XSF Discussion - 2014-04-08

  1. jonathan has left

  2. tato has joined

  3. Wojtek has left

  4. Lance has left

  5. Lance has joined

  6. louiz’ has left

  7. tato has left

  8. jonathan has joined

  9. Lance has left

  10. Lance has joined

  11. Lance has joined

  12. Lance has joined

  13. Lance has joined

  14. Lance has joined

  15. Lance has joined

  16. Neustradamus has left

  17. Neustradamus has joined

  18. Santiago26 has joined

  19. Flow has joined

  20. jabberjocke has left

  21. Santiago26 has left

  22. Santiago26 has joined

  23. Tobias has joined

  24. Flow has left

  25. intosi has joined

  26. intosi

    Sorry guys, my bad. Prosody didn't come back up after upgrading to the new openssl.

  27. intosi

    StartSSL is probably going to make heaps of money from all the revocation requests they will get.

  28. Kev has joined

  29. dwd has joined

  30. Lance has joined

  31. Link Mauve has joined

  32. Lloyd has joined

  33. Link Mauve

    It seems there is only two XEPs remaining here: http://xmpp.org/xmpp-protocols/xmpp-extensions/

  34. intosi

    That's not many.

  35. intosi

    It's only the index that's broken. The actual XEPs seem to work just fine.

  36. Link Mauve


  37. intosi

    That's a bit of a relief. Still bad, but not as bad as it could be.

  38. Tobias has joined

  39. xnyhps has joined

  40. Zash has joined

  41. intosi

    Who generates the xeplist?

  42. intosi

    It was regenerated yesterday evening at 21:19 UTC.

  43. Kev

    Matt was doing it last night.

  44. Kev

    He and I spent quite some time trying to work out what the dependencies of Tobias's script were, and getting it to work.

  45. intosi

    Ah. There might be a slight issue still then.

  46. martin.hewitt@surevine.com has joined

  47. Ge0rG has joined

  48. fippo has joined

  49. fippo


  50. Kev

    I think on international Internet Is Broken day, probably not our biggest concern.

  51. dwd

    How are we all doing with "free" certificates today?

  52. intosi

    Very sucky, thank you very much.

  53. intosi

    Raspbian doesn't have an update for openssl yet.

  54. intosi

    They must run their buildbots on RPis.

  55. intosi

    Kev: right.

  56. intosi

    Rebooting perseus, see you at the other side of the reboot.

  57. Simon has joined

  58. Link Mauve has joined

  59. intosi has joined

  60. xnyhps has joined

  61. intosi

    I guess the installed version of Prosody on xmpp.org doesn't let us know we're kicked out of the MUC after all.

  62. fippo has joined

  63. fippo has left

  64. intosi has joined

  65. fippo has joined

  66. Lance has joined

  67. intosi has joined

  68. MattJ has joined

  69. dwd has joined

  70. dwd


  71. dwd

    Ah, goodie.

  72. dwd

    Amusing thing: RapidSSL refuse emails for revocation requests; they have to be faxes for security.

  73. Ge0rG has joined

  74. dwd

    So you send your fax using a free online service via email.

  75. Ge0rG

    intosi: MattJ promised to fix it. I suppose it will be on a Monday

  76. intosi

    Ge0rG: ta

  77. martin.hewitt@surevine.com has joined

  78. Simon

    this whole CA thing is just stupid. So broken. You fix revocations, then break it again by needing to use faxes… Bring on DNSSEC!

  79. Simon

    sorry - grumpy mood.

  80. intosi

    Simon: I think we all are a bit grumpy. The people with more than a few StartSSL certs even more so.

  81. dwd

    I think pretty well any sysadmin or devops is in a shitty mood today.

  82. intosi

    Well, that was the software side of all ik.nu-related machines.

  83. Simon

    It's hard to comprehend the scale of the heartbeat issue! Just effing mindblowing!

  84. intosi

    Yup. Especially with PHBs who fail to understand the issue, and won't sign off the expenses for key revocations. A friend of mine happens to have this issue.

  85. MattJ

    Ge0rG, intosi: What did I promise to fix?

  86. dwd

    It's so nasty. Not as if you can even switch CA to avoid the bait-and-switch.

  87. dwd

    MattJ, Everything.

  88. MattJ

    Was afraid of that

  89. intosi

    dwd: indeed.

  90. intosi

    MattJ: xeplist only has two items.

  91. Simon

    anyone done a startssl revocation dance yet?

  92. Ge0rG

    MattJ: you wanted to fix heartbeat.

  93. MattJ

    My comment last night was about MUC/s2s on server reboots :)

  94. Ge0rG

    MattJ: it was worth a try ;)

  95. fippo

    mattj: it seems you're leaking all your precious server code in heartbeat!

  96. fippo

    err... bleed

  97. intosi

    Simon, I haven't yet. But they will be rising fast on the list of vendors to be dropped in a heartbeat if it turns out that they will insist on me paying for revocation of all my certs… That's a lot of money that would've bought me certs with vendors that do have a sane revocation policy. It's not like you usually revoke them because you thought it would be the fun thing to do today.

  98. dwd

    Heart Bleed Why do you miss, when my baby kisses me?

  99. dwd

    Turns out there's loads of songs I never knew about called "Heartbeat". You could build a whole playlist.

  100. Simon

    intosi: It's easy to bitch about StartSSL. They have also done more than any other CA to get people to start using certs by making the basic certs free.

  101. dwd

    Oh, this fills me with confidence in StartSSL's knowledge and understanding of security: 72.) I made a mistake, can I get my certificate revoked? Revocations carry a handling fee of currently US$ 24.90. Class 1 subscribers may use a different sub domain in order to create additional certificates without the need to revoke a previously created certificate. Alternatively it's possible to upgrade to Class 2 level which allows to create the same set of certificates once again (besides all the other benefits), because different levels are issued by different issuers, making revocation unnecessary.

  102. dwd

    Private key compromised? Oh, just get a new certificate, then it's all OK.

  103. intosi

    yeah, it sucks.

  104. intosi

    I just mailed them (on a personal title) asking them how they would envision handling this.

  105. dwd

    Also note that, to my amazement, it's not just free certs they charge for - it's anything below EV.

  106. intosi


  107. intosi

    If someone has been gathering private keys using this exploit, StartSSL customers are a nice target for identity spoofing.

  108. dwd

    If you claim it was spoofed, they'll revoke it for free, and ban you for life.

  109. dwd

    So a double win.

  110. intosi


  111. Tobias has joined

  112. Simon

    xnyhps: do you plan on adding any checks for old certs / compromised certs to xmpp.net?

  113. xnyhps

    Simon: Define "compromised"?

  114. dwd

    Simon, You mean running status checks on them?

  115. xnyhps

    Certs past their notAfter date (on the moment of testing) are given an F.

  116. Simon

    anything older than the heartbeat announcement?

  117. xnyhps

    It doesn't check CRL/OCSP yet.

  118. dwd

    I noticed a libnss update whizz past on my workstation - am I just being behind, or was that affected?

  119. intosi

    Strongest would be 'potentially compromised'

  120. intosi

    You cannot claim the certs are compromised at all.

  121. Simon

    intosi: you have a point

  122. Simon imagines TLA employee running ./cert-vacuum.sh

  123. MattJ

    dwd, http://changelogs.ubuntu.com/changelogs/pool/main/n/nss/nss_3.15.4-1ubuntu7/changelog

  124. MattJ

    http://matthewwild.co.uk/uploads/dsas.png :'(

  125. dwd

    Oh, different problem.

  126. MattJ

    intosi, seems someone in prosody@ got an, erm, negative reply from StartSSL

  127. intosi

    Negative in what sense?

  128. intosi

    "We will kill your account", or "pay us, we will revoke"?

  129. dwd

    intosi, The quote was "fuck you stupid", but I'm hoping that's paraphrasing.

  130. intosi

    Ehm, ouch.

  131. intosi

    Would be quite unprofessional if it wasn't.

  132. Simon

    are cert revocations still handled as a massive file that clients download? or is there some kind of querying standard?

  133. MattJ

    Best answer: both

  134. dwd

    Simon, CRLs - signed lists - can be downloaded, and there's also OCSP for querying. In addition, servers can provide a recent OCSP response themselves, via OCSP Stapling, a TLS extension.

  135. intosi

    I shouldn't have had that last cup of coffee.

  136. Simon is informed.

  137. Ge0rG

    is anybody (read: a client implementation) actually using CRLs or OCSP?

  138. dwd

    Ge0rG, Swift may well be. But the TLS implementations don't tend to do this for you - NSS might do, but OpenSSL certainly won't.

  139. xnyhps

    Ge0rG: If you enable it system-wide on OSX, then Adium does.

  140. Simon

    xnyhps - how does one enable it system wide on OSX?

  141. xnyhps

    Simon: Open "Keychain Access" -> Preferences -> tab "Certificates"

  142. dwd

    xnyhps, This isn't on by default?

  143. intosi

    It's "Best effort"

  144. xnyhps

    I don't remember what the defaults are, but I'm guessing no.

  145. Simon


  146. intosi

    Err, best attempt.

  147. Simon

    defaults to "best effort"

  148. xnyhps

    Ah, so it works, except when you need it to work. ;)

  149. intosi

    Yes, because strict checking would lead to a lessened end-user experience, probably ;)

  150. martin.hewitt@surevine.com has left

  151. martin.hewitt@surevine.com has joined

  152. Alex has joined

  153. Zash has joined

  154. Alex has joined

  155. Lance has joined

  156. Ge0rG

    intosi: isn't that true of all security measures?

  157. intosi


  158. dwd

    Ge0rG, Failing to do security right does also have a detrimental effect on the user experience, too. :-)

  159. Zash has left

  160. Zash has joined

  161. Ge0rG

    dwd: counter-example: cryptocat

  162. intosi

    dwd: like leaving your door unlocked. In normal use it's more convenient, until someone empties your home :)

  163. dwd

    Right, leaving your home unlocked means you can get in and out quickly and easily, but may hamper later attempts to watch the telly you no longer have.

  164. Alex has joined

  165. Santiago26 has joined

  166. Ge0rG

    http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4817504d069b4c5082161b02a22116ad75f822b1 - Robin Seggelmann broke the Internet. And he also coauthored SCTP-DTLS

  167. Simon

    anyone know of a hosted XMPP service that lets you upload your cert+key?

  168. Lance has joined

  169. fippo

    ge0rg: ah, it's not ekr who is accused this time?

  170. Lloyd has joined

  171. Lloyd has left

  172. Zash has left

  173. dwd

    Friend of mine just pointed out it's not just private keys that could be leaked.

  174. MattJ

    Of course

  175. Zash has joined

  176. fippo

    dwd: user data as well

  177. dwd

    Right, passwords etc.

  178. intosi

    dwd: pretty much anything in memory of the process, right?

  179. fippo

    for https also cookies, csrf token etc

  180. MattJ

    This is what I posted to the Prosody list last night: https://groups.google.com/d/topic/prosody-users/LvbwWkUOGGU/discussion

  181. Kev has joined

  182. Kev

    intosi: And either process.

  183. dwd

    Kev, Oh, if a server requests heartbeats of a client?

  184. MattJ

    Yes, it's possible

  185. MattJ

    I was going to say in XMPP that's not too exciting, because the server generally knows everything the client knows

  186. MattJ

    But not in the case of OTR...

  187. intosi

    Nor in the case of certificate authentication.

  188. dwd

    Or SRP, or SCRAM.

  189. MattJ


  190. intosi

    It appears that once you think you know the magnitude of the impact of this issue, you're not thinking big enough.

  191. Ge0rG

    basically all data stored in the client or server process is screwed.

  192. Tobias has left

  193. Tobias has joined

  194. MattJ

    Also on the topic of security issues: http://thread.gmane.org/gmane.comp.security.oss.general/12514/focus=12523

  195. dwd

    Ah, CVE politics.

  196. Ge0rG

    the bitcoin client is also linked against libssl. sounds like major emoney movement

  197. jonathan has joined

  198. MattJ

    No TLS there though, surely?

  199. Zash

    DTLS perhaps

  200. Zash

    or hashes and stuff

  201. Zash has joined

  202. Lloyd has joined

  203. Kev

    https://twitter.com/warrenguy/status/453510021930680320 It gets better.

  204. Ge0rG

    at least one less of the horrible things: https://twitter.com/agl__/status/453472368589942785

  205. intosi

    Paraphrasing StartCom: "fuck you"

  206. intosi

    More detailed:

  207. intosi

    It's upon the subscriber to take appropriate action since the certificate authority can't enforce which software to use. The terms of service and related fees will not change due to that. See also the Subscriber Obligations at https://www.startssl.com/policy.pdf in particular:
    • Never share private keys with any third party and use adequate protection and best security practices to secure private keys in order prevent losses and compromises thereof.
    • Notify StartCom immediately in case of a private key compromise and request revocation of the affected certificate(s).
    Regards
    Signer: Nikolay Duhman, CVO StartCom Ltd. <http://www.startcom.org/> E-Mail: nikolayd@startcom.org Phone: +972-57-631-56-27

  208. intosi

    I believe StartCom fails to see the scale of this issue.

  209. Ge0rG

    intosi: yeah, they fail to see it for the many dollar signs in their eyes

  210. Ge0rG

    intosi: is there a source on that paste?

  211. Kev

    Well, StartCom's model is free certs and paid for revocations if something goes wrong.

  212. Ge0rG

    Kev: sensible if something goes wrong due to admin fail.

  213. Ge0rG

    I wish I could make dumb people pay more for my time.

  214. intosi

    Ge0rG: what do you mean? This is the answer I got from StartCom when I asked about this issue.

  215. Ge0rG

    intosi: I mean something like a pastebin URL I could submit to HN for some easy karma points :P

  216. intosi

    Ah. http://pastebin.com/B0UnY00p

  217. Ge0rG

    thanks very much :)

  218. Kev

    FWIW, I don't see that this is worth anger at StartCom. The model was clear up front.

  219. Kev

    And the openssl vulnerability was hardly their fault.

  220. intosi

    While true, this might hurt the trust in StartCom. This is not an admin-error either.

  221. intosi

    In fact, the desire to have better security is one of the reasons many sites upgraded to openssl 1.0.1 in the first place.

  222. Ge0rG

    it might be good publicity for startcom to open a window of maybe 1 month for free revocations

  223. intosi

    I will most certainly reconsider my plans to get a Class 2 certification with them. I was about to do that.

  224. Simon

    Kev: totally agree. Startcom is very clear that their basic certs are free and that additional services are paid for.

  225. Ge0rG

    StartCom is adding a free angle to the whole CA extortion business.

  226. Ge0rG

    I also like it how they provide an easy way to generate the private keys on their servers.

  227. Simon

    yes - that took me by surprise too.

  228. Ge0rG

    On my paranoid IT-companies-run-by-Mossad list they range right before ICQ

  229. Tobias

    usability WTF

  230. Simon is happy with the free-for-opensource-certs from globalsign. (but wouldn't touch them if I had to pay)

  231. Tobias

    Simon, why not?

  232. Simon


  233. Tobias


  234. Simon

    Can't believe we're still putzing around with CAs.

  235. Ge0rG

    or with TLS

  236. Simon

    (when IPSEC could solve a lot of this for us)

  237. Simon

    Bring back double-rot-13

  238. Ge0rG

    there is even a dedicated opcode on most CPU archs for double-rot13... on x86 it is 0x90

  239. Simon

    one opcode up from the /dev/null acceleration unit?

  240. dwd

    intosi, What amazes me is that StartCom charge for revocation on Class 2. I'd not realised that before.

  241. intosi

    Neither did I until now.

  242. intosi

    Assumptions, and mothers of something I guess.

  243. dwd

    In fairness, I only knew about the revocation charges because I'd stumbled on it before. I disagree that it was "clear up front", I don't think you're warned when you're getting the thing.

  244. intosi

    You're not.

  245. Kev

    OK. I assumed it was clear, because you'd warned me.

  246. intosi

    You only find out about it if you read the FAQ, which is usually when you want to revoke.

  247. Kev

    (Which is why I didn't use them in the end)

  248. Kev

    (That and I felt more trust towards other CAs)

  249. intosi

    It's probably buried in the small print somewhere.

  250. Kev has left

  251. Kev has joined

  252. edhelas has joined

  253. edhelas


  254. dwd

    I've only seen it in the FAQ, under "I made a mistake, can I get my certificate revoked?"

  255. intosi

    There is something in 4.9.1 of the policy.

  256. intosi

    "Revocations of certificates may carry a handling fee"

  257. Kev

    OK. That's considerably less obvious than I'd assumed.

  258. intosi


  259. intosi

    That footnote only applies to "The subscriber makes a request for revocation".

  260. intosi

    "The subscriber’s key is suspected to be compromised;" doesn't have a (*)

  261. ralphm has joined

  262. Simon has left

  263. Lance has joined

  264. ralphm

    intosi: I did know about this. They have to make money somehow, I suppose.

  265. ralphm

    intosi: I wonder if they make an exception this time around, though

  266. intosi

    Sure. And for admin-fuckups, I agree.

  267. intosi

    ralphm: I contacted them, and they said no.

  268. ralphm

    intosi: I am guessing they will back down on this later today

  269. dwd

    ralphm, Why? They'll make more money today than they'll have made the rest of the year.

  270. intosi

    What dwd said.

  271. intosi

    It might lose them a few customers, but those will be mostly just the free-loaders.

  272. ralphm

    dwd: depends. it might result in a PR disaster

  273. intosi

    And perhaps some Class 2 customers who only just found out they are charged for revocation as well.

  274. dwd

    intosi, Except you can't just walk away if you understand and care about security, so they'll pay the fee anyway.

  275. intosi


  276. ralphm

    someone suggested their CA cert should be revoked instead :-)

  277. Santiago26 has left

  278. dwd

    I'd love to see the handling fee on that.

  279. ralphm

    7am. I suppose I should get to work early today

  280. ralphm


  281. intosi

    Have some bacon first.

  282. dwd

    Last hotel I stayed at had unlimited free bacon thanks to my status.

  283. dwd

    As far as I could tell, despite some efforts on my behalf to find one, there was no AUP either.

  284. ralphm

    This hotel is pretty good *except* for breakfast. I've never seen things so minimal.

  285. dwd

    ralphm, US business hotel?

  286. intosi

    They might charge you a revocation fee should you decide not to eat all your bacon.

  287. ralphm

    dwd: no. I assume no chef and no dishwasher.

  288. intosi

    (or if the vendor of your utensils found out it compromised the bacon)

  289. ralphm

    dwd: the breakfast at Aloft is Royal, in comparison

  290. Kev


  291. ralphm

    intosi: the more retweets, the better, maybe

  292. dwd

    ralphm, What, really? That's really almost travelodgian.

  293. ralphm

    dwd: plastic ware and no cheese or meats, no eggs, no whole fruits, dry croissants

  294. ralphm

    They do have a waffle maker, oddly enough

  295. Tobias

    intosi, any news on wiki.xmpp.org?

  296. intosi

    Tobias: nothing apart from "works if you allow your browser to remember the cookie for 180 days"

  297. Tobias

    how do i tell chrome to allow that :)

  298. intosi

    Well, see the nifty checkbox on the login page?

  299. intosi

    Check that when logging in.

  300. Tobias

    ahh :)

  301. Tobias

    yup..that works...thanks :)

  302. intosi

    Still need to fix the issue though.

  303. intosi

    But having a workaround is good.

  304. dwd

    BTW, Yahoo is apparently leaking passwords via Heartbleed on login.

  305. Kev


  306. Kev

    I thought I pasted that in here a while back.

  307. dwd

    Oh, quite possibly.

  308. MattJ

    dwd, my favourite is the comments on the Ars Technica article... they posted it while their site was still vulnerable, and now users are posting comments on the article as each other using dumped session cookies

  309. edhelas

    we need to regenerate our XMPP certificates? https://xmpp.net/ the certificates are still valid for my server

  310. MattJ

    edhelas, they may have been compromised though

  311. MattJ

    i.e. it may have been possible that someone downloaded your key file

  312. edhelas


  313. Simon has joined

  314. Simon

    does anyone know if gtalk.com can pass IQ messages?

  315. Simon

    or am I being hit by some kind of rate limiting?

  316. Simon

    seems possible: https://developers.google.com/cloud-print/docs/rawxmpp

  317. ralphm

    Simon: depends. Since May, many things are broken in this respect

  318. Simon

    thanks ralphm.

  319. ralphm

    Like that if the recipient has enabled hangouts, you might not even get iq responses

  320. dwd

    On reddit, somebody claims that OpenSSL.org was vulnerable two hours ago.

  321. intosi

    That's… odd. It's mostly down for me.

  322. intosi

    Ah, no, it's back again.

  323. intosi

    And filippo.io agrees.

  324. intosi


  325. Tobias has left

  326. Tobias has joined

  327. Alex has joined

  328. edhelas has left

  329. dwd

    intosi, I'm hearing that test is not reliable - it can give false positives.

  330. Simon

    I recommend using http://possible.lv/tools/hb/

  331. Ge0rG

    that test does not retest already tested domains

  332. dwd

    Ge0rG, Ah, gotcha.

  333. Ge0rG

    not sure if the caching is browser- or server-side

  334. Tobias

    i wonder how fast banks are with their patching

  335. dwd

    I've seen suggestions that some banks have been caught out.

  336. Simon

    I'm avoiding logging into anything crucial today

  337. Ge0rG

    looks like my bank is safe.

  338. Tobias

    dwd, indeed

  339. dwd

    intosi, Lloyd: Ta for the re-tweet. Bit cheeky. I wonder if they'll reply.

  340. Ash has joined

  341. edhelas has joined

  342. ralphm

    dwd: given that they are based in Israel, probably not soon

  343. dwd

    True, they're probably into their evening now.

  344. Lloyd has joined

  345. martin.hewitt@surevine.com has joined

  346. martin.hewitt@surevine.com has joined

  347. dwd

    The Ars Technica article's comments have a severe misunderstanding of PFS. Sadly, I think you could get at the DH parameters on the server, and that'd make EDH protected sessions pretty weak, wouldn't it?

  348. stpeter has joined

  349. xnyhps

    dwd: I'd hope the server securely erases the EDH private key as soon as the handshake is done.

  350. m&m has joined

  351. m&m

    xnyhps: you presume much

  352. Santiago26 has joined

  353. Santiago26 has left

  354. intosi

    Securely erasing things costs cycles, while a simple free() is much cheaper.

  355. intosi

    Guess which of the two many developers will choose?

  356. Simon has left

  357. xnyhps

    I got far enough into the OpenSSL code to see that DH_free is doing something called "cleanse". But then I gave up.

  358. Kev

    It doesn't just cost cycles, it's hard bordering on impossible, depending on platform.

  359. Flow has joined

  360. Ge0rG

    the other problem with securely erasing memory is: compilers. optimizing compilers. compilers optimizing away your write-before-free!

  361. Kev

    That's what I alluded to with 'hard'.

  362. Ge0rG

    oh, you might as well have referenced managed languages with immutable data types, which are impossible to clean up.

  363. Kev

    That was the 'impossible' bit :)

  364. m&m

    never mind virtualized services

  365. Tobias has left

  366. Ge0rG

    And what about storage on SSD?

  367. intosi

    Well, any virtual memory.

  368. Ge0rG

    intosi: any memory in a modern computer is virtual.

  369. Zash has joined

  370. martin.hewitt@surevine.com has left

  371. Neustradamus has joined

  372. jonathan has left

  373. Lance has joined

  374. Tobias has joined

  375. martin.hewitt@surevine.com has joined

  376. ralphm has left

  377. ralphm has left

  378. Kev has left

  379. Kev has joined

  380. jonathan has joined

  381. jonathan has left

  382. martin.hewitt@surevine.com has left

  383. m&m has left

  384. m&m has joined

  385. jonathan has joined

  386. martin.hewitt@surevine.com has joined

  387. Zash has joined

  388. rbarnes has joined

  389. Lance has joined

  390. Lance has joined

  391. jabberjocke has joined

  392. martin.hewitt@surevine.com has left

  393. martin.hewitt@surevine.com has joined

  394. Zash has joined

  395. martin.hewitt@surevine.com has left

  396. MattJ

    I've seen a couple of people saying that StartSSL have waived revocation fees now

  397. MattJ

    Maybe they're seeing the light

  398. stpeter

    MattJ: wow

  399. stpeter


  400. m&m


  401. m&m

    probably for today only, *IF* it's true

  402. stpeter

    their servers are probably overloaded

  403. Kev

    intosi might appreciate a highlight, then.

  404. rbarnes has left

  405. Kev has left

  406. Kev has joined

  407. rbarnes has joined

  408. rbarnes has left

  409. rbarnes has joined

  410. rbarnes has left

  411. jonathan has left

  412. martin.hewitt@surevine.com has joined

  413. martin.hewitt@surevine.com has left

  414. dwd

    Just seen someone over in prosody@ say they've had an "Exceptionally revoked without fee" from them.

  415. ralphm

    dwd: maybe someone just screwed up

  416. ralphm

    that said, how well do browsers even check revocation?

  417. dwd

    ralphm, Looked into this. Most pass-on-fail. Chromium and Chrome both seemed to be set to not check by default.

  418. ralphm


  419. m&m

    not checking is FAST

  420. dwd

    By "pass-on-fail", I mean if the OCSP server is down they'll just silently pass.

  421. ralphm


  422. jabberjocke has left

  423. Lance has joined

  424. martin.hewitt@surevine.com has joined

  425. dwd

    [21:16:17] tribut: hah. for a second cert i just received a request for a paypal transfer. so not always free it seems. @ dwd, ben

  426. Lance has joined

  427. martin.hewitt@surevine.com has left

  428. Ash has left

  429. Flow has left

  430. Lance has joined

  431. Tobias has left

  432. MattJ

    Meanwhile: https://twitter.com/startssl/status/453631038883758080

  433. ralphm


  434. ralphm

    That's not even trying to be nice

  435. Lance

    i really don't understand the mixed messages from startssl. they keep saying 'no' to waiving fees, and yet people say they did get waived fees

  436. Tobias has joined

  437. ralphm

    Lance: right. I am thinking that some of their support people have been slightly more friendly than others

  438. martin.hewitt@surevine.com has joined

  439. martin.hewitt@surevine.com has left

  440. martin.hewitt@surevine.com has joined

  441. edhelas has left

  442. martin.hewitt@surevine.com has left

  443. jonathan has joined

  444. Lance has joined

  445. Tobias has left

  446. martin.hewitt@surevine.com has joined

  447. martin.hewitt@surevine.com has left

  448. Lance has joined

  449. Alex has left

  450. m&m has left

  451. martin.hewitt@surevine.com has joined

  452. intosi has left

  453. intosi has joined

  454. martin.hewitt@surevine.com has left