Internet security

i wish i understood

>>60910818
You can always start with the newbie section, friend. Or ask a question.

HSTS is nigger shit edition

>>60908889
Why should i care about DNS? Fake page wont have valid ssl cert anyway.
Same thing with email. GPG will guarantee its authenticity.

>>60908889
My mail server at home, for mail that I don't trust with Google, iCloud or any other provider, has DNSSEC, SFP, SKIM and DMARC set to their strictest options.

>>60911780
because the dns provider will see what websites you visit

>>60911940
>dns provider will see what websites you visit
You mean my isp? Well i use vpn, so it wont see shit. Vps provider where i host my vpn will see my dns requests but it is not a big deal. They have all my traffic anyway.

>>60911940
>because the dns provider will see what websites you visit
DNSSEC changes literally nothing about that

>>60912397
but choosing trusted dns servers / running your own

>>60911780
A fake page can have a signed certificate, or none at all, and it would still be effective. It's really up to the victim whether to honour browser warnings and some proceed with connecting to them anyway. Even if one of them connects, it's a win for the attacker.

>ssl cert
Sorry, this triggered me. There's no such thing as an SSL certificate. SSL has long been superceded by TLS and both of them always use X.509 certificates [1].

>GPG will guarantee its authenticity
An email message is not validated by GPG itself. It's a web of trust, and therefore validated by you for trusting a person's public key in order to (automatically) verify the signature of a message using that same trusted public key.

[1] https://tools.ietf.org/html/rfc5280

>>60911917
This guy knows what's up.

>>60911940
Assuming you don't mean your ISP, you can run your DNSSEC enabled resolver and even use QNAME minimisation [1]. Unbound [2] supports both DNSSEC and QNAME minimisation.

[1] https://tools.ietf.org/html/rfc7816
[2] https://unbound.net/

File: ferrari-electropnumatic-transmission.jpg (64KB, 725x485px) Image search: [Google]

64KB, 725x485px

>>60913062
thanks for the links.

cool thread op

Anyone tried darkhttpd https://unix4lyfe.org/darkhttpd/

>>60914159
Why

>>60914342
Barebones web server with simple installation, I wanted to know if someone here has any complain because I plan to use that shit.

It is noted by several groups like suckless and FSF but didn't see any bug tracking. The alternative is knowing how to audit myself but I am too new to all this, and that is why I choose a simple web server like darkhttp.

>>60914387
Sounds like an fun small project, but I don't have any experience with darkhttpd, nor can I help you with static code analysis, sorry. Try asking around in the groups you mentioned where it's being talked about? Or maybe SQT, or Reddit?

>>60914654
I appreciate the advise, thanks.

Bumping a genuinely good thread

>>60908889
DNSSEC is retarded.

>Do you secure your traffic with TLS and HTTP security headers?
No, I secure my traffic with IPSec. TLS is shit.

>Do you use HSTS [6] to enforce a secure connection?
No because it's retarded.

>Do use HPKP [7] for certificate pinning?
Impossible to do it correctly with these short-lived certs.

>Who among you are running your own mail server (MTA)?
Here

>Do you secure your traffic with (START)TLS?
Sadly yes because I want to accept mails from everyone.

>Do you use SPF
You have to sadly, even though it is retarded.

>Do you use DKIM
Same as above.

>to cryptographically verify message authenticity
Sane people use OpenPGP for that.

>DMARC
No

>>60912961
You have to trust the registrars.

>>60917335
>DNSSEC is retarded.
You got anger issues, senpai.
>>Do you secure your traffic with TLS and HTTP security headers?
>No, I secure my traffic with IPSec. TLS is shit.
IPSec is no substitution for TLS or HTTP security headers when connecting to HTTP servers.
>>Do you use HSTS [6] to enforce a secure connection?
>No because it's retarded.
What's wrong with HSTS now?
>>Do use HPKP [7] for certificate pinning?
>Impossible to do it correctly with these short-lived certs.
A certificate renewal won't change the fingerprint and you can change the max-age option for the HPKP header.
>>Do you use SPF
>You have to sadly, even though it is retarded.
What's wrong with SPF now?
>>Do you use DKIM
>Same as above.
What's wrong with DKIM now?
>>to cryptographically verify message authenticity
>Sane people use OpenPGP for that.
I also use OpenPGP, but it's a pain for most people, I'm sure you agree.
>>DMARC
>No
Why?

>>60917350
At least validating the chain is transparent up to the root with DNSSEC . No CA black box tells you to trust something. It's much more transparent this way.

>>60918129
>You got anger issues, senpai.
Calling something retarded as retarded does not imply anger issues.

>IPSec is no substitution for TLS
Sure it is. As long as it is used with something like IKEv2.

>A certificate renewal won't change the fingerprint
Changing the expiration date also changes the fingerprint.

>you can change the max-age option for the HPKP header.
And you can pretend to be the site after it expires.

>What's wrong with HSTS now?
Many things, such as blocking "untrusted" CAs without giving the option to manually verify them.

>What's wrong with DKIM now?
Everybody memes it and forces you to use it, they certify the server but not the sender, everybody uses it with 1024 bit certs because shitty registrars do not allow bigger keys, pushes the whole DNS infrastructure onto SMTP.

>What's wrong with SPF now?
Pushes DNS into SMTP, gives absolutely nothing of use.

>I also use OpenPGP, but it's a pain for most people, I'm sure you agree.
I don't, it's easy as fuck.

Great thread OP, what about setting up an IRC /isg/ channel?

File: 1447089319058.jpg (33KB, 500x500px) Image search: [Google]

33KB, 500x500px

I'm running Unbound with DNSSEC validation to the OpenNIC root.

Is it possible to run my own root server? If so, how?

i have a openssh daemon protocol 2 server with ed25519 pubkeys for certification, running on a windows machine with msys2. i would do it in a linux dist. but i can't be bothered. how do i check what kexalgo is being used? and is it safer to have a dynamic wanip or static? i had to use a dyndns service because i don't know if my ips deliver static adress. i am thinking of also adding port knocking for an extra layer of security.

>>60910818
>>60910983
I want to learn but I am a level below a newbie. I recently started Cyber Aces coureware and Cybrary compitA, then netstatA. Am I on the right track?

>>60920241
Oh and I forgot. I am reading HTTP - The Definitive Guide.

>>60908889
For people setting up email servers, use SSL/TLS, not STARTTLS. STARTTLS sounds more secure and they are about the same but STARTTLS is vulnerable to more types of attacks.