#soylent | Logs for 2023-06-27
[00:12:06] <kolie> So it looks like nginx is set up for tlsv1.1 already actually on prod
[00:12:24] <kolie> something it's using, either the cipher list or openssl itself, isn't supporting it, so it's a deeper fix than just today.
[01:07:21] <chromas> Maybe we just need a separate front-end to support ancient crypto. boomer.soylentnews.org
[01:07:55] <chromas> that way pwning the box (maybe in a vm) doesn't make much available
[01:15:17] <kolie> Ok - I'll play more with it tomorrow on nginx. At the very least it's solved for when we do the production move in a few weeks.
[01:55:05] -!- AzumaHazuki [AzumaHazuki!~hazuki@the.end.of.time] has joined #soylent
[02:42:57] <kolie> apparently I'm a dumb dumb because i just fucked up another journal post
[02:43:29] <kolie> i know it's two steps and i did them and i definitely hit save
[02:43:57] <chromas> Did you wait 20 secs before posting?
[02:44:11] <kolie> wym
[02:44:48] <chromas> I don't know if it's required for journals but for comments and subs you need to acquire a reskey and wait 20 seconds before using it to submit
[02:45:36] <chromas> that all happens in the background and usually is only noticeable if you post right after pasting your text in
[02:49:40] <kolie> yea it was a long one i manually inlit
[02:49:44] <kolie> input
[02:53:38] <chromas> maybe it expired then :)
[02:55:54] <ted-ious> I think there's a firefox addon that saves the contents of big text boxes to prevent that and lets you use vim keys as a bonus. :)
[03:00:20] <chromas> sometimes you can use the back button
[03:00:38] <chromas> but at some point they made FF automatically refresh the page whenever it feels like it when you press back
[03:07:44] <ted-ious> Right, you need an addon to protect you from that.
[03:08:01] <ted-ious> Copying the box contents into persistent buffers. or whatever they do.
[04:59:27] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has parted #soylent
[05:46:07] -!- AzumaHazuki has quit [Ping timeout: 252 seconds]
[05:57:02] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has joined #soylent
[09:12:17] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has parted #soylent
[09:54:04] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has joined #soylent
[09:54:05] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has parted #soylent
[11:12:26] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has joined #soylent
[12:08:28] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has parted #soylent
[12:50:01] -!- [R] [[R]!~rms@zxgmkg.org] has joined #soylent
[12:51:02] <[R]> Moin moin
[15:07:24] <AlwaysNever> kolie "XP SP3 supports 1.2" - that ain't so, Windows XP only supports TLS 1.0 in its native crypto implementation, it is Firefox on Windows XP which can do TLS 1.2 because Firefox brings its own crypto implementation
[15:08:27] <ted-ious> Anyone using internet explorer on windows xp is probably doing it on purpose and deserves the consequences.
[15:08:30] <AlwaysNever> If someone has an XP or Win2k3 machine slurping SN's RSS feed, they are out of luck unless SN supports TLS 1.0
[15:11:03] <AlwaysNever> I would enable TLS 1.0, its attack vectors are purely theoretical
[15:15:08] -!- norayr [norayr!~norayr@37.252.sq.ypj] has parted #soylent
[15:19:32] <fab23> AlwaysNever: as far as I know, also Google Chrome on XP does use the OS crypto as well
[15:20:19] <fab23> ah, the other thing they did not support was SNI as well
[15:23:11] <requerdanos> The issue may not be a simple "enable or disable" the protocols you want; it might depend on what algorithms are supported by the underlying server operating system. The openbsd people are heck on deprecated algorithms and they tend to control that sort of thing.
[15:28:50] <fab23> I have disabled old stuff as well on my personal sites, and also to some degree at the dayjob. I usually check sites on https://www.ssllabs.com to get an A+ ranking. :)
[15:28:51] <systemd> ^ SSL Server Test (Powered by Qualys SSL Labs)
[15:30:49] <fab23> also a good check is with this: nmap -Pn -p443 www.soylentnews.org --script=ssl-enum-ciphers
[15:32:51] <AlwaysNever> Nobody has cracked TLS 1.0 except in highly rigged lab setups
[15:33:13] <AlwaysNever> in the real world, no one has cracked TLS 1.0 against a real target
[15:33:37] <requerdanos> that doesn't stop the openss* folks from disabling the ciphers that are deprecated.
[15:36:28] <AlwaysNever> requerdanos: Does Ubuntu 22.04 not support TLS 1.0 on Apache's mod_ssl with some specific setting?
[15:36:44] <ted-ious> Any comments on this stuff? https://venafi.com
[15:36:45] <systemd> ^ The Danger of Using Outdated TLS 1.0 Security
[15:38:09] <requerdanos> I am not sure it's an issue of supporting TLS 1.0 itself vs. being able to negotiate a common cipher
[15:38:30] <requerdanos> I could easily be wrong because I am just some random idiot, not a server admin.
[15:38:50] <ted-ious> I think relying on the fact that breaking sha1 signatures in real time isn't practical for an adversary is a straw man argument.
[15:38:59] <requerdanos> how so ted-ious ?
[15:39:27] <ted-ious> They could have spent all last month breaking it and now they can substitute their own cert for all transactions that go thru every router they have hacked.
[15:40:17] <requerdanos> is the value in https here "the encryption" or "being able to see the darned website which requires https"
[15:40:18] <ted-ious> Or that jerk sitting next to you in the library we talked about yesterday.
[15:40:47] <janrinok> I think you are clutching at straws with that argument. They might have developed magic powers too, and can now see what you type when they close their eyes.
[15:41:11] <ted-ious> I think the value is not allowing the jerk sitting next to you to inject javascript malware into your session and do evil things to your computer.
[15:41:30] <requerdanos> it's perfectly possible to run https without a redirect, so that people may choose between http and https. I don't know how well rehash would handle such a configuration (i.e. do the links have https hardcoded into them) but it's an idea
[15:42:31] <ted-ious> Remember it was within our lifetimes that the jerk sitting next to you could run sslstrip against the library's wifi and rotate all the images on your web pages upside down in real time.
[15:43:21] <ted-ious> That was real and it happened and it was hilarious at the time but also we were lucky that it didn't turn into digital armageddon before it got fixed.
[15:43:25] <requerdanos> ftp and telnet with in-the-clear passwords have also been within my lifetime. such things we outgrow.
[15:45:10] <ted-ious> If sn is going to be the kind of place that still uses ftp and telnet I am very interested in hearing about it.
[15:46:29] <ted-ious> Especially since the guy with the most root passwords brags about travelling the world and living out of his backpack.
[15:47:11] <requerdanos> I am not aware of any such plans.
[15:47:42] <ted-ious> I don't care if other people want to do dangerously silly things but I'm not going to allow packets into my network from a server that I have every reason to expect is already hacked.
[15:49:02] <ted-ious> Telner and ftp are far to one end of the sliding scale but enabling outdated protocols on purpose is not much behind leaving the site un-updated for years.
[15:49:06] <ted-ious> Telnet
[15:49:43] <requerdanos> what's an example of an attack on a server running TLS 1.0? just curious
[15:51:07] -!- halibut has quit [Quit: Timeout]
[15:54:25] <janrinok> It is much more likely that they have installed a camera in the light above you or on a book shelf behind you and are recording every key stroke that you make.
[15:55:25] <janrinok> and if he is trying to hack SN usernames and passwords he deserves all he gets :)
[15:55:51] -!- halibut [halibut!~halibut@CanHazVHOST/halibut] has joined #soylent
[15:58:29] <janrinok> The site software was out of date before we even got it. We were initially stuck with versions of software that we no longer supported even in 2014.
[15:58:41] <janrinok> * that were no longer
[16:01:10] <requerdanos> The underlying server OS, however, has been updated once or twice
[16:02:57] <janrinok> it was updated once in 2016, and then not until Nov last year I think. I cannot remember an interim update, but I suppose I could have forgotten it.
[16:07:49] <AlwaysNever> in the retro scene, everyone goes to gopher://sdf.org the first thing when they manage to get TCP/IP up and lynx working - it would be cool if https://soylentnews.org would be the reference go-to place for TLS 1.0 support in the retro scene...
[16:07:50] <systemd> ^ SoylentNews: SoylentNews is people
[16:12:58] <ted-ious> Considering how many javascript vulnerabilities such out of date browsers have I don't think that's an ethically responsible thing to do.
[16:12:58] <kolie> AlwaysNever, IE8 on XP SP3 supports 1.1 and 1.2.
[16:14:36] <kolie> TLS 1.0 and 1.1 aren't theoretical. An attacker with $50,000-100,000 in computer power can calculate a hash collision signing the session and insert any data they want. They would need great control over the network and the monetary reason to do so but it isn't purely theoretical - it's been shown in the lab and we can be certain nation states are using it for high value targets.
[16:14:38] <AlwaysNever> kolie: not on my Windows XP SP3, IE 8 only goes up to TLS 1.0
[16:15:02] <kolie> It has to be fully patched which I mentioned previously - but support is there in later XP lifecycles.
[16:17:18] <AlwaysNever> IE 8 on Win XP SP3: https://i.ibb.co
[16:18:59] <kolie> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
[16:18:59] <kolie> "OSVersion"="3.6.1.0.0"
[16:19:00] <kolie>
[16:19:00] <kolie> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
[16:19:00] <kolie> "OSVersion"="3.6.1.0.0"
[16:19:08] <kolie> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
[16:19:08] <kolie> "OSVersion"="3.6.1.0.0"
[16:19:08] <kolie>
[16:19:08] <kolie> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
[16:19:08] <kolie> "OSVersion"="3.6.1.0.0"
[16:19:10] <kolie> oops
[16:19:14] <kolie> meant to pastebin that
[16:19:34] <Ingar> XP should be banned from the net
[16:20:03] <ted-ious> That might be the more simplified approach. :)
[16:20:15] <kolie> https://www.emailarchitect.net
[16:20:15] <systemd> ^ Enable TLS 1.2 on Windows XP/2003/2008/7/2008 R2 in VB6, ASP, C++, Delphi - Example Code - SMTP Component - User Authentication and SSL Connection
[16:20:35] <kolie> https://warwick.ac.uk
[16:20:38] <systemd> ^ Enable TLS 1.2 in Internet Explorer 8, 9 or 10 - IT Services
[16:20:53] <Ingar> also, see: deprecated software
[16:21:09] <kolie> it's beyond deprecated
[16:21:32] <kolie> XP is obsolete.
[16:21:57] <Ingar> and if you disagree with that, I'll install you WinXP64!
[16:22:15] <Ingar> (god damn that was an awful OS)
[16:24:35] <AlwaysNever> well, I've never tried that "Windows XP Embedded" thing
[16:25:06] <Ingar> I did, on a scanner
[16:25:07] <kolie> Yea well the POS world still runs xp, that's why it mentions it.
[16:25:12] <Ingar> tried to hook it up to the domain
[16:25:14] <kolie> But it applies to SP3 just fine.
[16:25:19] <Ingar> had to call supplier for a replacement :D
[16:26:27] <kolie> The alternative on XP is to compile a browser with static compiled tls that doesn't rely on the os calls.
[16:28:37] <fab23> or use Firefox :)
[16:30:02] <Ingar> or don't use XP
[16:30:16] <kolie> well yea firefox did that for you.
[16:30:17] <fab23> of course, this is the best option
[16:30:31] <kolie> I mean if you're rocking XP might as well switch to linux.
[16:30:55] <kolie> I think drivers are finally fully supported on XP era machines - they caught up yea? ;)
[16:31:09] <AlwaysNever> I would still keep TLS 1.0 just for the heck of it on SN, but I guess I won't happen, and in that case I would ditch TLS 1.1 too because very few systems support just up to TLS 1.1 and no higher
[16:31:20] <AlwaysNever> *it won't
[16:36:19] <AlwaysNever> I think TLS 1.0 is going to be built-in, even if disabled by default, in openssl because opportunistic SMTP STARTTLS is better with TLS 1.0 than in clear text
[16:37:06] <AlwaysNever> but I may be wrong, and people may prefer clear text SMTP rather than TLS 1.0-encrypted SMTP when old MTAs are involved
[16:37:49] <kolie> There's two thoughts on that. 1.0 is not outright broken but it's got weak security guarantees.
[16:38:06] <kolie> As long as 3des and stuff isn't in the cipher list.
[16:38:31] <kolie> TLS 1.0/1.1 issues hinge around server side implementations not allowing stupid shit ( ciphers, downgrades, etc) and the security of SHA-1
[16:39:08] <kolie> That means that old clients - who really have sha-1 and need 1.0 1.1, will get to use them at their own risk - and everyone else is more or less not affected by the availability of lower ciphers.
[16:39:34] <kolie> Some people think - just make it clear - it's insecure it's as good as unencrypted which makes it explicit.
[16:39:46] <kolie> I err on the side of - tls 1.0 or 1.1 is better than nothing.
[16:39:49] <AlwaysNever> yes, exactly that, therefore TLS 1.0 would only be used by those without any other recourse
[16:39:56] <kolie> If it was clear or Caesar cipher - then go clear sure.
[16:40:29] <kolie> With 3DES - some people who don't know may have the illusion of security - but then again - those people don't even know TLS blah blah anyways.
[16:41:19] <kolie> So forcing those on server side makes sense - people who don't know they are using really broken stuff need to be hand held on that one.
[16:41:31] <kolie> Just make it explicit - you get clear text.
[16:42:33] <ted-ious> That means you explicitly make those users targets for attack on insecure networks using the simplest tools that even basic script kiddies can manage.
[16:43:33] <AlwaysNever> the point is, when you are a target important enough to have a foe who can break TLS 1.0 on you, your foe is powerful enough to get what he wants from you using the cops or whatever else
[16:43:41] <ted-ious> Do we want to help these poor users improve their lives or do we want them to get hacked and need to throw their old system in the trash?
[16:44:47] <AlwaysNever> A good stick can break any cipher
[16:46:13] <janrinok> You are telling them how to spend their money - if you were telling me I would have a much stronger reply than this one to give you.
[16:46:31] <ted-ious> If the website can detect tls1.0 and easily send them a redirect then sending them to a help page explaining the problem and pointing to links of how to fix it is the ethical thing to do.
[16:47:30] <kolie> Yea I was thinking a popup for 1.0 or 1.1 users.
[16:47:46] <kolie> Cause I've already enabled it so it's a moot point.
[16:47:56] <ted-ious> That's great!
[16:48:16] <ted-ious> So we're already helping make things better.
[16:48:25] <AlwaysNever> ted-ious: anyone using TLS 1.0 is doing it on purpose or because they have no other recourse, not because they are unaware of it, for almost all the WWW is closed to them
[16:48:35] <janrinok> We did that by letting them use TLS 1.0
[16:48:37] <ted-ious> That's more encouragement than I've seen for awhile.
[16:49:55] <janrinok> You know nothing about schoolchildren in other parts of the world. What they have to use for everything that we take for granted.
[16:50:02] <ted-ious> AlwaysNever: Then maybe they should stop reading news stories for a bit and spend some time cleaning up their messes.
[16:50:35] <janrinok> That sounds quite arrogant to me, I'm sorry to say.
[16:54:37] <AlwaysNever> If SN handled financial information of its users, I would not use TLS 1.0 on SN; but as it is, allowing TLS 1.0 permits some hobbyist to hobby
[17:01:37] <AlwaysNever> anyway, in the end using TLS 1.0 or not has to be what the sysops teams feels comfortable with, for they are the ones putting in their time and effort
[17:02:13] <AlwaysNever> I just wish that, if the sysops team is not uncomfortable with enabling TLS 1.0, then they leave it enabled
[17:03:45] <janrinok> If it is not hurting us then I would agree. If there are genuine security concerns then perhaps a rethink is necessary. I do not think that we are at the stage yet.
[17:05:40] <AlwaysNever> I agree, but for some people "genuine security concerns" are practical risks, and for other people "genuine security concerns" are theoretical risks too
[17:06:53] <AlwaysNever> The easier and most secure thing is disabling TLS 1.0, there's no doubt about it; I just think that SN security posture does not merit such a decision
[17:07:33] <janrinok> the 'genuine concern' that I had was that several people have experienced connection difficulties since the upgrade. Some of them have now disappeared. They can't access the site so they don't bother trying anymore. I can't get in touch with them easily to ask them to try again.
[17:08:32] <janrinok> Not a huge number of people, I admit, but they deserve to be helped if we can do it.
[17:10:08] <AlwaysNever> janrinok: as kolie said, even a lowly WinXP box with Firefox can access TLS 1.2, so ANYONE who can afford an Internet connection can afford it too - if he wants, of course
[17:10:43] <AlwaysNever> a machine like what can be gotten from a landfill
[17:10:45] <kolie> And as janrinok noted - some people use potato phones from the turn of the century.
[17:11:09] <kolie> Somehow they afford a monthly cell sub but can't get a newer potato. Or can't get a plan that has a newer potato
[17:11:25] <kolie> Whatever the reason - supporting that unusual case is not a burden.
[17:12:14] <kolie> The reasons are yak shaving - the practicality has been answered.
[17:12:20] <AlwaysNever> some people, me too sometimes, sometimes want to make a silent statement of "resistance against the odd" by rocking obsolete tech - and I SUPPORT that
[17:12:23] <janrinok> That is not accurate - but it is true for the vast majority of people. The monthly cell sub is paid for by a different charity. I simply supply unwanted hardware to them. They cannot use linux - they have to use a specific version of Windows because that is the only system the training material they have works on.
[17:12:56] <janrinok> The world sucks, and I wish it didn't.
[17:14:02] <janrinok> It is used in schools. Some use windmills for power generation. Buying a new cell phone isn't an option. Updating the software isn't an option.
[17:14:48] <janrinok> I am only involved at a superficial level providing unwanted computers.
[17:20:44] <janrinok> I know this because I was contacted by one of the recipients (a teacher) who found my name and email on a label inside a computer.
[17:21:24] <janrinok> There is a whole world out there which is very different from our own.
[17:28:12] <kolie> For some unknown reason setting nginx properly isn't enabling 1.0 or 1.1 on the production stack. I'm not going to dig into it further on prod - it's a time sink at this point - the changes are in the new load balancer so when staging promotes we will be good.
[17:32:20] <janrinok> thanks - I will take what I can get!
[17:47:08] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has joined #soylent
[19:22:19] -!- fliptop has quit [Ping timeout: 252 seconds]
[19:29:53] -!- fliptop [fliptop!~fliptop@67.231.puh.pl] has joined #soylent
[19:31:18] -!- fliptop has quit [Client Quit]
[20:24:00] <chromas> I don't think I've seen any XP POS in the wild recently. Around here it's all Android or occasionally iPads
[21:04:02] -!- norayr [norayr!~norayr@37.252.sq.ypj] has joined #soylent
[21:12:52] <[R]> I recall seeing bliss in the last month
[21:18:23] <Bytram> kolie: Welcome back -- I hope you had a good weekend!
[21:19:07] <Bytram> kolie: As I noticed before the weekend -- and notified you -- I was receiving emails every 10 minutes. It has continued through the entire weekend and is still continuing. I have so far received nearly *600* separate emails. The last time it happened it went on for a long time until someone fixed it. It *can* be stopped (it was stopped before). I ask that you to give it a priority.
[21:19:44] <kolie> I need the emails forwarded to me - not just a paste of what is in them.
[21:19:52] <kolie> If its from both systems I need to see both.
[21:21:04] <Bytram> will do!
[21:21:16] <kolie> There is nothing to fix - the way twitter was handled doesn't work going forward. Needs perl coding to either code a new twitter function or the code to be removed from use.
[21:22:00] <kolie> I haven't seen any patches submitted that fix it.
[21:22:30] <kolie> I tried to adjust the twitter access - but it's clear that twitter has locked out the way we are trying to use it.
[21:22:39] <Bytram> what is your email address? DM me if you prefer.
[21:22:45] <kolie> It's not just tweaking our API key - it needs a code update.
[21:31:12] <AlwaysNever> kolie: I say to hell with Twitter
[21:31:40] <AlwaysNever> purge it from the code
[21:36:07] <Bytram> kolie: email sent
[21:38:09] * Bytram has just returned from being unable to connect for ~1.5 days.
[21:38:40] <kolie> storm damage?
[21:40:20] <kolie> Bytram, did you get an email at 9:40UTC ? ( just now )
[21:41:36] <Bytram> kolie: yes, I did.
[21:42:04] <kolie> yea that's weird, I'm not sure how that's possible. It was from dev.sn again?
[21:45:16] <kolie> I'll try a full rebuild from the makefile - it'll take some time to build.
[21:53:43] <kolie> This makefile man - 540 seconds in and just under a third done.
[22:21:51] <kolie> Bytram, I updated dev again 10:30 UTC shouldn't have a mail from Dev.SN. If it does someone better in perl needs to stab at it.
[22:25:49] <Bytram> I have NOT yet received another email
[22:26:12] * Bytram crosses fingers
[22:45:32] <Bytram> kolie: I have received no further emails :^) THANK YOU!
[22:54:35] <kolie> sweet.