mozilla :: #security

12 Jul 2017
00:16 <kpcyrd> fyi: https://www.arewee10syet.com/ is broken (bad_cert_domain)
00:23 <keeler> kpcyrd: thanks - filed an issue
01:46 <linuxmodder_> posted earlier in #sumo, and was suggested to post here too:
01:46 <linuxmodder_> any other security nuts in the channel presently or regularly that would mind a soundboard chat in the coming weeks on startup best practices and ideas for secure infra/logic for new startups? I'm trying to finalize a few talks with local university fall term and redhat mid term if so hit me up in here or at sheldon.corey@openmailbox.org with times or ideas ( mind you I'm gearing this toward not to stig/cis/cc compliant logic
01:46 <linuxmodder_> flow )
01:47 <ulfr> linuxmodder: selfish plug https://www.manning.com/books/securing-devops?a_aid=securingdevops&a_bid=1353bcd8
01:55 <linuxmodder> ulfr, selfish plugs welcome :P Looking for other ideas and angles I may not have looked at, these are university students and fresh startup folks teach them right early on and properly right?
01:55 <ulfr> that's about my target audience as well, maybe a little bit below
01:56 <linuxmodder> My tutoring audience is 7-8th grade+ --> the grace
01:56 <linuxmodder> grave*
01:57 <linuxmodder> that your self published book or just your site?
01:58 <linuxmodder> also mind if I reference / use info in/from site/book in such talk(s) so long as credit is given
01:58 <ulfr> not self published, published by manning editions
02:05 <linuxmodder> ulfr, ^^ ??
02:06 <ulfr> feel free to reference. I'm not sure what the rules are for reproduction though, need to check.
02:06 <linuxmodder> ack
02:07 <ulfr> https://www.manning.com/ebook-license
02:07 <linuxmodder> will only use what is available in the livebook atm then and research the repro conditionals
02:07 <ulfr> most of the text in the livebook is scrambled :/
02:07 <ulfr> (I should try to break that scrambling sometime)
02:08 <linuxmodder> So that is your content nice
02:08 <linuxmodder> I will contact manning on possibility of exception to that license for educational talk
02:09 <linuxmodder> and make sure you and manning editions are both properly credited if they allow it
02:09 <ulfr> sounds good. also happy to help out. education is important :)
02:10 <linuxmodder> amen
02:10 <linuxmodder> I'm getting ready to redo the linux side of this beast:
02:10 <linuxmodder> Uploading (4.4KiB)...
02:10 <linuxmodder> https://da.gd/71Ec -> https://paste.fedoraproject.org/paste/-tVjp8ycLh6C-JTJnslYzw/
02:11 <linuxmodder> DISA STIG'd on linux side and fips140-2 with partial DISA STIG on win 10 side
09:04 <freddyb> ttaubert, franziskus: do any of you know how/if libcurl does PKI things when used as a dynamic library?
09:05 <franziskus> freddyb: I guess bagder does ;) (but he's on PTO). I suspect they use whatever the TLS library offers
09:06 <freddyb> mh.
09:06 <franziskus> so, openssl checking against the root store and probably libpkix in NSS. not sure what the other libs do
09:07 <freddyb> ok, thanks franziskus :)
09:08 <freddyb> I'll wait until he comes back. I don't think it's super urgent.
09:09 <ttaubert> and it probably only tries to verify against any of the root certs in the store, I don't think it has any of the special rules we and Chrome implement on top
09:10 <freddyb> special rules? like name constraints?
09:10 <freddyb> or do you mean more like StartSSL only before October 2016?
09:10 <ttaubert> yeah for example
09:11 <ttaubert> that's stuff that we don't have in NSS for example
09:11 <freddyb> do we have a list of those "special rules", by any chance?
09:11 <ttaubert> but implement in PSM
09:11 * freddyb nods
09:11 <freddyb> we do the whole PKI chain thing _not_ in NSS, right?
09:12 <franziskus> yep
09:17 <ttaubert> freddyb: e.g. http://searchfox.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#849
09:20 <Peng_> There's a wiki page of rules that's supposed to be complete (probably): https://wiki.mozilla.org/CA/Additional_Trust_Changes
09:23 <ttaubert> ah, that's nice
09:26 <freddyb> great. thanks Peng_ and ttaubert
09:26 <freddyb> http://searchfox.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#999,1004
09:26 <freddyb> TIL we still have a whitelist for CNNIC?
09:27 <freddyb> ah. 2.5 more years.
10:14 <Caspy7> https://twitter.com/og_tjg/status/884756210267893761
10:15 <Caspy7> Just astounding ^
12:39 <Caspy7> bit of a PR issue here https://twitter.com/NicolasPetton/status/884694176515936256
12:39 <Caspy7> https://www.reddit.com/r/firefox/comments/6mt8i4/security_fuckup_aboutaddons_uses_google_analytics/
12:40 <Caspy7> which leads me to ask about the relevancy of the accusation(s) and what ways it can be mitigated
12:49 <freddyb> muffinresearch: can you take a look? at those two links. they also filed a github issue at https://github.com/mozilla/addons-frontend/issues/2785
12:50 <freddyb> ah, it looks like tofumatt is already on it. latest comments at https://github.com/mozilla/addons-frontend/issues/1107
12:50 <freddyb> thank you for raising this, Caspy7
12:51 <Caspy7> sure
12:52 <freddyb> not sure if that's a bug in how we allow addons to block/intercept scripts or how addons usually whitelist all "about:" pages.
12:53 <freddyb> I'd lean towards the latter, actually
12:54 <ulfr> Google analytics remains an issue to me, but the metrics value generally trumps the privacy concern (which I disagree with, but I understand the rationale)
12:55 <freddyb> I think tofumatt gives a very reasonable explanation in #1107
12:55 <freddyb> the ublock guy replied to an issue created on his repo, that he won't block things in about: pages. so it's likely a problem with ublock.
13:02 <muffinresearch> freddyb: thanks for the heads-up, will take a look at the links + issues.
13:08 <freddyb> muffinresearch: I think tofumatt is on it
15:00 <jcj> AAAHHHHH
15:03 <Alex_Gaynor> jcj: good news?
15:03 <jcj> Alex_Gaynor: Just an 8am scream, sorry.
15:04 <Alex_Gaynor> Heh
16:02 <Caspy7> someone just posted this in #firefox on freenode " Seriously? https://news.ycombinator.com/item?id=14753546 "
16:02 <Caspy7> for anyone in marketing/PR
18:10 <evilpie> Well that escalated quickly
18:25 <mancha> it seems to prima facie violate GA'
18:25 <mancha> it seems to prima facie violate GA's ToS. not to mention Mozilla ethos.
18:26 <mancha> or advertised ethos, should that diverge from reality.
18:34 <hersche> hello everyone, nice to find the right channel for my question :)) I've already written it down in the other channel, so I'll just copy-paste
18:34 <hersche> mmh, if someone knows: basically I would like to know if PBKDF2 is used by default for aes-cbc. I've not enabled it, but since w3c says it's the only supported key-deriving-method, it's maybe also used internally for "raw"-settings? when I export the key, it's the same as when I imported it (aka not hashed by PBKDF2) - but it's also not the idea to let any user see the PBKDF2-value, I think.
20:49 <dmlol> hi. does anyone have a guide/suggestions for getting sops to work across accounts with MFA enabled? i've tested and i know it works without requiring MFA, but it does not work when MFA is required. per the changelog, support was added back in february: https://github.com/mozilla/sops/blob/master/vendor/github.com/aws/aws-sdk-go/CHANGELOG.md
20:51 <vmonteco> Hello!
20:54 <vmonteco> I'm encountering a little problem: I'm setting up a little nginx server that involves some automatic redirections (from http to https). I screwed up my first configuration and firefox redirected to a wrong URL, but even though I've now modified the conf, Firefox looks like it memorized the previous nasty redirection and reproduces it even if it is modified server-side. What could cause this behaviour?
21:02 <vmonteco> Never mind, found the solution! :)
21:02 <vmonteco> https://stackoverflow.com/a/12796598/3156085
22:03 <dveditz> really? shift-reload doesn't clear redirects?
22:03 <dveditz> TIL
22:04 <dveditz> I appreciate having an "ignore the cached copy" feature; why in the world do we have "mostly ignore the cache"?
23:57 <hersche> hey people, does someone know why it could be that webcrypto made 3 blocks out of 32 bytes with aes-cbc?
23:58 <Peng_> Padding
13 Jul 2017
No messages