mircea_popescu: "The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation."
BingoBoingo: asciilifeform: The OpenSSL problem is deeper than SSL sucking as so many shitpiles just reuse their functions for other crypto applications
mircea_popescu: the long version being that there's no ssl on trilema because ssl is so fucking broken, the problem it purports to solve but fails to solve can in fact be actually solved by five lines OF PHP.
Naphex: mircea_popescu: so mircea why no ssl on trilema? what if NSA steals my cookie?:(
pankkake: my bank can't even configure their ssl properly
jurov: Naphex you do everything properly and then you get forced to surrender ssl cert to cloudflare anyway
benkay: i'm irritated that i gotta pay 85/year for wildcard ssl certs that normal browsers won't freak out about.
benkay: what bugs me about ssl is the conflation of "this server is authorized to handle requests from this domain" with encrypting the connection between server and client.
mike_c: but you need the underbody wash with your ssl cert. that's extra.
assbot: Wildcard SSL Certificate (Unlimited Subdomains) - Digital SSL Certificates for your Website
assbot: Save money with Wildcard SSL Certificate from Comodo
benkay: christ a wildcard ssl cert is 2 grand
mod6: ahh, yeah, heard they were making SSH stand-alone from SSL/TLS
BingoBoingo: mod6: That's when 5.6 comes out with their redone SSL libraries and stuff.
fluffypony: for $5 a month I get an SSL cert and can use a snake-oil self-signed on the server
fluffypony: "5 days before this article was written Cloudflare started offering Full (Strict) SSL, where traffic between Cloudflare and the origin server is encrypted AND the origin server's cert is validated."
mike_c: davout: same thing for aws. their load balancer sits in front of your servers and handles SSL termination for you
Naphex: varnish doesn't support ssl, so i'd bet that they will PT through regular http pretty often
Naphex: you pay for a varnish cache and a nginx ssl PT
Naphex: my fav part is how blockchain api carries password through cloudflare ssl passthru
Naphex: but it will most likely use x509 certificates, and "ssl authentication"
benkay: jurov: all i mean is that i want to interact with anything btc-related with encrypted messages, and ssl does not count.
Naphex: get SSL working in that :)
bounce: didn't ssl have a patch a while back that went snprintf(d,dlen,s) -> snprintf(d,dlen,"%s",s) ? something like that at any rate
mircea_popescu: twitter.com, Twitter, Inc. VeriSign Class 3 Extended Validation SSL CA, VeriSign, Inc. 05/10/2016 12:59:00 AM GMT TLS v1.2 128 bit ARC4 (2048 bit RSA/SHA)
KRS-1: mircea_popescu did you patch your ssl
[\]: because RPC over SSL isn't a bad thing.
mircea_popescu: we are moving away from ssl and generally pki, and generally usg-crap. forever.
fluffypony: asciilifeform: aren't we moving towards SSL on everything forever?
fluffypony: and then they announce a new SSL cert, wtf
rithm knew he shouldn't have used ssl on his bouncer
benkay: don' want no mo ssl holes like that one
Apocalyptic: hum bitcointalk.org still haven't replaced their SSL cert
benkay: asciilifeform, mike_c, decimation, everyone else interested in ssl
fluffypony: bounce: you could possibly only see people identifying on SSL connections if the SSL/non-SSL memory pools don't overlap
bounce: now I can't help but wonder if your (nickserv/on connect) passwords aren't vulnerable even if /you/ don't connect via ssl to freenode. since loaded library, probably.
Naphex: mircea_popescu: you can basically sniff whole SSL traffic with Heartbleed.
mike_c: it is the process space for whatever is handling ssl connections.. so all ur keyz belong to us
bounce: not all of your assumptions are going to be reasonable, actually. ssl is fairly logical when enabling rpc ("instant security" amirite or amirite), but restricting IP addresses only so if either you have enough clue or someone in your vicinity does. similarly, plenty reasons why you'd leave the wallet unlocked.
midnightmagic: bounce: Only if you've allowed rpc connections from random douches, have turned on ssl, aren't limiting it based on IP, *and* they have your wallet.dat already and have been able to query your bitcoind constantly over time and caught you using the rpc command that unlocks your wallet.
mike_c: trilema.com will do ssl connections, but you can't get the blog.
cgcardona_: dude I just got an email from heroku about the ssl bug w/ this as my list of potentially affected apps: Here are your affected applications:
ozbot: [Python] heartbleed ssl test - Pastebin.com
tg2: #1 google result for "litecoin online wallet", extended validation SSL cert
ThickAsThieves: i don't even know what a SSL really does, nor am I a programmer, but I have successfully purchased and installed one on a system I advised the client was not really secure
mike_c: "being a CA involves tedious, mind-numbingly repetitive yet security critical work that unpaid volunteers are ill equipped to do well." has he ever gone through the process of getting a SSL cert?? they don't do shit.
mircea_popescu: "This means theoretically that if you've been using the flawed iOS or OS X systems since then, a hacker on your shared network could have captured all your data that should have been SSL- or TLS-encrypted for the past 18 months."
jurov: ThickAsThieves: is that the apple ssl code?
Mallstromm: I'm sure not logging on my personal POP3, non-SSL email account through Tor
r3wt: pankkake: should i waste my time with that or should i continue writing ssl sockets for LUA?
Diablo-D3: you proxy them for ssl and caching performance
Apocalyptic: pankkake, you said earlier the payment protocol looks fine to you, did you know Hearn pushes for SSL to be part of it with all the centralized cert authority issues it implies?
mod6: This is an important notice for developers still using HTTP plaintext connections. On January 14th, 2014, connections to api.twitter.com will be restricted to TLS/SSL connections only.
mod6: yeah, same thing with a lot of these places. Verisign got hacked, lost all SSL private keys. Pff.
random_cat: dub: logging into an ssl secured website
jurov`: truffles: you have to surrender ssl cert to cloudflare so that it works effectively
pankkake: doesn't protect against MITM - unless you have your own SSL certificate and check it
taub: oh, it doesn't work without ssl
ozbot: HTTP 2.0 May Be SSL-Only - Slashdot
dexX7: mircea_popescu: you once said "the problem with ssl are the CAs".. so what's your take on issuing your own certificate? i'm aware that users would have to install them themselves etc., but is there any downside with ssl by itself?
Vexual: just make sure those ssl certs are up to date fuckwit
KRS1: thanks for sharing mircea..i handle SSL certs for the company I work for
ozbot: Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010