00:29.59 | *** join/#wowace Seerah (~umsin@2601:3c2:80:1380:c508:d2e:507c:44e7) |
00:37.20 | *** join/#wowace Funkeh` (~Funkeh`@WoWUIDev/WoWAce/Ace3/BigWigs/funkeh) |
00:37.20 | *** mode/#wowace [+o Funkeh`] by ChanServ |
00:37.29 | *** join/#wowace harl (harl@unaffiliated/harl) |
00:51.48 | *** join/#wowace tlund (tlund@nxs.se) |
00:56.35 | *** join/#wowace Motig (~Motig@2a01:9cc0:47:3:1a:4:0:12c) |
00:56.35 | *** join/#wowace Motig (~Motig@unaffiliated/motig) |
01:03.00 | *** join/#wowace Motig (~Motig@unaffiliated/motig) |
01:20.32 | *** join/#wowace purl (ibot@rikers.org) |
01:20.32 | *** topic/#wowace is https://wowace.com/ | 7.3.x ToC: 70300 | https://wowace.com/paste/ | http://lua.org | This channel is logged, via purl | Vote on Twitch 2FA options: https://goo.gl/CWiHFi https://goo.gl/snFnWY https://goo.gl/SXoS7s https://goo.gl/StjdMd |
01:38.00 | *** join/#wowace hizuro (~hizuro@WoWUIDev/hizuro) |
03:07.45 | znf | god I hate placement matches in OW |
03:07.48 | znf | round 5 complete :-| |
03:28.31 | *** part/#wowace Seerah (~umsin@2601:3c2:80:1380:c508:d2e:507c:44e7) |
03:32.16 | *** join/#wowace Saccarab (~Saccarab@cpe-67-251-119-121.stny.res.rr.com) |
04:28.18 | *** join/#wowace Networker (Networker@174-087-167-178.dhcp.chtrptr.net) |
05:05.43 | *** join/#wowace Networker (Networker@174-087-167-178.dhcp.chtrptr.net) |
05:07.21 | *** join/#wowace ShadniX (dagger@p4FF9F7CE.dip0.t-ipconnect.de) |
05:09.58 | *** part/#wowace Networker (Networker@174-087-167-178.dhcp.chtrptr.net) |
05:22.12 | *** join/#wowace Networkerror (Networkerr@174-087-167-178.dhcp.chtrptr.net) |
06:03.55 | *** join/#wowace ShadniX (dagger@p4FF9FEE5.dip0.t-ipconnect.de) |
06:24.39 | *** join/#wowace dracula (~dracula@ip-217-103-124-30.ip.prioritytelecom.net) |
07:07.03 | quiescens | moo |
07:17.38 | *** join/#wowace Funkeh`` (~Funkeh`@WoWUIDev/WoWAce/Ace3/BigWigs/funkeh) |
07:17.38 | *** mode/#wowace [+o Funkeh``] by ChanServ |
08:04.42 | *** join/#wowace mitch0 (~mitch@78-131-8-219.static.hdsnet.hu) |
08:21.42 | Phixion | hey quiescens |
08:30.27 | *** join/#wowace Justwait_ (~Justwait@546B1128.cm-12-4a.dynamic.ziggo.nl) |
08:48.55 | quiescens | o/ |
09:04.21 | *** join/#wowace Megalon (~wig0r@212-60-172-123.adsl.highway.telekom.at) |
11:25.24 | *** join/#wowace stolenlegacy (~stolenleg@unaffiliated/stolenlegacy) |
12:24.26 | *** join/#wowace Justwait (~Justwait@546B1128.cm-12-4a.dynamic.ziggo.nl) |
12:34.13 | Gnarfoz | znf: https://photos.app.goo.gl/xspT72MEUJn0e5LE3 nom |
12:36.09 | nevcairiel | Gnarfoz: have you used LetsEncrypt with DNS-01 validation before? |
12:36.14 | Gnarfoz | no |
12:36.30 | Gnarfoz | I don't run my own nameservers, I just assumed that was necessary for that |
12:36.43 | nevcairiel | unless your NS provider has an interface you can script somehow |
12:36.43 | quiescens | too much effort |
12:37.07 | nevcairiel | dehydrated has a plugin for hetzner robot NS servers, maybe i should try that out |
12:37.33 | nevcairiel | (DNS-01 is required for wildcard certs, and I kinda want one) |
12:40.19 | quiescens | does it have to do automatic thingy thing? |
12:40.54 | nevcairiel | doing the dns auth manually every 3 month would get quite annoying =p |
12:44.34 | Gnarfoz | using Let's Encrypt without fully automating it would be kind of pointless, yeah |
12:46.01 | Kalroth | but what if someone hacked your automatic updates and injected a hacked certificate so you'd be issuing hacked certificates automatically; you should do it manually for maximum safety! |
12:47.32 | quiescens | what if they did the thingy where you use dns to verify control of the domain initially, and then subsequent renewal requires possession of the current cert as well as retaining the same original txt record? |
12:47.42 | quiescens | i wonder what the security implications of that would be |
12:49.40 | quiescens | so that if the domain ends up in someone else's hands, removal of the txt record would prevent renewal, but otherwise, you only have to set the txt record once, and can renew with just proving you have the currently active cert |
12:50.58 | Gnarfoz | everyone has the cert |
12:51.05 | Gnarfoz | so that's kind of pointless |
12:51.16 | quiescens | .. |
12:51.19 | quiescens | the private part |
12:51.39 | Gnarfoz | the key? |
12:51.43 | Gnarfoz | that's what HPKP was for |
12:51.50 | Gnarfoz | and it was abandoned |
12:51.58 | Gnarfoz | don't ask me why ;p |
12:52.00 | quiescens | what? |
12:52.49 | quiescens | only the person/persons hosting stuffs should ever have access to the private key for the encryptions |
12:53.03 | Gnarfoz | indeed, so how do you prove you have it |
12:53.27 | Gnarfoz | also, what you propose has a "can never change", not a good idea. additionally, if the "domain ends up in someone else's hands", how do you then remove the txt record? |
12:53.43 | quiescens | so if you can encrypt something with the private key |
12:53.56 | quiescens | then you have proven you have the private key |
12:54.11 | Gnarfoz | great, and how would that be implemented? |
12:54.40 | Fisker | is that coconut on your pizza Gnarfoz? |
12:54.41 | Gnarfoz | you should probably realize that they thought about these obvious things when they chose not to go that route :P |
12:54.43 | quiescens | letsencrypt client could connect to a server, send an encrypted renewal request |
12:54.54 | Gnarfoz | Fisker: cheese |
12:54.59 | Fisker | wtf |
12:55.16 | quiescens | i am thinking there might be a reason not to, but don't know what it is |
12:55.26 | Gnarfoz | the client would connect to "a server"? |
12:55.29 | Gnarfoz | your own one? |
12:55.33 | Gnarfoz | what would that prove |
12:55.50 | quiescens | to wherever letsencrypt normally receives connections from |
12:56.22 | Phixion | hey Fisker |
12:56.24 | Phixion | i |
12:56.29 | quiescens | i presume letsencrypt has servers that the letsencrypt client normally connects to |
12:57.07 | Gnarfoz | maybe you should look up how LE works before continuing this :P |
12:57.07 | quiescens | you then send the renewal request authenticated by possession of the current non-expired cert |
12:57.18 | quiescens | I'm not saying it works like that at the moment |
12:57.36 | quiescens | I'm wondering what specific reason it wouldn't be a reasonable option |
12:57.39 | Gnarfoz | you seem to think that the cert is useful for this, it's really not |
12:57.44 | quiescens | How is it not? |
12:57.47 | Gnarfoz | I have your cert. |
12:58.02 | quiescens | If you have my cert you can already pretend to be my server |
12:58.02 | Gnarfoz | every visitor to your website does |
12:58.05 | quiescens | you can do that? |
12:58.14 | Gnarfoz | no, I can't, I need the private key the certificate was signed with to do that |
12:58.20 | nevcairiel | the certificate is the public part of this entire deal |
12:58.22 | nevcairiel | anyone gets it |
12:58.22 | quiescens | Yes, that is what I am saying |
12:58.32 | quiescens | Possession of the key |
12:58.39 | Gnarfoz | but the key doesn't expire |
12:58.46 | Gnarfoz | nor is it valid/invalid |
12:58.54 | Gnarfoz | and it can be used for multiple certs as well |
12:59.08 | nevcairiel | LE decided to fully re-authenticate on every renewal, who knows if one could come up with an alternative, but this method certainly is more secure |
12:59.24 | quiescens | Of the ability to encrypt for the relevant public cert |
12:59.30 | Gnarfoz | you don't need to prove ownership of the key, you need to prove ownership of the *domain* or, by extension, the server hosting stuff under that domain |
12:59.37 | nevcairiel | (basically, a renewal isn't even a special request, it just requests the same certificate again) |
12:59.52 | Gnarfoz | you use a new key every time anyway, as nev just said |
13:00.39 | quiescens | yes but possession of the key that is for the moment active, and the txt record still being there does not seem like a terrible proof of ownership |
13:00.51 | Gnarfoz | you could "renew" (it's really just "get another cert", there is no connection to the previous one) on a freshly nuked server every week, you don't need anything except a way to prove you control the domain/server |
13:00.52 | quiescens | unless you lose control of the domain and your encryption key at the same time |
13:01.09 | Fisker | hey Phixion |
13:01.11 | Fisker | not i |
13:01.21 | Gnarfoz | (since these are domain validated certs by nature, and they don't intend to prove *your* identity) |
13:01.33 | quiescens | yes you could, i'm just saying if you weren't doing that then having the encryption key and still having the txt record would indicate that you are still you |
13:01.34 | Gnarfoz | so validating that you're still the same person is not a goal they're after |
13:01.48 | Gnarfoz | validating that you are you is not their goal |
13:01.53 | quiescens | whereas if you get rid of the domain, someone else buys it, they most likely don't continue to have the txt record |
13:02.09 | quiescens | and so the key that you own no longer would be renewable |
13:02.09 | Gnarfoz | of course they would? the record is public |
13:02.12 | quiescens | since you no longer own the domain |
13:02.24 | quiescens | but they don't *Get* anything by keeping the TXT record |
13:02.35 | quiescens | unless they also have your key to renew with |
13:02.58 | Gnarfoz | I don't know what I'm even discussing here, a less safe method that still requires automation? |
13:03.10 | nevcairiel | if they bought the domain, they could just do a fresh auth anyway, i don't see the connection to domain sales =p |
13:03.25 | quiescens | no, it means potentially automation without having to change DNS records automatically |
13:03.28 | Gnarfoz | you don't even have to use DNS-01 so far, that's only in version 2 of their ACME protocol, and apparently only for wildcard certs |
13:03.40 | quiescens | which was what we were talking about |
13:03.41 | Gnarfoz | most people probably use HTTP-01 so far |
13:03.50 | nevcairiel | its unfortunate they screwed up TLS-01 |
13:03.59 | Gnarfoz | they did? |
13:04.11 | nevcairiel | apparently it's insecure on shared hosting environments, or something |
13:04.16 | nevcairiel | they discontinued it |
13:04.35 | nevcairiel | it's only valid for renewals now as a sort of deprecation period |
13:04.49 | Gnarfoz | hmhm |
13:05.01 | quiescens | I only mentioned the domain sales as a point that if the domain were to change hands, the ability to renew would go with the new owner of the domain |
13:05.21 | nevcairiel | Gnarfoz: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996 |
13:05.52 | quiescens | I don't understand why gnarfoz is actively complaining about everything i say ): |
13:06.01 | Gnarfoz | ??? |
13:06.13 | quiescens | even the mere mention of DNS thingy even though that was what started the discussion in the first place |
13:07.02 | Gnarfoz | "disagreeing" is now "actively complaining about 'everything'", I see |
13:07.57 | quiescens | I was wondering about specific reasons why a static TXT record and ownership of the existing encryption key would not be reasonable proof of control of that domain at the time of renewal |
13:08.18 | quiescens | all I got was "it won't work, everyone has your cert and can see the TXT record" |
13:10.08 | Gnarfoz | indeed, since you have yet to explain how this would work, since the account key (used for the TXT record, for the domain validation) and the cert's private key are AFAIK not the same thing |
13:10.41 | quiescens | If you still own the domain, you leave the txt record and prove you were the previous renewer by proving you are able to encrypt for the cert that the domain currently uses |
13:11.45 | quiescens | If the domain has changed hands, you can no longer renew for that domain unless the new owner is stupid and decides to keep your txt record and allow you to renew for a domain you don't own |
13:11.55 | nevcairiel | i'm sure someone could come up with some method to do this, but it's far easier to just use the same method for initial auth and renewal than invent a secondary one |
13:12.30 | quiescens | That's fair enough, I just don't think I was proposing something that was fundamentally broken in a simple way, there may be some more complicated reason that it is broken |
13:12.42 | Gnarfoz | the point remains: the private key for the cert and the private key for the TXT record are not the same one |
13:12.48 | nevcairiel | security is always full of complicated reasons |
13:13.16 | quiescens | it is and i was looking for some insight into the potential complicated reasons |
13:13.19 | Gnarfoz | so you can't go the reverse route and check the cert-key to prove what was originally proven by ownership of the account key |
13:13.24 | quiescens | but gnarfoz says it doesn't work altogether |
13:13.47 | Gnarfoz | if they used the same key for both, it probably could |
13:14.04 | Gnarfoz | I'm not sure why they don't, probably for reasons ;D |
13:15.45 | quiescens | I'm saying I had wanted to discuss the potential reasons instead of being shot down that it wouldn't work in the slightest when it seems to make at least enough sense to have had a discussion ): |
13:15.57 | Gnarfoz | we had a discussion, didn't we? wtf |
13:16.27 | Gnarfoz | how were you "shot down", did anyone ban you or prevent you from participating... where is this even coming from :d |
13:17.25 | Gnarfoz | should I apologize for text chat possibly sounding more hostile than intended? maybe |
13:18.46 | Gnarfoz | how could I hate the giver of cookies? <3 |
13:21.51 | Gnarfoz | I would love if it worked something like that, since my domain registrar doesn't appear to have an API :P |
13:22.26 | quiescens | your responses felt quite a lot like they implied i don't even know there are two keys with public key crypto and that i don't know what letsencrypt does ): |
13:22.52 | nevcairiel | not sure if hetzner actually has an API or someone just wrote something to interact with their web interface, but they might have an API considering the "web interface" is basically a text box to edit a bind zonefile |
13:23.22 | nevcairiel | which is pretty low level, but i like it :D |
13:24.39 | quiescens | i was just spitballing that being able to encrypt for a cert that is currently valid, a cert that letsencrypt knows was originally granted by themselves based on an initial DNS validation, could indicate that the current renewal request is by the same person, at least by someone that has access to the current key |
13:25.41 | Gnarfoz | https://robot.your-server.de/doc/webservice/de.html#allgemein seems to exclude domain bits |
13:26.41 | Gnarfoz | maybe that requires keeping too much state/knowledge on LE's end, they recently crossed 1 million certs/day |
13:27.10 | quiescens | okays then |
13:27.27 | nevcairiel | Gnarfoz: it seems to open the website and find the text box there |
13:27.32 | Gnarfoz | not sure, though :D |
13:27.39 | nevcairiel | i read the code |
13:27.54 | Gnarfoz | nevcairiel: you can do domain changes via email, though... maybe that takes too long ^^ |
13:28.55 | nevcairiel | who knows, if it's an automated tool |
13:29.01 | nevcairiel | you have to wait for dns propagation anyway |
13:29.04 | nevcairiel | it's not necessarily instant |
13:29.45 | nevcairiel | the more annoying part is that i get emails when the dns info changes |
13:29.49 | nevcairiel | so i get spammed when the script runs |
13:29.50 | nevcairiel | :D |
13:29.54 | quiescens | there's no reason they couldn't go straight to the authoritative for the letsencrypt check |
13:30.07 | quiescens | so they can probably get around propagation |
13:30.15 | Gnarfoz | I'd hope they do that |
13:30.47 | Gnarfoz | well, Boulder (the server part of LE) is open source, you could dig that up if you wanted, heh |
13:30.51 | quiescens | iuno, maybe they already do |
13:31.24 | Gnarfoz | seems like the way to do things if you don't want to wait hours or more |
13:34.59 | nevcairiel | you would still have to give it a bit of time for the different name servers in your domain to pickup changes, definitely not hours, but maybe minutes |
13:35.19 | nevcairiel | not sure how often one sets those up to sync their zones when changes occur |
14:04.35 | Gnarfoz | quiescens: btw, looks like something similar (account-keys only, since the actual cert keys are not part of this, as discussed above) is actually part of the ACME spec: https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.7.3.6 but https://community.letsencrypt.org/t/is-account-key-roll-over-supported/12137 said no in 2016 |
14:22.59 | quiescens | shrugs |
14:23.40 | quiescens | i just thought it was interesting to think about what might be broken about it |
14:28.10 | quiescens | my thought was the initial txt record shows control of the domain at that one point in time, and then an unbroken chain of renewals using the private key to prove you still have the key to encrypt for the cert in question, which by itself works as long as you never lose the key for example, but if you lose the key you would have the option of dropping the txt record and going for a new validation |
14:28.32 | quiescens | it made sense in my head, but it is getting late |
14:28.44 | quiescens | falls asleep in the corner |
15:28.59 | Gnarfoz | don't die |
15:37.36 | Megalon | if he does, at least it was in his sleep |
15:37.37 | Megalon | :) |
15:43.36 | znf | nevcairiel: I use dns-01 with route53 |
15:44.36 | znf | With dehydrated |
16:11.54 | *** join/#wowace Funkeh` (~Funkeh`@WoWUIDev/WoWAce/Ace3/BigWigs/funkeh) |
16:11.54 | *** mode/#wowace [+o Funkeh`] by ChanServ |
16:20.07 | *** join/#wowace Funkeh` (~Funkeh`@WoWUIDev/WoWAce/Ace3/BigWigs/funkeh) |
16:20.07 | *** mode/#wowace [+o Funkeh`] by ChanServ |
16:34.05 | *** join/#wowace Bribri (~Brybry@unaffiliated/brybry) |
16:39.28 | *** join/#wowace Antiarc (~antiarc@ip68-109-132-126.ph.ph.cox.net) |
16:46.11 | *** join/#wowace stolenlegacy (~stolenleg@unaffiliated/stolenlegacy) |
17:01.47 | *** join/#wowace dubf (~quassel@ti0272a430-1814.bb.online.no) |
17:45.08 | *** join/#wowace Marla (~textual@65.89.172.151) |
17:58.37 | Infus | nevcairiel: thanks |
18:56.28 | *** join/#wowace pompy (~Mike@c-73-194-183-217.hsd1.nj.comcast.net) |
19:05.17 | *** join/#wowace Marla (~textual@65.89.172.151) |
20:58.00 | *** join/#wowace Ermad (~Ermad@pool-108-6-131-199.nycmny.fios.verizon.net) |
21:19.07 | *** join/#wowace Evonder (Networkerr@174-087-167-178.dhcp.chtrptr.net) |
21:35.54 | *** join/#wowace RLD_who (~RLD_when@cpe-70-119-248-251.tx.res.rr.com) |
21:46.52 | *** join/#wowace Jitta (~Jitta@ip5b402718.dynamic.kabel-deutschland.de) |
22:22.11 | *** join/#wowace ls- (~ls@180.183.208.49) |
22:22.28 | znf | Stanzilla, seems that as long as I kill explorer.exe, shit works |
22:22.47 | znf | >last --from Stanzilla --with regedit |
22:22.48 | Catal1na | Error: I couldn't find a message matching that criteria in my history of 18204 messages. |
22:46.19 | *** join/#wowace Seerah (~umsin@2601:3c2:80:1380:c508:d2e:507c:44e7) |
23:03.05 | *** join/#wowace tunekey (~tunekey@unaffiliated/tunekey) |
23:09.14 | *** join/#wowace Saccarab (~Saccarab@cpe-67-251-119-121.stny.res.rr.com) |
23:35.50 | *** join/#wowace dracula (~dracula@ip-217-103-124-30.ip.prioritytelecom.net) |