
Internet security


Thread replies: 11
Thread images: 3

This is an experimental general Internet security thread for anyone willing to discuss, help newbies or learn more about Internet security in general.

>DNS
Who among you are using DNSSEC [1, 2] already? Why do you use it? What do you use it for? Have you considered TLSA (DANE [3]), SSHFP [4], OPENPGPKEY [5] resource records (RRs) yet?

>HTTP
Who among you is running your own Web server? Do you secure your traffic with TLS and HTTP security headers? Do you use HSTS [6] to enforce a secure connection? Do you use HPKP [7] for certificate pinning? Do you use CSP [8] to enforce content restrictions?

>Mail
Who among you is running your own mail server (MTA)? Do you secure your traffic with (START)TLS? Do you use SPF [9] to allow only authorised hosts to send mail? Do you use DKIM [10] to cryptographically verify message authenticity? Do you use DMARC [11] to set domain-level message handling policies?

Share your thoughts!

Newbies section:
There are numerous introductory videos about DNSSEC [12, 13], SPF [14], DKIM [15] and DMARC [16] to familiarise yourself with. There are also numerous websites [17, 18, 19, 20] that can help you check your server's security.

[1] https://tools.ietf.org/html/rfc4033
[2] http://www.dnssec.net/
[3] https://tools.ietf.org/html/rfc6698
[4] https://tools.ietf.org/html/rfc4255
[5] https://tools.ietf.org/html/rfc7929
[6] https://tools.ietf.org/html/rfc6797
[7] https://tools.ietf.org/html/rfc7469
[8] https://www.w3.org/TR/CSP2/
[9] https://tools.ietf.org/html/rfc7208
[10] https://tools.ietf.org/html/rfc6376
[11] https://tools.ietf.org/html/rfc7489
[12] https://youtube.com/watch?v=lTABuMxO2AM
[13] https://youtube.com/watch?v=qlto6GfZEvA
[14] https://youtube.com/watch?v=WFPYrAr1boU
[15] https://youtube.com/watch?v=yHv1OPcc-gw
[16] https://youtube.com/watch?v=kGk-Af_92Bk
[17] http://dnsviz.net/
[18] https://www.ssllabs.com/ssltest/index.html
[19] https://observatory.mozilla.org/
[20] https://securityheaders.io/
>>
>>60837891
Really appreciate this kind of thread, but I don't have time to write yet.
Oh and thanks for not choosing fucking Cyber Security. Fuck Cyber.
>>
every /wdg/ faggot needs to read these
>>
Mods pls sticky
>>
>internet
>security
Pick one
>>
>>60838052
Looking past your intended nihilism, this does have some truth in it. The current Internet is a mess and it's surprising it's actually working for most things we do.

But the Internet is here to stay and instead of suggesting the inherent mutual exclusiveness between the Internet and security (which is not true for a number of reasons), we should learn from our mistakes in the past and design *and implement* better systems and protocols with better security at their foundation.
>>
>>60837891
I'm using DNSSEC (default is RSASHA256, 2048-bit, 5yr rollover) to combat domain spoofing for the most part in regards to email, lessening the chances for clients' mail to be marked as spam by large mail services such as Gmail and Outlook online. Thankfully, it's easy to implement with Plesk, so it's not like it's hard to do. I have not heard of TLSA, but I'm willing to look into it. Just not willing to put in a lot of effort to implement it though if it can't be easily managed.
>>
>>60838822
That's great, I do roughly the same but for my own domain, without a COTS solution. Personally I use a different DNSSEC algorithm, but I want to use the Ed25519 algorithm which my zone signing utility sadly doesn't support yet.

Regarding TLSA RRs (DANE), the record just holds a copy or a hash of your certificate. In essence it replaces the necessity for certification authorities (CAs) to validate your certificate's authenticity. This trust relationship is moved to DNSSEC which everyone can query and validate for all domains.

For example, when you make a connection to a server which presents you with a signed certificate, you then query the corresponding TLSA RR of the same domain. If the certificate you're presented with by the server matches the TLSA RR of the authoritative name server, then you can be sure that certificate is indeed valid and you can establish a connection to the server using TLS.
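The TLSA check described in the post above, written out as an added example (not the poster's code and not from any DANE library): it parses a TLSA record in zone-file form, recomputes the certificate association data from the presented certificate according to the record's selector and matching type (RFC 6698), and applies the usage semantics: usages 0 and 1 still require ordinary CA validation to have passed, usages 2 and 3 do not, and end-entity usages may only match the first certificate of the chain. The certificate byte strings are constructed placeholders standing in for DER encodings; the `pkix_valid` and `dnssec_secure` flags are assumed to come from the TLS library and the DNSSEC-validating resolver respectively, since a TLSA answer that was not DNSSEC-validated must not be trusted.

```python
"""DANE/TLSA matching as in RFC 6698 (added example, constructed inputs)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Certificate usage field (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector field: which part of the certificate is matched
SEL_FULL_CERT, SEL_SPKI = 0, 1
# Matching type field: how the selected data is compared
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# (certificate DER, SubjectPublicKeyInfo DER); a chain is ordered end-entity first
Cert = Tuple[bytes, bytes]


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the zone-file form '<usage> <selector> <matching type> <hex data>'."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA usage, selector or matching type")
    # The hex data may be wrapped across several whitespace-separated chunks.
    return TlsaRecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def association_data(record: TlsaRecord, cert: Cert) -> bytes:
    """Compute what the record's data field should contain for this certificate."""
    cert_der, spki_der = cert
    selected = cert_der if record.selector == SEL_FULL_CERT else spki_der
    if record.matching_type == MATCH_EXACT:
        return selected
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def record_matches(record: TlsaRecord, cert: Cert) -> bool:
    """Constant-time comparison of the recomputed data with the record's data."""
    return hmac.compare_digest(association_data(record, cert), record.data)


def dane_authenticates(records: Sequence[TlsaRecord], chain: List[Cert],
                       pkix_valid: bool, dnssec_secure: bool) -> bool:
    """Return True if the presented chain is accepted by at least one TLSA record.

    chain[0] is the end-entity certificate. pkix_valid says whether the chain
    already passed ordinary CA (PKIX) validation; dnssec_secure says whether the
    TLSA lookup itself was DNSSEC-validated (assumed to come from the resolver).
    """
    # Unvalidated TLSA data is untrusted: RFC 6698 says it must not be used.
    if not dnssec_secure or not chain:
        return False
    for record in records:
        if record.usage in (PKIX_TA, PKIX_EE) and not pkix_valid:
            continue  # usages 0 and 1 constrain PKIX, they do not replace it
        if record.usage in (PKIX_EE, DANE_EE):
            candidates = chain[:1]  # only the end-entity certificate may match
        else:
            candidates = chain      # a trust anchor anywhere in the chain may match
        if any(record_matches(record, cert) for cert in candidates):
            return True
    return False


# Constructed placeholder byte strings standing in for DER encodings; real code
# would take the certificate bytes from the TLS handshake.
EE_CERT: Cert = (b"constructed-end-entity-cert-der", b"constructed-end-entity-spki-der")
CA_CERT: Cert = (b"constructed-issuer-cert-der", b"constructed-issuer-spki-der")
CHAIN = [EE_CERT, CA_CERT]

# A "3 1 1" record: DANE-EE, match the SubjectPublicKeyInfo, SHA-256.
EXAMPLE_RR = "3 1 1 " + hashlib.sha256(EE_CERT[1]).hexdigest()


if __name__ == "__main__":
    rr = parse_tlsa(EXAMPLE_RR)
    print("DANE-EE record, no CA validation needed:",
          dane_authenticates([rr], CHAIN, pkix_valid=False, dnssec_secure=True))
    print("same record, TLSA answer not DNSSEC-validated:",
          dane_authenticates([rr], CHAIN, pkix_valid=False, dnssec_secure=False))
```

The "3 1 1" form is what the reply describes: the record carries a hash of the server's public key and, because usage 3 (DANE-EE) is used, the CA system is not consulted at all, so the trust rests entirely on the DNSSEC validation of the TLSA answer. A "1 1 1" record with the same hash pins the key but still requires the certificate to chain to a CA the client trusts.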
>>
>>60837891
>1024-bit RSA in the trust chain
Wew. Why isn't 4chan.org signed with that 2048-bit key?
>>
>>60839536
If you're after a similar strength, just use a 4k bit key size. It'll be marginally slower, but should theoretically be stronger than ed25519, since it's apparently approximated to 3k bit RSA, both of which are currently unbreakable with current tech.

>>60839771
1024 bit is enough maybe when this graph was made, but it's likely they'll change it to 2048 within the next year or two, as it'll be expected to be breakable by 2020.
>>
Thanks for the info OP. This is so much info that I don't even know where to start.