Thunderbolt

2016-01-30 Thread Russell Coker via luv-main
https://en.wikipedia.org/wiki/Thunderbolt_(interface)

Apple's Thunderbolt uses the same connectors as MiniDisplayPort and USB-C.  Is 
that going to matter to us?  Are there going to be situations in which things 
can physically connect but not be able to talk to each other?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
___
luv-main mailing list
luv-main@luv.asn.au
http://lists.luv.asn.au/listinfo/luv-main


Re: SSL configuration

2016-01-30 Thread Andrew McGlashan via luv-main


On 31/01/2016 4:03 AM, Jason White via luv-main wrote:
> Andrew McGlashan via luv-main  wrote:
> Given that TLS is now required by luv.asn.au, I think a backward-compatible
> approach is appropriate. Arbitrarily excluding users of software that one
> doesn't like sends the wrong kind of message.

All good and fair comments, but anyone who lets people continue to use
IE and/or Windows XP ... well.  They WILL have to change sooner or
later and the sooner the better.  LUV won't be the only driving factor,
it is but one.

Cheers
A.



SSL configuration

2016-01-30 Thread Russell Coker via luv-main
https://www.decadent.org.uk/ben/blog/securing-wwwdecadentorguk.html

I read the above blog post.

https://www.ssllabs.com/ssltest/

I tested the LUV web site with the above URL and got A-.

https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

I followed the advice at the above URL and got B!

https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what

From the comments on the above blog post it seems that the only way to have 
PFS and not be vulnerable to other issues is to require TLS 1.2.

The browser that is built in to Android (which is going to be a long-term 
issue as some people will use it until their phone breaks) only supports TLS 
1.2 in Android 5.0 and above.  The Samsung Galaxy Note 2 is currently not 
supported for Android 5.0 while the Galaxy Note 3 is.  The Note 2 is still 
quite a decent phone.

https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers

The above page has TLS/SSL support of various browsers.  If we require TLS 1.2 
we exclude:

The default Android browser before Android 5.0.  Admittedly that browser 
always sucked badly and probably has lots of other security issues.

Chrome versions before 30 didn't support it.  But version 30 was released in 
2013 and Google does a good job of forcing upgrades.  A Debian/Wheezy system I 
run is now displaying warnings from the google-chrome package saying that 
Wheezy is too old and won't be supported for long!

Firefox before version 27 didn't support it (the Wikipedia page is unclear 
about versions 27-31).  27 was released in 2014.  Debian/Wheezy has version 
38, Debian/Squeeze has Iceweasel 3.5.16 which doesn't support it.  Would it be 
reasonable to assume that anyone who's still using Squeeze is using it for a 
server?

IE version 11 supports it and runs on Windows 7+ (all supported versions of 
Windows).  IE 10 doesn't support it and runs on Windows 7 and Windows 8.  Are 
the free upgrades from Windows 7 to Windows 10 going to solve this problem?

Windows mobile doesn't have enough users to care about.

Opera supports it from version 17.  This is noteworthy because Opera used to 
be good for devices running older versions of Android that aren't supported by 
Chrome.

Safari supported it from iOS version 5, I think that's a solved problem there.


Is breaking support for Debian/Squeeze, the built in Android browser on 
Android <5.0, and Windows 7 and 8 systems that haven't upgraded IE as a web 
browsing platform a reasonable trade-off for implementing the best SSL security 
features?

For the LUV server as a stand-alone issue the answer would be no as the only 
really secret data there is accessed via ssh.  For a general web 
infrastructure issue it seems that the answer might be yes.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
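The checks above were done by pasting the site into SSL Labs. What follows is an added example, not code from the post, from the LUV server or from Qualys, that does the core of the same thing locally with Python's standard `ssl` module: one handshake attempt per protocol version against a host, a classification of the cipher suite each handshake lands on (forward secrecy via ECDHE/DHE key exchange, RC4, CBC), and the policy the post is weighing (TLS 1.2 minimum, forward secrecy everywhere, no RC4). The host and port are whatever is passed on the command line; the classification works on standard OpenSSL suite names and the TLS 1.3 entry is an assumption about what a current OpenSSL will offer, since TLS 1.3 did not exist when this thread was written.

```python
"""Probe which TLS versions a server accepts and what each handshake gets you.

Added example for this thread, not the LUV server's configuration and not the
SSL Labs scanner.  Standard library only; run as:  python3 tlsprobe.py host [port]
"""
import socket
import ssl
import sys

# Oldest first.  TLS 1.3 did not exist when this thread was written; it is
# listed because any current OpenSSL will offer it (assumption, see lead-in).
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def assess_cipher(name):
    """Classify an OpenSSL cipher-suite name (e.g. ECDHE-RSA-AES128-GCM-SHA256).

    forward_secrecy: ephemeral (EC)DH key exchange, i.e. an ECDHE-/DHE- suite or
                     any TLS 1.3 suite (TLS 1.3 dropped static RSA key exchange).
    rc4:             the stream cipher the Qualys post above calls broken.
    cbc:             a non-AEAD block-cipher suite; these are the ones that are
                     only safe on TLS 1.1+ because of the TLS 1.0 CBC (BEAST)
                     problem.  NULL/export suites are not special-cased.
    """
    aead = name.startswith("TLS_") or any(t in name for t in ("GCM", "CCM", "CHACHA20"))
    rc4 = "RC4" in name
    return {
        "forward_secrecy": name.startswith(("ECDHE-", "DHE-", "TLS_")),
        "rc4": rc4,
        "cbc": not aead and not rc4,
    }


def probe(host, port=443, timeout=5.0):
    """One handshake attempt per protocol version.

    Returns a list of (label, cipher_name_or_None, assessment_or_None); None
    means the server (or our own OpenSSL build) refused that version.
    """
    results = []
    for label, version in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # probing protocol policy, not the chain
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # A modern OpenSSL refuses TLS 1.0/1.1 at its default security
            # level; drop it so the answer reflects the server's policy, not ours.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results.append((label, None, None))
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cipher = tls.cipher()[0]
        except (OSError, ssl.SSLError):
            results.append((label, None, None))
            continue
        results.append((label, cipher, assess_cipher(cipher)))
    return results


def policy_problems(results, require_tls12=True):
    """Apply the policy discussed above: forward secrecy on every accepted
    version, no RC4, and (optionally) nothing below TLS 1.2 accepted at all.
    Returns a list of findings; an empty list means the policy holds."""
    problems = []
    for label, cipher, a in results:
        if cipher is None:
            continue
        if require_tls12 and label in ("TLSv1.0", "TLSv1.1"):
            problems.append(f"{label} still accepted")
        if not a["forward_secrecy"]:
            problems.append(f"{label}: {cipher} has no forward secrecy")
        if a["rc4"]:
            problems.append(f"{label}: {cipher} uses RC4")
    return problems


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = probe(host, port)
    for label, cipher, _ in res:
        print(f"{label:8} {cipher or 'refused'}")
    for p in policy_problems(res):
        print("PROBLEM:", p)
```

The probe only reports the one suite the server picks for each version, so a server that prefers an ECDHE suite but still accepts RSA key exchange as a fallback looks clean here; SSL Labs enumerates the whole list, which is why it gave a B rather than an A for the forward-secrecy change above. Run `policy_problems(res, require_tls12=False)` to see what the compatibility-preserving option (TLS 1.0 kept, but with ECDHE suites and no RC4) would still flag.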


Re: SSL configuration

2016-01-30 Thread Jason White via luv-main
Andrew McGlashan via luv-main  wrote:
> 
> On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
> > IE version 11 supports it and runs on Windows 7+ (all supported
> > versions of Windows).  IE 10 doesn't support it and runs on Windows
> > 7 and Windows 8.  Are the free upgrades from Windows 7 to Windows
> > 10 going to solve this problem?
> 
> Who cares about IE and Edge?  I won't use those browsers except as an
> absolute last resort.

You and I wouldn't use them except as a last resort, but some newcomers to
Linux who want to join Luv might. Ultimately, this is not a matter of our
preferences but of ensuring that people who visit the Web site via TLS can use
it.

> 
> > Windows mobile doesn't have enough users to care about.
> 
> Again, who cares?
> 

The said users care.
 
> I won't do much on a mobile browser when most things can wait for a
> desktop browser and I can lock down a desktop browser much more and
> have it operate much more securely.
> 

Your preferences aren't universal.

Given that TLS is now required by luv.asn.au, I think a backward-compatible
approach is appropriate. Arbitrarily excluding users of software that one
doesn't like sends the wrong kind of message.



Re: Lets Encrypt

2016-01-30 Thread Jason White via luv-main
Andrew McGlashan via luv-main  wrote:
> Oh and I will probably up the number of bits next time I create certs,
> the default is RSA 2048.


If they start supporting elliptic curve cryptography you'll be able to obtain
reputedly stronger encryption at much reduced key lengths.

I just installed the client on my KVM instance hosted at Linode and acquired a
signed public-key certificate.

Note that I have found the haveged package useful; it supplies random numbers
to the kernel's pool by exploiting timing variability in the execution of a
loop by the CPU.

You can also run rngtest to evaluate the quality of the random numbers that
your system is generating.

A reliable hardware random number generator would of course be desirable,
especially for servers.



Re: SSL configuration

2016-01-30 Thread Andrew McGlashan via luv-main
Hi,

On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
> https://www.ssllabs.com/ssltest/

Did you not see my post?

Not sure if my config that got A+ will suit for luv.asn.au requirements.

> https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what

rc4 is being removed from browsers, I think current Firefox 44 doesn't
include it.

> IE version 11 supports it and runs on Windows 7+ (all supported
> versions of Windows).  IE 10 doesn't support it and runs on Windows
> 7 and Windows 8.  Are the free upgrades from Windows 7 to Windows
> 10 going to solve this problem?

Who cares about IE and Edge?  I won't use those browsers except as an
absolute last resort.

> Windows mobile doesn't have enough users to care about.

Again, who cares?

> Is breaking support for Debian/Squeeze, the built in Android
> browser on Android <5.0, and Windows 7 and 8 systems that haven't
> upgraded IE as a web browsing platform a reasonable trade-off for
> implementing the best SSL security features?

You care about squeeze?  I wouldn't be worried about that either.
  - Jessie
  - Wheezy
  - Squeeze LTS

Using that LTS is almost a last resort now, for servers that you can't
easily upgrade and need to keep running.  Anything less than Squeeze
LTS, well, that would be as bad as XP is today (perhaps not quite, but
still).

I won't do much on a mobile browser when most things can wait for a
desktop browser and I can lock down a desktop browser much more and
have it operate much more securely.

Heck, I don't really trust the security of ANY mobile device these
days and use select apps that give me the best confidence; but the
platforms don't seem secure enough for me -- especially if people are
running stock ROMs ... manufacturers like Samsung don't care enough
about porting patches to older phones and there is a vast majority of
insecure Android devices as a result.

Cheers
A.


Re: SSL configuration

2016-01-30 Thread Russell Coker via luv-main
On Sun, 31 Jan 2016 04:03:53 AM Jason White via luv-main wrote:
> Andrew McGlashan via luv-main  wrote:
> > On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
> > > IE version 11 supports it and runs on Windows 7+ (all supported
> > > versions of Windows).  IE 10 doesn't support it and runs on Windows
> > > 7 and Windows 8.  Are the free upgrades from Windows 7 to Windows
> > > 10 going to solve this problem?
> > 
> > Who cares about IE and Edge?  I won't use those browsers except as an
> > absolute last resort.
> 
> You and I wouldn't use them except as a last resort, but some newcomers to
> Linux who want to join Luv might. Ultimately, this is not a matter of our
> preferences but of ensuring that people who visit the Web site via TLS can
> use it.

I agree, but will people who attend our meetings be using them?

> > > Windows mobile doesn't have enough users to care about.
> > 
> > Again, who cares?
> 
> The said users care.

The number of iPhone users at LUV meetings seems a lot lower than the general 
population.  People who use Windows phone are demonstrating a commitment to 
MS that's much greater than average, unlike iPhone the Windows phone has 
little going for it.

Will we have a user of an old Windows phone attending our meeting and if so 
will they actually expect things to work on a Windows phone?

> > I won't do much on a mobile browser when most things can wait for a
> > desktop browser and I can lock down a desktop browser much more and
> > have it operate much more securely.
> 
> Your preferences aren't universal.
> 
> Given that TLS is now required by luv.asn.au, I think a backward-compatible
> approach is appropriate. Arbitrarily excluding users of software that one
> doesn't like sends the wrong kind of message.

True.  But eventually they need to upgrade and other web sites are going to 
demand strong connections too.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


Re: SSL configuration

2016-01-30 Thread Andrew McGlashan via luv-main
FWIW

XP using Firefox 44 works with my letsencrypt apache2 setup; didn't try
IE -- the XP machine I have access to is being used with as little
software installed as possible.

So, XP, in itself (SP3 installed), is not a problem with a modern
browser for SSL setup.

A.


Re: SSL configuration

2016-01-30 Thread Jason White via luv-main
Russell Coker  wrote:
 
> The number of iPhone users at LUV meetings seems a lot lower than the general 
> population.  People who use Windows phone are demonstrating a commitment to 
> MS that's much greater than average, unlike iPhone the Windows phone has 
> little going for it.


All true. It's also worth noting that iPhone users are more likely than
average to keep their operating system up to date.

Linux users, I suspect, are even more likely to keep their operating systems
up to date, even if only for security reasons.



Re: SSL configuration

2016-01-30 Thread Morrie Wyatt via luv-main
On 31/01/2016 4:03 AM, Jason White via luv-main wrote:
> Andrew McGlashan via luv-main  wrote:
> > On 30/01/2016 10:32 PM, Russell Coker via luv-main wrote:
> > > IE version 11 supports it and runs on Windows 7+ (all supported
> > > versions of Windows).  IE 10 doesn't support it and runs on Windows
> > > 7 and Windows 8.  Are the free upgrades from Windows 7 to Windows
> > > 10 going to solve this problem?
> > 
> > Who cares about IE and Edge?  I won't use those browsers except as an
> > absolute last resort.
> 
> You and I wouldn't use them except as a last resort, but some newcomers to
> Linux who want to join Luv might. Ultimately, this is not a matter of our
> preferences but of ensuring that people who visit the Web site via TLS can use
> it.
> 
> > > Windows mobile doesn't have enough users to care about.
> > 
> > Again, who cares?
> 
> The said users care.
> 
> > I won't do much on a mobile browser when most things can wait for a
> > desktop browser and I can lock down a desktop browser much more and
> > have it operate much more securely.
> 
> Your preferences aren't universal.
> 
> Given that TLS is now required by luv.asn.au, I think a backward-compatible
> approach is appropriate. Arbitrarily excluding users of software that one
> doesn't like sends the wrong kind of message.

I agree with Jason here. Bringing people toward best practices should be
by education and encouragement, not by blunt instrument.

The latter approach only reinforces the stereotypes of computer nerds
and grumpy old grey beards, who should be given a wide berth lest they
happen to look in your direction, and end up banging on about their
favourite topic for hours on end.

Regards,
Morrie.


Re: SSL configuration

2016-01-30 Thread Chris Samuel via luv-main
On Sun, 31 Jan 2016 12:56:20 PM Morrie Wyatt via luv-main wrote:

> I agree with Jason here. Bringing people toward best practices should be 
> by education and encouragement, not by blunt instrument.

I agree, if a prospective user's first attempt to find out about Linux results in
"I wanted to learn about it, but their website doesn't work" then nobody wins.

All the best,
Chris
-- 
 Chris Samuel  :  http://www.csamuel.org/  :  Melbourne, VIC



Re: SSL configuration

2016-01-30 Thread Brian May via luv-main
Andrew McGlashan via luv-main  writes:

>   - Squeeze LTS

Squeeze LTS will stop being supported very soon.

February 2016 according to https://wiki.debian.org/LTS

Then it will be Wheezy LTS.

My understanding is that the LTS releases are used more for servers not
running X than for desktops, so the chances of somebody using a browser on
Wheezy LTS to connect to LUV I think are low.
-- 
Brian May 
https://linuxpenguins.xyz/brian/