<Regenaxer>
SSL Client Certificates seem a nice thing
<beneroth>
good morning
<Regenaxer>
Hi beneroth
<beneroth>
Regenaxer, yes they are. but pretty badly implemented in browsers (usability), unfortunately
<Regenaxer>
yes, looks like
<beneroth>
(and it only gets worse, pushed by Google which prefers when people trust their servers and stuff)
<Regenaxer>
In Chrome I don't even find them in the config settings
<beneroth>
I once used a client cert on android (was a pain to set up on the mobile) to authenticate to an nginx webserver, which had a picolisp app running behind it
<beneroth>
it's not that complicated, just a bit of work to generate all the necessary certificates. and it is a hassle to install them on the client, more than it should be...
<Regenaxer>
hmm, that's a pity
<yunfan>
Regenaxer: just use js based keypair solution
<beneroth>
basically you create a CA certificate, then an intermediate cert from that (maybe optional?), use this to sign generated client certificates, then install client cert on client device.
<Regenaxer>
yunfan, right, something self-rolled
<yunfan>
Regenaxer: and always use a cellphone or other reliable way to handle a seed number
<beneroth>
webserver gets the intermediate cert. on a request it sends a HTTP header to the client to send a client cert, webserver checks if it's signed by its cert -> pass.
<yunfan>
Regenaxer: telegram uses that method while we chinese have already used that for several years
<beneroth>
cellphone to handle a seed number?
<yunfan>
it's a benefit to live in django :D
<aw->
tankf33der: thanks for the links
<yunfan>
beneroth: yes, via sms
<beneroth>
ah. very insecure :P
<yunfan>
beneroth: like 8 digits
<yunfan>
don't worry, just a seed
<yunfan>
not the only seed
<yunfan>
maybe it should be called salt
<beneroth>
what did you mean by django? python django?
<Regenaxer>
It is for a business app. I can imagine a real-time handshake with the admin
<Regenaxer>
Could be simply stored in a cookie then
<yunfan>
nope, I mean the real django
<Regenaxer>
I don't abandon the normal password login, just an additional identity check
<yunfan>
what I meant is chinese network society is like a giant django
<yunfan>
crackers run everywhere
<Regenaxer>
The western movie hero?
<Regenaxer>
Eastwood
<yunfan>
so we people living there were forced to develop our own attitude to security
<beneroth>
I guess yunfan means jungle
<Regenaxer>
ok
<yunfan>
beneroth: ah, yes, sorry for my misspelling
<beneroth>
no worries, just a bit of confusion :)
<Regenaxer>
right, np :)
<beneroth>
yeah. also your network topology is very dynamic, is it not? IPv4 shortages etc?
<yunfan>
basically our network society is a defensive model, based on the fact that no one can be trusted
<yunfan>
yes, and that caused the popularity of p2p tools :D
<beneroth>
p2p is a good mitigation against single points of failure :)
<yunfan>
so when I first heard that credit cards in your countries don't need a password, that made me shocked :D
<beneroth>
in "the west", the big corporations all try to be the single point of failure.
<yunfan>
but we chinese users like to clean computer garbage on the disk
<yunfan>
I think that made the whole p2p network not that reliable
<yunfan>
because download cache was considered as garbage too
mtsd has joined #picolisp
<beneroth>
credit cards in europe usually require a PIN number to enter during payment irl, and sometimes (depending on the credit card company) a password when paying online
<mtsd>
Good morning channel!
<beneroth>
Good morning mtsd :)
<yunfan>
there's a tool named 360 computer guard, which is installed on almost every chinese family computer (windows version)
<Regenaxer>
Good morning mtsd!
<mtsd>
Good morning :)
<beneroth>
but most chinese family computers are cracked windows XPs, no? so the legends say :P
<yunfan>
beneroth: a password requirement is forced in china :D
<yunfan>
beneroth: of course, now it's win7/win10
<beneroth>
oh ok.
<beneroth>
so no more IE6, good :D
<yunfan>
microsoft used to have a relationship with many chinese factories to produce windows 10 based tablets
<yunfan>
and they gave many free win 10
<beneroth>
I see.
<yunfan>
after that, those factories started to produce keyboards and notebooks :D
<beneroth>
though China is one of the only nations who takes this "dependency on US company is maybe a bad thing" topic seriously :)
<yunfan>
so it has free win10 and cash benefit from MS and Intel
<beneroth>
ah nice
<yunfan>
beneroth: nope, at least china is not the first one
<yunfan>
beneroth: if you were older than me, you might remember the time japan was like china right now
<beneroth>
I might be the same age or younger than you xD
<beneroth>
I'm 30
<yunfan>
as I read from the report archive, japan used to face many of the problems china faces right now
<yunfan>
i am 32 :[
<beneroth>
Regenaxer knew Japan 40-50 years ago
<yunfan>
and the japanese had plans to build their own cpu/os/big airplane/ etc
<yunfan>
just like china does today
<Regenaxer>
beneroth, just 30-40 ;)
<beneroth>
no need to build your own OS, just take gnu/linux
<yunfan>
also the US has hit japan once
<beneroth>
Regenaxer, ok, sorry :P
<Regenaxer>
:)
<Regenaxer>
time flies
<yunfan>
beneroth: don't worry, many of the so called chinese own OSes are just a customized linux hahaha
<beneroth>
yeah of course
<beneroth>
that is what I heard
<beneroth>
french federal police switched to linux in secret, because they were afraid (rightly so) of Microsoft lobbying against it.
<yunfan>
I think a federated network model might be much more important than our own OS
<beneroth>
in germany, some towns switch to linux, some switch back to windows (because microsoft got some friends in new local government), a mess
<yunfan>
beneroth: well, not just ms, if you choose windows, you are just a shining bulb in the dark night, aren't you
<beneroth>
Switzerland is mostly windows. and I fear the government IT is pretty bad (security-wise) :)
<yunfan>
beneroth: well, I just got a funny picture that shows some of the chinese traffic control using linux, I will show you the picture
<beneroth>
ATMs and bus information screens here use windows. you can see when it sometimes crashes and there is a windows screen instead of a timetable :)
<beneroth>
technically nonsense, but windows was dominant in the 90s when the companies started who produce this stuff, so they never switched.
<yunfan>
beneroth: I have seen on the subway many OSes like windows, dos, even ubuntu
<tankf33der>
can't translate
<tankf33der>
if the index was at least 4
<tankf33der>
(= 4 index) ?
<tankf33der>
or (> 4 index) ?
<Regenaxer>
or (member X (cdddr L)) ?
<Regenaxer>
more efficient I think
<tankf33der>
nono
<tankf33der>
problem in translation from english
<Regenaxer>
otherwise "at least" is '>='
<tankf33der>
oh
<tankf33der>
i see
<Regenaxer>
Why does 'member' not work?
<Regenaxer>
not (index X L) ?
<tankf33der>
because there are no lists
<Regenaxer>
understand
<Regenaxer>
I was assuming the 'index' *function*
<tankf33der>
:)
<Regenaxer>
The cookie solution with a key from the database would work fine. Problem is that people delete all cookies when closing the browser. Any idea anybody?
<Regenaxer>
AKA super cookie. I don't want to track anybody, just identify the client
<Regenaxer>
In PilBox I use UUID, but here I need something on PCs
<Regenaxer>
I could make a key file or cert to download once, then upload quickly with a button
<Regenaxer>
But that's tedious for the user, must locate the file on the PC to upload it
<beneroth>
cookie would be the intended solution for this. most people don't delete their cookies on browser closing btw (depends on browser settings, and cookie needs to have a valid-to date, without valid-to date = delete after session = closing tab)
<Regenaxer>
Yeah, but this client does (and me too in fact)
<beneroth>
wouldn't the file upload be equal to traditional username + password (just longer password) ?
<Regenaxer>
Sure, but they want unregistered people to be excluded even from login
<beneroth>
need more context
<Regenaxer>
They are afraid that most users use weak passwords
<Regenaxer>
It is paranoia
<beneroth>
two factor authentication? (it's less comfortable) ?
<beneroth>
client certs, if the client device can be trusted
<Regenaxer>
That was my initial idea
<Regenaxer>
But complicated to use (as you said too)
<beneroth>
not complicated to use, but complicated first setup
<beneroth>
and maybe not possible on all devices :(
<Regenaxer>
And not supported by some browsers
<Regenaxer>
T
<Regenaxer>
The easiest would be to tell them *not* to delete cookies
<Regenaxer>
But this smells bad
<Regenaxer>
(I have cookies completely disabled on most browsers)
<beneroth>
shortcut to save with a long secret key as GET parameter? people could save it on their desktop/mobile, and use it to access. not very save though :)
<beneroth>
s/save/secure
<Regenaxer>
yes, good idea
<Regenaxer>
Encode in the desktop shortcut
<beneroth>
make sure to have HTTPS and ...I forgot the name.. the header which on first visit tells browser to only ever connect via HTTPS..
<Regenaxer>
and tedious on mobiles
<Regenaxer>
This is default anyway
<Regenaxer>
not the problem here
<beneroth>
it's not so tedious on mobiles, most have a "add to screen" function in browsers (there is even a special icon similar to favicon for it)
<Regenaxer>
They don't worry about being eavesdropped
<Regenaxer>
just others should not be able to log in
<beneroth>
so what do they worry about? bad user actions?
<Regenaxer>
no
<Regenaxer>
foreigners
<Regenaxer>
competition
<beneroth>
foreigners can also eavesdrop
<beneroth>
WLAN in public coffee shops etc
<yunfan>
beneroth: you were basically asking for a solution to fingerprint users
<beneroth>
yunfan, not me, Regenaxer :)
<Regenaxer>
No, it is all https of course
<yunfan>
ok, given my background in the mobile AD domain, I could name some
<Regenaxer>
I meant they don't worry about that here
<yunfan>
like using flash cookie
<beneroth>
yeah, that's a horrible thingy :P
<yunfan>
or using canvas fingerprints
<Regenaxer>
No flash ;)
<beneroth>
or E-Tags
<yunfan>
and how about the localstorage used by html5 standard?
<Regenaxer>
What is that?
<yunfan>
also a cache link color bug was found last year
<yunfan>
maybe many users still use the unpatched browser
<yunfan>
in which that bug is still useful
<beneroth>
just use username + password + either check password strength when a password is set and/or have a bruteforce running all the time attacking the users login and immediately lock the ones you are able to break + send them a strong worded email ;-)
<Regenaxer>
I know, it is *paranoia*
<Regenaxer>
I told them all that
<beneroth>
have a log of all logins + browser agents + devices. check for unusual patterns. sell it to them like snakeoil.
<Regenaxer>
hehe
<beneroth>
or IP whitelisting :P
<Regenaxer>
All too unstable
<beneroth>
very uncomfortable
<beneroth>
:)
<Regenaxer>
no, it involves mobiles
<Regenaxer>
worldwide moving around
<Regenaxer>
beneroth you know, BTG
<beneroth>
it's the same customer whose IT department once wanted an additional VPN for connection to your backends?
<Regenaxer>
yes
<Regenaxer>
exactly same issue still
<beneroth>
sounds like political pain. you wanted me to inherit this customer one day? argh.
<beneroth>
xD
<Regenaxer>
yep! :D
<Regenaxer>
They are very nice
<Regenaxer>
just paranoid
<beneroth>
does the debate actually involve any arguments? or is it just emotions?
<Regenaxer>
their precious database might be read by competition
<beneroth>
no point in bringing a rational solution to an emotional issue.
<Regenaxer>
I think the args are all told
<beneroth>
what about "principle of least access" ?
<Regenaxer>
They feel uneasy if the login page is even visible
<Regenaxer>
least access?
<beneroth>
is that already implemented.. meaning minimizing harm when a login gets captured
<beneroth>
every person only gets access to what they need for work. nothing more.
<Regenaxer>
no, they don't worry about hard facts
<Regenaxer>
Site visible == bad
<aw->
beneroth: you speak French?
<Regenaxer>
Someone might *try* to log in
<beneroth>
ok, then don't counter with hard facts, just make sure your counters are not easily destroyed using hard facts
<Regenaxer>
It is a politicum
<Regenaxer>
The IT department wants to keep control
<beneroth>
aw-, unfortunately, no. I had like 7 years of french in school but I can hardly speak a proper sentence. I can partly understand written french.
<beneroth>
ok, then just generate a log of all logins from all IPs etc. send them the log for manual review. keeps 'em busy :P
<aw->
oh ok! sorry to interrupt, a bit off-topic ;)
<beneroth>
aw-, no problem, just do it! :)
<beneroth>
aw-, my gf speaks french, she grew up in the french speaking part of switzerland
<beneroth>
Regenaxer, make them a nice website to review login logs and make it easy for them to lock/unlock user accounts :P
<beneroth>
so they have a feeling of being in control
<Regenaxer>
No
<aw->
cool, I wasn't sure if all Swiss learn French or not
<Regenaxer>
This is all not the point
<aw->
btw another off-topic, MAL is down, it's driving me insane haha
<Regenaxer>
ok, thanks! ;)
<beneroth>
aw-, not all do, but all swiss learn at least one of the other official swiss languages (german, french, italian, and romansh)
<beneroth>
aw-, most german speaking Swiss learn French in school (I did, but learned badly, had a new teacher in french like every two months due to a shortage of teachers), except some german-speaking areas in the south-east which are closer to the italian-speaking part, they usually learn italian
<aw->
i see
<beneroth>
french and italian parts usually get taught german, afaik
<beneroth>
but in recent years "early english" got introduced in the earlier school years, and now there is some debate about learning two languages at an early age maybe being too much (even 3, as "german german", which we use for writing, is kind of a foreign language for Swiss)
<beneroth>
but then you cannot drop an official swiss language in favour of international english, naturally ;)
<beneroth>
most younger french and german speaking swiss nowadays talk english with each other, because they speak better english than french or german
<beneroth>
aw-, MAL ?
<aw->
learning 2 langs at very young age is not difficult, or impossible
<aw->
i can confirm
<beneroth>
Regenaxer, if a non-solution to give them their peace of mind is not a way, then I would say client certs is the only rational way
<Regenaxer>
yeah, or non-deleted cookies
<beneroth>
yeah, better start with cookies and see where the issues are
<Regenaxer>
I cannot present something complicated, cause then they stay with VPN
<beneroth>
VPN is also complicated because it's different on most devices...
<Regenaxer>
yes, but IT department does it
<Regenaxer>
for few devices until now
<Regenaxer>
this changes with the new system, many mobiles
<beneroth>
VPN login can be brute-force attacked. authentication via cookie or GET parameter token can be brute forced. login can be brute forced. it's all the same. just have a system in place to detect false logins and make an alert and block the corresponding IP.
<Regenaxer>
With PilBox, but browser access to the main application must also work
<Regenaxer>
They don't understand such arguments
<Regenaxer>
VPN is a black box for them
<beneroth>
then you have to sell them another black box which gives them a good feeling.
<Regenaxer>
exactly
<beneroth>
then it's not a technical problem but a selling/emotional one.
<Regenaxer>
But sell *what*
<beneroth>
maybe try to get some statistics about VPN security vs. security of your scheme
<Regenaxer>
registering a browser they understand
<Regenaxer>
just tell a key on the phone
<Regenaxer>
no
<Regenaxer>
statistics won't help
<Regenaxer>
it is paranoia
<beneroth>
lol ok
<Regenaxer>
sigh
<beneroth>
then get a psychologist :P
<Regenaxer>
At last meeting they accepted password-only
<beneroth>
how long will the paranoia be silent even with a VPN solution?
<Regenaxer>
but still hesitant
<Regenaxer>
so I want to give an additional feature
<beneroth>
good tactic
<Regenaxer>
VPN is invisible to them
<Regenaxer>
it is simply "safe"
<Regenaxer>
cause IT says so
<beneroth>
it's forbidden in many countries :P
<Regenaxer>
true
<Regenaxer>
good argument
<Regenaxer>
I remember this
<Regenaxer>
Perhaps on exhibition sites and in hotels VPN works even there
<beneroth>
yes. though many such networks block VPN because they only allow port 80 or 443 and nothing else
<beneroth>
even Deutsche Bahn ICE
<Regenaxer>
oh, did not know
<Regenaxer>
No, I used 22 in ICE
<beneroth>
I used to use a SSH tunnel on DNS port, didn't work in deutsche bahn
<Regenaxer>
strange
<beneroth>
and deutsche bahn web access is extremely insecure. they got blamed for this 2 times in a row by the CCC.
<Regenaxer>
T
<beneroth>
hotels like to block many non-web ports too
<beneroth>
most IT staff is apparently not aware that a protocol is not bound to a port :P
<Regenaxer>
PilBox only uses 443 (bin/ssh)
<Regenaxer>
But I always used ssh in ICE
<beneroth>
ah yes SSH port 22 worked
<Regenaxer>
Is it blocked recently perhaps?
<beneroth>
but not SSH on 53 :P
<Regenaxer>
ah
<Regenaxer>
ok
<Regenaxer>
I see
<Regenaxer>
did not try
<beneroth>
so maybe they have 22, 80, 443 open. maybe ftp.
<beneroth>
but rest closed.
<beneroth>
so depends what their VPN is using :)
<Regenaxer>
Stupid
<beneroth>
T
<beneroth>
like you, I would try the cookie solution. I would guess it works well in most cases.
<Regenaxer>
yes, I persuade them not to delete
<beneroth>
you have to set an ending date when setting the cookie.
<Regenaxer>
At least not on mobiles and laptops
<beneroth>
you can reset the cookie from time to time
<Regenaxer>
T
<Regenaxer>
It is controlled on the main server
<Regenaxer>
a list of keys per +User
<beneroth>
if they can be persuaded to install VPN, and they can be persuaded to accept that they have to re-authenticate (maybe via phone) when they delete their cookies
<Regenaxer>
indeed
<beneroth>
yeah I usually use a separate +Login entity
<beneroth>
so then you could also have multiple and/or different types of logins for every user
<Regenaxer>
right
<Regenaxer>
At BTG it was +Mitarb
<beneroth>
what I also have is that you can only authenticate within the company network
<Regenaxer>
but for the new system I just 'extend' +User
<Regenaxer>
Checking by IP addr?
<beneroth>
but once authenticated, you can set (in the app) the session to "do not expire", then the session cookie is set to an expiration date (so it doesn't expire right away), and then they can access the app (with the cookie) from outside the company network
<beneroth>
a proxy app which generates an access token runs inside their company network. the token is sent to my app (running outside their network), and if valid used to generate the session cookie. the token-login is only allowed for their IP, yes.
<beneroth>
IPs are hard to spoof in TCP connections
<Regenaxer>
ok
<beneroth>
not impossible, but probably only NSA can do it in the wild. needs a lot of infrastructure to be able to answer quicker than the real server.