Re: [mailop] Success MiTM attack

2023-10-25 Thread Slavko via mailop
On 24 October 2023 8:44:49 UTC, user Christof Meerwald via mailop wrote: >On Tue, Oct 24, 2023 at 12:17:30PM +0800, Philip Paeps via mailop wrote: >> crt.sh provides a handy service you can poll. >> >> They provide JSON output. > >They also provide an Atom feed you can use with your

Re: [mailop] Success MiTM attack

2023-10-24 Thread Matt Palmer via mailop
On Tue, Oct 24, 2023 at 11:04:05AM +0200, Alessandro Vesely via mailop wrote: > On Tue 24/Oct/2023 06:53:37 +0200 Matt Palmer via mailop wrote: > > On Tue, Oct 24, 2023 at 03:11:06AM +0100, Richard Clayton via mailop wrote: > > > In message <07d58480-7dde-4d15-a5ca-5bb6c8e10...@mtasv.net>, Matt

Re: [mailop] Success MiTM attack

2023-10-24 Thread Bernardo Reino via mailop
On Tue, 24 Oct 2023, Slavko via mailop wrote: On 24. 10. at 4:04, Ian Kelling via mailop wrote: Anyone know how to monitor C-T logs? I looked around a bit and didn't see how to actually do it for let's encrypt certs. I recently installed https://github.com/SSLMate/certspotter Hard to

Re: [mailop] Success MiTM attack

2023-10-24 Thread Colin Johnston via mailop
Manual user of certbot renew me and definitely will be checking kernel log cert log cert issue logs every 2.5 months since renewal for letsencrypt at normal 3 months Colin Sent from my iPod > On 24 Oct 2023, at 11:01, Jaroslaw Rafa via mailop wrote: > > On 24.10.2023 at 11:04:05

Re: [mailop] Success MiTM attack

2023-10-24 Thread Jaroslaw Rafa via mailop
On 24.10.2023 at 11:04:05, Alessandro Vesely via mailop writes: > > Is that the way it went? Let's Encrypt certificates get renewed > automatically, so it's hard to "forget" to do it. They don't have to. You can just run a simple ACME client (like 'bacme') one time, get a certificate and

Re: [mailop] Success MiTM attack

2023-10-24 Thread Alessandro Vesely via mailop
On Tue 24/Oct/2023 06:53:37 +0200 Matt Palmer via mailop wrote: On Tue, Oct 24, 2023 at 03:11:06AM +0100, Richard Clayton via mailop wrote: In message <07d58480-7dde-4d15-a5ca-5bb6c8e10...@mtasv.net>, Matt Palmer via mailop writes The relative "noisiness" of the attack, in fact, is a fairly

Re: [mailop] Success MiTM attack

2023-10-24 Thread Christof Meerwald via mailop
On Tue, Oct 24, 2023 at 12:17:30PM +0800, Philip Paeps via mailop wrote: > On 2023-10-24 10:04:25 (+0800), Ian Kelling via mailop wrote: > > Philip Paeps via mailop writes: > >> On 2023-10-22 14:34:39 (+0530), Slavko via mailop wrote: > >> Indeed: not directly related to mailops. But a very

Re: [mailop] Success MiTM attack

2023-10-24 Thread Jasper Spaans via mailop
On 24/10/2023 04:04, Ian Kelling via mailop wrote: Anyone know how to monitor C-T logs? I looked around a bit and didn't see how to actually do it for let's encrypt certs. There is a link in the original article pointing to https://github.com/SSLMate/certspotter which you can run yourself. We've

Re: [mailop] Success MiTM attack

2023-10-24 Thread Slavko via mailop
On 24. 10. at 4:04, Ian Kelling via mailop wrote: Anyone know how to monitor C-T logs? I looked around a bit and didn't see how to actually do it for let's encrypt certs. I recently installed https://github.com/SSLMate/certspotter Hard to say any opinion yet, as i install it on one my

Re: [mailop] Success MiTM attack

2023-10-24 Thread Matt Corallo via mailop
On 10/23/23 9:43 PM, Matt Palmer via mailop wrote: On Mon, Oct 23, 2023 at 10:04:25PM -0400, Ian Kelling via mailop wrote: Philip Paeps via mailop writes: On 2023-10-22 14:34:39 (+0530), Slavko via mailop wrote: Indeed: not directly related to mailops. But a very instructive example of why

Re: [mailop] Success MiTM attack

2023-10-24 Thread Matt Corallo via mailop
On 10/23/23 7:11 PM, Richard Clayton via mailop wrote: In message , Matt Corallo via mailop writes On 10/23/23 3:26 AM, Jaroslaw Rafa via mailop wrote: However, all this discussion is hardly related to email, as - as many have noted - there's hardly any certificate checking at all

Re: [mailop] Success MiTM attack

2023-10-23 Thread Matt Palmer via mailop
On Tue, Oct 24, 2023 at 03:11:06AM +0100, Richard Clayton via mailop wrote: > In message <07d58480-7dde-4d15-a5ca-5bb6c8e10...@mtasv.net>, Matt Palmer > via mailop writes > > >The relative "noisiness" of the attack, in fact, is a fairly strong signal > >that it *isn't* lawful intercept; western

Re: [mailop] Success MiTM attack

2023-10-23 Thread Matt Palmer via mailop
On Mon, Oct 23, 2023 at 10:04:25PM -0400, Ian Kelling via mailop wrote: > Philip Paeps via mailop writes: > > On 2023-10-22 14:34:39 (+0530), Slavko via mailop wrote: > > Indeed: not directly related to mailops. But a very instructive example > > of why monitoring C-T logs is a good idea. > >

Re: [mailop] Success MiTM attack

2023-10-23 Thread Philip Paeps via mailop
On 2023-10-24 10:04:25 (+0800), Ian Kelling via mailop wrote: > Philip Paeps via mailop writes: >> On 2023-10-22 14:34:39 (+0530), Slavko via mailop wrote: >> Indeed: not directly related to mailops. But a very instructive example >> of why monitoring C-T logs is a good idea. > > Anyone know how

Re: [mailop] Success MiTM attack

2023-10-23 Thread Ian Kelling via mailop
Philip Paeps via mailop writes: > On 2023-10-22 14:34:39 (+0530), Slavko via mailop wrote: > Indeed: not directly related to mailops. But a very instructive example > of why monitoring C-T logs is a good idea. Anyone know how to monitor C-T logs? I looked around a bit and didn't see how to

Re: [mailop] Success MiTM attack

2023-10-23 Thread Richard Clayton via mailop
In message , Matt Corallo via mailop writes > > >On 10/23/23 3:26 AM, Jaroslaw Rafa via mailop wrote: >> However, all this discussion is hardly related to email, as - as many have >> noted - there's hardly any certificate checking at all between MTAs. > >Indeed, MTAs mostly use DNSSEC/DANE which

Re: [mailop] Success MiTM attack

2023-10-23 Thread Richard Clayton via mailop
In message <07d58480-7dde-4d15-a5ca-5bb6c8e10...@mtasv.net>, Matt Palmer via mailop writes >The relative "noisiness" of the attack, in fact, is a fairly strong signal >that it *isn't* lawful intercept; western law enforcement agencies are >typically very hesitant to do anything that could "tip

Re: [mailop] Success MiTM attack

2023-10-23 Thread Matt Corallo via mailop
On 10/22/23 1:56 PM, Taavi Eomäe via mailop wrote: On 22/10/2023 16:08, Slavko via mailop wrote: Hmm, and what about MUAs? Without MUA-STS, it's up to the MUAs and only MUAs to enforce connection security. The next step after that would be some kind of pinning. Some have suggested

Re: [mailop] Success MiTM attack

2023-10-23 Thread Matt Corallo via mailop
On 10/23/23 3:26 AM, Jaroslaw Rafa via mailop wrote: On 22.10.2023 at 12:59:18, Matt Corallo via mailop writes: SSL certificates do not, and have never, "protected against MiTM". The certificate authority trust model can best be summarized as "someone else's DNS resolver and connection",

Re: [mailop] Success MiTM attack

2023-10-23 Thread Jaroslaw Rafa via mailop
On 23.10.2023 at 11:27:09, Slavko via mailop writes: > On 23 October 2023 10:26:57 UTC, user Jaroslaw Rafa via mailop > wrote: > > >However, all this discussion is hardly related to email, as - as many have > >noted - there's hardly any certificate checking at all between MTAs. >

Re: [mailop] Success MiTM attack

2023-10-23 Thread Slavko via mailop
On 23 October 2023 10:26:57 UTC, user Jaroslaw Rafa via mailop wrote: >However, all this discussion is hardly related to email, as - as many have >noted - there's hardly any certificate checking at all between MTAs. Do you want to tell, that MUAs communications are not part of email?

Re: [mailop] Success MiTM attack

2023-10-23 Thread Jaroslaw Rafa via mailop
On 22.10.2023 at 12:59:18, Matt Corallo via mailop writes: > SSL certificates do not, and have never, "protected against MiTM". > The certificate authority trust model can best be summarized as > "someone else's DNS resolver and connection", it is not a statement > of who actually owns the

Re: [mailop] Success MiTM attack

2023-10-23 Thread Mary via mailop
simply put, who has the power to force both Hetzner and Linode to setup a proxy redirection attack on their networks? This kind of attack requires high level privileges on those two networks and I'm guessing only a government can enforce this. Unless both Hetzner and Linode are run by

Re: [mailop] Success MiTM attack

2023-10-22 Thread Matt Palmer via mailop
On Sun, Oct 22, 2023 at 12:48:26PM +0300, Mary via mailop wrote: > from what I understand, this is a government issued wiretapping against > that specific services/servers (hosted by Hetzner and Linode in Germany?) > and not a general TLS exploit. On what evidence do you base that understanding?

Re: [mailop] Success MiTM attack

2023-10-22 Thread Matt Palmer via mailop
On Sun, Oct 22, 2023 at 08:56:26PM +, Gellner, Oliver via mailop wrote: > > On 22.10.2023 at 15:06 Philip Paeps via mailop wrote: > > On 2023-10-22 14:34:39 (+0530), Slavko via mailop wrote: > >> while not directly about email, recently was published details > >> about success MiTM attack

Re: [mailop] Success MiTM attack

2023-10-22 Thread Taavi Eomäe via mailop
On 22/10/2023 16:08, Slavko via mailop wrote: Hmm, and what about MUAs? Without MUA-STS, it's up to the MUAs and only MUAs to enforce connection security. The next step after that would be some kind of pinning. Some have suggested DANE+DNSSEC, but DNSSEC operators can be coerced just as

Re: [mailop] Success MiTM attack

2023-10-22 Thread Gellner, Oliver via mailop
> On 22.10.2023 at 15:06 Philip Paeps via mailop wrote: > > On 2023-10-22 14:34:39 (+0530), Slavko via mailop wrote: >> while not directly about email, recently was published details >> about success MiTM attack against XMPP server, the attacker >> was able to decrypt TLS communication without

Re: [mailop] Success MiTM attack

2023-10-22 Thread Slavko via mailop
On 22 October 2023 19:18:33 UTC, user Jeroen via mailop wrote: >...most MTAs and MUAs support it out of the box. Is list of these available somewhere? regards -- Slavko https://www.slavino.sk/ ___ mailop mailing list mailop@mailop.org

Re: [mailop] Success MiTM attack

2023-10-22 Thread Jeroen via mailop
I read that they were able to redirect the traffic to their own machine, and therefore perform an http-01 challenge like anyone else. Which can effectively be mitigated by using DNSSEC, DANE and CAA. Browser support for DANE is currently rather poor, but most MTAs and MUAs support it out of

Re: [mailop] Success MiTM attack

2023-10-22 Thread Matt Corallo via mailop
On 10/22/23 9:08 AM, Slavko via mailop wrote: On 22 October 2023 12:50:52 UTC, user Philip Paeps wrote: Note that, as far as email is concerned, plaintext downgrade attacks are much more likely than fraudulent certificates. Hmm, and what about MUAs? As Philip pointed out,

Re: [mailop] Success MiTM attack

2023-10-22 Thread Matt Corallo via mailop
SSL certificates do not, and have never, "protected against MiTM". The certificate authority trust model can best be summarized as "someone else's DNS resolver and connection", it is not a statement of who actually owns the domain or what server is actually supposed to be on the other end. If

Re: [mailop] Success MiTM attack

2023-10-22 Thread Romain via mailop
I read that they were able to redirect the traffic to their own machine, and therefore perform an http-01 challenge like anyone else. On Sun, 22 Oct 2023 at 18:55, Alessandro Vesely via mailop <mailop@mailop.org> wrote: > On Sun 22/Oct/2023 13:18:53 +0200 Hans-Martin Mosner via mailop

Re: [mailop] Success MiTM attack

2023-10-22 Thread Alessandro Vesely via mailop
On Sun 22/Oct/2023 13:18:53 +0200 Hans-Martin Mosner via mailop wrote: On 22.10.23 at 12:23, Paul Menzel via mailop wrote: It was interesting and surprising to me, as the common perception is, that SSL certificates protect against MiTM attacks as it should provide authenticity. The weak

Re: [mailop] Success MiTM attack

2023-10-22 Thread Slavko via mailop
On 22 October 2023 12:50:52 UTC, user Philip Paeps wrote: >Note that, as far as email is concerned, plaintext downgrade attacks are much >more likely than fraudulent certificates. Hmm, and what about MUAs? regards -- Slavko https://www.slavino.sk/

Re: [mailop] Success MiTM attack

2023-10-22 Thread Philip Paeps via mailop
On 2023-10-22 14:34:39 (+0530), Slavko via mailop wrote: while not directly about email, recently was published details about success MiTM attack against XMPP server, the attacker was able to decrypt TLS communication without notice (from both sides, the server and client) and was success for at

Re: [mailop] Success MiTM attack

2023-10-22 Thread Romain via mailop
Use DANE, MTA-STS, TLSA, CCA (to restrict how certs can be issued to your domain, restrict the LetsEncrypt account, method, etc), host your own DNS and manage DNSSEC yourself. On Sun, 22 Oct 2023 at 11:20, Slavko via mailop wrote: > Hi all, > > while not directly about email, recently was

Re: [mailop] Success MiTM attack

2023-10-22 Thread Hans-Martin Mosner via mailop
On 22.10.23 at 12:23, Paul Menzel via mailop wrote: It was interesting and surprising to me, as the common perception is, that SSL certificates protect against MiTM attacks as it should provide authenticity. The weak point of SSL certificates is that clients are willing to accept new certs

Re: [mailop] Success MiTM attack

2023-10-22 Thread Paul Menzel via mailop
Dear Mary, On 22.10.23 at 11:48, Mary via mailop wrote: from what I understand, this is a government issued wiretapping against that specific services/servers (hosted by Hetzner and Linode in Germany?) and not a general TLS exploit. so nothing interesting or unique. It was interesting and

Re: [mailop] Success MiTM attack

2023-10-22 Thread Mary via mailop
from what I understand, this is a government issued wiretapping against that specific services/servers (hosted by Hetzner and Linode in Germany?) and not a general TLS exploit. so nothing interesting or unique. On Sun, 22 Oct 2023 09:04:39 + Slavko via mailop wrote: > Hi all, > >

[mailop] Success MiTM attack

2023-10-22 Thread Slavko via mailop
Hi all, while not directly about email, recently was published details about success MiTM attack against XMPP server, the attacker was able to decrypt TLS communication without notice (from both sides, the server and client) and was success for at least three months, see