU Guile, a Scheme implementation, over the weekend. I wanted to make https requests with Scheme, for which I needed the Guile TLS bindings library. So I navigated over to the GnuTLS Web page and downloaded the library source for the Guile bindings (I forgot about the GnuTLS source itself, possibly adding to my problems).
Over the next 8 hours, after various attempts at making, installing, and configuring, I was deep in errors and no where near having a working library. I even tried installing the Guix package manage on my Ubuntu MATE distro. I knew the library was in its repositories. I just ended up with many of the same problems.
A sys admin I'm not.
"What good is free software if you can't install it?! Why isn't this stuff in the repositories?!"
2 days later I sit at my computer for some other task and after a thought, I open a terminal:
apt search gnutls
And there it is, from the repositories, staring me in the face: guile-gnutls
Moral of the story, thoroughly search your repositories first and save yourself 8 hours of pain.1
Did some analysis on some servers that a partner of ours is hosting:
-TLS 1.0: Hmm this isn't great
-TLS_RSA_WITH_RC4_128_SHA preferred Cipher Suite for ALL TLS Versions.
I almost barfed at my desk.4
So, I made this API which logins to the system and Used it in an android app, there was one roadblock to it, that everytime user enters a password, it has to match the password hash so I, excitingly, used password_verify($password,$passwordHash), unknowingly that it is fucking unsafe and the code is still there, and here's where it gets interesting it is not over SSL/TLS. Fuck me, any bright solutions?27
What's your thoughts on the newly released .app tld? Is it going to be the new .io?
It also seems like Google provides TLS certificates for free to all .app domains. I know there's let's encrypt but I still think that this is great. Google is really pushing a more "Secure" internet.
We're remediating tls issues on production servers. gotta be pic compliant. It's been an hour and a half for one server and were not even close to done... we have at least 5 more to go for this particular app... my organization controls over 300... the company has thousands... for the love of god save me.5
THE fucking pip is not working again. This time throwing sslerror ssl_certificate. Googled and came to know they removed TLS 1.0 and 1.1 support. Solution upgrade the pip. Done. Still same.
Checked their website no information.
Don't have words now.3
Crypto! I've always thought of crypto as some complicated black box! How does it work, but then I did the cryptopals challenge and learned to exploit cryptography. What to do with this new found knowledge? Write new libraries and ransomware of course! So I present two projects that taught me a lot!
Pydhe, possibly the first(!!!) Open source diffie Hellman library for python. (Yea I know openssl, but they don't let you do diffie hellman without TLS. I do!) https://github.com/deadPix3l/pyDHE
And Cryptsky! One of the first ever fully python, opensource ransomware! (Again caveat, most open source python ransomware isn't truely licensed as OSS or uses some lower functions written in C)
Request for internal service
FW takes request
FW NATs request to external / WAN IP
Other FW (different location) gets request
DNS redirect for whole domain
"data-zone: *.*.*.org redirect"
Via DNS redirect request goes to LB
LB sends request to other LB
LB send request to NGINX server
NGINX resolves via Host header
And now you get a TLS handshake error somewhere in the travel of the request...
The level of fucked: my arse can take the Eiffeltower horizontal.
Over the last week I've slowly grown to fucking hate IMAP and SMTP. You'd think after so many years we'd have come up with better servers to manage email but no we still rely on fucking decades old protocols that can't even batch requests.
To make things worse I need to attach to IMAP through node and that has been a nightmare. All the libraries suck ass and even the ones tailored towards Gmail don't work for Gmail because Google decided one day to fucking out the header at the bottom of some emails and split into mimeparts. Also why the fuck is fetching email asynchronous? There's no point at all since we requests are processed line by line in IMAP, and if the library actually supported sending asynchronous requests it wouldn't require a new object to be created for each request and allow only a single listener.
Also callbacks are antiquated for a while and it pisses me off that node hasn't updated their libraries i.e. TLS to support async/await. I've taken to "return await new Promise" where the resolve of the promise is passed as the callback, which let's me go from callback to promise to async/await. If anyone has any other ideas I'm all ears otherwise I might just rewrite their TLS library altogether...
And this is just IMAP. I wish browsers supported TLS sockets because I can already see a server struggling with several endpoints and users, it would be much easier to open a connection from the client since the relationship is essentially:
Client [N] ---  Server  ---  IMAP
And to make the legs of that N : N which would fix a lot of issues, I would have to open a new IMAP connection for every client, which is cool cause it could be serverless, but horrifying because that's so inefficient.
Honestly we need a new, unifying email protocol with modern paradigms...8
Why are so many websites' TLS certs broken? This month I've come across at least four different websites with cert errors that I've tried to email the webmasters about. "Tried" - the fourth has only twitter as a contact point and "can't be messaged". None of the other three have been corrected, although I received responses from two claiming they'd look into it.
And that's not even counting the ones I've seen that I didn't care about enough to contact the webmaster.11
How does one secure data-in-transit when using NFS. Even v4 does not support data encryption per say. TLS is used almost everywhere else. I refuse to use samba. There's sshfs, glusterfs, but that's not quite the same. I could use wireguard, but this seems like an overcomplication. How come this function got left behind?
Is there some great alternative that I've missed? Don't go stunnel on me.3
Thank you hosing company, all you had to do was rebuild the crummy php 5.2 cgi with an up to date version of openssl that supports tls 1.2 so the PayPal integrations work for the seven customers who are too fucking tight to pay to have their sites upgraded to something modern...
Not set all 120 sites across five servers to run on php 5.2..
In addition to being able to lookup DNS queries over Twitter, telegram (even literal ones), devRant, HTTP(s), TLS and even the DNS protocol itself - Cloudflare will now offer DNS-over-HAM in London.
- Heise Online (German): https://heise.de/newsticker/...
- Original Tweet: https://mobile.twitter.com/jgrahamc...1
Hey, anyone have experience with email with encryption?
I need to setup TLS for emails for all devices on premises. The printer and other devices does not support TLS.
I'm thinking i could use local exchange server that forwards to our office 365, as we use outlook for the domain. But i would rather use some linux solution.
We have multiple ip's we might send from.1
Fuck me Amazon cert manager is so fucking complicated. Just do it all for me; why do i have to providing a route 53 entry (TECHNICALLY 2 IF I WANT MY NAME CORRECT) BEFORE I set up my load balancer??!! I should be able to test a load balancer first and then add on tls, not have to get a cert all set up and then sit on my fucking ass when the load balancer shits itself1
Fucking dot files...
Written a deployment script to reduce the amount of another dude's fuck ups when updating code on the server. Apparently the website executable automatically generated TLS certificates (let's encrypt) and placed them into the local hidden folder.
There is a limit on how many certificates a single domain can generate so... The website is down...7
why the fuck does it take 5-7 minutes for fucking filezilla to make a successful connection after I turn on my pc ''Initializing TLS..."? WTF, this makes me angry and paranoid at the same time because it doesn't happen on other PC's I use.5
Been integrating with a third party system for the last 2 weeks, we can send them requests fine but when they post the response to us they get a generic error.
After responding very politely to an increasingly aggressive contact at their company for the entire day, where he says it is our system that is badly configured, they figured it out.
Their system only has support for sending data using TLS 1.0 and below....
So turns out he was right our system wasn't configured to work with theirs. We only allow 1.2 and above...