Re: [DNG] Web browser needed
Renaud (Ron) OLGIATI wrote:
> If the developers are worried about users wandering into unsafe sites, I
> would understand a warning, but why the complete blockage ?
>
> And is there a way around it ?

While not directly addressing your problem, it's a symptom of the "nothing old exists, all (would be) legacy stuff gets replaced by 3 years old, we don't care" approach from several quarters. Browsers that won't connect to sites running old and deprecated encryption methods (which I suspect is your problem), Java that refuses to run "old insecure" code that comprises the GUI for network switches, and so on.

As you say, issuing warnings, even going through several levels of "this is dangerous, are you REALLY sure" would be better than the outright "no way" approach that's creeping in.

It would be an interesting exchange to have with vendor support, I suspect it would go along the lines of :

I can't connect to X
Ah, you need to upgrade X because it's using old insecure encryption
So, can you provide me with such an upgrade for X ?
No, you'll have to ask the vendor
$Vendor ended support several years ago, that's not going to happen
In that case, you need to throw away your perfectly functional gigabit switch and buy a new one that will do nothing more than the old one except have more up to date firmware !

Well perhaps not those words !

With my professional hat on, at work we have had quite a few clients keeping old and unsupported stuff around just to service such issues. With one client, they kept an old Win2008 server running **JUST** to interface (dealing with the logged in domain user <--> non-domain aware PBX mapping) between the PBX and some desktop CTI stuff, plus an old laptop running the right (old) versions of stuff like Java to be able to manage the PBX.

Keeping VMs of older OSs/installations is one way of being able to update your main desktop/laptop while still being able to administer your "legacy" equipment (I still have a Win95 VM, not that it gets fired up very often !)

But I really agree with you that it's darned annoying when developers make decisions which are effectively "we aren't going to allow you to do this even if you *must* do it and you *do* know what you are doing". Even when you are connecting to your own kit, on your own network, and there's more chance of watching a porcine aviation display than seeing a firmware update for your 5 year old router/switch/whatever.

That latter bit is going to be (already is ?) yet another issue people will find as they take on IoT stuff - finding that it becomes an expensive paperweight when the vendor stops supporting it or the backend it's been engineered to require.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] what has gone wrong with networking in ascii?
I upgraded my home server to ascii a bit more than a week ago, and then proceeded to make a full backup of user files (and system files in case I have to consult them on reinstallation if the system gets hopelessly broken).

I finally rebooted yesterday after a week of flawless running, only to find that networking is completely nonfunctional.

After a day of struggling, I rebooted to an old copy of Debian wheezy I still had lying around on the hard drive and networking worked perfectly. So the hardware appears to be OK.

But software is another story. On ascii:

my client laptops can connect to the wifi modem, but never get an IP number assigned.

My server normally uses pppoe to connect to my ISP. My script to identify the access concentrator manages to connect to it, so the hardware must be working even for proper pppoe operation, but I can never manage to get a pppoe connection.

So:

(1) What has changed between jessie and ascii? Everything worked fine on Jessie. Do pppoe and dhcpd need different configuration files or is something else a problem? The files I'm using seem to have the same chap and pap secrets on ascii as on wheezy.

(2) How should I go about tracking down the problem?

I might add that ifconfig reports the usual interfaces of eth0, eth1, and loopback, so I don't *seem* to be having problems with the systemd and Debian's new interface naming conventions.

Of course it's possible that I did something stupid after the upgrade.

-- hendrik
Re: [DNG] what has gone wrong with networking in ascii?
On Saturday, 14 July 2018, Hendrik Boom wrote:
> (2) How should I go about tracking down the problem?
>
> I might add that ifconfig reports the usual interfaces of eth0, eth1,

Have you checked they also have the same MAC address like before?

Kind regards,
Stefan
Re: [DNG] Web browser needed
On Fri, 13 Jul 2018 18:50:51 -0400, Renaud wrote in message
<20180713185051.417e3...@ron.cerrocora.org>:

> I would welcome advice on what browser to use, given that Mozilla
> Firefox now refuses to connect to my IPCop firewall box at
> 192.168.127.254:8022 making the administration of the firewall
> impossible.
>
> It claims that it cannot let me connect:
> "The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified."
>
> Tried others, Dillo will not do https, Arora complains that:
> "Received finished signal while progress is still: 10 Url:
> QUrl( "https://192.168.127.254:8022/" ) "
>
> Vivaldi complains that:
> "This site can’t provide a secure connection 192.168.1.254 sent an
> invalid response. ERR_SSL_PROTOCOL_ERROR"
>
> Even tried the venerable links in a terminal, ssl error.
>
> Any other idea ?

..you try to web browse into an ssh port?
Tried "ssh -vp 8022 root@192.168.127.254 "?
(Or was ipcop's ssh port moved to 222? Too long time ago...)

.."nmap -AT4 192.168.127.254 " and "man nmap " should help tell you
more about it.

--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three:
  best case, worst case, and just in case.
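Simon's guess above (the box only speaks deprecated encryption) and Arnt's (the port may not be TLS at all) can be settled before picking a browser: send the appliance one ClientHello per protocol version and look at the first record it returns. The probe below is an added example written for this thread, not code from any poster or from IPCop. It builds the ClientHello by hand so it can offer old versions and suites that a current TLS library will no longer negotiate, and it classifies the reply as a ServerHello (with the version and suite the box accepted), a TLS alert (a fatal protocol_version or handshake_failure is what a browser renders as ERR_SSL_PROTOCOL_ERROR), or a non-TLS banner such as an SSH greeting. The sample replies are constructed, and only probe() touches the network.

```python
"""Probe what a TLS endpoint answers to a legacy-version ClientHello.

Added example, not code from the thread.  build_client_hello() assembles one
TLS record carrying a ClientHello for the requested protocol version and a
small cipher list; classify_response() reads the first record that comes back.
The sample replies at the bottom are constructed; probe() is the only function
that uses the network and is not exercised offline.
"""
import socket
import struct
import sys

VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
ALERTS = {10: "unexpected_message", 40: "handshake_failure", 42: "bad_certificate",
          47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
          80: "internal_error", 86: "inappropriate_fallback"}
# Deliberately includes RC4, 3DES and AES-CBC suites so a 2010-era appliance has something to pick.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004, 0xC013, 0xC014, 0x009C]


def build_client_hello(version_name, client_random=bytes(32)):
    """Return one TLS record (content type 22) containing a ClientHello."""
    ver = VERSIONS[version_name]
    suites = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body = (struct.pack("!H", ver)                      # client_version
            + client_random                             # 32 bytes, fixed here for determinism
            + b"\x00"                                   # session_id: empty
            + struct.pack("!H", len(suites)) + suites   # cipher_suites
            + b"\x01\x00")                              # compression_methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    record_ver = 0x0300 if ver == 0x0300 else 0x0301                 # record-layer version
    return struct.pack("!BHH", 22, record_ver, len(handshake)) + handshake


def classify_response(data):
    """Describe the first TLS record (or non-TLS bytes) a server sent back."""
    if len(data) < 5 or data[0] not in (20, 21, 22, 23):
        return {"kind": "no_tls", "detail": data[:24].decode("latin-1").strip() or "empty reply"}
    ctype, _rver, rlen = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + rlen]
    if ctype == 21 and len(payload) >= 2:                         # Alert
        level, desc = payload[0], payload[1]
        return {"kind": "alert", "level": "fatal" if level == 2 else "warning",
                "description": ALERTS.get(desc, "alert_%d" % desc)}
    if ctype == 22 and payload and payload[0] == 2:               # Handshake: ServerHello
        hs = payload[4:]                                          # skip type + 24-bit length
        if len(hs) < 35:
            return {"kind": "truncated"}
        sid_len = hs[34]                                          # version(2) random(32) sid_len(1)
        if len(hs) < 35 + sid_len + 3:
            return {"kind": "truncated"}
        ver = struct.unpack("!H", hs[:2])[0]
        cipher = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
        name = next((n for n, v in VERSIONS.items() if v == ver), "0x%04x" % ver)
        return {"kind": "server_hello", "version": name, "cipher": "0x%04x" % cipher}
    return {"kind": "other", "content_type": ctype}


def probe(host, port, version_name, timeout=5.0):
    """Network part: send one ClientHello and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version_name))
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:
            return {"kind": "timeout"}


# Constructed sample replies (not captured from the IPCop box in the thread).
SAMPLE_ALERT = bytes([21, 0x03, 0x01, 0x00, 0x02, 2, 70])        # fatal protocol_version
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"                    # what an ssh port answers


def sample_server_hello(version=0x0301, cipher=0x000A):
    """Constructed ServerHello: an old box accepting TLS 1.0 with 3DES."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    if len(sys.argv) == 3:      # e.g. python3 tlsprobe.py 192.168.127.254 8022
        for name in VERSIONS:
            print(name, probe(sys.argv[1], int(sys.argv[2]), name))
    else:
        for sample in (SAMPLE_ALERT, SAMPLE_SSH_BANNER, sample_server_hello()):
            print(classify_response(sample))
```

Run against the real box, a ServerHello for TLSv1.0 only (with a 3DES or RC4 suite) confirms Simon's theory and tells you which browser setting or security exception you need; an alert on every version, or an SSH banner, means the port is not what the browser thinks it is and Arnt's ssh/nmap route is the next step.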
Re: [DNG] Web browser needed
On Sat, Jul 14, 2018 at 10:09:37AM +0100, Simon Hobson wrote:
> Renaud (Ron) OLGIATI wrote:
> > If the developers are worried about users wandering into unsafe sites,
> > I would understand a warning, but why the complete blockage ?
> >
> > And is there a way around it ?
>
> While not directly addressing your problem, it's a symptom of the "nothing
> old exists, all (would be) legacy stuff gets replaced by 3 years old, we
> don't care" approach from several quarters.
>
> Browsers that won't connect to sites running old and deprecated encryption
> methods (which I suspect is your problem),

Nope. A good part of browsers on the list he tried are unmaintained, thus it's not a matter of deprecated encryption being dropped, but of the appliance breaking.

And even if it were, IoS (Internet of Shit) insecure appliances are a common nuisance, thus any of those that ceases to work is actually a boon to the society, as it teaches people not to buy those, and if we're lucky, perhaps is grounds for warranty return, thus costing the manufacturer some (and for most, margins are so thin that a single return costs more than they earn on several sales).

Were it running free software, users would be able to upgrade, avoiding whatever the breakage is.

From the error messages, it's clear it's not an expired cert -- but no clue what.

> $Vendor ended support several years ago, that's not going to happen
> In that case, you need to throw away your perfectly functional gigabit
> switch and buy a new one that will do nothing more than the old one except
> have more up to date firmware ! Well perhaps not those words !

Welcome to the world of proprietary crap. Now you know what not to buy.

Meow.
--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable And Non-Discriminatory prices.
Re: [DNG] Web browser needed
On Sat, Jul 14, 2018 at 10:20:46PM +0200, Adam Borowski wrote:
> On Sat, Jul 14, 2018 at 10:09:37AM +0100, Simon Hobson wrote:
> > Renaud (Ron) OLGIATI wrote:
> > > If the developers are worried about users wandering into unsafe sites,
> > > I would understand a warning, but why the complete blockage ?
> > While not directly addressing your problem, it's a symptom of the "nothing
> > old exists, all (would be) legacy stuff gets replaced by 3 years old, we
> > don't care" approach from several quarters.

This might not be relevant, but I have a "legacy" switch/router. It does not have wifi, so there are no free firmwares to use. The problem with connecting securely, as I recall is that the manufacturer had/has several brands, and the certificate had a mismatch there. When I used to use firefox, it allowed me to specify a "security" exception, and then I could connect.

Nowadays, I usually use Palemoon (I know that some people here object to the licence conditions, so let's not go there now). That also allows me to declare an exception and connect.

This is from memory, and may not be quite right, but perhaps may give a clue. You will want to know how to allow an exception. As I recall that was offered when the security problem is detected.

Your problem might be different, of course.

ael
Re: [DNG] Web browser needed
ael wrote on 15/07/18 07:30:
> On Sat, Jul 14, 2018 at 10:20:46PM +0200, Adam Borowski wrote:
> > On Sat, Jul 14, 2018 at 10:09:37AM +0100, Simon Hobson wrote:
> > > Renaud (Ron) OLGIATI wrote:
> > > > If the developers are worried about users wandering into unsafe sites,
> > > > I would understand a warning, but why the complete blockage ?
> > > While not directly addressing your problem, it's a symptom of the "nothing
> > > old exists, all (would be) legacy stuff gets replaced by 3 years old, we
> > > don't care" approach from several quarters.
>
> This might not be relevant, but I have a "legacy" switch/router. It does
> not have wifi, so there are no free firmwares to use. The problem with
> connecting securely, as I recall is that the manufacturer had/has several
> brands, and the certificate had a mismatch there. When I used to use
> firefox, it allowed me to specify a "security" exception, and then I could
> connect.

Since the HTTPS certification principle is based on domain names, it's hard to understand in general how routers would be able to hold such certificates (installed by vendors), and if they could, what value that would have in terms of security.

> Nowadays, I usually use Palemoon (I know that some people here object to
> the licence conditions, so let's not go there now). That also allows me
> to declare an exception and connect.

[me too]

[snip]

Ralph.
Re: [DNG] what has gone wrong with networking in ascii?
On Sat, Jul 14, 2018 at 12:53:08PM -0400, Hendrik Boom wrote:
> But software is another story. On ascii:
>
> my client laptops can connect to the wifi modem, but never get an IP
> number assigned.

The change I'm aware of for dhcpd between jessie and Ascii is that dhcpd on Ascii automatically does v4 and v6. You asked what changed, and that's the biggest change I'm aware of. That doesn't mean this is the cause of your problem.

What does /var/log/daemon.log say when one of your machines attempts to obtain an IP address?

> My server normally uses pppoe to connect to my ISP. My script to
> identity the access concentrator manages to connect to it, so the
> hardware must be working even for proper pppoe operation, but I can
> never manage to get a pppoe connection.

What does /var/log/ppp-connect-errors say? What does /var/log/daemon.log say?

Greg
--
web site: http://www.gregn.net
gpg public key: http://www.gregn.net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
If we haven't been in touch before, e-mail me before adding me to your contacts.

--
Free domains: http://www.eu.org/ or mail dns-mana...@eu.org
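Greg's question (what does daemon.log say when a laptop asks for an address?) is the right one, and reading it is easier if the lines are grouped per client and checked against the four-step DISCOVER/OFFER/REQUEST/ACK exchange. The script below is an added example written for this thread, not code from any poster or from ISC dhcpd. It parses the one-line-per-message format dhcpd writes via syslog, tracks which step each client MAC reached, and reports the stage at which the exchange stalled together with any reason dhcpd appended ("no free leases", "wrong network"). The log lines are constructed to match dhcpd's format; they are not from Hendrik's server.

```python
"""Trace each DHCP client's DISCOVER/OFFER/REQUEST/ACK exchange in dhcpd log lines.

Added example, not from the thread.  ISC dhcpd logs one line per message via
syslog (daemon.log on Debian/Devuan); grouping them per client MAC shows at
which step a laptop that "never gets an IP" actually stalls.  SAMPLE_LOG is
constructed in dhcpd's format, not taken from the poster's server.
"""
import re
import sys
from collections import OrderedDict

_MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \([^)]*\))?"   # MAC, optional "(hostname)"
_VIA = r" via (?P<iface>[^\s:]+)(?P<rest>.*)"                       # interface, then any error text
PATTERNS = [
    ("DISCOVER", re.compile(r"DHCPDISCOVER from " + _MAC + _VIA)),
    ("OFFER",    re.compile(r"DHCPOFFER on (?P<ip>\S+) to " + _MAC + _VIA)),
    ("REQUEST",  re.compile(r"DHCPREQUEST for (?P<ip>\S+)(?: \(\S+\))? from " + _MAC + _VIA)),
    ("ACK",      re.compile(r"DHCPACK on (?P<ip>\S+) to " + _MAC + _VIA)),
    ("NAK",      re.compile(r"DHCPNAK on (?P<ip>\S+) to " + _MAC + _VIA)),
]


def trace_dhcp(lines):
    """Group dhcpd messages per client MAC, in the order they were logged."""
    clients = OrderedDict()
    for line in lines:
        if "dhcpd" not in line:
            continue
        for stage, pat in PATTERNS:
            m = pat.search(line)
            if m:
                c = clients.setdefault(m.group("mac"), {"seen": [], "ip": None, "iface": None, "errors": []})
                c["seen"].append(stage)
                c["iface"] = m.group("iface")
                if "ip" in m.groupdict():
                    c["ip"] = m.group("ip")
                note = m.group("rest").strip(": ").rstrip(".")   # e.g. "network 192.168.1.0/24: no free leases"
                if note:
                    c["errors"].append(note)
                break
    return clients


def diagnose(clients):
    """One verdict per client: where the exchange stopped and the reason dhcpd gave, if any."""
    verdicts = {}
    for mac, c in clients.items():
        seen, errs = c["seen"], "; ".join(c["errors"])
        if "ACK" in seen:
            verdicts[mac] = "ok: %s on %s" % (c["ip"], c["iface"])
        elif "NAK" in seen:
            verdicts[mac] = "server refused %s (%s)" % (c["ip"], errs or "no reason logged")
        elif "OFFER" in seen:
            verdicts[mac] = ("offer(s) sent but no REQUEST: the client never saw the OFFER, "
                             "check what sits between %s and the client" % c["iface"])
        elif "DISCOVER" in seen:
            verdicts[mac] = "DISCOVER seen, no OFFER: " + (
                errs or "no reason logged; check the subnet declaration for %s" % c["iface"])
        else:
            verdicts[mac] = "only %s seen" % "/".join(seen)
    return verdicts


# Constructed sample, in the format dhcpd writes to syslog (not the poster's log).
SAMPLE_LOG = """\
Jul 14 12:01:03 homeserver dhcpd[1412]: DHCPDISCOVER from 00:11:22:33:44:55 (laptop1) via eth1
Jul 14 12:01:04 homeserver dhcpd[1412]: DHCPOFFER on 192.168.1.50 to 00:11:22:33:44:55 (laptop1) via eth1
Jul 14 12:01:04 homeserver dhcpd[1412]: DHCPREQUEST for 192.168.1.50 (192.168.1.1) from 00:11:22:33:44:55 (laptop1) via eth1
Jul 14 12:01:04 homeserver dhcpd[1412]: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop1) via eth1
Jul 14 12:02:10 homeserver dhcpd[1412]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth1: network 192.168.1.0/24: no free leases
Jul 14 12:02:15 homeserver dhcpd[1412]: DHCPDISCOVER from 66:77:88:99:aa:bb via eth1
Jul 14 12:02:16 homeserver dhcpd[1412]: DHCPOFFER on 192.168.1.51 to 66:77:88:99:aa:bb via eth1
Jul 14 12:02:20 homeserver dhcpd[1412]: DHCPDISCOVER from 66:77:88:99:aa:bb via eth1
Jul 14 12:02:21 homeserver dhcpd[1412]: DHCPOFFER on 192.168.1.51 to 66:77:88:99:aa:bb via eth1
Jul 14 12:03:00 homeserver dhcpd[1412]: DHCPREQUEST for 10.0.0.7 from 12:34:56:78:9a:bc via eth1: wrong network.
Jul 14 12:03:00 homeserver dhcpd[1412]: DHCPNAK on 10.0.0.7 to 12:34:56:78:9a:bc via eth1
"""


def main(path=None):
    lines = open(path).read().splitlines() if path else SAMPLE_LOG.splitlines()
    for mac, verdict in diagnose(trace_dhcp(lines)).items():
        print(mac, verdict)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)   # e.g. python3 dhcptrace.py /var/log/daemon.log
```

A client that repeats DISCOVER/OFFER without ever sending REQUEST is the pattern to look for in Hendrik's case: the server is answering, but the offer is not reaching the wifi side (bridging, the interface dhcpd is bound to, or a firewall rule that changed with the upgrade). No lines at all for the laptop's MAC means the DISCOVER never reached dhcpd, which points at the interface/bridge rather than at dhcpd's configuration.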
Re: [DNG] Web browser needed
On Sun, Jul 15, 2018 at 08:14:20AM +1000, Ralph Ronnquist wrote:
> Since the HTTPS certification principle is based on domain names, it's hard
> to understand in general how routers would be able to hold such certificates
> (installed by vendors), and if they could, what value that would have in
> terms of security.

The only problem here is renewal of those certs -- a router that was offline for a while or is in a network that doesn't allow phoning home risks having its cert expire.

There's no reason why you can't have multiple certs for the same name; any CA will gladly give you thousands of cert-key pairs, and while they'll charge more for such a special case the per-router price will still be peanuts. A vendor who doesn't care about security (insert the obvious rant here) can also use a single cert, but in that case anyone who extracts the firmware can get the private key then MITM you.

It would work much better with DNSSEC+DANE -- but alas, no mainstream browser supports it out of the box[1].

By the way, this is why DNSSEC (DNS only, not DANE) support got disabled in systemd: router owned by Lennart's mother used "fritz.box" which gets rejected by any DNSSEC-validating resolver. It could be trivially fixed by the vendor registering the "fritz.box" domain (.box is an actual TLD) -- DNSSEC instead of proving the router is lying would either detect the domain is existing but unsigned (a properly terminated NSEC) or get a signing chain all the way. But no, the vendor didn't even bother to register that domain, then DNSSEC did its task and outed the response as fraudulent.

Meow!

[1]. Which I'm quite certain was a request from a three letter agency -- DANE is no silver bullet but it's so massively better than the CA model (and can be paired with it) that it's hard to see any reason for its implementation suddenly getting WONTFIXed other than _someone_ wanting to retain capability of MITMing arbitrary targets.

--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable And Non-Discriminatory prices.
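Adam's DNSSEC+DANE alternative, and his renewal worry, are easier to judge with the record format in front of you. The block below is an added example written for this thread, not code from any poster, browser or router vendor. It builds a TLSA record (RFC 6698) from a certificate or its SubjectPublicKeyInfo, prints it in zone-file form at the `_port._tcp.host` owner name, and performs the match a DANE-aware client would do against the certificate a server presents. The host name router.example is hypothetical and the port 8022 is the one from the thread; the certificate and SPKI byte strings are constructed placeholders standing in for DER, since the record arithmetic does not depend on their internal structure.

```python
"""DANE TLSA records for a self-hosted HTTPS endpoint (added example, not from the thread).

RFC 6698 lets the owner of a DNSSEC-signed name publish which certificate (or
public key) a TLS service must present, at _<port>._tcp.<host>.  With usage 3
(DANE-EE) the record itself is the trust anchor, so no CA is involved at all.
make_tlsa() builds the record; tlsa_matches() is the client-side check.
The ROUTER_*/ATTACKER_* byte strings are constructed placeholders, not real
X.509 DER; with real DER the SPKI is the subjectPublicKeyInfo element.
"""
import hashlib
import struct

USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}
MTYPE = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def _association_data(cert_der, spki_der, selector, mtype):
    """The bytes a TLSA record carries for this selector/matching type."""
    data = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % mtype)


def make_tlsa(cert_der, spki_der, usage=3, selector=1, mtype=1):
    """Return (rdata_bytes, presentation_string) for one TLSA RR."""
    assoc = _association_data(cert_der, spki_der, selector, mtype)
    rdata = struct.pack("!BBB", usage, selector, mtype) + assoc
    return rdata, "%d %d %d %s" % (usage, selector, mtype, assoc.hex())


def parse_tlsa(rdata):
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def tlsa_matches(rrset, presented_cert_der, presented_spki_der):
    """Return (usage, selector, mtype) of the first record matching the presented
    end-entity certificate, or None.  Only usages 1 and 3 are decided here; for
    0/2 the client must also validate a chain, which needs the intermediates."""
    for rdata in rrset:
        usage, selector, mtype, assoc = parse_tlsa(rdata)
        if usage not in (1, 3) or selector not in SELECTOR or mtype not in MTYPE:
            continue    # unusable record: RFC 6698 says skip it, not fail
        if _association_data(presented_cert_der, presented_spki_der, selector, mtype) == assoc:
            return (usage, selector, mtype)
    return None


def tlsa_owner_name(host, port, proto="tcp"):
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))


# Constructed placeholders for DER structures (assumption: not real certificates).
ROUTER_SPKI = b"spki-of-router-key-v1"
ROUTER_CERT = b"cert-2018:" + ROUTER_SPKI
ROUTER_CERT_RENEWED = b"cert-2019:" + ROUTER_SPKI      # same key, re-issued certificate
ATTACKER_SPKI = b"spki-of-attacker-key"
ATTACKER_CERT = b"cert-2018:" + ATTACKER_SPKI


def demo(host="router.example", port=8022):
    """Publish a DANE-EE/SPKI/SHA-256 record and check three presented certs against it."""
    rdata, text = make_tlsa(ROUTER_CERT, ROUTER_SPKI, usage=3, selector=1, mtype=1)
    rrset = [rdata]
    return {
        "name": tlsa_owner_name(host, port),
        "record": text,
        "genuine": tlsa_matches(rrset, ROUTER_CERT, ROUTER_SPKI),
        "renewed_same_key": tlsa_matches(rrset, ROUTER_CERT_RENEWED, ROUTER_SPKI),
        "mitm": tlsa_matches(rrset, ATTACKER_CERT, ATTACKER_SPKI),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-17s %s" % (k, v))
```

Selector 1 (SPKI) is the choice that answers the renewal problem: as long as the router keeps its key pair, a re-issued or even self-signed replacement certificate still matches, and the DNS record never has to change. Selector 0 with matching type 0 pins the whole certificate and breaks on every renewal. Usage 3 also answers Ralph's point about names: the record is published under whatever DNSSEC-signed name the owner (or vendor, for a name it registers) controls, and no CA has to vouch for that name.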
Re: [DNG] Web browser needed
Adam Borowski wrote on 15/07/18 11:51:
> On Sun, Jul 15, 2018 at 08:14:20AM +1000, Ralph Ronnquist wrote:
> > Since the HTTPS certification principle is based on domain names, it's hard
> > to understand in general how routers would be able to hold such certificates
> > (installed by vendors), and if they could, what value that would have in
> > terms of security.
>
> The only problem here is renewal of those certs -- a router that was offline
> for a while or is in a network that doesn't allow phoning home risks having
> its cert expire.
>
> There's no reason why you can't have multiple certs for the same name; any
> CA will gladly give you thousands of cert-key pairs, and while they'll
> charge more for such a special case the per-router price will still be
> peanuts.

Either you are joking, or I am being thick (or both, perhaps), but how could the vendor know beforehand what I want as domain name for my router?

[snip]

No need to discuss things that aren't.

Ralph.
Re: [DNG] data reliability (was: Home server replacement hardware suggestions?)
On Sat, 7 Jul 2018 20:56:46 -0700 spiralofhope wrote:
> I understand there are problems with USB sticks, but what's wrong with
> that connection for a drive? (assuming cabling won't get kicked
> out)

This isn't Devuan-related, but as I had been given a flat dictate I did some research and hoped to bend an ear on this.

From what I can tell these are the main issues:

- Storage reliability
- Storage temperature (e.g. sustained-usage storage is not properly cooled and will cook)
- Temperature of the USB area itself
- Frail cabling or seating of the device
- Device removal without unmounting/ejecting
- Device removal while the device/area is hot

So for a low-quality server, it seems to me that this is the chain:

computer -> usb 3.1 -> drive (dock)

The only problems I would have with this are:

- Temperature of the USB area on the computer
- eSATA adapter or USB dock trustworthiness
- Hard drive cooling (Is a passively-cooled vertical drive okay?)

Am I missing something? With backups, I'd be fine with the above risks.

Also, I reproduced a heat issue with the worst offender and worst conditions I could manage.. a shit usb 2.0 key in a 3.1 port situated above a battery. Heat issues were solved using either a cable or a hub. I can only guess why that worked..

--

An M.2 to SATA hack was mentioned, but basic searching for a simple conversion method came up dry. I'll keep that in mind for when I retire my low-end laptop and convert it into a torrent box.