> >So
> >is there an agenda or just many idiots who see TLS=security and don't
> >see lack of secure cookie usage and XSS vulnerabilities (now protected
> >by SSL everywhere) meaning a site is likely exploitable in other ways!!
>
> You guys should seriously check "Nirvana fallacy".
Nivana
>So
>is there an agenda or just many idiots who see TLS=security and don't
>see lack of secure cookie usage and XSS vulnerabilities (now protected
>by SSL everywhere) meaning a site is likely exploitable in other ways!!
You guys should seriously check "Nirvana fallacy".
> > Its main unrealised potential benefit is: add *some* security by
> > default to all those insecure wordpress logins.
>
> That's a terrible reason. And actually it's "make those insecure
> CMS sites look more like they might be secure" when they're no
> such thing. Because people have been
> On 2016-05-10, Kevin Chadwick wrote:
> >> > Also, after you generate and sign the certificate, you don't have
> >> > to keep the script.
> >>
> >> Validity on the letsencrypt CA is 90 days max. (Partly to restrict
> >> usefulness of a bad cert because they don't do
On 2016-05-10, Kevin Chadwick wrote:
>> > Also, after you generate and sign the certificate, you don't have
>> > to keep the script.
>>
>> Validity on the letsencrypt CA is 90 days max. (Partly to restrict
>> usefulness of a bad cert because they don't do CRLs, which are
> > Also, after you generate and sign the certificate, you don't have
> > to keep the script.
>
> Validity on the letsencrypt CA is 90 days max. (Partly to restrict
> usefulness of a bad cert because they don't do CRLs, which are pretty
> much useless anyway, and partly to encourage users to
> > I don't see any with privilege separation, nor any which could
> > plausibly be pledged.
>
> For months there wasn't anything other than the official client. After
> the service started operating and showed itself to not be vapourware
> people started writing their own, but obviously the
On 2016-05-10, Theo de Raadt wrote:
>> It's still relatively young and the clients are improving.
>
> I actually don't think they are improving.
>
> > I don't see any with privilege separation, nor any which could
> plausibly be pledged.
For months there wasn't anything
On Tue, May 10, 2016 at 11:39:44AM +, Giancarlo Razzolini wrote:
> On May 10, 2016 1:29 Bob Beck wrote:
> >
> > And statements like this - and people that think this is a good idea,
> > are why I spoof DNS answers in bars and coffee shops, and why I don't
> > read misc@. This is never a
> It's still relatively young and the clients are improving.
I actually don't think they are improving.
I don't see any with privilege separation, nor any which could
plausibly be pledged.
On May 10, 2016 9:07 Kamil Cholewiński wrote:
On Tue, 10 May 2016, Giancarlo Razzolini wrote:
This is of limited usefulness.
All you need to do (as a mitm) is to block the connection on port 443,
client will now automagically fall back to using 80 and plain text...
On Tue, 10 May 2016, Giancarlo Razzolini wrote:
> Until every UA is changed to first try TLS and *only then* fall back
> to clear text http, this kind of measure has its uses.
This is of limited usefulness.
All you need to do (as a mitm) is to block the connection on port
On May 10, 2016 1:29 Bob Beck wrote:
And statements like this - and people that think this is a good idea,
are why I spoof DNS answers in bars and coffee shops, and why I don't
read misc@. This is never a good idea, unless you want the
connections intercepted and MITM'ed.
I don't see
On May 9, 2016 18:39 Theo de Raadt wrote:
Giancarlo Razzolini wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https?
I dislike the idea.
Let me be more clear, both of you.
Those decisions will be made by the people (Bob
On Tue, 10 May 2016, Ingo Schwarze wrote:
> Hi Kristaps,
>
> Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200:
>
>> (1) download ... couldn't find ... didn't require bash
>> (2) aforementioned script in a cronjob
>> (2b) user to have access to
>> (3) doas rule
>>
On 2016-05-10, arrowscr...@mail.com wrote:
> Just in case someone doesn't know, there's a non root-required client
> for Let's Encrypt:
> https://github.com/diafygi/letsencrypt-nosudo
The original Python client doesn't need root either, just set up
permissions appropriately.
On 2016-05-10, Ingo Schwarze wrote:
> Hi Kristaps,
>
> Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200:
>
>> (1) download ... couldn't find ... didn't require bash
>> (2) aforementioned script in a cronjob
>> (2b) user to have access to
>> (3) doas rule
>> (4)
Hi Kristaps,
Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200:
> (1) download ... couldn't find ... didn't require bash
> (2) aforementioned script in a cronjob
> (2b) user to have access to
> (3) doas rule
> (4) doas rule
> (5) [another?] script from a cronjob
You must be
>> (By the way, httpd(8) doesn't support SNI yet--what do you use as a
>> web server? I found that apache2's chroot and https combo didn't
>> pass the "can I set this up in less than five minutes" sniff
>> test--I ended up using nginx.)
>
> OpenBSD httpd :) If you need to serve more than one
- Original Message -
> (By the way, httpd(8) doesn't support SNI yet--what do you use as a web
> server? I found that apache2's chroot and https combo didn't pass the
> "can I set this up in less than five minutes" sniff test--I ended up
> using nginx.)
OpenBSD httpd :)
If you need to serve
> I dislike the idea.
>
> For one, it does not stop a MITM by itself.
>
> In addition, enforced encryption makes it hard to cache and/or use
> proper http proxies with the site.
>
> Purely informative sites don't need TLS. The user can opt to use TLS
> if he thinks the content he needs to read
Just in case someone doesn't know, there's a non root-required client
for Let's Encrypt:
https://github.com/diafygi/letsencrypt-nosudo
There's some perl scripts too, so you don't have to download python.
Also, after you generate and sign the certificate, you don't have
to keep the script.
> >It's great to see OpenBSD Project supporting Let's Encrypt.
>
> I am absolutely not supporting Let's Encrypt. The client scares the
> shit out of me, and shows me how low the bar has become.
"client effectively containing millions of lines of code, connects
to server on the internet to get a
>It's great to see OpenBSD Project supporting Let's Encrypt.
I am absolutely not supporting Let's Encrypt. The client scares the
shit out of me, and shows me how low the bar
has become. Considering all I need is put something on a web site that
I can convince a DNS server is the one they'll
On Mon, May 09, 2016 at 08:42:32PM +, Stuart Henderson wrote:
> On 2016-05-09, arrowscr...@mail.com wrote:
> > - Do you plan to support ftp.openbsd.org? Would be great to
> > download packages with more security
>
> https is meant to provide privacy from eavesdroppers
> Giancarlo Razzolini wrote:
> > It is really nice to finally see TLS on openbsd.org. How about redirecting
> > http to https?
>
> I dislike the idea.
Let me be more clear, both of you.
Those decisions will be made by the people (Bob et al.) who maintain the
back end.
They
> Giancarlo Razzolini wrote:
> > It is really nice to finally see TLS on openbsd.org. How about redirecting
> > http to https?
>
> I dislike the idea.
And no one cares what you like or dislike. It is not your site.
Giancarlo Razzolini wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https?
I dislike the idea.
An http->https redirect does not prevent a MITM by itself.
It also prevents the easy use of caching or proper proxies with the
Giancarlo Razzolini wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https?
I dislike the idea.
For one, it does not stop a MITM by itself.
In addition, enforced encryption makes it hard to cache and/or use proper
http
On 2016-05-09, arrowscr...@mail.com wrote:
> - Do you plan to support ftp.openbsd.org? Would be great to
> download packages with more security
https is meant to provide privacy from eavesdroppers on the network
path between the endpoints. security is a different matter
On Mon, May 09, 2016 at 06:23:51PM +, Giancarlo Razzolini wrote:
> > Let's Encrypt uses 4096.
> >
>
> I think Let's Encrypt uses by default 2048, not 4096.
You're right. The default is 2048.
> Also, 4096 might indeed cause trouble with some old software. I recall
> issues with mono and
On 2016-05-09, arrowscr...@mail.com wrote:
> - The RSA is 4096 bits. If I remember correctly, reyk@ said once
> that 4096 is overkill. Any specific reason to use 4096 instead of
> 2048?
That was then, this is now.
--
Christian "naddy" Weisgerber
On Mon, May 9, 2016 12:57 pm, arrowscr...@mail.com wrote:
>
> - I don't know in modern browsers, but Links 2.12 says that the
> certificate is not valid. Is it just old browsers, or does Firefox also
> have this same problem?
Make sure you go to www.openbsd.org as it seems the cert is not valid for
Let's Encrypt uses 4096.
I think Let's Encrypt uses by default 2048, not 4096. Also, 4096 might indeed
cause trouble with some old software. I recall issues with mono and older java
versions.
It is really nice to finally see TLS on openbsd.org. How about redirecting
http to https? Also, it
2016-05-09 18:57 GMT+02:00 :
> - I don't know in modern browsers, but Links 2.12 says that the
> certificate is not valid. Is it just old browsers, or does Firefox also
> have this same problem?
All's good. See
On Mon, May 09, 2016 at 06:57:52PM +0200, arrowscr...@mail.com wrote:
> It's great to see OpenBSD Project supporting Let's Encrypt. I don't
> know if you folks are still configuring it, but there are some points
> that I noticed:
> - I don't know in modern browsers, but Links 2.12 says that the
>
It's great to see OpenBSD Project supporting Let's Encrypt. I don't
know if you folks are still configuring it, but there are some points
that I noticed:
- I don't know in modern browsers, but Links 2.12 says that the
certificate is not valid. Is it just old browsers, or does Firefox also
have this same