XMPP Service Operators - 2023-12-12


  1. Riku Viitanen

    I don't get DNSSEC/DANE. So you want to get rid of CAs presumably because you don't want to trust them. So you instead have the One Super-CA To Rule Them All (ICANN, US) which you then can't untrust, or do you break the internet and start from scratch?

  2. Riku Viitanen

    I think it's good that there's some separation of powers, DNS is powerful enough as it is </rant>

  3. MattJ

    Existing CAs validate everything based on DNS anyway, so it's not really a separation of powers

  4. Riku Viitanen

    Yeah, but they can do it from many places, simulating users

  5. Riku Viitanen

    Harder to target one user, for example

  6. Riku Viitanen

    You'd be detected easier

  7. MattJ

    That overcomes a MITM on the network, rewriting the DNS response, sure. But your claim was that DNS providers can't be trusted. If that's the case, you can query from as many locations as you want but DNS will always return whatever the provider returns.

  8. Riku Viitanen

    Trust but verify

  9. MattJ

    What should the CA verify against?

  10. Riku Viitanen

    With separate CAs, to break TLS, you'd have to poison large numbers of users' DNS (CAs', to get the cert, and users' DNS). With DANE, you just poison the user's DNS, that's it, right?

  11. nuegia.net

    jonas’,

  12. nuegia.net

    are you graphing latency or other metrics for o.j.n. monitored hosts?

  13. moparisthebest

    > With separate CAs, to break TLS, you'd have to poison large numbers of users' DNS (CAs', to get the cert, and users' DNS). With DANE, you just poison the user's DNS, that's it, right? Riku Viitanen: nope, you only have to compromise/coerce/break any single one of the hundreds of CAs to break/MITM TLS, and it's trivial to target a specific person or group, with DNSSEC/DANE you'd have to attack the entire internet very publicly, no one would risk it

  14. Riku Viitanen

    > What should the CA verify against? When DigiNotar happened, everyone stopped trusting their certs. When eventually one TLD does something equivalent, will all its names stop working?

  15. Riku Viitanen

    So how's the revocation of a TLD going to work?

  16. jonas’

    nuegia.net: yes

  17. nuegia.net

    jonas’, Can I have access to those graphs for my server? I need to troubleshoot a dos attack

  18. jonas’

    nuegia.net, last time I did that, you couldn't access it because you wouldn't enable javascript. Has your stance on that changed?

  19. yakov

    rofl

  20. nuegia.net

    yes

  21. nuegia.net

    I don't recall all the details on that, but I don't think it was related to a missing polyfill not javascript completely

  22. nuegia.net

    let me try it again

  23. jonas’

    I can set you up tomorrow or so

  24. jonas’

    if the thing still works, nobody used it in quite some time I think, I'll have to check that, too

  25. jonas’

    (the thing being the dashboard setup)

  26. moparisthebest

    Riku Viitanen: besides you have the actual keys and can cache them for as long as the domain says, so you can publish your ZSK with a 10 year validity and even compromised icann and tld couldn't mitm you on any clients that had that cached

  27. Riku Viitanen

    > Riku Viitanen: besides you have the actual keys and can cache them for as long as the domain says, so you can publish your ZSK with a 10 year validity and even compromised icann and tld couldn't mitm you on any clients that had that cached That's PGP

  28. Riku Viitanen

    With extra steps

  29. yakov

    Riku Viitanen, it took months for E-Tugra and TrustCor removals to propagate

  30. yakov

    and people using shit browsers like ancient Firefox forks don't support out of band revocation or proper OCSP/CRLite

  31. yakov

    see also old operating systems with their own CA roots, users will still trust them

  32. unix.dog

    with the way the trust anchors are set up, a compromised ICANN would probably be immediately noticed as they change the keys for big TLDs like .com or .net

  33. nuegia.net

    with the way has handled things the last couple of years can you really blame people for forking?

  34. nuegia.net

    with the way Mozilla has handled things the last couple of years can you really blame people for forking?

  35. yakov

    those forks are directly harming users, but that is offtopic for here

  36. nuegia.net

    There's not a lot of alternatives

  37. Riku Viitanen

    > with the way the trust anchors are set up, a compromised ICANN would probably be immediately noticed as they change the keys for big TLDs like .com or .net Sure, but what about said TLDs?

  38. Riku Viitanen

    > and people using shit browsers like ancient Firefox forks don't support out of band revocation or proper OCSP/CRLite > > see also old operating systems with their own CA roots, users will still trust them You can't ever save everyone

  39. moparisthebest

    I've seriously never heard someone argue that DNSSEC / DANE wasn't far superior to the CA system, only that it's not universal yet because crap TLDs refuse to get with the program

  40. moparisthebest glares at .im

  41. nuegia.net

    yakov, privmsg me about it later. I'd like to hear it.

  42. yakov

    nuegia.net, you and I already spoke about this for hours in c-offtopic years ago

  43. nuegia.net

    moparisthebest, my dns providers still haven't implemented dnssec *sigh*

  44. Riku Viitanen

    > Riku Viitanen, it took months for E-Tugra and TrustCor removals to propagate Months is frankly ludicrously optimistic for a TLD change

  45. moparisthebest

    Be your own DNS provider, not your keys, not your DNS 🤣

  46. nuegia.net

    yakov, I don't remember

  47. unix.dog

    if the TLDs decided to generate a new zone key for you and hijack your nameserver entries, that would also be noticed by you

  48. yakov

    there are still other aspects than just DNS & CA, see RPKI

  49. unix.dog

    and by the clients that are expecting a certain key in their cache

  50. nuegia.net

    Is there a GUI for managing large DNS zones that's also easy to host?

  51. yakov

    https://isbgpsafeyet.com/

  52. moparisthebest

    unix.dog: and the entire world

  53. unix.dog

    yeah

  54. moparisthebest

    nuegia.net: maybe? I just run bind9 and edit text files

  55. unix.dog

    > Is there a GUI for managing large DNS zones that's also easy to host? if I was self hosting dns, I think just editing a zone file would be plenty enough

  56. nuegia.net

    yakov, I'm actually rpki because ARIN charges crazy fees for IPv6 and ASNs

  57. nuegia.net

    and there are no LIRs in north america

  58. moparisthebest

    I mean, I'm positive the answer is yes, like I'd bet money webmin has bind9 support, but I don't know anything to recommend

  59. nuegia.net

    RIPE won't serve North America either

  60. nuegia.net

    *yakov, I'm actually against RPKI because ARIN charges crazy fees for IPv6 and ASNs

  61. nuegia.net

    unix.dog, what are you doing for linting the zones?

  62. unix.dog

    I don't self host my DNS. but I've edited a zone file before

  63. nuegia.net

    having a GUI to manage zones is pretty useful.

  64. nuegia.net

    prevents a lot of stupid mistakes.

  65. nuegia.net

    makes things easy to manage and see at a glance when zones get large.

  66. yakov

    I just keep all my zone files in git

  67. yakov

    can't do that with a web ui

  68. unix.dog

    yeah I can see how that'd be useful, I haven't ever had a zone too huge that just organizing them by types and entries has been too hard

  69. Riku Viitanen

    Yeah, and when they (.com) get caught for doing mitm, "to catch the terrorists" for example, do we all stop using .com domains?

  70. moparisthebest

    > I just keep all my zone files in git Same, and mass edit them with sed etc

  71. nuegia.net

    what about when you throw in dnssec

  72. nuegia.net

    or you have to manually edit the zone's serial number each time you change it

  73. nuegia.net

    don't forget it or everything will break

  74. moparisthebest

    Riku Viitanen: I guess we stop using the internet then, same as we would if aliens came down from the sky and gifted us a better replacement for the internet, both seem equally likely

  75. moparisthebest

    > or you have to manually edit the zone's serial number each time you change it Yes, but if you forget the only thing that happens is your changes aren't pushed

  76. moparisthebest

    DNSSEC is totally transparent

  77. Riku Viitanen

    As you implied earlier, any org (ca or registry) is compromisable

  78. moparisthebest

    CA much more so though, and less visible, hence why DANE is so much better

  79. Riku Viitanen

    When they get compromised, how will that be handled, is my concern.

  80. Riku Viitanen

    I don't trust "no one would do it", what if they do though?

  81. moparisthebest

    So far none of these compromises have been willing to do anything public that could be attributed to them or get them caught

  82. nuegia.net

    I know this is a bit offtopic but I don't like the idea of giving big corporations and sellout what were supposed to be nonprofits control over the very routing protocol over the internet, especially when they prevent the forming of local internet registries for an entire continent, charge untenable fees for number allocations, and allow things like nic.fox, nic.oracle, and the several sony gTLDs that no longer operate.

  83. savagepeanut

    > I've seriously never heard someone argue that DNSSEC / DANE wasn't far superior to the CA system, only that it's not universal yet because crap TLDs refuse to get with the program https://sockpuppet.org/blog/2015/01/15/against-dnssec/

  84. savagepeanut

    First for everything :)

  85. moparisthebest

    What do you mean, anyone can get a gTLD (for only a few hundred thousand dollars)

  86. nuegia.net

    It doesn't take a few hundred thousand dollars to maintain a dns record

  87. moparisthebest

    >> I've seriously never heard someone argue that DNSSEC / DANE wasn't far superior to the CA system, only that it's not universal yet because crap TLDs refuse to get with the program > https://sockpuppet.org/blog/2015/01/15/against-dnssec/ Super outdated and most is no longer true, most DNSSEC is modern EC crypto these days for instance

  88. nuegia.net

    and a single corporation doesn't need a whole gTLD to themselves.

  89. yakov

    Tor solves a lot of these issues

  90. savagepeanut

    Pick two: human readable, secure, decentralized

  91. nuegia.net

    we shouldn't be selling public resources to the highest bidder.

  92. yakov

    capitalism makes the world go round

  93. nuegia.net

    that's cronyism

  94. nuegia.net

    You know the original intention of IPv6 was supposed to make it so every individual on earth could own their own address

  95. nuegia.net

    address space

  96. nuegia.net

    instead that plentiful resource is hoarded by ARIN

  97. nuegia.net

    instead that plentiful resource is hoarded by ARIN to the point of scarcity and continued rent-seeking.

  98. Riku Viitanen

    >> https://sockpuppet.org/blog/2015/01/15/against-dnssec/ > Super outdated and most is no longer true, most DNSSEC is modern EC crypto these days for instance This is still true though: > DNSSEC is the world’s most ambitious key escrow scheme: a backdoor that hands over control of Internet cryptography to world governments. Thankfully, it’s also a total market failure. We should hope it stays that way.

  99. yakov

    nuegia.net, I give out a /64 to every device on my lan

  100. nuegia.net

    yakov, do you actually own those addresses?

  101. nuegia.net

    if you were to switch ISPs, would you still have them?

  102. yakov

    no, but I have no use for that anyway

  103. moparisthebest

    Riku Viitanen: it's nothing at all like a backdoor or key escrow system though, that wasn't correct 30, 10, or 0 years ago

  104. Riku Viitanen

    Except it literally is. The root and tld keys are the ones being escrowed. Those are the ones that matter.

  105. yakov

    security is about layers, don't rely on just one

  106. yakov

    else humpty dumpty will fall off the wall

  107. Riku Viitanen

    Application and policy level is the one that matters in reality.

  108. Riku Viitanen

    Adding a useless layer can worsen security in real world

  109. Riku Viitanen

    You'll just train your users to bypass security warnings in the worst case.

  110. Riku Viitanen

    Here's a great list: https://ianix.com/pub/dnssec-outages.html

  111. Riku Viitanen

    An average user only tolerates a certain amount of nuisance in the name of security. You should do the best you can with it. Not keep adding endless layers of dirt.

  112. Riku Viitanen

    Example: my xmpp server goes down because of dnssec fault somewhere. Someone needs to reach me. Instead of OMEMO, with mutual verification, they'll fall back to sms/call. Not figure out GPG, unless they're a nerd and not in a hurry.

  113. moparisthebest

    Riku Viitanen: I mean if having a key capable of signing keys is a backdoor/key escrow that also describes the CA system perfectly

  114. moparisthebest

    It's funny to "I don't trust the US Govt with keys that would be too public to be abused" (DNSSEC) but "I do trust the US, Chinese, all the others, and 500 companies with the keys they could use secretly at any time" (CA)

  115. Riku Viitanen

    > It's funny to "I don't trust the US Govt with keys that would be too public to be abused" (DNSSEC) but "I do trust the US, Chinese, all the others, and 500 companies with the keys they could use secretly at any time" (CA) I just won't accept that much anything would be too public to abuse. Infosec people are a minority. In the end, most people care more about their-favourite-site.com working, than security. The better solution to a lack of transparency is not to centralise more of everything into things that'll be "too big to fail".

  116. Riku Viitanen

    I'd rather see certificate transparency be widely enforced (for "publicly trusted" CAs)