Post Aw6ZEcQ8xBgqrV3V5M by [email protected]
Post #Aw6WnDguacVoRBhqTo by [email protected]
0 likes, 0 repeats
TLS 1.3 is still not secure to be used for the public internet instead of appli…

Post #Aw6WnDneBZtqm4rDyi by [email protected]
0 likes, 0 repeats
And that annoys me. It could be made secure, but that's outside of the scop…

Post #Aw6WnDuNmXHt6y0bTc by [email protected]
0 likes, 0 repeats
TLS is only meant to be used when you can trust the CAs. When your browser come…

Post #Aw6WnE0lOoOLQkzhQG by [email protected]
0 likes, 0 repeats
For example an Android app. You ship the CA pubkey, then you use TLS for all yo…

Post #Aw6WnE7UzlmNle94vA by [email protected]
0 likes, 0 repeats
@ity HTTP public key pinning used to be a thing, but has proven to cause more t…

Post #Aw6WnEEEajAQ6XISQ4 by [email protected]
0 likes, 0 repeats
@ww CAA? Also afaik CT does not protect against the CA simply leaking the privat…

Post #Aw6WnEKyBgYSRQRpuy by [email protected]
0 likes, 0 repeats
@ity CAA is a convention, it doesn't do as much, but you can specify which …

Post #Aw6WnES3lKE4nPlUy8 by [email protected]
0 likes, 0 repeats
@ity like, remember before ACME, one had to generate a keypair and a .csr file …

Post #Aw6WnEZ9Kxth9P5A1I by [email protected]
0 likes, 0 repeats
@ww Ah hmm, I guess that makes sense, I misunderstood how it works. Meaning the o…

Post #Aw6WnEgEubZJVOOp4S by [email protected]
0 likes, 0 repeats
@ity yeah! there isn't much you can do to prevent misissuance without redes…

Post #Aw6WnEmGYCOBo5DdSq by [email protected]
0 likes, 0 repeats
@ww https://notes.valdikss.org.ru/jabber.ru-mitm/ some attackers indeed burn CA…

Post #Aw6WnEt099mE8yN0xk by [email protected]
0 likes, 0 repeats
@ity it wasn't Let's Encrypt. if you can perform active MITM on the sid…

Post #Aw6WnF05inRqUxgg0u by [email protected]
0 likes, 0 repeats
@ww Ah, apologies, am tired x3. Hmm. So this seems to be an issue in ACME? As it…

Post #Aw6WnF6pJkpspqq3Vo by [email protected]
0 likes, 0 repeats
@ity ACME verifies that you control the domain, that's it. any ISP between th…

Post #Aw6WnFCqxLel8XeruC by [email protected]
0 likes, 1 repeats
@ww @ity You can mitigate this with DNSSEC and ACME account binding. The attac…

Post #Aw6WnFgHBxBybnQMlc by [email protected]
0 likes, 0 repeats
And no, mTLS doesn't solve this, because mTLS is just having client auth use…

Post #Aw6WnGxKS2QWYyPUzA by [email protected]
0 likes, 0 repeats
@ity so while it isn't impossible to do the MITM, you can't hide it. yo…

Post #Aw6WnHt6zCeDSBRe3E by [email protected]
0 likes, 0 repeats
@ity which, as I understand, Google is encouraging everyone to send their app s…

Post #Aw6WnI4oHi0O2SuzHk by [email protected]
0 likes, 0 repeats
@ity so like the traffic between you and your users is safe, all their ISPs can…

Post #Aw6X1HXV4x6wQW0dsG by [email protected]
0 likes, 0 repeats
@ww I don't follow. If the ISP can MITM the connection from the ACME verifi…

Post #Aw6X1HdAjreEi6fAiO by [email protected]
0 likes, 0 repeats
@ity yeah, I meant that the ISP between you and your users is unlikely to also …

Post #Aw6X1HkGJVJr45yplY by [email protected]
0 likes, 0 repeats
@ww I don't understand how the section you linked mentions "misconfigu…

Post #Aw6X1HqdvmQJNsxviC by [email protected]
0 likes, 1 repeats
@ity @ww Self-DoS: you lost the private key. The proper way to run something lik…

Post #Aw6ZEcQ8xBgqrV3V5M by [email protected]
0 likes, 0 repeats
@alwayscurious @ity interesting, I didn't know about account bindings. do a…

Post #Aw6ZEcWsY94tCOCsaG by [email protected]
0 likes, 1 repeats
@ww @ity no, but account binding uses the CAA record to tell Let’s Encrypt to…

Post #Aw84tZBlANIwRqIDzs by [email protected]
0 likes, 0 repeats
@alwayscurious @ity oh!! that's really cool, I'm gonna use it. I though…

Post #Aw84tZJug3pIr86jho by [email protected]
0 likes, 0 repeats
@alwayscurious @ity oh, or access to your DNS records, or the resolver that the…

Post #Aw84tZPwJeeB9ovY6C by [email protected]
0 likes, 1 repeats
@ww @ity Let’s Encrypt will not accept an unsigned DNS record without a crypt…
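As an added illustration of the CAA-based ACME account binding the last few posts refer to (the RFC 8657 `accounturi` and `validationmethods` parameters on a CAA `issue` record), here is a small parser and authorization check. This is example code, not code from the thread or from Let's Encrypt; the zone text, CA name and account URI are constructed sample values.

```python
"""Parse CAA 'issue' records and apply RFC 8657 ACME account binding.
Added example, not code from the thread or Let's Encrypt; the zone
text and account URI below are constructed sample values."""
import re
from dataclasses import dataclass, field
# Presentation format of a CAA RR: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')

@dataclass
class CaaIssue:
    domain: str                      # CA identifier; "" or ";" means no CA
    params: dict = field(default_factory=dict)

def parse_caa(text: str) -> list:
    """Return a CaaIssue for every 'issue' RR in a zone snippet."""
    out = []
    for line in text.strip().splitlines():
        m = _CAA_RE.match(line.strip())
        if not m or m.group(2).lower() != "issue":
            continue  # issuewild / iodef tags are out of scope here
        domain, _, rest = m.group(3).partition(";")
        params = {}
        for item in rest.split(";"):
            if "=" in item:
                key, val = item.split("=", 1)
                params[key.strip()] = val.strip()
        out.append(CaaIssue(domain.strip(), params))
    return out

def may_issue(records: list, ca: str, account: str, method: str) -> bool:
    """True if some 'issue' record names the CA and, where the record
    carries them, matches the ACME account URI and validation method."""
    if not records:
        return True  # no CAA records at all: any CA may issue
    for r in records:
        if r.domain.lower() != ca.lower():
            continue
        if "accounturi" in r.params and r.params["accounturi"] != account:
            continue
        methods = r.params.get("validationmethods")
        if methods and method not in [v.strip() for v in methods.split(",")]:
            continue
        return True
    return False  # records exist but none authorises this request

SAMPLE_ZONE = ('0 issue "letsencrypt.org; accounturi=https://example.test/acme/acct/1; '
               'validationmethods=dns-01"\n0 issuewild ";"\n')
```

The decision above assumes the CA obtained the record set itself; whether that lookup can be trusted against a spoofed answer is the DNSSEC point raised in the thread.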