Thunderbolt
https://en.wikipedia.org/wiki/Thunderbolt_(interface)

Apple's Thunderbolt uses the same connectors as MiniDisplayPort and USB-C. Is that going to matter to us? Are there going to be situations in which things can physically connect but not be able to talk to each other?

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
___
luv-main mailing list
luv-main@luv.asn.au
http://lists.luv.asn.au/listinfo/luv-main
Re: SSL configuration
On 31/01/2016 4:03 AM, Jason White via luv-main wrote:
> Andrew McGlashan via luv-main wrote:
> Given that TLS is now required by luv.asn.au, I think a backward-compatible
> approach is appropriate. Arbitrarily excluding users of software that one
> doesn't like sends the wrong kind of message.

All good and fair comments, but anyone who lets people continue to use IE and/or Windows XP. well. They WILL have to change sooner or later and the sooner the better. LUV won't be the only driving factor, it is, but one.

Cheers
A.
SSL configuration
https://www.decadent.org.uk/ben/blog/securing-wwwdecadentorguk.html

I read the above blog post.

https://www.ssllabs.com/ssltest/

I tested the LUV web site with the above URL and got A-.

https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

I followed the advice at the above URL and got B!

https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what

From the comments on the above blog post it seems that the only way to have PFS and not be vulnerable to other issues is to require TLS 1.2.

The browser that is built in to Android (which is going to be a long-term issue as some people will use it until their phone breaks) only supports TLS 1.2 in Android 5.0 and above. The Samsung Galaxy Note 2 is currently not supported for Android 5.0 while the Galaxy Note 3 is. The Note 2 is still quite a decent phone.

https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers

The above page has TLS/SSL support of various browsers. If we require TLS 1.2 we exclude:

The default Android browser before Android 5.0. Admittedly that browser always sucked badly and probably has lots of other security issues.

Chrome versions before 30 didn't support it. But version 30 was released in 2013 and Google does a good job of forcing upgrades. A Debian/Wheezy system I run is now displaying warnings from the google-chrome package saying that Wheezy is too old and won't be supported for long!

Firefox before version 27 didn't support it (the Wikipedia page is unclear about versions 27-31). 27 was released in 2014. Debian/Wheezy has version 38, Debian/Squeeze has Iceweasel 3.5.16 which doesn't support it. Would it be reasonable to assume that anyone who's still using Squeeze is using it for a server?

IE version 11 supports it and runs on Windows 7+ (all supported versions of Windows). IE 10 doesn't support it and runs on Windows 7 and Windows 8. Are the free upgrades from Windows 7 to Windows 10 going to solve this problem?

Windows mobile doesn't have enough users to care about.

Opera supports it from version 17. This is noteworthy because Opera used to be good for devices running older versions of Android that aren't supported by Chrome.

Safari supported it from iOS version 5, I think that's a solved problem there.

Is breaking support for Debian/Squeeze, the built in Android browser on Android <5.0, and Windows 7 and 8 systems that haven't upgraded IE as a web browsing platform a reasonable trade-off for implementing the best SSL security features?

For the LUV server as a stand-alone issue the answer would be no as the only really secret data there is accessed via ssh. For a general web infrastructure issue it seems that the answer might be yes.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
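The trade-off asked about in the message above can be measured on the server itself. The following is an added example, not part of the original thread: it counts the distinct clients whose best negotiated protocol is older than TLS 1.2. It assumes Apache mod_ssl logging in the format shown in the comment and a server that already offers TLS 1.2; the function names and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic), in the assumed Apache format:
#   LogFormat "%h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{User-agent}i\""
# Assumes the server already offers TLS 1.2, so a lower version is the client's limit.
SAMPLE_LOG = """\
203.0.113.5 TLSv1 AES128-SHA "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Firefox/38.0"
203.0.113.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Firefox/38.0"
198.51.100.7 TLSv1 ECDHE-RSA-AES256-SHA "Mozilla/5.0 (Linux; U; Android 4.1.2; GT-N7100) Safari/534.30"
198.51.100.9 TLSv1 AES128-SHA "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
192.0.2.44 TLSv1 AES256-SHA "Mozilla/5.0 (X11; Linux i686) Iceweasel/3.5.16"
192.0.2.80 - - "-"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

def excluded_by_minimum(log_text, minimum="TLSv1.2"):
    """Return (number of TLS clients, {protocol: {(ip, agent), ...}} below minimum)."""
    best = {}  # (ip, user agent) -> highest protocol rank ever negotiated
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed line
        ip, proto, _cipher, agent = m.groups()
        if proto not in RANK:
            continue  # "-" is a plain-HTTP request; unknown values are skipped
        key = (ip, agent)
        best[key] = max(best.get(key, -1), RANK[proto])  # fallback retries don't count
    names = {rank: name for name, rank in RANK.items()}
    excluded = defaultdict(set)
    for key, rank in best.items():
        if rank < RANK[minimum]:
            excluded[names[rank]].add(key)
    return len(best), dict(excluded)

def report(log_text, minimum="TLSv1.2"):
    total, excluded = excluded_by_minimum(log_text, minimum)
    lost = sum(len(clients) for clients in excluded.values())
    lines = [f"{lost} of {total} TLS clients negotiated below {minimum}"]
    for proto in sorted(excluded, key=RANK.get):
        for ip, agent in sorted(excluded[proto]):
            lines.append(f"  {proto:8} {ip:15} {agent}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run over a few weeks of real logs, the report shows which user agents would actually be turned away before the minimum protocol version is raised.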
Re: SSL configuration
Andrew McGlashan via luv-main wrote:
>
> On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
> > IE version 11 supports it and runs on Windows 7+ (all supported
> > versions of Windows). IE 10 doesn't support it and runs on Windows
> > 7 and Windows 8. Are the free upgrades from Windows 7 to Windows
> > 10 going to solve this problem?
>
> Who cares about IE and Edge? I won't use those browsers except as an
> absolute last resort.

You and I wouldn't use them except as a last resort, but some newcomers to Linux who want to join Luv might. Ultimately, this is not a matter of our preferences but of ensuring that people who visit the Web site via TLS can use it.

> > Windows mobile doesn't have enough users to care about.
>
> Again, who cares?

The said users care.

> I won't do much on a mobile browser when most things can wait for a
> desktop browser and I can lock down a desktop browser much more and
> have it operate much more securely.

Your preferences aren't universal.

Given that TLS is now required by luv.asn.au, I think a backward-compatible approach is appropriate. Arbitrarily excluding users of software that one doesn't like sends the wrong kind of message.
Re: Lets Encrypt
Andrew McGlashan via luv-main wrote:
> Oh and I will probably up the number of bits next time I create certs,
> the default is RSA 2048.

If they start supporting elliptic curve cryptography you'll be able to obtain reputedly stronger encryption at much reduced key lengths.

I just installed the client on my KVM instance hosted at Linode and acquired a signed public-key certificate.

Note that I have found the haveged package useful; it supplies random numbers to the kernel's pool by exploiting timing variability in the execution of a loop by the CPU. You can also run rngtest to evaluate the quality of the random numbers that your system is generating. A reliable hardware random number generator would of course be desirable, especially for servers.
Re: SSL configuration
Hi,

On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
> https://www.ssllabs.com/ssltest/

Did you not see my post? Not sure if my config that got A+ will suit for luv.asn.au requirements.

> https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what

rc4 is being removed from browsers, I think current Firefox 44 doesn't include it.

> IE version 11 supports it and runs on Windows 7+ (all supported
> versions of Windows). IE 10 doesn't support it and runs on Windows
> 7 and Windows 8. Are the free upgrades from Windows 7 to Windows
> 10 going to solve this problem?

Who cares about IE and Edge? I won't use those browsers except as an absolute last resort.

> Windows mobile doesn't have enough users to care about.

Again, who cares?

> Is breaking support for Debian/Squeeze, the built in Android
> browser on Android <5.0, and Windows 7 and 8 systems that haven't
> upgraded IE as a web browsing platform a reasonable trade-off for
> implementing the best SSL security features?

You care about squeeze? I wouldn't be worried about that either.

- Jessie
- Wheezy
- Squeeze LTS

Using that LTS is almost a last resort now, for servers that you can't easily upgrade and need to keep running.

Anything less than Squeeze LTS, well, that would be as bad as XP is today (perhaps not quite, but still).

I won't do much on a mobile browser when most things can wait for a desktop browser and I can lock down a desktop browser much more and have it operate much more securely.

Heck, I don't really trust the security of ANY mobile device these days and use select apps that give me the best confidence; but the platforms don't seem secure enough for me -- especially if people are running stock ROMs ... manufacturers like Samsung don't care enough about porting patches to older phones and there is a vast majority of insecure Android devices as a result.

Cheers
A.
Re: SSL configuration
On Sun, 31 Jan 2016 04:03:53 AM Jason White via luv-main wrote:
> Andrew McGlashan via luv-main wrote:
> > On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
> > > IE version 11 supports it and runs on Windows 7+ (all supported
> > > versions of Windows). IE 10 doesn't support it and runs on Windows
> > > 7 and Windows 8. Are the free upgrades from Windows 7 to Windows
> > > 10 going to solve this problem?
> >
> > Who cares about IE and Edge? I won't use those browsers except as an
> > absolute last resort.
>
> You and I wouldn't use them except as a last resort, but some newcomers to
> Linux who want to join Luv might. Ultimately, this is not a matter of our
> preferences but of ensuring that people who visit the Web site via TLS can
> use it.

I agree, but will people who attend our meetings be using them?

> > > Windows mobile doesn't have enough users to care about.
> >
> > Again, who cares?
>
> The said users care.

The number of iPhone users at LUV meetings seems a lot lower than the general population. People who use Windows phone are demonstrating a commitment to MS that's much greater than average, unlike iPhone the Windows phone has little going for it. Will we have a user of an old Windows phone attending our meeting and if so will they actually expect things to work on a Windows phone?

> > I won't do much on a mobile browser when most things can wait for a
> > desktop browser and I can lock down a desktop browser much more and
> > have it operate much more securely.
>
> Your preferences aren't universal.
>
> Given that TLS is now required by luv.asn.au, I think a backward-compatible
> approach is appropriate. Arbitrarily excluding users of software that one
> doesn't like sends the wrong kind of message.

True. But eventually they need to upgrade and other web sites are going to demand strong connections too.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
Re: SSL configuration
FWIW XP using Firefox 44 works with my letsencrypt apache2 setup; didn't try IE -- the XP machine I have access to is being used with as little software installed as possible.

So, XP, in itself (SP3 installed), is not a problem with a modern browser for SSL setup.

A.
Re: SSL configuration
Russell Coker wrote:
> The number of iPhone users at LUV meetings seems a lot lower than the general
> population. People who use Windows phone are demonstrating a commitment to
> MS that's much greater than average, unlike iPhone the Windows phone has
> little going for it.

All true. It's also worth noting that iPhone users are more likely than average to keep their operating system up to date. Linux users, I suspect, are even more likely to keep their operating systems up to date, even if only for security reasons.
Re: SSL configuration
On 31/01/2016 4:03 AM, Jason White via luv-main wrote:
> Andrew McGlashan via luv-main wrote:
> > On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
> > > IE version 11 supports it and runs on Windows 7+ (all supported
> > > versions of Windows). IE 10 doesn't support it and runs on Windows
> > > 7 and Windows 8. Are the free upgrades from Windows 7 to Windows
> > > 10 going to solve this problem?
> >
> > Who cares about IE and Edge? I won't use those browsers except as an
> > absolute last resort.
>
> You and I wouldn't use them except as a last resort, but some newcomers to
> Linux who want to join Luv might. Ultimately, this is not a matter of our
> preferences but of ensuring that people who visit the Web site via TLS can
> use it.
>
> > > Windows mobile doesn't have enough users to care about.
> >
> > Again, who cares?
>
> The said users care.
>
> > I won't do much on a mobile browser when most things can wait for a
> > desktop browser and I can lock down a desktop browser much more and
> > have it operate much more securely.
>
> Your preferences aren't universal.
>
> Given that TLS is now required by luv.asn.au, I think a backward-compatible
> approach is appropriate. Arbitrarily excluding users of software that one
> doesn't like sends the wrong kind of message.

I agree with Jason here. Bringing people toward best practices should be by education and encouragement, not by blunt instrument. The latter approach only reinforces the stereotypes of computer nerds and grumpy old grey beards, who should be given a wide berth lest they happen to look in your direction, and end up banging on about their favourite topic for hours on end.

Regards,
Morrie.
Re: SSL configuration
On Sun, 31 Jan 2016 12:56:20 PM Morrie Wyatt via luv-main wrote:
> I agree with Jason here. Bringing people toward best practices should be
> by education and encouragement, not by blunt instrument.

I agree, if a prospective user's first attempt to find out about Linux results in "I wanted to learn about it, but their website doesn't work" then nobody wins.

All the best,
Chris
--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC
Re: SSL configuration
Andrew McGlashan via luv-main writes:
> - Squeeze LTS

Squeeze LTS will stop being supported very soon. February 2016 according to https://wiki.debian.org/LTS

Then it will be Wheezy LTS.

My understanding is that the LTS releases are used more for servers not running X, than desktops, so the chances of somebody using a browser on Wheezy LTS to connect to LUV I think are low.

--
Brian May
https://linuxpenguins.xyz/brian/