Re: TLS now supported on openbsd.org?

2016-05-13 Thread Kevin Chadwick
> >So > >is there an agenda or just many idiots who see TLS=security and don't > >see lack of secure cookie usage and XSS vulnerabilities (now protected > >by SSL everywhere) meaning a site is likely exploitable in other ways!! > > You guys should seriously check "Nirvana fallacy". Nirvana

Re: TLS now supported on openbsd.org?

2016-05-12 Thread arrowscript
>So >is there an agenda or just many idiots who see TLS=security and don't >see lack of secure cookie usage and XSS vulnerabilities (now protected >by SSL everywhere) meaning a site is likely exploitable in other ways!! You guys should seriously check "Nirvana fallacy".

Re: TLS now supported on openbsd.org?

2016-05-12 Thread Kevin Chadwick
> > Its main unrealised potential benefit is; add *some* security by > > default to all those insecure wordpress logins. > > That's a terrible reason. And actually it's "make those insecure > CMS sites look more like they might be secure" when they're no > such thing. Because people have been

Re: TLS now supported on openbsd.org?

2016-05-12 Thread Kevin Chadwick
> On 2016-05-10, Kevin Chadwick wrote: > >> > Also, after you generate and sign the certificate, you don't have > >> > to keep the script. > >> > >> Validity on the letsencrypt CA is 90 days max. (Partly to restrict > >> usefulness of a bad cert because they don't do

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Stuart Henderson
On 2016-05-10, Kevin Chadwick wrote: >> > Also, after you generate and sign the certificate, you don't have >> > to keep the script. >> >> Validity on the letsencrypt CA is 90 days max. (Partly to restrict >> usefulness of a bad cert because they don't do CRLs, which are

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Kevin Chadwick
> > Also, after you generate and sign the certificate, you don't have > > to keep the script. > > Validity on the letsencrypt CA is 90 days max. (Partly to restrict > usefulness of a bad cert because they don't do CRLs, which are pretty > much useless anyway, and partly to encourage users to

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Theo de Raadt
> > I don't see any with privilege separation, nor any which could > > plausibly be pledged. > > For months there wasn't anything other than the official client. After > the service started operating and showed itself to not be vapourware > people started writing their own, but obviously the

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Stuart Henderson
On 2016-05-10, Theo de Raadt wrote: >> It's still relatively young and the clients are improving. > > I actually don't think they are improving. > > I don't see any with privilege separation, nor any which could > plausibly be pledged. For months there wasn't anything

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Juan Francisco Cantero Hurtado
On Tue, May 10, 2016 at 11:39:44AM +, Giancarlo Razzolini wrote: > On May 10, 2016 1:29 Bob Beck wrote: > > > > And statements like this - and people that think this is a good idea, > > are why I spoof DNS answers in bars and coffee shops, and why I don't > > read misc@. This is never a

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Theo de Raadt
> It's still relatively young and the clients are improving. I actually don't think they are improving. I don't see any with privilege separation, nor any which could plausibly be pledged.

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Giancarlo Razzolini
On May 10, 2016 9:07 Kamil Cholewiński wrote: On Tue, 10 May 2016, Giancarlo Razzolini wrote: This is of limited usefulness. All you need to do (as a mitm) is to block the connection on port 443, client will now automagically fall back to using 80 and plain text...

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Kamil Cholewiński
On Tue, 10 May 2016, Giancarlo Razzolini wrote: > Until every UA is changed to first try TLS and *only then* fall back > to clear text http, this kind of measure has its uses. This is of limited usefulness. All you need to do (as a mitm) is to block the connection on port

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Giancarlo Razzolini
On May 10, 2016 1:29 Bob Beck wrote: And statements like this - and people that think this is a good idea, are why I spoof DNS answers in bars and coffee shops, and why I don't read misc@. This is never a good idea, unless you want the connections intercepted and MITM'ed. I don't see

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Giancarlo Razzolini
On May 9, 2016 18:39 Theo de Raadt wrote: Giancarlo Razzolini wrote: > It is really nice to finally see TLS on openbsd.org. How about redirecting > http to https? I dislike the idea. Let me be more clear, both of you. Those decisions will be made by the people (Bob

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Kamil Cholewiński
On Tue, 10 May 2016, Ingo Schwarze wrote: > Hi Kristaps, > > Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200: > >> (1) download ... couldn't find ... didn't require bash >> (2) aforementioned script in a cronjob >> (2b) user to have access to >> (3) doas rule >>

Re: TLS now supported on openbsd.org?

2016-05-10 Thread Stuart Henderson
On 2016-05-10, arrowscr...@mail.com wrote: > Just in case someone doesn't know, there's a non root-required client > for Let's Encrypt: > https://github.com/diafygi/letsencrypt-nosudo The original Python client doesn't need root either, just set up permissions appropriately.

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Stuart Henderson
On 2016-05-10, Ingo Schwarze wrote: > Hi Kristaps, > > Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200: > >> (1) download ... couldn't find ... didn't require bash >> (2) aforementioned script in a cronjob >> (2b) user to have access to >> (3) doas rule >> (4)

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Ingo Schwarze
Hi Kristaps, Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200: > (1) download ... couldn't find ... didn't require bash > (2) aforementioned script in a cronjob > (2b) user to have access to > (3) doas rule > (4) doas rule > (5) [another?] script from a cronjob You must be

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Kristaps Dzonsons
>> (By the way, httpd(8) doesn't support SNI yet--what do you use as a >> web server? I found that apache2's chroot and https combo didn't >> pass the "can I set this up in less than five minutes" sniff >> test--I ended up using nginx.) > > OpenBSD httpd :) If you need to serve more than one

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread sid77
- Original Message - > (By the way, httpd(8) doesn't support SNI yet--what do you use as a web > server? I found that apache2's chroot and https combo didn't pass the > "can I set this up in less than five minutes" sniff test--I ended up > using nginx.) OpenBSD httpd :) If you need to serve

letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Kristaps Dzonsons
> I dislike the idea. > > For one, it does not stop a MITM by itself. > > In addition, enforced encryption makes it hard to cache and/or use > proper http proxies with the site. > > Purely informative sites don't need TLS. The user can opt to use TLS > if he thinks the content he needs to read

Re: TLS now supported on openbsd.org?

2016-05-10 Thread arrowscript
Just in case someone doesn't know, there's a non root-required client for Let's Encrypt: https://github.com/diafygi/letsencrypt-nosudo There are some Perl scripts too, so you don't have to download Python. Also, after you generate and sign the certificate, you don't have to keep the script.

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Theo de Raadt
> >It's great to see OpenBSD Project supporting Let's Encrypt. > > I am absolutely not supporting Let's Encrypt. The client scares the > shit out of me, and shows me how low the bar has become. "client effectively containing millions of lines of code, connects to server on the internet to get a

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Bob Beck
>It's great to see OpenBSD Project supporting Let's Encrypt. I am absolutely not supporting Let's Encrypt. The client scares the shit out of me, and shows me how low the bar has become. Considering all I need is put something on a web site that I can convince a DNS server is the one they'll

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Marc Espie
On Mon, May 09, 2016 at 08:42:32PM +, Stuart Henderson wrote: > On 2016-05-09, arrowscr...@mail.com wrote: > > - Do you plan to support ftp.openbsd.org? Would be great to > > download packages with more security > > https is meant to provide privacy from eavesdroppers

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Theo de Raadt
> Giancarlo Razzolini wrote: > > It is really nice to finally see TLS on openbsd.org. How about redirecting > > http to https? > > I dislike the idea. Let me be more clear, both of you. Those decisions will be made by the people (Bob et al.) who maintain the back end. They

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Theo de Raadt
> Giancarlo Razzolini wrote: > > It is really nice to finally see TLS on openbsd.org. How about redirecting > > http to https? > > I dislike the idea. And no one cares what you like or dislike. It is not your site.

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Rubén Llorente
Giancarlo Razzolini wrote: > It is really nice to finally see TLS on openbsd.org. How about redirecting > http to https? I dislike the idea. An http->https redirect does not prevent a MITM by itself. It also prevents the easy use of caching or proper proxies with the

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Rubén Llorente
Giancarlo Razzolini wrote: > It is really nice to finally see TLS on openbsd.org. How about redirecting > http to https? I dislike the idea. For one, it does not stop a MITM by itself. In addition, enforced encryption makes it hard to cache and/or use proper http

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Stuart Henderson
On 2016-05-09, arrowscr...@mail.com wrote: > - Do you plan to support ftp.openbsd.org? Would be great to > download packages with more security https is meant to provide privacy from eavesdroppers on the network path between the endpoints. Security is a different matter

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Juan Francisco Cantero Hurtado
On Mon, May 09, 2016 at 06:23:51PM +, Giancarlo Razzolini wrote: > > Let's Encrypt uses 4096. > > > > I think Let's Encrypt uses by default 2048, not 4096. You're right. The default is 2048. > Also, 4096 might indeed cause trouble with some old software. I recall > issues with mono and

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Christian Weisgerber
On 2016-05-09, arrowscr...@mail.com wrote: > - The RSA is 4096 bits. If I remember correctly, reyk@ said once > that 4096 is overkill. Any specific reason to use 4096 instead of > 2048? That was then, this is now. -- Christian "naddy" Weisgerber

Re: TLS now supported on openbsd.org?

2016-05-09 Thread trondd
On Mon, May 9, 2016 12:57 pm, arrowscr...@mail.com wrote: > > - I don't know in modern browsers, but Links 2.12 says that the > certificate is not valid. Is it just old browsers, or does Firefox also > have this same problem? Make sure you go to www.openbsd.org as it seems the cert is not valid for

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Giancarlo Razzolini
Let's Encrypt uses 4096. I think Let's Encrypt uses by default 2048, not 4096. Also, 4096 might indeed cause trouble with some old software. I recall issues with mono and older Java versions. It is really nice to finally see TLS on openbsd.org. How about redirecting http to https? Also, it

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Martin Schröder
2016-05-09 18:57 GMT+02:00 : > - I don't know in modern browsers, but Links 2.12 says that the > certificate is not valid. Is it just old browsers, or does Firefox also > have this same problem? All's good. See

Re: TLS now supported on openbsd.org?

2016-05-09 Thread Juan Francisco Cantero Hurtado
On Mon, May 09, 2016 at 06:57:52PM +0200, arrowscr...@mail.com wrote: > It's great to see OpenBSD Project supporting Let's Encrypt. I don't > know if you folks are still configuring it, but there are some points > that I noticed: > - I don't know in modern browsers, but Links 2.12 says that the >

TLS now supported on openbsd.org?

2016-05-09 Thread arrowscript
It's great to see OpenBSD Project supporting Let's Encrypt. I don't know if you folks are still configuring it, but there are some points that I noticed: - I don't know in modern browsers, but Links 2.12 says that the certificate is not valid. Is it just old browsers, or does Firefox also have this same