for no apparent reason, usually followed by banning of the user's IP. The last few days, I noticed that massive numbers of Devuan Project regulars were getting notices of the form I'm afraid mischief on Freenode's channels continues. Posted 21:39 UTC (Sun) by rickmoen (subscriber, #6943) Regular meeting 1stĢ0:33 -!- mode/#svlug by ChanServĢ0:33 -!- #svlug You're not a channel operator Silicon Valley Linux User Group's 24x7 meeting. Silicon Valley Linux User Group's 24x7 meeting.Ģ0:33 -!- ChanServ changed the topic of #svlug to: Welcome to #svlug, the Regular meeting 1st Wednesday.ġ5:28 -!- Topic set by redrick ġ5:28 ġ5:28 -!- Irssi: #svlug: Total of 5 nicks ġ5:28 -!- Channel #svlug created Sat Nov 25 22:43:22 2006ġ5:28 -!- Irssi: Join to #svlug was synced in 8 secsġ5:28 -!- mode/#svlug by ChanServĢ0:33 -!- redrick changed the topic of #svlug to: Welcome to #svlug, the Occurrence just now noted without further comment, except that I've had ops (as "redrick") on Freenode's #svlug IRC channel for decades (and that my colleague Rob "lilo" Levin, faults notwithstanding, would have been embarrassed):ġ5:28 -!- Topic for #svlug: Welcome to #svlug, the Silicon Valley Linux User TLS 1.2 is more than twelve years old, if you aren't able to do security updates for over a decade it's time to admit that you do not in fact want security. You shouldn't be using anything older than TLS 1.2. You might be thinking about something like PCI DSS, but that's a standard for the _customers_ the banks gave themselves an opt out, allowing them to choose much less secure options wherever they wanted if it was cheaper or more convenient, because if the bank gets knocked over they'll just pass it on to their customers, why should they care? Banks have terrible cryptographic security and we have to constantly prod them to get them to at least stay vaguely up to minimum standards. You still haven't offered any real insight into what constitutes "older but still good SSL" here so nobody is going to have much advice. Libera.chat forces users who can connect to Freenode with older but still good (unless you’re a bank) SSL but not to libera.chat so it forces them to unencrypted IRC. > All the IRC networks also offer unencrypted connections. There isn't any feature they can enable on their servers that will somehow allow you to get weaker guarantees despite being able to speak TLS 1.3, if this existed obviously it can be used as a downgrade attack, so it had to be prevented. TLS 1.3 didn't change the fundamentals here, it just surfaced something that was already true and you can bet bad guys knew it.Īnyway, because TLS 1.3 has working downgrade prevention, if the server and client are both capable of TLS 1.3 (Libera.chat servers I tried do speak TLS 1.3) either they get TLS 1.3 or the TLS connection simply doesn't work. If an organisation bought one of the many products broken in this way, it was never functional as designed, though good luck getting a refund now. They aren't actually delivering even the security they appear/ pretend to offer.
Doing the above also costs lots of money (or, equivalently, it's incredibly slow and painful because you didn't spend enough money), but again too bad.Īll the "cheap" options are inherently broken. If you can't get clients to trust you, you can't do this, too bad game over, either do or don't let these clients that don't trust you use your network equipment, your choice. You are now literally in the middle and can do whatever you want, passing data from one to the other, altering or recording it as you see fit. Connections are captured by your interposing server, which has a certificate trusted by whichever set of clients you want to accept this nonsense, and then your client makes an entirely separate connection to the real server. You build a TLS client and a TLS server, you may as well use the best available cryptography in each, and you fasten them back-to-back. The only correct way to "mitm all SSL" (TLS) is explicitly spelled out in the standard and goes like this:
0 kommentar(er)
