Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-15 Thread Kevin Chadwick
> It's not so much about replacing keys which aren't strong enough (and > actually you can just replace the old key+cert in that case), it's > about dealing with compromised keys. > > Certificate revocation is a disaster area. CRLs are often not checked > at all (letsencrypt aren't even generating

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-14 Thread Stuart Henderson
On 2015-12-12, Kevin Chadwick wrote: >> > and have to keep changing the cert every year. >> >> Your certificate cycling process should be automated, and it should >> happen more frequently than once a year. > > Complete nonsense > > firstly and not a major point but you may have greater securit

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-13 Thread Joel Rees
On Mon, Dec 14, 2015 at 11:00 AM, Michael McConville wrote: > Joel Rees wrote: >> Daniel Ouellet wrote: >> > > Secondly, this whole thread should have ended long ago. >> > >> > So why you keep it going then. >> > >> > Let it die please >> >> Flame wars are educational, for readers with an open min

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-13 Thread Michael McConville
Joel Rees wrote: > Daniel Ouellet wrote: > > > Secondly, this whole thread should have ended long ago. > > > > So why you keep it going then. > > > > Let it die please > > Flame wars are educational, for readers with an open mind. Flame wars and crypto speculation also make a lot of noise and dri

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-13 Thread Joel Rees
On Sun, Dec 13, 2015 at 5:00 PM, Daniel Ouellet wrote: >> Secondly, this whole thread should have ended long ago. > > So why you keep it going then. > > Let it die please Flame wars are educational, for readers with an open mind. And I think I'll air my own two armpits, off-list: http://free-is

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-13 Thread Daniel Ouellet
> Secondly, this whole thread should have ended long ago. So why you keep it going then. Let it die please

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread ludovic coues
2015-12-13 7:17 GMT+01:00 Delan Azabani : > On Sun, Dec 13, 2015 at 6:28 AM, Kevin Chadwick wrote: >> On a low traffic site it already annoys me that I have to change it >> once per year with startSSL. > > This is what the tooling provided by Let's Encrypt is designed to > solve. It shouldn't be h

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Delan Azabani
On Sun, Dec 13, 2015 at 6:28 AM, Kevin Chadwick wrote: > On a low traffic site it already annoys me that I have to change it > once per year with startSSL. This is what the tooling provided by Let's Encrypt is designed to solve. It shouldn't be hard to issue new certificates, and for many applica

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Kevin Chadwick
> > and have to keep changing the cert every year. > > Your certificate cycling process should be automated, and it should > happen more frequently than once a year. Complete nonsense firstly and not a major point but you may have greater security than automating key changes and secondly the o

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Kevin Chadwick
> > I would consider signify keys printed on CDs and copied across several > > web sites safer than trusting the hundreds of CA certs shipped with a > > standard web browser. > > Didn't we just establish that with HPKP you can disregard the CA > completely? At least if you trust your first acce

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Andy Bradford
Thus said Tati Chevron on Fri, 11 Dec 2015 13:16:23 +: > On the other hand, if somebody actually received a fake OpenBSD CD in > the mail, and it was discovered, it would be a huge news story within > the IT industry. A bad download, much less so. My OpenBSD 5.7 CD arrived with a green l

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Delan Azabani
On Sat, Dec 12, 2015 at 7:11 PM, Constantine A. Murenin wrote: > once you give in to https once, you're hooked You're only hooked if you use HSTS. > and have to keep paying someone every year, There are at least three CAs that provide free certificates, and one of those is Let's Encrypt. > and

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Constantine A. Murenin
On 11 December 2015 at 03:58, Kamil Cholewiński wrote: >> The official CD set contains the signify keys for that release and the >> next one. Once you have a known good copy of one set, you can always obtain >> future ones securely. >> >> You don't even need to use the CD set to install, just as

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Anthony J. Bentley
Kevin Chadwick writes: > What is your problem with it, there are many VPN services promoted > precisely for this issue as it completely rather than partially stops > ISP's monitoring traffic like TalkTalks homesafe service that is > likely hackable itself. Why encrypt anything? Just run it through

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Kevin Chadwick
> Kevin Chadwick writes: > > The cvs page fingerprint page could be https enabled, however you can > > use googles cache over https, also buy a CD to help the project greatly > > would do far more for world security than TLS everywhere and even look > > at mailing list archives over https as a web

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Oriol Demaria
I agree, but no one mentioned DANE, I think that's the future and the way to go. With DANE in theory you wouldn't need a CA. I think it's an excellent way to establish authenticity of your content. Problem is that no browser supports it by default, and DNSsec use is marginal. Regards, Giancarlo R

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Stuart Henderson
On 2015-12-11, Constantine A. Murenin wrote: > On 11 December 2015 at 02:58, Thijs van Dijk wrote: >> On 11 December 2015 at 05:51, Andy Bradford >> wrote: >> >>> If one wants privacy on a website then more is required than just HTTPS. >>> >> >> Right. *I* just want a reasonable (256-bit) guaran

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Giancarlo Razzolini
Em 11-12-2015 09:28, Stefan Sperling escreveu: > I would consider signify keys printed on CDs and copied across several > web sites safer than trusting the hundreds of CA certs shipped with a > standard web browser. Didn't we just establish that with HPKP you can disregard the CA completely? At

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread nanaya
Hi, On Fri, Dec 11, 2015, at 23:39, Raul Miller wrote: > On Fri, Dec 11, 2015 at 7:10 AM, Tati Chevron > wrote: > > Why would we trust your mirror? > > A couple things to keep in mind here: > > (1) Security can never be perfect. > (2) Security does not have to be perfect. > And here's a kind

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Raul Miller
On Fri, Dec 11, 2015 at 7:10 AM, Tati Chevron wrote: > Why would we trust your mirror? A couple things to keep in mind here: (1) Security can never be perfect. (2) Security does not have to be perfect. (That said... sometimes traditional computer security seems like people are trying to put ban

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Giancarlo Razzolini
Em 10-12-2015 20:03, Christian Weisgerber escreveu: > The true elephant in the room is that I can't get the current OpenBSD > source tree securely. (Well, _I_ can if push comes to shove, but > the general user community can't.) CVSync? No integrity or > authenticity. AnonCVS over SSH? Nope, no

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 14:16, Tati Chevron wrote: > But even if PKI were actively on fire at the moment (which it is not), >> what's wrong with doing both? >> > > Basically the gain versus the effort and resources expended. > > I agree that there is a value in distributing keys and source code in

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Constantine A. Murenin
On 11 December 2015 at 02:58, Thijs van Dijk wrote: > On 11 December 2015 at 05:51, Andy Bradford > wrote: > >> If one wants privacy on a website then more is required than just HTTPS. >> > > Right. *I* just want a reasonable (256-bit) guarantee that the signify keys > on my screen are the ones t

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Constantine A. Murenin
On 11 December 2015 at 05:37, Anthony J. Bentley wrote: > "Constantine A. Murenin" writes: >> On 8 December 2015 at 19:26, Anthony J. Bentley wrote: >> > Giancarlo Razzolini writes: >> >> One of the main benefits of the TLS wouldn't only be to render >> >> impossible for anyone to know which page

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 01:53:04PM +0100, Thijs van Dijk wrote: On 11 December 2015 at 13:17, Tati Chevron wrote: Would you really trust HTTPS more than a physical CD being mailed to you??? Yes. Both provide some level of accountability, however with PKI you explicitly trust a limited (tho

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 13:51, Tati Chevron wrote: > ...and intercept the package being delivered to you? > > Yes, it's possible, but somebody who had the resources to go to that > extreme, and a motive to single you out as a target, would presumably > have other ways to invade your privacy and in

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 13:17, Tati Chevron wrote: > Would you really trust HTTPS more than a physical CD being mailed to > you??? Yes. Both provide some level of accountability, however with PKI you explicitly trust a limited (though big) number of third parties to do their job properly, and in

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 01:28:04PM +0100, Kamil Cholewiński wrote: The official CDs have the signify key physically printed on them. You press a new CD, print a new cover, etc. ...and intercept the package being delivered to you? Yes, it's possible, but somebody who had the resources to go

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Kamil Cholewiński
> The official CDs have the signify key physically printed on them. You press a new CD, print a new cover, etc. > If you want to rely on third parties, I can send you a copy of the > signify keys, signed by my PGP key. How would that help you at all? Sounds reasonable to me.

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 12:48:19PM +0100, Thijs van Dijk wrote: I'm saying I shouldn't *have* to rely on snail-mailed physical media. We, as a species, have thought of a solution to this problem long ago. I agree in principle that we shouldn't have to rely in physical media to obtain the keys w

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 12:58:38PM +0100, Kamil Cholewiński wrote: This is the real thing bothering me. I don't even have a CD drive available, and I was about to ask if it would be possible to get the signify keys via paper mail in exchange for a donation. The official CDs have the signify ke

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 04:37:39AM -0700, Anthony J. Bentley wrote: Why even bring up OpenBSD 2.3? Anyone running that 19 years after its release has much bigger problems than not being able to connect to www.openbsd.org. I must admit that since gopher://openbsd.org shut down, and tenex support

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 13:10, Tati Chevron wrote: > In either case, I'd be willing to put my money where my mouth is. >> Whom do I contact about running a site mirror? >> > > Why would we trust your mirror? Touché.

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Kamil Cholewiński
> The official CD set contains the signify keys for that release and the > next one. Once you have a known good copy of one set, you can always obtain > future ones securely. > > You don't even need to use the CD set to install, just as a way of obtaining > the signify keys with a high degree of c

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 12:28, Stefan Sperling wrote: > I would consider signify keys printed on CDs and copied across several > web sites safer than trusting the hundreds of CA certs shipped with a > standard web browser. On 11 December 2015 at 12:35, Tati Chevron wrote: > The official CD set

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Anthony J. Bentley
"Constantine A. Murenin" writes: > On 8 December 2015 at 19:26, Anthony J. Bentley wrote: > > Giancarlo Razzolini writes: > >> One of the main benefits of the TLS wouldn't only be to render > >> impossible for anyone to know which pages you're accessing on the site, > >> but also the fact that we

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Tati Chevron
On Fri, Dec 11, 2015 at 11:58:17AM +0100, Thijs van Dijk wrote: On 11 December 2015 at 05:51, Andy Bradford wrote: If one wants privacy on a website then more is required than just HTTPS. Right. *I* just want a reasonable (256-bit) guarantee that the signify keys on my screen are the ones t

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Stefan Sperling
On Fri, Dec 11, 2015 at 11:58:17AM +0100, Thijs van Dijk wrote: > On 11 December 2015 at 05:51, Andy Bradford > wrote: > > > If one wants privacy on a website then more is required than just HTTPS. > > > > Right. *I* just want a reasonable (256-bit) guarantee that the signify keys > on my screen

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Thijs van Dijk
On 11 December 2015 at 05:51, Andy Bradford wrote: > If one wants privacy on a website then more is required than just HTTPS. > Right. *I* just want a reasonable (256-bit) guarantee that the signify keys on my screen are the ones the OpenBSD authors intended me to see. I currently just assume t

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-11 Thread Constantine A. Murenin
On 8 December 2015 at 19:26, Anthony J. Bentley wrote: > Giancarlo Razzolini writes: >> One of the main benefits of the TLS wouldn't only be to render >> impossible for anyone to know which pages you're accessing on the site, >> but also the fact that we would get a little more security getting th

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-10 Thread Andy Bradford
Thus said Jason Barbier on Tue, 08 Dec 2015 10:14:37 -0800: > It is a read only site, the privacy you seek is breached as soon as > you make a DNS call to openbsd.org Not to mention the Subject on the SSL certificate will most likely be www.openbsd.org, and perhaps there's also SNI,

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-10 Thread Christian Weisgerber
On 2015-12-08, szs wrote: > So with letsencrypt here, how about making the main site > default to https? Is this a good idea or is this a great idea? I would like it a lot if www.openbsd.org and cvsweb.openbsd.org switched to https, but I'm not in a position to make it happen. Much of the discu

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Giancarlo Razzolini
Em 08-12-2015 23:23, Stuart Henderson escreveu: > I wasn't aware that > it lets you disregard the CAs though Once the client has the two certs pinned (the primary and the backup), if a malicious CA try to impersonate the server using a forged (although perfectly valid) certificate, the client shou

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Anthony J. Bentley
Kevin Chadwick writes: > The cvs page fingerprint page could be https enabled, however you can > use googles cache over https, also buy a CD to help the project greatly > would do far more for world security than TLS everywhere and even look > at mailing list archives over https as a web of trust.

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Kevin Chadwick
> In the case of www.openbsd.org, using HTTPS isn't so much about > privacy as it is about integrity. Yes, signify(1) is a thing, but > using HTTPS in addition to it would make release and package > downloads more difficult to tamper with. Well packages usually come from mirrors which I know from

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Craig Skinner
On 2015-12-08 Tue 12:06 PM |, szs wrote: > So with letsencrypt here, how about making the main site > default to https? Is this a good idea or is this a great idea? > Copy & Paste from 2013: "OpenBSD site SSL" http://marc.info/?t=13815459562&r=1&w=2 Please don't. That would slow it down & e

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Raul Miller
On Tue, Dec 8, 2015 at 11:22 PM, Nick Holland wrote: > https is a joke. IF and WHEN it works properly, it's too complex for > the real world to understand (ahem...and even recognize). That's not the joke, though - that's the punchline. (1) "Secure" and "Security" mean different (and often confl

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Delan Azabani
On Wed, Dec 9, 2015 at 12:22 PM, Nick Holland wrote: > HAHAHHAHAHA... > you think adding a certificate changes this? > https is a joke. "Some people implement HTTPS poorly sometimes, so we shouldn't try." The amount of effort "wasted" on Let's Encrypting the OpenBSD website is so small compared

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Nick Holland
On 12/08/15 20:26, Anthony J. Bentley wrote: > Giancarlo Razzolini writes: >> One of the main benefits of the TLS wouldn't only be to render >> impossible for anyone to know which pages you're accessing on the site, >> but also the fact that we would get a little more security getting the >> SSH fi

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Stuart Henderson
On 2015-12-09, Giancarlo Razzolini wrote: > Also, now that we have two free TLS certs providers, one can use HPKP > and completely disregard the CA's, which is a security benefit. Also wosign (and, sort-of, cloudflare). btw, HPKP doesn't work too well with letsencrypt as-is (which wants to genera

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Anthony J. Bentley
Giancarlo Razzolini writes: > One of the main benefits of the TLS wouldn't only be to render > impossible for anyone to know which pages you're accessing on the site, > but also the fact that we would get a little more security getting the > SSH fingerprints for the anoncvs servers. Having them in

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Giancarlo Razzolini
Em 08-12-2015 16:24, Michael McConville escreveu: > There are still some privacy benefits to using HTTPS. It will confound a > lot of simple filtering and monitoring software, and what you're reading > on the site is pretty obfuscated. It also helps security on sketchy > networks. > > HTTPS isn't a

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Stuart Henderson
On 2015-12-08, Michael McConville wrote: > Jason Barbier wrote: >> szs wrote: >> > Not for security. >> > For privacy. >> >> It is a read only site, the privacy you seek is breached as soon as >> you make a DNS call to openbsd.org > > There are still some privacy benefits to using HTTPS. It will

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Kevin Chadwick
> >It would actually reduce the security and potential for DDOS against > >openbsd.org despite the heroic efforts that have gone into LibreSSL. So > >where's the benefit to risk analysis for OpenBSD? > > Don't you mean reduce the security and _increase_ the potential for > DDOS against openbsd.o

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Tati Chevron
On Tue, Dec 08, 2015 at 10:11:34PM +, Kevin Chadwick wrote: It would actually reduce the security and potential for DDOS against openbsd.org despite the heroic efforts that have gone into LibreSSL. So where's the benefit to risk analysis for OpenBSD? Don't you mean reduce the security and _

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Kevin Chadwick
> > So with letsencrypt here, how about making the main site > > default to https? Is this a good idea or is this a great idea? > > Don't mistake encryption for security. It would actually reduce the security and potential for DDOS against openbsd.org despite the heroic efforts that have gone i

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Raul Miller
On Tue, Dec 8, 2015 at 3:23 PM, Ted Unangst wrote: > Michael McConville wrote: >> Yes, but it is certainly "Websense" difficult, "Verizon traffic >> monetization dept." difficult, "nosy VPN/exit node operator" difficult, >> and "guy in cafe with Wireshark" difficult. > > But we don't care about an

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Michael McConville
Ted Unangst wrote: > Michael McConville wrote: > > Jason Barbier wrote: > > > szs wrote: > > > > Not for security. > > > > For privacy. > > > > > > It is a read only site, the privacy you seek is breached as soon as > > > you make a DNS call to openbsd.org > > > > There are still some privacy ben

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Ted Unangst
Michael McConville wrote: > Yes, but it is certainly "Websense" difficult, "Verizon traffic > monetization dept." difficult, "nosy VPN/exit node operator" difficult, > and "guy in cafe with Wireshark" difficult. But we don't care about any of those people anymore. The NSA is the only bad guy worth

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Ted Unangst
Michael McConville wrote: > Jason Barbier wrote: > > szs wrote: > > > Not for security. > > > For privacy. > > > > It is a read only site, the privacy you seek is breached as soon as > > you make a DNS call to openbsd.org > > There are still some privacy benefits to using HTTPS. It will confound

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Michael McConville
Jason Barbier wrote: > szs wrote: > > Not for security. > > For privacy. > > It is a read only site, the privacy you seek is breached as soon as > you make a DNS call to openbsd.org There are still some privacy benefits to using HTTPS. It will confound a lot of simple filtering and monitoring sof

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Jason Barbier
rivacy. > > > Original Message > Subject: Re: letsencrypt && https && openbsd.org = > https://www.openbsd.org/ > Local Time: December 8 2015 5:36 pm > UTC Time: December 8 2015 5:36 pm > From: s...@spacehopper.org > To: misc@openbsd.org > >

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread szs
Not for security. For privacy. Original Message Subject: Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/ Local Time: December 8 2015 5:36 pm UTC Time: December 8 2015 5:36 pm From: s...@spacehopper.org To: misc@openbsd.org On 2015-12-08,

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Ted Unangst
Stuart Henderson wrote: > > Besides, who is going to agree to the Subscriber Agreement and indemnify ISRG? Huh? You don't trust robots to perform surgery correctly? oh, wrong ISRG.

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Stefan Sperling
On Tue, Dec 08, 2015 at 12:06:52PM -0500, szs wrote: > Fb jvgu yrgfrapelcg urer, ubj nobhg znxvat gur znva fvgr > qrsnhyg gb uggcf? Vf guvf n tbbq vqrn be vf guvf n terng vqrn? I'm sorry, I couldn't read your message because it was encrypted. How about you sign your messages instead? That way, eve

Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread Stuart Henderson
On 2015-12-08, szs wrote: > So with letsencrypt here, how about making the main site > default to https? Is this a good idea or is this a great idea? Don't mistake encryption for security. Besides, who is going to agree to the Subscriber Agreement and indemnify ISRG?

letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-08 Thread szs
So with letsencrypt here, how about making the main site default to https? Is this a good idea or is this a great idea?