XSF Discussion - 2014-04-08

  26. intosi Sorry guys, my bad. Prosody didn't come back up after upgrading to the new openssl.
  27. intosi StartSSL is probably going to make heaps of money from all the revocation requests they will get.
  28. Kev has joined
  29. dwd has joined
  30. Lance has joined
  31. Link Mauve has joined
  32. Lloyd has joined
  33. Link Mauve It seems there are only two XEPs remaining here: http://xmpp.org/xmpp-protocols/xmpp-extensions/
  34. intosi That's not many.
  35. intosi It's only the index that's broken. The actual XEPs seem to work just fine.
  36. Link Mauve Yeah.
  37. intosi That's a bit of a relief. Still bad, but not as bad as it could be.
  38. Tobias has joined
  39. xnyhps has joined
  40. Zash has joined
  41. intosi Who generates the xeplist?
  42. intosi It was regenerated yesterday evening at 21:19 UTC.
  43. Kev Matt was doing it last night.
  44. Kev He and I spent quite some time trying to work out what the dependencies of Tobias's script were, and getting it to work.
  45. intosi Ah. There might be a slight issue still then.
  46. martin.hewitt@surevine.com has joined
  47. Ge0rG has joined
  48. fippo has joined
  49. fippo blerg
  50. Kev I think on international Internet Is Broken day, probably not our biggest concern.
  51. dwd How are we all doing with "free" certificates today?
  52. intosi Very sucky, thank you very much.
  53. intosi Raspbian doesn't have an update for openssl yet.
  54. intosi They must run their buildbots on RPis.
  55. intosi Kev: right.
  56. intosi Rebooting perseus, see you at the other side of the reboot.
  57. Simon has joined
  58. Link Mauve has joined
  59. intosi has joined
  60. xnyhps has joined
  61. intosi I guess the installed version of Prosody on xmpp.org doesn't let us know we're kicked out of the MUC after all.
  70. dwd .
  71. dwd Ah, goodie.
  72. dwd Amusing thing: RapidSSL refuse emails for revocation requests; they have to be faxes for security.
  73. Ge0rG has joined
  74. dwd So you send your fax using a free online service via email.
  75. Ge0rG intosi: MattJ promised to fix it. I suppose it will be on a Monday
  76. intosi Ge0rG: ta
  77. martin.hewitt@surevine.com has joined
  78. Simon this whole CA thing is just stupid. So broken. You fix revocations, then break it again by needing to use faxes… Bring on DNSSEC!
  79. Simon sorry - grumpy mood.
  80. intosi Simon: I think we all are a bit grumpy. The people with more than a few StartSSL certs even more so.
  81. dwd I think pretty well any sysadmin or devops is in a shitty mood today.
  82. intosi Well, that was the software side of all ik.nu-related machines.
  83. Simon It's hard to comprehend the scale of the heartbeat issue! Just effing mindblowing!
  84. intosi Yup. Especially with PHBs who fail to understand the issue, and won't sign off the expenses for key revocations. A friend of mine happens to have this issue.
  85. MattJ Ge0rG, intosi: What did I promise to fix?
  86. dwd It's so nasty. Not as if you can even switch CA to avoid the bait-and-switch.
  87. dwd MattJ, Everything.
  88. MattJ Was afraid of that
  89. intosi dwd: indeed.
  90. intosi MattJ: xeplist only has two items.
  91. Simon anyone done a startssl revocation dance yet?
  92. Ge0rG MattJ: you wanted to fix heartbeat.
  93. MattJ My comment last night was about MUC/s2s on server reboots :)
  94. Ge0rG MattJ: it was worth a try ;)
  95. fippo mattj: it seems you're leaking all your precious server code in heartbeat!
  96. fippo err... bleed
  97. intosi Simon, I haven't yet. But they will be rising fast on the list of vendors to be dropped in a heartbeat if it turns out that they will insist on me paying for revocation of all my certs… That's a lot of money that would've bought me certs with vendors that do have a sane revocation policy. It's not like you usually revoke them because you thought it would be the fun thing to do today.
  98. dwd Heart Bleed Why do you miss, when my baby kisses me?
  99. dwd Turns out there's loads of songs I never knew about called "Heartbeat". You could build a whole playlist.
  100. Simon intosi: It's easy to bitch about StartSSL. They have also done more than any other CA to get people to start using certs by making the basic certs free.
  101. dwd Oh, this fills me with confidence in StartSSL's knowledge and understanding of security: 72.) I made a mistake, can I get my certificate revoked? Revocations carry a handling fee of currently US$ 24.90. Class 1 subscribers may use a different sub domain in order to create additional certificates without the need to revoke a previously created certificate. Alternatively it's possible to upgrade to Class 2 level which allows to create the same set of certificates once again (besides all the other benefits), because different levels are issued by different issuers, making revocation unnecessary.
  102. dwd Private key compromised? Oh, just get a new certificate, then it's all OK.
  103. intosi yeah, it sucks.
  104. intosi I just mailed them (on a personal title) asking them how they would envision handling this.
  105. dwd Also note that, to my amazement, it's not just free certs they charge for - it's anything below EV.
  106. intosi Yeah.
  107. intosi If someone has been gathering private keys using this exploit, StartSSL customers are a nice target for identity spoofing.
  108. dwd If you claim it was spoofed, they'll revoke it for free, and ban you for life.
  109. dwd So a double win.
  110. intosi Yup.
  111. Tobias has joined
  112. Simon xnyhps: do you plan on adding any checks for old certs / compromised certs to xmpp.net?
  113. xnyhps Simon: Define "compromised"?
  114. dwd Simon, You mean running status checks on them?
  115. xnyhps Certs past their notAfter date (on the moment of testing) are given an F.
  116. Simon anything older than the heartbeat announcement?
  117. xnyhps It doesn't check CRL/OCSP yet.
  118. dwd I noticed a libnss update whizz past on my workstation - am I just being behind, or was that affected?
  119. intosi Strongest would be 'potentially compromised'
  120. intosi You cannot claim the certs are compromised at all.
  121. Simon intosi: you have a point
  122. Simon imagines TLA employee running ./cert-vacuum.sh
  123. MattJ dwd, http://changelogs.ubuntu.com/changelogs/pool/main/n/nss/nss_3.15.4-1ubuntu7/changelog
  124. MattJ http://matthewwild.co.uk/uploads/dsas.png :'(
  125. dwd Oh, different problem.
  126. MattJ intosi, seems someone in prosody@ got an, erm, negative reply from StartSSL
  127. intosi Negative in what sense?
  128. intosi "We will kill your account", or "pay us, we will revoke"?
  129. dwd intosi, The quote was "fuck you stupid", but I'm hoping that's paraphrasing.
  130. intosi Ehm, ouch.
  131. intosi Would be quite unprofessional if it wasn't.
  132. Simon are cert revocations still handled as a massive file that clients download? or is there some kind of querying standard?
  133. MattJ Best answer: both
  134. dwd Simon, CRLs - signed lists - can be downloaded, and there's also OCSP for querying. In addition, servers can provide a recent OCSP response themselves, via OCSP Stapling, a TLS extension.
  135. intosi I shouldn't have had that last cup of coffee.
  136. Simon is informed.
  137. Ge0rG is anybody (read: a client implementation) actually using CRLs or OCSP?
  138. dwd Ge0rG, Swift may well be. But the TLS implementations don't tend to do this for you - NSS might do, but OpenSSL certainly won't.
  139. xnyhps Ge0rG: If you enable it system-wide on OSX, then Adium does.
  140. Simon xnyhps - how does one enable it system wide on OSX?
  141. xnyhps Simon: Open "Keychain Access" -> Preferences -> tab "Certificates"
  142. dwd xnyhps, This isn't on by default?
  143. intosi It's "Best effort"
  144. xnyhps I don't remember what the defaults are, but I'm guessing no.
  145. Simon thanks.
  146. intosi Err, best attempt.
  147. Simon defaults to "best effort"
  148. xnyhps Ah, so it works, except when you need it to work. ;)
  149. intosi Yes, because strict checking would lead to a lessened end-user experience, probably ;)
  150. martin.hewitt@surevine.com has left
  151. martin.hewitt@surevine.com has joined
  152. Alex has joined
  153. Zash has joined
  154. Alex has joined
  155. Lance has joined
  156. Ge0rG intosi: isn't that true of all security measures?
  157. intosi Usually.
  158. dwd Ge0rG, Failing to do security right does also have a detrimental effect on the user experience, too. :-)
  159. Zash has left
  160. Zash has joined
  161. Ge0rG dwd: counter-example: cryptocat
  162. intosi dwd: like leaving your door unlocked. In normal use it's more convenient, until someone empties your home :)
  163. dwd Right, leaving your home unlocked means you can get in and out quickly and easily, but may hamper later attempts to watch the telly you no longer have.
  164. Alex has joined
  165. Santiago26 has joined
  166. Ge0rG http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4817504d069b4c5082161b02a22116ad75f822b1 - Robin Seggelmann broke the Internet. And he also coauthored SCTP-DTLS
  167. Simon anyone know of a hosted XMPP service that lets you upload your cert+key?
  168. Lance has joined
  169. fippo ge0rg: ah, it's not ekr who is accused this time?
  170. Lloyd has joined
  171. Lloyd has left
  172. Zash has left
  173. dwd Friend of mine just pointed out it's not just private keys that could be leaked.
  174. MattJ Of course
  175. Zash has joined
  176. fippo dwd: user data as well
  177. dwd Right, passwords etc.
  178. intosi dwd: pretty much anything in memory of the process, right?
  179. fippo for https also cookies, csrf token etc
  180. MattJ This is what I posted to the Prosody list last night: https://groups.google.com/d/topic/prosody-users/LvbwWkUOGGU/discussion
  181. Kev has joined
  182. Kev intosi: And either process.
  183. dwd Kev, Oh, if a server requests heartbeats of a client?
  184. MattJ Yes, it's possible
  185. MattJ I was going to say in XMPP that's not too exciting, because the server generally knows everything the client knows
  186. MattJ But not in the case of OTR...
  187. intosi Nor in the case of certificate authentication.
  188. dwd Or SRP, or SCRAM.
  189. MattJ True
  190. intosi It appears that once you think you know the magnitude of the impact of this issue, you're not thinking big enough.
  191. Ge0rG basically all data stored in the client or server process is screwed.
  192. Tobias has left
  193. Tobias has joined
  194. MattJ Also on the topic of security issues: http://thread.gmane.org/gmane.comp.security.oss.general/12514/focus=12523
  195. dwd Ah, CVE politics.
  196. Ge0rG the bitcoin client is also linked against libssl. sounds like major emoney movement
  197. jonathan has joined
  198. MattJ No TLS there though, surely?
  199. Zash DTLS perhaps
  200. Zash or hashes and stuff
  201. Zash has joined
  202. Lloyd has joined
  203. Kev https://twitter.com/warrenguy/status/453510021930680320 It gets better.
  204. Ge0rG at least one less of the horrible things: https://twitter.com/agl__/status/453472368589942785
  205. intosi Paraphrasing StartCom: "fuck you"
  206. intosi More detailed:
  207. intosi It's upon the subscriber to take appropriate action since the certificate authority can't enforce which software to use. The terms of service and related fees will not change due to that. See also the Subscriber Obligations at https://www.startssl.com/policy.pdf in particular:    • Never share private keys with any third party and use    adequate protection and best security practices to secure    private keys in order prevent losses and compromises thereof.    • Notify StartCom immediately in case of a private key    compromise and request revocation of the affected    certificate(s). Regards   Signer: Nikolay Duhman, CVO StartCom Ltd. <http://www.startcom.org/> E-Mail: nikolayd@startcom.org Phone: +972-57-631-56-27
  208. intosi I believe StartCom fails to see the scale of this issue.
  209. Ge0rG intosi: yeah, they fail to see it for the many dollar signs in their eyes
  210. Ge0rG intosi: is there a source on that paste?
  211. Kev Well, StartCom's model is free certs and paid for revocations if something goes wrong.
  212. Ge0rG Kev: sensible if something goes wrong due to admin fail.
  213. Ge0rG I wish I could make dumb people pay more for my time.
  214. intosi Ge0rG: what do you mean? This is the answer I got from StartCom when I asked about this issue.
  215. Ge0rG intosi: I mean something like a pastebin URL I could submit to HN for some easy karma points :P
  216. intosi Ah. http://pastebin.com/B0UnY00p
  217. Ge0rG thanks very much :)
  218. Kev FWIW, I don't see that this is worth anger at StartCom. The model was clear up front.
  219. Kev And the openssl vulnerability was hardly their fault.
  220. intosi While true, this might hurt the trust in StartCom. This is not an admin-error either.
  221. intosi In fact, the desire to have better security is one of the reasons many sites upgraded to openssl 1.0.1 in the first place.
  222. Ge0rG it might be good publicity for startcom to open a window of maybe 1 month for free revocations
  223. intosi I will most certainly reconsider my plans to get a Class 2 certification with them. I was about to do that.
  224. Simon Kev: totally agree. Startcom is very clear that their basic certs are free and that additional services are paid for.
  225. Ge0rG StartCom is adding a free angle to the whole CA extortion business.
  226. Ge0rG I also like it how they provide an easy way to generate the private keys on their servers.
  227. Simon yes - that took me by surprise too.
  228. Ge0rG On my paranoid IT-companies-run-by-Mossad list they range right before ICQ
  229. Tobias usability WTF
  230. Simon is happy with the free-for-opensource-certs from globalsign. (but wouldn't touch them if I had to pay)
  231. Tobias Simon, why not?
  232. Simon expensive.
  233. Tobias ah..k
  234. Simon Can't believe we're still putzing around with CAs.
  235. Ge0rG or with TLS
  236. Simon (when IPSEC could solve a lot of this for us)
  237. Simon Bring back double-rot-13
  238. Ge0rG there is even a dedicated opcode on most CPU archs for double-rot13... on x86 it is 0x90
  239. Simon one opcode up from the /dev/null acceleration unit?
  240. dwd intosi, What amazes me is that StartCom charge for revocation on Class 2. I'd not realised that before.
  241. intosi Neither did I until now.
  242. intosi Assumptions, and mothers of something I guess.
  243. dwd In fairness, I only knew about the revocation charges because I'd stumbled on it before. I disagree that it was "clear up front", I don't think you're warned when you're getting the thing.
  244. intosi You're not.
  245. Kev OK. I assumed it was clear, because you'd warned me.
  246. intosi You only find out about it if you read the FAQ, which is usually when you want to revoke.
  247. Kev (Which is why I didn't use them in the end)
  248. Kev (That and I felt more trust towards other CAs)
  249. intosi It's probably buried in the small print somewhere.
  250. Kev has left
  251. Kev has joined
  252. edhelas has joined
  253. edhelas hi
  254. dwd I've only seen it in the FAQ, under "I made a mistake, can I get my certificate revoked?"
  255. intosi There is something in 4.9.1 of the policy.
  256. intosi "Revocations of certificates may carry a handling fee"
  257. Kev OK. That's considerably less obvious than I'd assumed.
  258. intosi Quite.
  259. intosi That footnote only applies to "The subscriber makes a request for revocation".
  260. intosi "The subscriber’s key is suspected to be compromised;" doesn't have a (*)
  261. ralphm has joined
  262. Simon has left
  263. Lance has joined
  264. ralphm intosi: I did know about this. They have to make money somehow, I suppose.
  265. ralphm intosi: I wonder if they make an exception this time around, though
  266. intosi Sure. And for admin-fuckups, I agree.
  267. intosi ralphm: I contacted them, and they said no.
  268. ralphm intosi: I am guessing they will back down on this later today
  269. dwd ralphm, Why? They'll make more money today than they'll have made the rest of the year.
  270. intosi What dwd said.
  271. intosi It might lose them a few customers, but those will be mostly just the free-loaders.
  272. ralphm dwd: depends. it might result in a PR disaster
  273. intosi And perhaps some Class 2 customers who only just found out they are charged for revocation as well.
  274. dwd intosi, Except you can't just walk away if you understand and care about security, so they'll pay the fee anyway.
  275. intosi Yup.
  276. ralphm someone suggested their CA cert should be revoked instead :-)
  277. Santiago26 has left
  278. dwd I'd love to see the handling fee on that.
  279. ralphm 7am. I suppose I should get tonwork early today
  280. ralphm -n
  281. intosi Have some bacon first.
  282. dwd Last hotel I stayed at had unlimited free bacon thanks to my status.
  283. dwd As far as I could tell, despite some efforts on my behalf to find one, there was no AUP either.
  284. ralphm This hotel is pretty good *except* for breakfast. I've never seen things so minimal.
  285. dwd ralphm, US business hotel?
  286. intosi They might charge you a revocation fee should you decide not to eat all your bacon.
  287. ralphm dwd: no. I assume no chef and no dishwasher.
  288. intosi (or if the vendor of your utensils found out it compromised the bacon)
  289. ralphm dwd: the breakfast at Aloft is Royal, in comparison
  290. Kev Golly.
  291. ralphm intosi: the more retweets, the better, maybe
  292. dwd ralphm, What, really? That's really almost travelodgian.
  293. ralphm dwd: plastic ware and no cheese or meats, no eggs, no whole fruits, dry croissants
  294. ralphm They do have a waffle maker, oddly enough
  295. Tobias intosi, any news on wiki.xmpp.org?
  296. intosi Tobias: nothing apart from "works if you allow your browser to remember the cookie for 180 days"
  297. Tobias how do i tell chrome to allow that :)
  298. intosi Well, see the nifty checkbox on the login page?
  299. intosi Check that when logging in.
  300. Tobias ahh :)
  301. Tobias yup..that works...thanks :)
  302. intosi Still need to fix the issue though.
  303. intosi But having a workaround is good.
  304. dwd BTW, Yahoo is apparently leaking passwords via Heartbleed on login.
  305. Kev Yep.
  306. Kev I thought I pasted that in here a while back.
  307. dwd Oh, quite possibly.
  308. MattJ dwd, my favourite is the comments on the Ars Technica article... they posted it while their site was still vulnerable, and now users are posting comments on the article as each other using dumped session cookies
  309. edhelas we need to regenerate our XMPP certificates ? https://xmpp.net/ the certificates are still valid for my server
  310. MattJ edhelas, they may have been compromised though
  311. MattJ i.e. it may have been possible that someone downloaded your key file
  312. edhelas yup
  313. Simon has joined
  314. Simon does anyone know if gtalk.com can pass IQ messages?
  315. Simon or am I being hit by some kind of rate limiting?
  316. Simon seems possible: https://developers.google.com/cloud-print/docs/rawxmpp
  317. ralphm Simon: depends. Since May, many things are broken in this respect
  318. Simon thanks ralphm.
  319. ralphm Like that if the recipient has enabled hangouts, you might not even get iq responses
  320. dwd On reddit, somebody claims that OpenSSL.org was vulnerable two hours ago.
  321. intosi That's… odd. It's mostly down for me.
  322. intosi Ah, no, it's back again.
  323. intosi And filippo.io agrees.
  324. intosi http://filippo.io/Heartbleed/#openssl.org
  325. Tobias has left
  326. Tobias has joined
  327. Alex has joined
  328. edhelas has left
  329. dwd intosi, I'm hearing that test is not reliable - it can give false positives.
  330. Simon I recommend using http://possible.lv/tools/hb/
  331. Ge0rG that test does not retest already tested domains
  332. dwd Ge0rG, Ah, gotcha.
  333. Ge0rG not sure if the caching is browser- or server-side
  334. Tobias i wonder how fast banks are with their patching
  335. dwd I've seen suggestions that some banks have been caught out.
  336. Simon I'm avoiding logging into anything crucial today
  337. Ge0rG looks like my bank is safe.
  338. Tobias dwd, indeed
  339. dwd intosi, Lloyd: Ta for the re-tweet. Bit cheeky. I wonder if they'll reply.
  340. Ash has joined
  341. edhelas has joined
  342. ralphm dwd: given that they are based in Israel, probably not soon
  343. dwd True, they're probably into their evening now.
  344. Lloyd has joined
  345. martin.hewitt@surevine.com has joined
  346. martin.hewitt@surevine.com has joined
  347. dwd The Ars Technica article's comments have a severe misunderstanding of PFS. Sadly, I think you could get at the DH parameters on the server, and that'd make EDH protected sessions pretty weak, wouldn't it?
  348. stpeter has joined
  349. xnyhps dwd: I'd hope the server securely erases the EDH private key as soon as the handshake is done.
  350. m&m has joined
  351. m&m xnyhps: you presume much
  352. Santiago26 has joined
  353. Santiago26 has left
  354. intosi Securely erasing things costs cycles, while a simple free() is much cheaper.
  355. intosi Guess which of the two many developers will choose?
  356. Simon has left
  357. xnyhps I got far enough into the OpenSSL code to see that DH_free is doing something called "cleanse". But then I gave up.
  358. Kev It doesn't just cost cycles, it's hard bordering on impossible, depending on platform.
  359. Flow has joined
  360. Ge0rG the other problem with securely erasing memory is: compilers. optimizing compilers. compilers optimizing away your write-before-free!
  361. Kev That's what I alluded to with 'hard'.
  362. Ge0rG oh, you might as well have referenced managed languages with immutable data types, which are impossible to clean up.
  363. Kev That was the 'impossible' bit :)
  364. m&m nevermind virtualized services
  365. Tobias has left
  366. Ge0rG And what about storage on SSD?
  367. intosi Well, any virtual memory.
  368. Ge0rG intosi: any memory in a modern computer is virtual.
  396. MattJ I've seen a couple of people saying that StartSSL have waived revocation fees now
  397. MattJ Maybe they're seeing the light
  398. stpeter MattJ: wow
  399. stpeter yeah
  400. m&m really?
  401. m&m probably for today only, *IF* it's true
  402. stpeter their servers are probably overloaded
  403. Kev intosi might appreciate a highlight, then.
  414. dwd Just seen someone over in prosody@ say they've had an "Exceptionally revoked without fee" from them.
  415. ralphm dwd: maybe someone just screwed up
  416. ralphm that said, how well do browsers even check revocation?
  417. dwd ralphm, Looked into this. Most pass-on-fail. Chromium and Chrome both seemed to be set to not check by default.
  418. ralphm splendid
  419. m&m not checking is FAST
  420. dwd By "pass-on-fail", I mean if the OCSP server is down they'll just silently pass.
  421. ralphm right
  422. jabberjocke has left
  423. Lance has joined
  424. martin.hewitt@surevine.com has joined
  425. dwd [21:16:17] tribut: hah. for a second cert i just received a request for a paypal transfer. so not always free it seems. @ dwd, ben
  426. Lance has joined
  427. martin.hewitt@surevine.com has left
  428. Ash has left
  429. Flow has left
  430. Lance has joined
  431. Tobias has left
  432. MattJ Meanwhile: https://twitter.com/startssl/status/453631038883758080
  433. ralphm woah
  434. ralphm That's not even trying to be nice
  435. Lance i really don't understand the mixed messages from startssl. they keep saying 'no' to waiving fees, and yet people say they did get waived fees
  436. Tobias has joined
  437. ralphm Lance: right. I am thinking that some of their support people have been slightly more friendly than others