IRC log for #wowace on 20180301

00:29.59 *** join/#wowace Seerah (~umsin@2601:3c2:80:1380:c508:d2e:507c:44e7)
00:37.20 *** join/#wowace Funkeh` (~Funkeh`@WoWUIDev/WoWAce/Ace3/BigWigs/funkeh)
00:37.20 *** mode/#wowace [+o Funkeh`] by ChanServ
00:37.29 *** join/#wowace harl (harl@unaffiliated/harl)
00:51.48 *** join/#wowace tlund (tlund@nxs.se)
00:56.35 *** join/#wowace Motig (~Motig@2a01:9cc0:47:3:1a:4:0:12c)
00:56.35 *** join/#wowace Motig (~Motig@unaffiliated/motig)
01:03.00 *** join/#wowace Motig (~Motig@unaffiliated/motig)
01:20.32 *** join/#wowace purl (ibot@rikers.org)
01:20.32 *** topic/#wowace is https://wowace.com/ | 7.3.x ToC: 70300 | https://wowace.com/paste/ | http://lua.org | This channel is logged, via purl | Vote on Twitch 2FA options: https://goo.gl/CWiHFi https://goo.gl/snFnWY https://goo.gl/SXoS7s https://goo.gl/StjdMd
01:38.00 *** join/#wowace hizuro (~hizuro@WoWUIDev/hizuro)
03:07.45 <znf> god I hate placement matches in OW
03:07.48 <znf> round 5 complete :-|
03:28.31 *** part/#wowace Seerah (~umsin@2601:3c2:80:1380:c508:d2e:507c:44e7)
03:32.16 *** join/#wowace Saccarab (~Saccarab@cpe-67-251-119-121.stny.res.rr.com)
04:28.18 *** join/#wowace Networker (Networker@174-087-167-178.dhcp.chtrptr.net)
05:05.43 *** join/#wowace Networker (Networker@174-087-167-178.dhcp.chtrptr.net)
05:07.21 *** join/#wowace ShadniX (dagger@p4FF9F7CE.dip0.t-ipconnect.de)
05:09.58 *** part/#wowace Networker (Networker@174-087-167-178.dhcp.chtrptr.net)
05:22.12 *** join/#wowace Networkerror (Networkerr@174-087-167-178.dhcp.chtrptr.net)
06:03.55 *** join/#wowace ShadniX (dagger@p4FF9FEE5.dip0.t-ipconnect.de)
06:24.39 *** join/#wowace dracula (~dracula@ip-217-103-124-30.ip.prioritytelecom.net)
07:07.03 <quiescens> moo
07:17.38 *** join/#wowace Funkeh`` (~Funkeh`@WoWUIDev/WoWAce/Ace3/BigWigs/funkeh)
07:17.38 *** mode/#wowace [+o Funkeh``] by ChanServ
08:04.42 *** join/#wowace mitch0 (~mitch@78-131-8-219.static.hdsnet.hu)
08:21.42 <Phixion> hey quiescens
08:30.27 *** join/#wowace Justwait_ (~Justwait@546B1128.cm-12-4a.dynamic.ziggo.nl)
08:48.55 <quiescens> o/
09:04.21 *** join/#wowace Megalon (~wig0r@212-60-172-123.adsl.highway.telekom.at)
11:25.24 *** join/#wowace stolenlegacy (~stolenleg@unaffiliated/stolenlegacy)
12:24.26 *** join/#wowace Justwait (~Justwait@546B1128.cm-12-4a.dynamic.ziggo.nl)
12:34.13 <Gnarfoz> znf: https://photos.app.goo.gl/xspT72MEUJn0e5LE3 nom
12:36.09 <nevcairiel> Gnarfoz: have you used LetsEncrypt with DNS-01 validation before?
12:36.14 <Gnarfoz> no
12:36.30 <Gnarfoz> I don't run my own nameservers, I just assumed that was necessary for that
12:36.43 <nevcairiel> unless your NS provider has an interface you can script somehow
12:36.43 <quiescens> too much effort
12:37.07 <nevcairiel> dehydrated has a plugin for hetzner robot NS servers, maybe i should try that out
12:37.33 <nevcairiel> (DNS-01 is required for wildcard certs, and I kinda want one)
12:40.19 <quiescens> does it have to do automatic thingy thing?
12:40.54 <nevcairiel> doing the dns auth manually every 3 months would get quite annoying =p
12:44.34 <Gnarfoz> using Let's Encrypt without fully automating it would be kind of pointless, yeah
12:46.01 <Kalroth> but what if someone hacked your automatic updates and injected a hacked certificate so you'd be issuing hacked certificates automatically, you should do it manually for maximum safety!
12:47.32 <quiescens> what if they did the thingy where you use dns to verify control of the domain initially, and then subsequent renewal requires possession of the current cert as well as retaining the same original txt record?
12:47.42 <quiescens> i wonder what the security implications of that would be
12:49.40 <quiescens> so that if the domain ends up in someone else's hands, removal of the txt record would prevent renewal, but otherwise, you only have to set the txt record once, and can renew with just proving you have the currently active cert
12:50.58 <Gnarfoz> everyone has the cert
12:51.05 <Gnarfoz> so that's kind of pointless
12:51.16 <quiescens> ..
12:51.19 <quiescens> the private part
12:51.39 <Gnarfoz> the key?
12:51.43 <Gnarfoz> that's what HPKP was for
12:51.50 <Gnarfoz> and it was abandoned
12:51.58 <Gnarfoz> don't ask me why ;p
12:52.00 <quiescens> what?
12:52.49 <quiescens> only the person/persons hosting stuffs should ever have access to the private key for the encryptions
12:53.03 <Gnarfoz> indeed, so how do you prove you have it
12:53.27 <Gnarfoz> also, what you propose has a "can never change", not a good idea. additionally, if the "domain ends up in someone else's hands", how do you then remove the txt record?
12:53.43 <quiescens> so if you can encrypt something with the private key
12:53.56 <quiescens> then you have proven you have the private key
12:54.11 <Gnarfoz> great, and how would that be implemented?
12:54.40 <Fisker> is that coconut on your pizza Gnarfoz?
12:54.41 <Gnarfoz> you should probably realize that they thought about these obvious things when they chose not to go that route :P
12:54.43 <quiescens> letsencrypt client could connect to a server, send an encrypted renewal request
12:54.54 <Gnarfoz> Fisker: cheese
12:54.59 <Fisker> wtf
12:55.16 <quiescens> i am thinking there might be a reason not to, but don't know what it is
12:55.26 <Gnarfoz> the client would connect to "a server"?
12:55.29 <Gnarfoz> your own one?
12:55.33 <Gnarfoz> what would that prove
12:55.50 <quiescens> to wherever letsencrypt normally receives connections from
12:56.22 <Phixion> hey Fisker
12:56.24 <Phixion> i
12:56.29 <quiescens> i presume letsencrypt has servers that the letsencrypt client normally connects to
12:57.07 <Gnarfoz> maybe you should look up how LE works before continuing this :P
12:57.08 <quiescens> you then send the renewal request authenticated by possession of the current non-expired cert
12:57.18 <quiescens> I'm not saying it works like that at the moment
12:57.36 <quiescens> I'm wondering what specific reason it wouldn't be a reasonable option
12:57.39 <Gnarfoz> you seem to think that the cert is useful for this, it's really not
12:57.44 <quiescens> How is it not?
12:57.47 <Gnarfoz> I have your cert.
12:58.02 <quiescens> If you have my cert you can already pretend to be my server
12:58.02 <Gnarfoz> every visitor to your website does
12:58.05 <quiescens> you can do that?
12:58.14 <Gnarfoz> no, I can't, I need the private key the certificate was signed with to do that
12:58.20 <nevcairiel> the certificate is the public part of this entire deal
12:58.22 <nevcairiel> anyone gets it
12:58.22 <quiescens> Yes, that is what I am saying
12:58.32 <quiescens> Possession of the key
12:58.39 <Gnarfoz> but the key doesn't expire
12:58.46 <Gnarfoz> nor is it valid/invalid
12:58.54 <Gnarfoz> and it can be used for multiple certs as well
12:59.08 <nevcairiel> LE decided to fully re-authenticate on every renewal, who knows if one could come up with an alternative, but this method certainly is more secure
12:59.24 <quiescens> Of the ability to encrypt for the relevant public cert
12:59.30 <Gnarfoz> you don't need to prove ownership of the key, you need to prove ownership of the *domain* or, by extension, the server hosting stuff under that domain
12:59.37 <nevcairiel> (basically, a renewal isn't even a special request, it just requests the same certificate again)
12:59.52 <Gnarfoz> you use a new key every time anyway, as nev just said
13:00.39 <quiescens> yes but possession of the key that is for the moment active, and the txt record still being there does not seem like a terrible proof of ownership
13:00.51 <Gnarfoz> you could "renew" (it's really just "get another cert", there is no connection to the previous one) on a freshly nuked server every week, you don't need anything except a way to prove you control the domain/server
13:00.52 <quiescens> unless you lose control of the domain and your encryption key at the same time
13:01.09 <Fisker> hey Phixion
13:01.11 <Fisker> not i
13:01.21 <Gnarfoz> (since these are domain validated certs by nature, and they don't intend to prove *your* identity)
13:01.33 <quiescens> yes you could, i'm just saying if you weren't doing that then having the encryption key and still having the txt record would indicate that you are still you
13:01.34 <Gnarfoz> so validating that you're still the same person is not a goal they're after
13:01.48 <Gnarfoz> validating that you are you is not their goal
13:01.53 <quiescens> whereas if you get rid of the domain, someone else buys it, they most likely don't continue to have the txt record
13:02.09 <quiescens> and so the key that you own no longer would be renewable
13:02.09 <Gnarfoz> of course they would? the record is public
13:02.12 <quiescens> since you no longer own the domain
13:02.24 <quiescens> but they don't *get* anything by keeping the TXT record
13:02.35 <quiescens> unless they also have your key to renew with
13:02.58 <Gnarfoz> I don't know what I'm even discussing here, a less safe method that still requires automation?
13:03.10 <nevcairiel> if they bought the domain, they could just do a fresh auth anyway, i dont see the connection to domain sales =p
13:03.25 <quiescens> no, it means potentially automation without having to change DNS records automatically
13:03.28 <Gnarfoz> you don't even have to use DNS-01 so far, that's only in version 2 of their ACME protocol, and apparently only for wildcard certs
13:03.40 <quiescens> which was what we were talking about
13:03.41 <Gnarfoz> most people probably use HTTP-01 so far
13:03.50 <nevcairiel> it's unfortunate they screwed up TLS-01
13:03.59 <Gnarfoz> they did?
13:04.11 <nevcairiel> apparently it's insecure on shared hosting environments, or something
13:04.16 <nevcairiel> they discontinued it
13:04.35 <nevcairiel> it's only valid for renewals now as a sort of deprecation period
13:04.49 <Gnarfoz> hmhm
13:05.01 <quiescens> I only mentioned the domain sales as a point that if the domain were to change hands, the ability to renew would go with the new owner of the domain
13:05.21 <nevcairiel> Gnarfoz: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996
13:05.52 <quiescens> I don't understand why gnarfoz is actively complaining about everything i say ):
13:06.01 <Gnarfoz> ???
13:06.13 <quiescens> even the mere mention of DNS thingy even though that was what started the discussion in the first place
13:07.02 <Gnarfoz> "disagreeing" is now "actively complaining about 'everything'", I see
13:07.57 <quiescens> I was wondering about specific reasons why a static TXT record and ownership of the existing encryption key would not be reasonable proof of control of that domain at the time of renewal
13:08.18 <quiescens> all I get was "it won't work, everyone has your cert and can see the TXT record"
13:10.08 <Gnarfoz> indeed, since you have yet to explain how this would work, since the account key (used for the TXT record, for the domain validation) and the cert's private key are AFAIK not the same thing
13:10.41 <quiescens> If you still own the domain, you leave the txt record and prove you were the previous renewer by proving you are able to encrypt for the cert that the domain currently uses
13:11.45 <quiescens> If the domain has changed hands, you can no longer renew for that domain unless the new owner is stupid and decides to keep your txt record and allow you to renew for a domain you don't own
13:11.55 <nevcairiel> i'm sure someone could come up with some method to do this, but it's far easier to just use the same method for initial auth and renewal than invent a secondary one
13:12.30 <quiescens> That's fair enough, I just don't think I was proposing something that was fundamentally broken in a simple way, there may be some more complicated reason that it is broken
13:12.42 <Gnarfoz> the point remains: the private key for the cert and the private key for the TXT record are not the same one
13:12.48 <nevcairiel> security is always full of complicated reasons
13:13.16 <quiescens> it is and i was looking for some insight into the potential complicated reasons
13:13.19 <Gnarfoz> so you can't go the reverse route and check the cert-key to prove what was originally proven by ownership of the account key
13:13.24 <quiescens> but gnarfoz says it doesn't work altogether
13:13.47 <Gnarfoz> if they used the same key for both, it probably could
13:14.04 <Gnarfoz> I'm not sure why they don't, probably for reasons ;D
13:15.45 <quiescens> I'm saying I had wanted to discuss the potential reasons instead of being shot down that it wouldn't work in the slightest when it seems to make at least enough sense to have had a discussion ):
13:15.57 <Gnarfoz> we had a discussion, didn't we? wtf
13:16.27 <Gnarfoz> how were you "shot down", did anyone ban you or prevent you from participating... where is this even coming from :d
13:17.25 <Gnarfoz> should I apologize for text chat possibly sounding more hostile than intended? maybe
13:18.46 <Gnarfoz> how could I hate the giver of cookies? <3
13:21.51 <Gnarfoz> I would love it if it worked something like that, since my domain registrar doesn't appear to have an API :P
13:22.26 <quiescens> your responses felt quite a lot like they implied i don't even know there are two keys with public key crypto and that i don't know what letsencrypt does ):
13:22.52 <nevcairiel> not sure if hetzner actually has an API or someone just wrote something to interact with their web interface, but they might have an API considering the "web interface" is basically a text box to edit a bind zonefile
13:23.22 <nevcairiel> which is pretty low level, but i like it :D
13:24.39 <quiescens> i was just spitballing that being able to encrypt for a cert that is currently valid, a cert that letsencrypt knows was originally granted by themselves based on an initial DNS validation, could indicate that the current renewal request is by the same person, at least by someone that has access to the current key
13:25.41 <Gnarfoz> https://robot.your-server.de/doc/webservice/de.html#allgemein seems to exclude domain bits
13:26.41 <Gnarfoz> maybe that requires keeping too much state/knowledge on LE's end, they recently crossed 1 million certs/day
13:27.10 <quiescens> okays then
13:27.27 <nevcairiel> Gnarfoz: it seems to open the website and find the text box there
13:27.32 <Gnarfoz> not sure, though :D
13:27.39 <nevcairiel> i read the code
13:27.54 <Gnarfoz> nevcairiel: you can do domain changes via email, though... maybe that takes too long ^^
13:28.55 <nevcairiel> who knows, if it's an automated tool
13:29.01 <nevcairiel> you have to wait for dns propagation anyway
13:29.04 <nevcairiel> it's not necessarily instant
13:29.45 <nevcairiel> the more annoying part is that i get emails when the dns info changes
13:29.49 <nevcairiel> so i get spammed when the script runs
13:29.50 <nevcairiel> :D
13:29.54 <quiescens> there's no reason they couldn't go straight to the authoritative for the letsencrypt check
13:30.07 <quiescens> so they can probably get around propagation
13:30.15 <Gnarfoz> I'd hope they do that
13:30.47 <Gnarfoz> well, Boulder (the server part of LE) is open source, you could dig that up if you wanted, heh
13:30.51 <quiescens> iuno, maybe they already do
13:31.24 <Gnarfoz> seems like the way to do things if you don't want to wait hours or more
13:34.59 <nevcairiel> you would still have to give it a bit of time for the different name servers in your domain to pick up changes, definitely not hours, but maybe minutes
13:35.19 <nevcairiel> not sure how often one sets those up to sync their zones when changes occur
14:04.35 <Gnarfoz> quiescens: btw, looks like something similar (account-keys only, since the actual cert keys are not part of this, as discussed above) is actually part of the ACME spec: https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.7.3.6 but https://community.letsencrypt.org/t/is-account-key-roll-over-supported/12137 said no in 2016
14:22.59 <quiescens> shrugs
14:23.40 <quiescens> i just thought it was interesting to think about what might be borken about it
14:28.10 <quiescens> my thought was the initial txt record shows control of the domain at that one point in time, and then an unborken chain of renewals using the private key to prove you still have the key to encrypt for the cert in question, which by itself works as long as you never lose the key for example, but if you lose the key you would have the option of dropping the txt record and going for a new validation
14:28.32 <quiescens> it made sense in my head, but it iz getting late
14:28.44 <quiescens> falls asleep in the corner
15:28.59 <Gnarfoz> don't die
15:37.36 <Megalon> if he does, at least it was in his sleep
15:37.37 <Megalon> :)
15:43.36 <znf> nevcairiel: I use dns-01 with route53
15:44.36 <znf> With dehydrated
16:11.54 *** join/#wowace Funkeh` (~Funkeh`@WoWUIDev/WoWAce/Ace3/BigWigs/funkeh)
16:11.54 *** mode/#wowace [+o Funkeh`] by ChanServ
16:20.07 *** join/#wowace Funkeh` (~Funkeh`@WoWUIDev/WoWAce/Ace3/BigWigs/funkeh)
16:20.07 *** mode/#wowace [+o Funkeh`] by ChanServ
16:34.05 *** join/#wowace Bribri (~Brybry@unaffiliated/brybry)
16:39.28 *** join/#wowace Antiarc (~antiarc@ip68-109-132-126.ph.ph.cox.net)
16:46.11 *** join/#wowace stolenlegacy (~stolenleg@unaffiliated/stolenlegacy)
17:01.47 *** join/#wowace dubf (~quassel@ti0272a430-1814.bb.online.no)
17:45.08 *** join/#wowace Marla (~textual@65.89.172.151)
17:58.37 <Infus> nevcairiel: thanks
18:56.28 *** join/#wowace pompy (~Mike@c-73-194-183-217.hsd1.nj.comcast.net)
19:05.17 *** join/#wowace Marla (~textual@65.89.172.151)
20:58.00 *** join/#wowace Ermad (~Ermad@pool-108-6-131-199.nycmny.fios.verizon.net)
21:19.07 *** join/#wowace Evonder (Networkerr@174-087-167-178.dhcp.chtrptr.net)
21:35.54 *** join/#wowace RLD_who (~RLD_when@cpe-70-119-248-251.tx.res.rr.com)
21:46.52 *** join/#wowace Jitta (~Jitta@ip5b402718.dynamic.kabel-deutschland.de)
22:22.11 *** join/#wowace ls- (~ls@180.183.208.49)
22:22.28 <znf> Stanzilla, seems that as long as I kill explorer.exe, shit works
22:22.47 <znf> >last --from Stanzilla --with regedit
22:22.48 <Catal1na> Error: I couldn't find a message matching that criteria in my history of 18204 messages.
22:46.19 *** join/#wowace Seerah (~umsin@2601:3c2:80:1380:c508:d2e:507c:44e7)
23:03.05 *** join/#wowace tunekey (~tunekey@unaffiliated/tunekey)
23:09.14 *** join/#wowace Saccarab (~Saccarab@cpe-67-251-119-121.stny.res.rr.com)
23:35.50 *** join/#wowace dracula (~dracula@ip-217-103-124-30.ip.prioritytelecom.net)

Generated by irclog2html.pl Modified by Tim Riker to work with infobot.