> It's not so much about replacing keys which aren't strong enough (and
> actually you can just replace the old key+cert in that case), it's
> about dealing with compromised keys.
>
> Certificate revocation is a disaster area. CRLs are often not checked
> at all (letsencrypt aren't even
On 2015-12-12, Kevin Chadwick wrote:
>> > and have to keep changing the cert every year.
>>
>> Your certificate cycling process should be automated, and it should
>> happen more frequently than once a year.
>
> Complete nonsense
>
> firstly and not a major point but you
> Secondly, this whole thread should have ended long ago.
So why you keep it going then.
Let it die please
On Sun, Dec 13, 2015 at 5:00 PM, Daniel Ouellet wrote:
>> Secondly, this whole thread should have ended long ago.
>
> So why you keep it going then.
>
> Let it die please
Flame wars are educational, for readers with an open mind.
And I think I'll air my own two armpits,
Joel Rees wrote:
> Daniel Ouellet wrote:
> > > Secondly, this whole thread should have ended long ago.
> >
> > So why you keep it going then.
> >
> > Let it die please
>
> Flame wars are educational, for readers with an open mind.
Flame wars and crypto speculation also make a lot of noise and
On Mon, Dec 14, 2015 at 11:00 AM, Michael McConville wrote:
> Joel Rees wrote:
>> Daniel Ouellet wrote:
>> > > Secondly, this whole thread should have ended long ago.
>> >
>> > So why you keep it going then.
>> >
>> > Let it die please
>>
>> Flame wars are educational, for
2015-12-13 7:17 GMT+01:00 Delan Azabani :
> On Sun, Dec 13, 2015 at 6:28 AM, Kevin Chadwick wrote:
>> On a low traffic site it already annoys me that I have to change it
>> once per year with startSSL.
>
> This is what the tooling provided by Let's Encrypt
On Sun, Dec 13, 2015 at 6:28 AM, Kevin Chadwick wrote:
> On a low traffic site it already annoys me that I have to change it
> once per year with startSSL.
This is what the tooling provided by Let's Encrypt is designed to
solve. It shouldn't be hard to issue new
On Sat, Dec 12, 2015 at 7:11 PM, Constantine A. Murenin
wrote:
> once you give in to https once, you're hooked
You're only hooked if you use HSTS.
> and have to keep paying someone every year,
There are at least three CAs that provide free certificates, and one
of those is
On 11 December 2015 at 03:58, Kamil Cholewiński wrote:
>> The official CD set contains the signify keys for that release and the
>> next one. Once you have a known good copy of one set, you can always
obtain
>> future ones securely.
>>
>> You don't even need to use the CD
Thus said Tati Chevron on Fri, 11 Dec 2015 13:16:23 +:
> On the other hand, if somebody actually received a fake OpenBSD CD in
> the mail, and it was discovered, it would be a huge news story within
> the IT industry. A bad download, much less so.
My OpenBSD 5.7 CD arrived with a green
> > and have to keep changing the cert every year.
>
> Your certificate cycling process should be automated, and it should
> happen more frequently than once a year.
Complete nonsense
firstly and not a major point but you may have greater security than
automating key changes and secondly the
> > I would consider signify keys printed on CDs and copied across several
> > web sites safer than trusting the hundreds of CA certs shipped with a
> > standard web browser.
>
> Didn't we just established that with HPKP you can disregard the CA
> completely? At least if you trust your fist
On Fri, Dec 11, 2015 at 11:58:17AM +0100, Thijs van Dijk wrote:
> On 11 December 2015 at 05:51, Andy Bradford
> wrote:
>
> > If one wants privacy on a website then more is required than just HTTPS.
> >
>
> Right. *I* just want a reasonable (256-bit) guarantee that the
On Fri, Dec 11, 2015 at 11:58:17AM +0100, Thijs van Dijk wrote:
On 11 December 2015 at 05:51, Andy Bradford
wrote:
If one wants privacy on a website then more is required than just HTTPS.
Right. *I* just want a reasonable (256-bit) guarantee that the signify keys
On 8 December 2015 at 19:26, Anthony J. Bentley wrote:
> Giancarlo Razzolini writes:
>> One of the main benefits of the TLS wouldn't only be to render
>> impossible for anyone to know which pages you're accessing on the site,
>> but also the fact that we would get a little
On 11 December 2015 at 05:51, Andy Bradford
wrote:
> If one wants privacy on a website then more is required than just HTTPS.
>
Right. *I* just want a reasonable (256-bit) guarantee that the signify keys
on my screen are the ones the OpenBSD authors intended me to
"Constantine A. Murenin" writes:
> On 8 December 2015 at 19:26, Anthony J. Bentley wrote:
> > Giancarlo Razzolini writes:
> >> One of the main benefits of the TLS wouldn't only be to render
> >> impossible for anyone to know which pages you're accessing on the site,
> >> but
> The official CD set contains the signify keys for that release and the
> next one. Once you have a known good copy of one set, you can always obtain
> future ones securely.
>
> You don't even need to use the CD set to install, just as a way of obtaining
> the signify keys with a high degree of
On 11 December 2015 at 12:28, Stefan Sperling wrote:
> I would consider signify keys printed on CDs and copied across several
> web sites safer than trusting the hundreds of CA certs shipped with a
> standard web browser.
On 11 December 2015 at 12:35, Tati Chevron
On Fri, Dec 11, 2015 at 12:48:19PM +0100, Thijs van Dijk wrote:
I'm saying I shouldn't *have* to rely on snail-mailed physical media. We,
as a species, have thought of a solution to this problem long ago.
I agree in principle that we shouldn't have to rely in physical media to
obtain the keys
On Fri, Dec 11, 2015 at 12:58:38PM +0100, Kamil Cholewi??ski wrote:
This is the real thing bothering me. I don't even have a CD drive
available, and I was about to ask if it would be possible to get the
signify keys via paper mail in exchange for a donation.
The official CDs have the signify
On Fri, Dec 11, 2015 at 04:37:39AM -0700, Anthony J. Bentley wrote:
Why even bring up OpenBSD 2.3? Anyone running that 19 years after its
release has much bigger problems than not being able to connect to
www.openbsd.org.
I must admit that since gopher://openbsd.org shut down, and tenex
On 11 December 2015 at 13:10, Tati Chevron wrote:
> In either case, I'd be willing to put my money where my mouth is.
>> Whom do I contact about running a site mirror?
>>
>
> Why would we trust your mirror?
Touché.
Em 10-12-2015 20:03, Christian Weisgerber escreveu:
> The true elephant in the room is that I can't get the current OpenBSD
> source tree securely. (Well, _I_ can if push comes to shove, but
> the general user community can't.) CVSync? No integrity or
> authenticity. AnonCVS over SSH? Nope,
On 11 December 2015 at 14:16, Tati Chevron wrote:
> But even if PKI were actively on fire at the moment (which it is not),
>> what's wrong with doing both?
>>
>
> Basically the gain verses the effort and resources expended.
>
> I agree that there is a value in distributing
On 11 December 2015 at 02:58, Thijs van Dijk wrote:
> On 11 December 2015 at 05:51, Andy Bradford
> wrote:
>
>> If one wants privacy on a website then more is required than just HTTPS.
>>
>
> Right. *I* just want a reasonable (256-bit) guarantee
On Fri, Dec 11, 2015 at 01:53:04PM +0100, Thijs van Dijk wrote:
On 11 December 2015 at 13:17, Tati Chevron wrote:
Would you really trust HTTPS more than a physical CD being mailed to
you???
Yes.
Both provide some level of accountability, however with PKI you
On Fri, Dec 11, 2015 at 7:10 AM, Tati Chevron wrote:
> Why would we trust your mirror?
A couple things to keep in mind here:
(1) Security can never be perfect.
(2) Security does not have to be perfect.
(That said... sometimes traditional computer security seems like
people
On 11 December 2015 at 13:17, Tati Chevron wrote:
> Would you really trust HTTPS more than a physical CD being mailed to
> you???
Yes.
Both provide some level of accountability, however with PKI you explicitly
trust a limited (though big) numer of third parties to do
On Fri, Dec 11, 2015 at 01:28:04PM +0100, Kamil Cholewi??ski wrote:
The official CDs have the signify key physically printed on them.
You press a new CD, print a new cover, etc.
...and intercept the package being delivered to you?
Yes, it's possible, but somebody who had the resources to go
On 11 December 2015 at 13:51, Tati Chevron wrote:
> ...and intercept the package being delivered to you?
>
> Yes, it's possible, but somebody who had the resources to go to that
> extreme, and a motive to single you out as a target, would presumably
> have other ways to
On 11 December 2015 at 05:37, Anthony J. Bentley wrote:
> "Constantine A. Murenin" writes:
>> On 8 December 2015 at 19:26, Anthony J. Bentley wrote:
>> > Giancarlo Razzolini writes:
>> >> One of the main benefits of the TLS wouldn't only be to render
>> >>
Hi,
On Fri, Dec 11, 2015, at 23:39, Raul Miller wrote:
> On Fri, Dec 11, 2015 at 7:10 AM, Tati Chevron
> wrote:
> > Why would we trust your mirror?
>
> A couple things to keep in mind here:
>
> (1) Security can never be perfect.
> (2) Security does not have to be perfect.
Em 11-12-2015 09:28, Stefan Sperling escreveu:
> I would consider signify keys printed on CDs and copied across several
> web sites safer than trusting the hundreds of CA certs shipped with a
> standard web browser.
Didn't we just established that with HPKP you can disregard the CA
completely? At
Kevin Chadwick writes:
> What is your problem with it, there are many VPN services promoted
> precisely for this issue as it completely rather than partially stops
> ISP's monitoring traffic like TalkTalks homesafe service that is
> likely hackable itself.
Why encrypt anything? Just run it
On 2015-12-11, Constantine A. Murenin wrote:
> On 11 December 2015 at 02:58, Thijs van Dijk wrote:
>> On 11 December 2015 at 05:51, Andy Bradford
>> wrote:
>>
>>> If one wants privacy on a website then more is required than
I agree, but no one mentioned DANE, I think that's the future and the
way to go. With DANE in theory you wouldn't need a CA. I think it's an
excellent way to establish authenticity of your content. Problem is that
no browser supports it by default, and DNSsec use is marginal.
Regards,
Giancarlo
> The official CDs have the signify key physically printed on them.
You press a new CD, print a new cover, etc.
> If you want to rely on third parties, I can send you a copy of the
> signify keys, signed by my PGP key. How would that help you at all?
Sounds reasonable to me.
> Kevin Chadwick writes:
> > The cvs page fingerprint page could be https enabled, however you can
> > use googles cache over https, also buy a CD to help the project greatly
> > would do far more for world security than TLS everywhere and even look
> > at mailing list archives over https as a web
On 2015-12-08, szs wrote:
> So with letsencrypt here, how about making the main site
> default to https? Is this a good idea or is this a great idea?
I would like it a lot if www.openbsd.org and cvsweb.openbsd.org
switched to https, but I'm not in a position to make it
Thus said Jason Barbier on Tue, 08 Dec 2015 10:14:37 -0800:
> It is a read only site, the privacy you seek is breached as soon as
> you make a DNS call to openbsd.org
Not to mention the Subject on the SSL certificate will most likely
be www.openbsd.org, and perhaps there's also SNI,
On 2015-12-08 Tue 12:06 PM |, szs wrote:
> So with letsencrypt here, how about making the main site
> default to https? Is this a good idea or is this a great idea?
>
Copy & Paste from 2013: "OpenBSD site SSL"
http://marc.info/?t=13815459562=1=2
Please don't.
That would slow it down &
Kevin Chadwick writes:
> The cvs page fingerprint page could be https enabled, however you can
> use googles cache over https, also buy a CD to help the project greatly
> would do far more for world security than TLS everywhere and even look
> at mailing list archives over https as a web of trust.
Em 08-12-2015 23:23, Stuart Henderson escreveu:
> I wasn't aware that
> it lets you disregard the CAs though
Once the client has the two certs pinned (the primary and the backup),
if a malicious CA try to impersonate the server using a forged (although
perfectly valid) certificate, the client
> In the case of www.openbsd.org, using HTTPS isn't so much about
> privacy as it is about integrity. Yes, signify(1) is a thing, but
> using HTTPS in addition to it would make release and package
> downloads more difficult to tamper with.
Well packages usually come from mirrors which I know from
Jason Barbier wrote:
> szs wrote:
> > Not for security.
> > For privacy.
>
> It is a read only site, the privacy you seek is breached as soon as
> you make a DNS call to openbsd.org
There are still some privacy benefits to using HTTPS. It will confound a
lot of simple filtering and monitoring
rivacy.
>
>
> Original Message
> Subject: Re: letsencrypt && https && openbsd.org =
> https://www.openbsd.org/
> Local Time: December 8 2015 5:36 pm
> UTC Time: December 8 2015 5:36 pm
> From: s...@spacehopper.org
> To: misc@openbsd.org
>
>
So with letsencrypt here, how about making the main site
default to https? Is this a good idea or is this a great idea?
On Tue, Dec 08, 2015 at 12:06:52PM -0500, szs wrote:
> Fb jvgu yrgfrapelcg urer, ubj nobhg znxvat gur znva fvgr
> qrsnhyg gb uggcf? Vf guvf n tbbq vqrn be vf guvf n terng vqrn?
I'm sorry, I couldn't read your message because it was encrypted.
How about you sign your messages instead? That way,
Not for security.
For privacy.
Original Message
Subject: Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/
Local Time: December 8 2015 5:36 pm
UTC Time: December 8 2015 5:36 pm
From: s...@spacehopper.org
To: misc@openbsd.org
On 20
Stuart Henderson wrote:
>
> Besides, who is going to agree to the Subscriber Agreement and indemnify ISRG?
Huh? You don't trust robots to perform surgery correctly?
oh, wrong ISRG.
On 2015-12-08, szs wrote:
> So with letsencrypt here, how about making the main site
> default to https? Is this a good idea or is this a great idea?
Don't mistake encryption for security.
Besides, who is going to agree to the Subscriber Agreement and indemnify ISRG?
On Tue, Dec 8, 2015 at 3:23 PM, Ted Unangst wrote:
> Michael McConville wrote:
>> Yes, but it is certainly "Websense" difficult, "Verizon traffic
>> monetization dept." difficult, "nosy VPN/exit node operator" difficult,
>> and "guy in cafe with Wireshark" difficult.
>
> But
Michael McConville wrote:
> Yes, but it is certainly "Websense" difficult, "Verizon traffic
> monetization dept." difficult, "nosy VPN/exit node operator" difficult,
> and "guy in cafe with Wireshark" difficult.
But we don't care about any of those people anymore. The NSA is the only bad
guy
Ted Unangst wrote:
> Michael McConville wrote:
> > Jason Barbier wrote:
> > > szs wrote:
> > > > Not for security.
> > > > For privacy.
> > >
> > > It is a read only site, the privacy you seek is breached as soon as
> > > you make a DNS call to openbsd.org
> >
> > There are still some privacy
Michael McConville wrote:
> Jason Barbier wrote:
> > szs wrote:
> > > Not for security.
> > > For privacy.
> >
> > It is a read only site, the privacy you seek is breached as soon as
> > you make a DNS call to openbsd.org
>
> There are still some privacy benefits to using HTTPS. It will confound
Em 08-12-2015 16:24, Michael McConville escreveu:
> There are still some privacy benefits to using HTTPS. It will confound a
> lot of simple filtering and monitoring software, and what you're reading
> on the site is pretty obfuscated. It also helps security on sketchy
> networks.
>
> HTTPS isn't
Giancarlo Razzolini writes:
> One of the main benefits of the TLS wouldn't only be to render
> impossible for anyone to know which pages you're accessing on the site,
> but also the fact that we would get a little more security getting the
> SSH fingerprints for the anoncvs servers. Having them in
On 2015-12-09, Giancarlo Razzolini wrote:
> Also, now that we have two free TLS certs providers, one can use HPKP
> and completely disregard the CA's, which is a security benefit.
Also wosign (and, sort-of, cloudflare). btw, HPKP doesn't work too well
with letsencrypt as-is
On 2015-12-08, Michael McConville wrote:
> Jason Barbier wrote:
>> szs wrote:
>> > Not for security.
>> > For privacy.
>>
>> It is a read only site, the privacy you seek is breached as soon as
>> you make a DNS call to openbsd.org
>
> There are still some privacy benefits to
On Tue, Dec 8, 2015 at 11:22 PM, Nick Holland
wrote:
> https is a joke. IF and WHEN it works properly, it's too complex for
> the real world to understand (ahem...and even recognize).
That's not the joke, though - that's the punchline.
(1) "Secure" and "Security"
On Wed, Dec 9, 2015 at 12:22 PM, Nick Holland
wrote:
> HAHAHHAHAHA...
> you think adding a certificate changes this?
> https is a joke.
"Some people implement HTTPS poorly sometimes, so we shouldn't try."
The amount of effort "wasted" on Let's Encrypting the OpenBSD
On 12/08/15 20:26, Anthony J. Bentley wrote:
> Giancarlo Razzolini writes:
>> One of the main benefits of the TLS wouldn't only be to render
>> impossible for anyone to know which pages you're accessing on the site,
>> but also the fact that we would get a little more security getting the
>> SSH
> >It would actually reduce the security and potential for DDOS against
> >openbsd.org despite the heroic efforts that have gone into LibreSSL. So
> >where's the benefit to risk analysis for OpenBSD?
>
> Don't you mean reduce the securiry and _increase_ the potential for
> DDOS against
> > So with letsencrypt here, how about making the main site
> > default to https? Is this a good idea or is this a great idea?
>
> Don't mistake encryption for security.
It would actually reduce the security and potential for DDOS against
openbsd.org despite the heroic efforts that have gone
On Tue, Dec 08, 2015 at 10:11:34PM +, Kevin Chadwick wrote:
It would actually reduce the security and potential for DDOS against
openbsd.org despite the heroic efforts that have gone into LibreSSL. So
where's the benefit to risk analysis for OpenBSD?
Don't you mean reduce the securiry and
67 matches
Mail list logo