Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-15 Thread Kevin Chadwick
> It's not so much about replacing keys which aren't strong enough (and > actually you can just replace the old key+cert in that case), it's > about dealing with compromised keys. > > Certificate revocation is a disaster area. CRLs are often not checked > at all (letsencrypt aren't even

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-14 Thread Stuart Henderson
On 2015-12-12, Kevin Chadwick wrote: >> > and have to keep changing the cert every year. >> >> Your certificate cycling process should be automated, and it should >> happen more frequently than once a year. > > Complete nonsense > > firstly and not a major point but you

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-13 Thread Daniel Ouellet
> Secondly, this whole thread should have ended long ago. So why you keep it going then. Let it die please

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-13 Thread Joel Rees
On Sun, Dec 13, 2015 at 5:00 PM, Daniel Ouellet wrote: >> Secondly, this whole thread should have ended long ago. > > So why you keep it going then. > > Let it die please Flame wars are educational, for readers with an open mind. And I think I'll air my own two armpits,

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-13 Thread Michael McConville
Joel Rees wrote: > Daniel Ouellet wrote: > > > Secondly, this whole thread should have ended long ago. > > > > So why you keep it going then. > > > > Let it die please > > Flame wars are educational, for readers with an open mind. Flame wars and crypto speculation also make a lot of noise and

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-13 Thread Joel Rees
On Mon, Dec 14, 2015 at 11:00 AM, Michael McConville wrote: > Joel Rees wrote: >> Daniel Ouellet wrote: >> > > Secondly, this whole thread should have ended long ago. >> > >> > So why you keep it going then. >> > >> > Let it die please >> >> Flame wars are educational, for

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread ludovic coues
2015-12-13 7:17 GMT+01:00 Delan Azabani : > On Sun, Dec 13, 2015 at 6:28 AM, Kevin Chadwick wrote: >> On a low traffic site it already annoys me that I have to change it >> once per year with startSSL. > > This is what the tooling provided by Let's Encrypt

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Delan Azabani
On Sun, Dec 13, 2015 at 6:28 AM, Kevin Chadwick wrote: > On a low traffic site it already annoys me that I have to change it > once per year with startSSL. This is what the tooling provided by Let's Encrypt is designed to solve. It shouldn't be hard to issue new

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Delan Azabani
On Sat, Dec 12, 2015 at 7:11 PM, Constantine A. Murenin wrote: > once you give in to https once, you're hooked You're only hooked if you use HSTS. > and have to keep paying someone every year, There are at least three CAs that provide free certificates, and one of those is

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Constantine A. Murenin
On 11 December 2015 at 03:58, Kamil Cholewiński wrote: >> The official CD set contains the signify keys for that release and the >> next one. Once you have a known good copy of one set, you can always obtain >> future ones securely. >> >> You don't even need to use the CD

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Andy Bradford
Thus said Tati Chevron on Fri, 11 Dec 2015 13:16:23 +: > On the other hand, if somebody actually received a fake OpenBSD CD in > the mail, and it was discovered, it would be a huge news story within > the IT industry. A bad download, much less so. My OpenBSD 5.7 CD arrived with a green

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Kevin Chadwick
> > and have to keep changing the cert every year. > > Your certificate cycling process should be automated, and it should > happen more frequently than once a year. Complete nonsense firstly and not a major point but you may have greater security than automating key changes and secondly the

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Kevin Chadwick
> > I would consider signify keys printed on CDs and copied across several > > web sites safer than trusting the hundreds of CA certs shipped with a > > standard web browser. > > Didn't we just established that with HPKP you can disregard the CA > completely? At least if you trust your fist

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Stefan Sperling
On Fri, Dec 11, 2015 at 11:58:17AM +0100, Thijs van Dijk wrote: > On 11 December 2015 at 05:51, Andy Bradford > wrote: > > > If one wants privacy on a website then more is required than just HTTPS. > > > > Right. *I* just want a reasonable (256-bit) guarantee that the

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 11:58:17AM +0100, Thijs van Dijk wrote: On 11 December 2015 at 05:51, Andy Bradford wrote: If one wants privacy on a website then more is required than just HTTPS. Right. *I* just want a reasonable (256-bit) guarantee that the signify keys

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Constantine A. Murenin
On 8 December 2015 at 19:26, Anthony J. Bentley wrote: > Giancarlo Razzolini writes: >> One of the main benefits of the TLS wouldn't only be to render >> impossible for anyone to know which pages you're accessing on the site, >> but also the fact that we would get a little

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 05:51, Andy Bradford wrote: > If one wants privacy on a website then more is required than just HTTPS. > Right. *I* just want a reasonable (256-bit) guarantee that the signify keys on my screen are the ones the OpenBSD authors intended me to

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Anthony J. Bentley
"Constantine A. Murenin" writes: > On 8 December 2015 at 19:26, Anthony J. Bentley wrote: > > Giancarlo Razzolini writes: > >> One of the main benefits of the TLS wouldn't only be to render > >> impossible for anyone to know which pages you're accessing on the site, > >> but

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Kamil Cholewiński
> The official CD set contains the signify keys for that release and the > next one. Once you have a known good copy of one set, you can always obtain > future ones securely. > > You don't even need to use the CD set to install, just as a way of obtaining > the signify keys with a high degree of

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 12:28, Stefan Sperling wrote: > I would consider signify keys printed on CDs and copied across several > web sites safer than trusting the hundreds of CA certs shipped with a > standard web browser. On 11 December 2015 at 12:35, Tati Chevron

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 12:48:19PM +0100, Thijs van Dijk wrote: I'm saying I shouldn't *have* to rely on snail-mailed physical media. We, as a species, have thought of a solution to this problem long ago. I agree in principle that we shouldn't have to rely in physical media to obtain the keys

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 12:58:38PM +0100, Kamil Cholewiński wrote: This is the real thing bothering me. I don't even have a CD drive available, and I was about to ask if it would be possible to get the signify keys via paper mail in exchange for a donation. The official CDs have the signify

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 04:37:39AM -0700, Anthony J. Bentley wrote: Why even bring up OpenBSD 2.3? Anyone running that 19 years after its release has much bigger problems than not being able to connect to www.openbsd.org. I must admit that since gopher://openbsd.org shut down, and tenex

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 13:10, Tati Chevron wrote: > In either case, I'd be willing to put my money where my mouth is. >> Whom do I contact about running a site mirror? >> > > Why would we trust your mirror? Touché.

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Giancarlo Razzolini
Em 10-12-2015 20:03, Christian Weisgerber escreveu: > The true elephant in the room is that I can't get the current OpenBSD > source tree securely. (Well, _I_ can if push comes to shove, but > the general user community can't.) CVSync? No integrity or > authenticity. AnonCVS over SSH? Nope,

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 14:16, Tati Chevron wrote: > But even if PKI were actively on fire at the moment (which it is not), >> what's wrong with doing both? >> > > Basically the gain versus the effort and resources expended. > > I agree that there is a value in distributing

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Constantine A. Murenin
On 11 December 2015 at 02:58, Thijs van Dijk wrote: > On 11 December 2015 at 05:51, Andy Bradford > wrote: > >> If one wants privacy on a website then more is required than just HTTPS. >> > > Right. *I* just want a reasonable (256-bit) guarantee

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 01:53:04PM +0100, Thijs van Dijk wrote: On 11 December 2015 at 13:17, Tati Chevron wrote: Would you really trust HTTPS more than a physical CD being mailed to you??? Yes. Both provide some level of accountability, however with PKI you

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Raul Miller
On Fri, Dec 11, 2015 at 7:10 AM, Tati Chevron wrote: > Why would we trust your mirror? A couple things to keep in mind here: (1) Security can never be perfect. (2) Security does not have to be perfect. (That said... sometimes traditional computer security seems like people

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 13:17, Tati Chevron wrote: > Would you really trust HTTPS more than a physical CD being mailed to > you??? Yes. Both provide some level of accountability, however with PKI you explicitly trust a limited (though big) number of third parties to do

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 01:28:04PM +0100, Kamil Cholewiński wrote: The official CDs have the signify key physically printed on them. You press a new CD, print a new cover, etc. ...and intercept the package being delivered to you? Yes, it's possible, but somebody who had the resources to go

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 13:51, Tati Chevron wrote: > ...and intercept the package being delivered to you? > > Yes, it's possible, but somebody who had the resources to go to that > extreme, and a motive to single you out as a target, would presumably > have other ways to

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Constantine A. Murenin
On 11 December 2015 at 05:37, Anthony J. Bentley wrote: > "Constantine A. Murenin" writes: >> On 8 December 2015 at 19:26, Anthony J. Bentley wrote: >> > Giancarlo Razzolini writes: >> >> One of the main benefits of the TLS wouldn't only be to render >> >>

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread nanaya
Hi, On Fri, Dec 11, 2015, at 23:39, Raul Miller wrote: > On Fri, Dec 11, 2015 at 7:10 AM, Tati Chevron > wrote: > > Why would we trust your mirror? > > A couple things to keep in mind here: > > (1) Security can never be perfect. > (2) Security does not have to be perfect.

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Giancarlo Razzolini
Em 11-12-2015 09:28, Stefan Sperling escreveu: > I would consider signify keys printed on CDs and copied across several > web sites safer than trusting the hundreds of CA certs shipped with a > standard web browser. Didn't we just establish that with HPKP you can disregard the CA completely? At

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Anthony J. Bentley
Kevin Chadwick writes: > What is your problem with it, there are many VPN services promoted > precisely for this issue as it completely rather than partially stops > ISP's monitoring traffic like TalkTalks homesafe service that is > likely hackable itself. Why encrypt anything? Just run it

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Stuart Henderson
On 2015-12-11, Constantine A. Murenin wrote: > On 11 December 2015 at 02:58, Thijs van Dijk wrote: >> On 11 December 2015 at 05:51, Andy Bradford >> wrote: >> >>> If one wants privacy on a website then more is required than

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Oriol Demaria
I agree, but no one mentioned DANE, I think that's the future and the way to go. With DANE in theory you wouldn't need a CA. I think it's an excellent way to establish authenticity of your content. Problem is that no browser supports it by default, and DNSsec use is marginal. Regards, Giancarlo

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Kamil Cholewiński
> The official CDs have the signify key physically printed on them. You press a new CD, print a new cover, etc. > If you want to rely on third parties, I can send you a copy of the > signify keys, signed by my PGP key. How would that help you at all? Sounds reasonable to me.

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Kevin Chadwick
> Kevin Chadwick writes: > > The cvs page fingerprint page could be https enabled, however you can > > use googles cache over https, also buy a CD to help the project greatly > > would do far more for world security than TLS everywhere and even look > > at mailing list archives over https as a web

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-10 Thread Christian Weisgerber
On 2015-12-08, szs wrote: > So with letsencrypt here, how about making the main site > default to https? Is this a good idea or is this a great idea? I would like it a lot if www.openbsd.org and cvsweb.openbsd.org switched to https, but I'm not in a position to make it

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-10 Thread Andy Bradford
Thus said Jason Barbier on Tue, 08 Dec 2015 10:14:37 -0800: > It is a read only site, the privacy you seek is breached as soon as > you make a DNS call to openbsd.org Not to mention the Subject on the SSL certificate will most likely be www.openbsd.org, and perhaps there's also SNI,

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Craig Skinner
On 2015-12-08 Tue 12:06 PM |, szs wrote: > So with letsencrypt here, how about making the main site > default to https? Is this a good idea or is this a great idea? > Copy & Paste from 2013: "OpenBSD site SSL" http://marc.info/?t=13815459562=1=2 Please don't. That would slow it down &

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Anthony J. Bentley
Kevin Chadwick writes: > The cvs page fingerprint page could be https enabled, however you can > use googles cache over https, also buy a CD to help the project greatly > would do far more for world security than TLS everywhere and even look > at mailing list archives over https as a web of trust.

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Giancarlo Razzolini
Em 08-12-2015 23:23, Stuart Henderson escreveu: > I wasn't aware that > it lets you disregard the CAs though Once the client has the two certs pinned (the primary and the backup), if a malicious CA try to impersonate the server using a forged (although perfectly valid) certificate, the client

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Kevin Chadwick
> In the case of www.openbsd.org, using HTTPS isn't so much about > privacy as it is about integrity. Yes, signify(1) is a thing, but > using HTTPS in addition to it would make release and package > downloads more difficult to tamper with. Well packages usually come from mirrors which I know from

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Michael McConville
Jason Barbier wrote: > szs wrote: > > Not for security. > > For privacy. > > It is a read only site, the privacy you seek is breached as soon as > you make a DNS call to openbsd.org There are still some privacy benefits to using HTTPS. It will confound a lot of simple filtering and monitoring

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Jason Barbier
rivacy. > > > Original Message > Subject: Re: letsencrypt && https && openbsd.org = > https://www.openbsd.org/ > Local Time: December 8 2015 5:36 pm > UTC Time: December 8 2015 5:36 pm > From: s...@spacehopper.org > To: misc@openbsd.org > >

letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread szs
So with letsencrypt here, how about making the main site default to https? Is this a good idea or is this a great idea?

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Stefan Sperling
On Tue, Dec 08, 2015 at 12:06:52PM -0500, szs wrote: > Fb jvgu yrgfrapelcg urer, ubj nobhg znxvat gur znva fvgr > qrsnhyg gb uggcf? Vf guvf n tbbq vqrn be vf guvf n terng vqrn? I'm sorry, I couldn't read your message because it was encrypted. How about you sign your messages instead? That way,

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread szs
Not for security. For privacy. Original Message Subject: Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/ Local Time: December 8 2015 5:36 pm UTC Time: December 8 2015 5:36 pm From: s...@spacehopper.org To: misc@openbsd.org On 20

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Ted Unangst
Stuart Henderson wrote: > > Besides, who is going to agree to the Subscriber Agreement and indemnify ISRG? Huh? You don't trust robots to perform surgery correctly? oh, wrong ISRG.

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Stuart Henderson
On 2015-12-08, szs wrote: > So with letsencrypt here, how about making the main site > default to https? Is this a good idea or is this a great idea? Don't mistake encryption for security. Besides, who is going to agree to the Subscriber Agreement and indemnify ISRG?

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Raul Miller
On Tue, Dec 8, 2015 at 3:23 PM, Ted Unangst wrote: > Michael McConville wrote: >> Yes, but it is certainly "Websense" difficult, "Verizon traffic >> monetization dept." difficult, "nosy VPN/exit node operator" difficult, >> and "guy in cafe with Wireshark" difficult. > > But

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Ted Unangst
Michael McConville wrote: > Yes, but it is certainly "Websense" difficult, "Verizon traffic > monetization dept." difficult, "nosy VPN/exit node operator" difficult, > and "guy in cafe with Wireshark" difficult. But we don't care about any of those people anymore. The NSA is the only bad guy

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Michael McConville
Ted Unangst wrote: > Michael McConville wrote: > > Jason Barbier wrote: > > > szs wrote: > > > > Not for security. > > > > For privacy. > > > > > > It is a read only site, the privacy you seek is breached as soon as > > > you make a DNS call to openbsd.org > > > > There are still some privacy

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Ted Unangst
Michael McConville wrote: > Jason Barbier wrote: > > szs wrote: > > > Not for security. > > > For privacy. > > > > It is a read only site, the privacy you seek is breached as soon as > > you make a DNS call to openbsd.org > > There are still some privacy benefits to using HTTPS. It will confound

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Giancarlo Razzolini
Em 08-12-2015 16:24, Michael McConville escreveu: > There are still some privacy benefits to using HTTPS. It will confound a > lot of simple filtering and monitoring software, and what you're reading > on the site is pretty obfuscated. It also helps security on sketchy > networks. > > HTTPS isn't

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Anthony J. Bentley
Giancarlo Razzolini writes: > One of the main benefits of the TLS wouldn't only be to render > impossible for anyone to know which pages you're accessing on the site, > but also the fact that we would get a little more security getting the > SSH fingerprints for the anoncvs servers. Having them in

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Stuart Henderson
On 2015-12-09, Giancarlo Razzolini wrote: > Also, now that we have two free TLS certs providers, one can use HPKP > and completely disregard the CA's, which is a security benefit. Also wosign (and, sort-of, cloudflare). btw, HPKP doesn't work too well with letsencrypt as-is

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Stuart Henderson
On 2015-12-08, Michael McConville wrote: > Jason Barbier wrote: >> szs wrote: >> > Not for security. >> > For privacy. >> >> It is a read only site, the privacy you seek is breached as soon as >> you make a DNS call to openbsd.org > > There are still some privacy benefits to

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Raul Miller
On Tue, Dec 8, 2015 at 11:22 PM, Nick Holland wrote: > https is a joke. IF and WHEN it works properly, it's too complex for > the real world to understand (ahem...and even recognize). That's not the joke, though - that's the punchline. (1) "Secure" and "Security"

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Delan Azabani
On Wed, Dec 9, 2015 at 12:22 PM, Nick Holland wrote: > HAHAHHAHAHA... > you think adding a certificate changes this? > https is a joke. "Some people implement HTTPS poorly sometimes, so we shouldn't try." The amount of effort "wasted" on Let's Encrypting the OpenBSD

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Nick Holland
On 12/08/15 20:26, Anthony J. Bentley wrote: > Giancarlo Razzolini writes: >> One of the main benefits of the TLS wouldn't only be to render >> impossible for anyone to know which pages you're accessing on the site, >> but also the fact that we would get a little more security getting the >> SSH

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Kevin Chadwick
> >It would actually reduce the security and potential for DDOS against > >openbsd.org despite the heroic efforts that have gone into LibreSSL. So > >where's the benefit to risk analysis for OpenBSD? > > Don't you mean reduce the securiry and _increase_ the potential for > DDOS against

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Kevin Chadwick
> > So with letsencrypt here, how about making the main site > > default to https? Is this a good idea or is this a great idea? > > Don't mistake encryption for security. It would actually reduce the security and potential for DDOS against openbsd.org despite the heroic efforts that have gone

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Tati Chevron
On Tue, Dec 08, 2015 at 10:11:34PM +, Kevin Chadwick wrote: It would actually reduce the security and potential for DDOS against openbsd.org despite the heroic efforts that have gone into LibreSSL. So where's the benefit to risk analysis for OpenBSD? Don't you mean reduce the security and