00:01
billdingo-afk is now known as billdingo
00:17
<
tarcieri >
*crickets*
00:22
<
drbrain >
huh, well, rubygems-openpgp-ca.org fixed their HTTPS problem
00:23
<
drbrain >
well, for www., no-www just goes to HTTP
00:24
<
kseifried >
I'm so glad every uses ssl/tls correctly
00:24
<
kseifried >
the sad thing is he's on EC2 and it's so easy to do right there
00:25
<
dstufft >
SSL is hard ok
00:25
<
drbrain >
kseifried: www. is on EC2, no-www is godaddy
00:26
<
kseifried >
that's... makes no sense
00:26
<
kseifried >
dstufft, : agreed. which is why you use ELB and use amazon defaults and you're done :P
00:26
<
drbrain >
let alone that no respectable rubyist would use godaddy for a new site
00:26
<
drbrain >
the no-www is a landing redirect
00:27
<
dstufft >
Doesn't ELB require a CNAME
00:27
<
drbrain >
I don't know why they don't use the heroku landing redirect
00:27
<
dstufft >
which you can't do at the apex :V
00:27
<
kseifried >
why does ahh its served via heroku
00:27
<
kseifried >
no wonder it's fubar
00:28
<
drbrain >
it's fubar by design
00:28
<
kseifried >
heroku seems to have some real ssl "challenges"
00:28
<
dstufft >
SSL is fine
00:28
<
dstufft >
Basically the only problem is you can't CNAME the apex with most providers
00:28
<
drbrain >
not heroku, the person who set up their DNS this way in the first place
00:28
qmx|away is now known as qmx
00:29
<
drbrain >
let's use HSTS but not have SSL enabled for one of our hostnames!
00:29
<
kseifried >
well sort of. heroku allows BEAST/renegotiation attacks which is not ideal
00:29
<
dstufft >
So you're stuck using some sort of redirect on the apex, or using DNSimple/another provider that either allows you to CNAME the apex
00:29
<
dstufft >
kseifried: too bad you gotta pick between BEAST/Lucky 13 and RC4 now :(
00:30
<
dstufft >
whateve the RC4 attack is called
00:30
<
kseifried >
hahaha yah
00:30
<
kseifried >
TLS FTW!
00:31
<
drbrain >
dstufft: you're missing out on the third option
00:31
<
drbrain >
TLS that few browsers support
00:31
<
dstufft >
drbrain: well there's ciphers that aren't RC4 that aren't BEAST/Lucky 13 vuln too
00:31
<
dstufft >
just again few browsers support
00:32
<
dstufft >
I'm not even giving a fuck about TLS right now because I've just spent 2 weeks trying to convince people that spidering random external urls from PyPI is a bad idea
00:32
<
dstufft >
and i'm still getting people arguing with me
00:38
billdingo is now known as billdingo-afk
00:43
<
kseifried >
I'm always amazed at what terrible things, security wise, people will argue for doing
00:44
<
kseifried >
I can understand arguing against security, people think it's a chore
00:44
<
kseifried >
but like "no,. we should inject random vials of blood into our body. something good might happen!"
00:45
<
kseifried >
anyone here used raidcall BTW?
00:46
<
tarcieri >
drbrain: o_O
00:46
<
tarcieri >
drbrain: needs more HSTS, wtf?
00:46
<
tarcieri >
re: rubygems-openpgp-ca.org
00:46
<
tarcieri >
kseifried: hahaha
00:46
<
kseifried >
no really.
00:47
<
tarcieri >
dstufft: there's not a real RC4 attack... yet
00:47
<
tarcieri >
dstufft: I expect it will be coming quite soon
00:47
<
drbrain >
I submitted one-shot MDNS patch to ruby's Resolv today, it has a small security hole
00:47
<
kseifried >
tarcieri, : they said the same thing about 3des/md5 and speak and spell Elmo
00:47
<
tarcieri >
dstufft: but yeah, basically we're all fucked
00:47
<
drbrain >
it doesn't do the "local network" checks ☹
00:47
<
tarcieri >
kseifried: haha yeah it's definitely coming
00:47
<
drbrain >
unfortunately there's no portable way to discover what your local network is ☹
00:48
<
tarcieri >
kseifried: it needs someone to adapt djb's research into a practical attack though
00:48
<
tarcieri >
kseifried: right now it's just a theoretical attack
00:48
<
kseifried >
the problem is someone may have done it
00:48
<
tarcieri >
that said INDCCA2 security has been broken, time to move on
00:48
<
tarcieri >
to AES-GCM
00:48
<
tarcieri >
or something
00:48
<
tarcieri >
but Adam Langley says don't use AES-GCM
00:48
<
kseifried >
the problem is not all attacks get nicely written up and publicized :P
00:48
<
tarcieri >
I should ask him what he thinks now
00:49
<
tarcieri >
asked on Twitter
00:49
<
tarcieri >
kseifried: yeah, well, the academics released their research yesterday. We probably have a few days ;)
00:49
<
tarcieri >
until the Internet melts
00:50
<
drbrain >
more likely to melt from people getting those 2**32 packets
00:50
<
kseifried >
which one is this?
00:50
<
tarcieri >
err wait
00:50
<
tarcieri >
that's not it
00:50
<
tarcieri >
fucking djb, names everything slides.pdf o_O
00:51
<
drbrain >
there's an RC4 exploit where if you have enough RC4 streams you can recover the first 256 bytes
00:52
davidbalber|away is now known as davidbalbert
00:53
<
tarcieri >
see also:
00:55
<
drbrain >
ah, 2**24 for high probability
00:56
<
tarcieri >
seriously though, uhh... the guy running the OpenPGP CA isn't using HSTS?
00:56
<
tarcieri >
and he wants to run a CA?
00:56
davidbalbert is now known as davidbalber|away
00:56
<
drbrain >
tarcieri: yesterday the SSL cert was invalid though
00:56
<
tarcieri >
this does not bode well
00:56
<
dstufft >
just dont think about it so hard
00:56
<
drbrain >
tarcieri: for some reason www. is heroku but no-www is godaddy (which doesn't respond to HTTPS)
00:56
<
dstufft >
it'll be ok
00:57
<
tarcieri >
before I ever announced a CA I'd probably point someone like Rustle League at it
00:57
<
tarcieri >
and be like
00:57
<
drbrain >
I don't consider people respectable if they buy a domain from godaddy
00:57
<
tarcieri >
"do your worst"
00:57
davidbalber|away is now known as davidbalbert
00:57
<
tarcieri >
seems good bro
00:58
<
kseifried >
honestly at this point I think... we need to start using AES256 and NIST needs to run nextgen-AES starting like right now
00:58
<
kseifried >
and nextgen-SHA
00:58
<
drbrain >
it must be interesting to be a cryptographer
00:59
<
tarcieri >
kseifried: I'm using XSalsa20 + Poly1305 ;)
00:59
<
drbrain >
"I'm going to invent this really secure thing that most likely has a fundamental flaw humanity just hasn't discovered yet"
00:59
<
tarcieri >
kseifried: I will probably use Blake2 instead of SHA3 too
00:59
<
kseifried >
I hope this leads to Johnny Mnemonic data couriers
00:59
<
tarcieri >
FOR SPEED
00:59
<
kseifried >
cause that would fucking rock
00:59
<
tarcieri >
Fire Upon the Deep style xor pad sneakernet
00:59
<
kseifried >
and honestly at this point a courier with a few hundred TB in their head will be faster than the inet anyways
01:00
<
tarcieri >
once you get the XOR pads to all parties
01:00
<
tarcieri >
you're good
01:00
<
tarcieri >
and you can split them apart Shamir style
01:00
<
tarcieri >
so no one person holds the full pad
01:00
<
tarcieri >
until they all rendezvous
01:00
<
tarcieri >
save that for post-quantum crypto ;)
01:01
<
kseifried >
I sitll .. I mean I get for links how it works
01:01
<
kseifried >
but like ... for email? I don't get it
01:02
davidbalbert is now known as davidbalber|away
01:06
davidbalber|away is now known as davidbalbert
01:09
davidbalbert is now known as davidbalber|away
01:11
davidbalber|away is now known as davidbalbert
01:12
davidbalbert is now known as davidbalber|away
01:14
davidbalber|away is now known as davidbalbert
01:16
davidbalbert is now known as davidbalber|away
01:18
davidbalber|away is now known as davidbalbert
01:28
davidbalbert is now known as davidbalber|away
01:35
davidbalber|away is now known as davidbalbert
01:48
davidbalbert is now known as davidbalber|away
01:59
qmx is now known as qmx|away
02:18
davidbalber|away is now known as davidbalbert
04:25
davidbalbert is now known as davidbalber|away
07:06
workmad3 has joined #rubygems-trust
07:34
workmad3 has quit [Ping timeout: 260 seconds]
09:39
havenwood has quit [Remote host closed the connection]
10:08
billdingo-afk is now known as billdingo
12:00
_whitelogger has joined #rubygems-trust
12:39
qmx|away is now known as qmx
13:58
davidbalber|away is now known as davidbalbert
14:06
davidbalbert is now known as davidbalber|away
14:08
qmx is now known as qmx|afk
14:24
davidbalber|away is now known as davidbalbert
14:28
qmx|afk is now known as qmx
14:34
davidbalbert is now known as davidbalber|away
14:34
davidbalber|away is now known as davidbalbert
14:35
davidbalbert is now known as davidbalber|away
14:42
billdingo is now known as billdingo-afk
14:56
billdingo-afk is now known as billdingo
15:22
davidbalber|away is now known as davidbalbert
17:09
qmx is now known as qmx|away
17:42
billdingo is now known as billdingo-afk
18:23
davidbalbert is now known as davidbalber|away
18:52
davidbalber|away is now known as davidbalbert
19:37
qmx|away is now known as qmx
20:00
bradland has joined #rubygems-trust
20:01
bradland has quit [Client Quit]
20:01
bradland has joined #rubygems-trust
20:36
workmad3 has joined #rubygems-trust
20:38
bradland has quit [Quit: bradland]
21:15
workmad3 has quit [Ping timeout: 240 seconds]
22:05
qmx is now known as qmx|away
22:39
havenwood has joined #rubygems-trust
22:56
davidbalbert is now known as davidbalber|away
23:45
qmx|away is now known as qmx