#soylent | Logs for 2023-06-26
« return
[00:34:28] -!- Runaway1956 [Runaway1956!~Yet@172.83.ig.kzv] has joined #soylent
[00:35:10] -!- Runaway1956 has quit [Changing host]
[00:35:10] -!- Runaway1956 [Runaway1956!~Yet@the.abyss.stares.back] has joined #soylent
[00:44:32] <Bytram> kolie: WB! I hope you enjoyed your time off. Children grow up all too fast... and then all that's left are memories :(
[00:45:39] <Bytram> kolie: please ping me when toy receive this.
[03:24:17] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has parted #soylent
[06:04:23] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has joined #soylent
[06:13:17] <Bytram> karmabot: Those error messages have been coming all weekend. So far, I have received OVER 350 of then. FYI, they are
[06:15:46] <chromas> you might have to start typing a second letter before tab-completing
[06:15:57] <Bytram> the are still coming
[06:18:17] <Bytram> chromas: I noticed, thank you.
[06:23:00] -!- dw861 has quit [Quit: Leaving]
[07:26:19] -!- AzumaHazuki has quit [Ping timeout: 252 seconds]
[10:42:04] -!- norayr [norayr!~norayr@37.252.sq.ypj] has joined #soylent
[10:50:08] -!- norayr [norayr!~norayr@37.252.sq.ypj] has parted #soylent
[10:50:29] -!- norayr [norayr!~norayr@37.252.sq.ypj] has joined #soylent
[11:29:20] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has parted #soylent
[11:51:00] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has joined #soylent
[12:00:56] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has parted #soylent
[15:29:19] -!- norayr [norayr!~norayr@37.252.sq.ypj] has parted #soylent
[15:53:14] -!- halibut has quit [Quit: Timeout]
[15:57:54] -!- halibut [halibut!~halibut@CanHazVHOST/halibut] has joined #soylent
[16:06:52] -!- kolie has quit [Changing host]
[16:06:52] -!- kolie [kolie!~kolie@Soylent/Staff/Management/kolie] has joined #soylent
[16:30:29] <kolie> o/
[16:31:29] <requerdanos> Hi k. bytram was looking for you.
[16:34:09] <kolie> thx
[16:56:21] <fab23> https://www.geekculture.com
[16:56:21] <systemd> ^ �03A reason not to leave the Silo.�
[17:05:49] -!- lilitsyunetsi [lilitsyunetsi!~lilitsyun@37.252.sq.ypj] has joined #soylent
[17:46:09] <kolie> So what's the deal with the site not supporting some encryptions for some users - I'm guessing it has to do with ssl support?
[17:48:04] <janrinok> TLS v1 I think has been removed. For some people that is all they have.
[17:49:00] <janrinok> We mustn't assume that everybody is using this year's iPhone or has the money to spend on any upgrade.
[17:49:31] <kolie> TLS 1.1 and 1.2 were brought in in 2006/2008 so that's not exactly the argument.
[17:49:40] <kolie> But I'll look at what the setting is now.
[17:50:21] <janrinok> I don't care when they were brought it - if the community are using two tins and a piece of string then that is what we should be aiming to meet.
[17:51:14] <kolie> The problem is BEAST and stuff like that are related to 1.0 versions - checking the implications of 1.0 right now though.
[17:51:16] <janrinok> If their provider doesn't give them updates they are stuffed. People who live all over the world don't have the same service that you or I have.
[17:51:41] <kolie> I know all of this janrinok - preaching to the choir on that one.
[17:52:42] <janrinok> my own phone is older than SN
[17:52:50] <kolie> Yea and I'm sure it supports 1.1
[17:53:18] <kolie> I'm looking at whats in the list now and I'll turn on what's missing - as long as there isn't a security issue server side for doing so.
[17:53:42] <kolie> ok yea so 1.1 was disabled.
[17:53:49] <janrinok> THANK YOU
[17:55:20] <janrinok> We had exactly the same problem when TMB did it. We don't appear to have learned from our previous mistakes.
[17:55:33] <kolie> Just some context on this: ios 6.0.1 supports 1.2, chrome 49 xp support 1.2, android 4.4.2 1.2 - It's gotta be old for supporting only 1.1
[17:55:40] <kolie> Yea so what happens is
[17:55:51] <kolie> The upstream providers - of like apache and stuff specify a cipher list
[17:56:22] <kolie> They go based on current recomendations so when we install apache - its not even thought about. It's not like we didnt know people need these ciphers.
[17:56:48] <kolie> So more of - not defining and documenting what needs to be set - having all this in git makes it explicit.
[17:57:30] <kolie> But yea easy to miss given most people just use what the security libraries ship as a default.
[17:57:34] <kolie> They are the crypto lords afterall.
[17:58:09] <kolie> TLS 1.1 is vulnerable to people mitm it
[17:58:17] <kolie> It's based on SHA-1 hashes which we can collide.
[17:58:40] <kolie> That's more of a end user concern though - im checking for any server related problems.
[18:26:26] <janrinok> sorry - I had a phone call incoming. Thanks for identifying it. Is that fix just on staging or will it be on prod too?
[18:27:07] <kolie> I'm not sure what staging is doing rn - the fix i was making will be on prod for now
[18:27:31] <kolie> ill add it into the documentation for the loadbalancer.
[18:27:39] <janrinok> ok thks
[18:28:22] <kolie> checking what dev is doing now.
[18:32:49] <kolie> Here are the largely TLS 1.1 only devices : https://pasteboard.co
[18:32:51] <systemd> ^ �03Pasteboard - Uploaded Image�
[18:33:23] <ted-ious> Supporting tls1.1 enables downgrade mitm attacks doesn't it?
[18:33:29] <kolie> IT does.
[18:33:44] <ted-ious> I can't remember if that's also a problem for tls1.2.
[18:33:47] <kolie> Theres client mitigations.
[18:33:53] <ted-ious> It probably is.
[18:33:53] <kolie> 1.2 isn't prone to the downgrades
[18:34:08] <ted-ious> Ok good.
[18:35:16] <kolie> 1.1 is seriously old - I mean if we are taking smart phones around - most stuff isn't working already. Android 4 is kitkat - the batteries in these devices would've been dead or replaced ten times over.
[18:35:29] <kolie> XP SP3 supports 1.2 - prior to that is an issue.
[18:35:44] <kolie> WIndows 7 oob doesnt support it, fully patches it does.
[18:36:08] <janrinok> ted-ious, as I said, not everybody can upgrade their phones the same way that we might.
[18:36:12] <kolie> Safari 6.0.4 was the last to support it.
[18:36:48] <ted-ious> I can't think of a reason to use something with that many vulnerabilities.
[18:37:01] <ted-ious> Even free stuff from goodwill is safer.
[18:37:02] <janrinok> they can't afford anything better
[18:37:07] <kolie> If they are on a cell plan - don't most plans offer a phone at the current rate ?
[18:37:18] <kolie> It's not iphone 18 but literally android 4.3? its old man.
[18:37:39] <kolie> I got no problem turning it on in theory but lol if you got a phone you can get a phone in the last 15 years.
[18:37:57] <ted-ious> All the major carriers in the english speaking world are desperately trying to get rid of 2g and 3g devices so they can stop paying royalties for the stacks.
[18:38:16] <janrinok> I will tell them that we are not interested in them in our community. I am sure they will understand.
[18:38:41] <ted-ious> Even verizon who are the greediest company ever have been giving away 5g capable phones to anyone with something old just to make the old stuff go away.
[18:38:42] <kolie> Read what I just said - an observation about the feasibility of having a phone 15 years old still and letting them in are different discussions.
[18:38:58] <ted-ious> And at&t decided to just kill the service instead.
[18:39:24] <janrinok> neither of those companies appears to be popular in Peru.
[18:40:19] <kolie> entel bitel and movistar have similar offerings.
[18:40:31] <kolie> Not sure about claro - but they have really good internet pops.
[18:40:42] <ted-ious> I think the only 2g traffic still supported is data only devices like point of sale terminals and security alarm cellular backups.
[18:41:12] <ted-ious> Those things are going to be around forever like cockroaches.
[18:41:12] <janrinok> first world problems....
[18:41:37] <kolie> https://www.nperf.com for reference.
[18:41:40] <systemd> ^ �03Bitel 3G / 4G / 5G coverage - nPerf.com�
[18:41:49] <ted-ious> Anyway there shouldn't be very many people still using tls1.1 on purpose.
[18:42:10] <kolie> Whatever their reason we can enable it I think without too much concern.
[18:42:11] <ted-ious> Maybe a few who don't realize it and need to have their attention gotten.
[18:42:30] <ted-ious> But enabling it allows for downgrade attacks?
[18:42:36] <kolie> Fix your client.
[18:42:41] <kolie> Disable 1.1 if you don't like it.
[18:42:48] <ted-ious> Yes that's exactly what we want them to do. :)
[18:42:56] <kolie> We can force http.
[18:43:04] <ted-ious> That's even worse!
[18:43:16] <kolie> The illusion of a perfect 1.1 connection might be worse.
[18:43:19] <kolie> On http is explicit.
[18:43:40] <kolie> With http - you are basically saying you think your ISP is going to fuck you.
[18:44:06] <ted-ious> If it was my server I'd disable it for half of every hour and for a week I'd run announcements letting people know what was going on.
[18:44:27] <kolie> Or detect they are only on 1.1 and run a popup.
[18:44:29] <ted-ious> That would give a migration schedule and make the world a slightly better place. :)
[18:44:45] <ted-ious> Sure if you could do that easily without breaking anything else.
[18:45:04] <kolie> yea its easy enough to determine what was negotiatied.
[18:45:31] <ted-ious> Oh nice.
[18:45:51] <ted-ious> Then you could poke the 1.2 people next. :)
[18:46:22] <ted-ious> I bet there's a eff.org or something website out there that tells people how to best configure old browsers.
[18:46:37] <kolie> The browser itself needs to have support in it or the libs.
[18:46:46] <kolie> On these android devices - you'd have to root or sideload a working package
[18:46:54] <kolie> And I think for these old versions - there are no libs or browser with it included.
[18:47:08] <kolie> They are all compiled or available for later ones only.
[18:47:19] <ted-ious> Sure but I'm thinking of people who have browsers that are old and misconfigured not ancient and not capable of anything better.
[18:47:35] <kolie> Apparently they still read /.
[18:47:44] <fab23> another problem will be the trust chain to the Let
[18:47:51] <fab23> 's Encrypt certificate
[18:47:59] <ted-ious> Good point.
[18:48:10] <kolie> Every browser can except those tho.
[18:48:12] <ted-ious> I forgot that was a problem for me years ago.
[18:48:24] <ted-ious> kolie: Not without significant work in some cases.
[18:48:24] <fab23> they did quite an effort too keep an old root CA in the chain
[18:48:26] <kolie> Which basically makes http better too because again its explicit you arent protected.
[18:48:36] <kolie> ted-ious, everythings self signed at work I know what it takes.
[18:48:57] <ted-ious> Is that how you fixed it?
[18:49:11] <kolie> Any work machine SHOULD have our work root.
[18:49:11] <ted-ious> Manually accepted le's new master ca cert?
[18:49:42] <kolie> I think the issue is also the new cert - it has new uhh
[18:49:48] <kolie> Well its algo its created with
[18:49:52] <kolie> isnt even supported in those old devices
[18:49:56] <kolie> like its not using rsa 2048
[18:50:09] <ted-ious> How old is sha256?
[18:50:30] <ted-ious> Oh the public key is too new?
[18:50:40] <kolie> the isrg root is signed with sha 256 and sha 1
[18:50:42] <fab23> the thing with the LE root is, that it is not on "old" Android.
[18:51:01] <ted-ious> Now I'm going to end up spending the next day and a half going down crypto standards rabbit holes. :)
[18:51:17] <kolie> yea so it looks like Root X1 is yea its 4096 RSA with SHA 256/1 sigs
[18:51:32] <kolie> R3 intermedia is the same.
[19:03:05] <kolie> Alright 1.1 is enabled on anything new.
[19:04:07] <kolie> And TLS_FALLBACK_SCSV is supported so it should stop downgrades.
[19:08:26] <janrinok> thanks - it will take be a while to get contact with them again.... because they couldn't log in, and they don't yet know that they can now :)
[19:08:46] <kolie> It's not on prod yet.
[19:08:52] <kolie> I'll get it on sometime today.
[19:09:04] <ted-ious> Does that really stop negota downgrade attacks tho?
[19:09:16] <kolie> If the client supports it - yes.
[19:10:49] <kolie> Let's discuss what is vulernable here - the contents of the TLS session. Your SN cookies and login details are potentially accessible - as well as any of the content of that session so posts/comments/etc.
[19:11:26] <kolie> Potentially, a well equipped advisory, could 1) inject into your network stream 2) in real time collide SHA-1 meaningfully 3) downgrade your session to 1.1 and then accomplish the two.
[19:11:46] <kolie> I'm going with nation state actor at that point, and it's probably going to be targetted and not widely down.
[19:12:13] <kolie> If they are targetting you - what you are doing on SN is probably the least of your worries to them.
[19:12:24] <janrinok> exactly
[19:12:26] <ted-ious> I think the biggest threat model is public wifi or some other malicious providr attack.
[19:12:28] <kolie> So I'm fine here enabling 1.1
[19:12:35] <ted-ious> And that has nothing to do with 5 eyes.
[19:13:27] <kolie> Yea the attack may become possible at that scale in years down the road but rn that's a bit of a stretch.
[19:13:43] <ted-ious> Anybody I know who has to use public wifi I have already warned about risks like that but unfortunately I can't get to everybody. :)
[19:14:26] <ted-ious> No I'm talking about the jerk sitting next to you at the library not some big brother controlled hacking and surveillance ai.
[19:14:49] <ted-ious> That jerk is a much bigger threat especially in countries that aren't as nice as america.
[19:18:05] <ted-ious> Oh I'm forgetting about the time the actual nsa attacked slashdot visitors for targetted hacking and persistence. :(
[19:19:47] <ted-ious> I think that was how they hacked into that french company and stole their sim card database?
[19:49:54] -!- norayr [norayr!~norayr@37.252.sq.ypj] has joined #soylent
[21:12:09] -!- kolie has quit [Quit: ZNC 1.8.2 - https://znc.in]
[21:12:52] -!- kolie [kolie!~kolie@208.91.qqu.m] has joined #soylent
[21:27:17] -!- kolie has quit [Changing host]
[21:27:17] -!- kolie [kolie!~kolie@Soylent/Staff/Management/kolie] has joined #soylent