This is an experimental Internet security standards thread for anyone willing to discuss, implement, help newbies or learn more about Internet security standards.
>DNS
Who among you are using DNSSEC [1, 2] already? Have you considered TLSA (DANE [3]), SSHFP [4], OPENPGPKEY [5] resource records (RRs) yet?
>HTTP
Who among you are running your own Web server? Do you secure your traffic with TLS and HTTP security headers? Do you use HSTS [6] to enforce a secure connection? Do you use HPKP [7] for certificate pinning? Do you use CSP [8] to enforce content restrictions?
Who among you are running your own mail server (MTA)? Do you secure your traffic with (START)TLS? Do you use SPF [9] to restrict only authorised hosts to send mails? Do you use DKIM [10] to cryptographically verify message authenticity? Do you use DMARC [11] to set domain-level message handling policies?
Share your thoughts!
>Newbies section
There are numerous introductory videos about DNSSEC [12, 13], SPF [14], DKIM [15] and DMARC [16] to familiarise yourself more with. There are also numerous websites [17, 18, 19, 20, 21] that can help you check your server's security.
[1] https://tools.ietf.org/html/rfc4033
[2] http://www.dnssec.net/
[3] https://tools.ietf.org/html/rfc6698
[4] https://tools.ietf.org/html/rfc4255
[5] https://tools.ietf.org/html/rfc7929
[6] https://tools.ietf.org/html/rfc6797
[7] https://tools.ietf.org/html/rfc7469
[8] https://www.w3.org/TR/CSP2/
[9] https://tools.ietf.org/html/rfc7208
[10] https://tools.ietf.org/html/rfc6376
[11] https://tools.ietf.org/html/rfc7489
[12] https://www.youtube.com/watch?v=lTABuMxO2AM
[13] https://www.youtube.com/watch?v=qlto6GfZEvA
[14] https://www.youtube.com/watch?v=WFPYrAr1boU
[15] https://www.youtube.com/watch?v=yHv1OPcc-gw
[16] https://www.youtube.com/watch?v=kGk-Af_92Bk
[17] http://dnsviz.net/
[18] https://www.ssllabs.com/ssltest/index.html
[19] https://observatory.mozilla.org/
[20] https://securityheaders.io/
[21] https://www.mail-tester.com/
I'm focused right now on learning binary corruption and stack overflow based exploits, but this really seems interesting to know.
>>61236639
Keep learning what you're learning. I wish I knew more about programming vulnerabilities.
I use Caddy (caddyserver.com) cause it does letsencrypt ssl certs automagically.
Also unlike apache/nginx/whatever you don't have to do more than 2 lines of configuration to actually get it working.
I just watched the video for DNSSEC. What does it actually do that's different from https/ssl?
>>61238385
bump for interest
>>61238385
DNSSEC is different because it secures your DNS lookups. For example, if your system asks your resolver if it has an IP address for foo.bar, it gives you back an IP address, but who's to say it's the authoritative IP address of that system? It might just as well be a compromised server.
DNS, much like any other foundational technology, was never designed for security, only for functionality. DNSSEC aims to add security to this ancient protocol we still use daily. It does so by cryptographically signing a complete DNS zone, which you can verify with its corresponding public key, also hosted in the zone. This trust relation is then also signed, all the way up to the DNSSEC root, enabling you to validate the whole trust chain as well. This hierarchical validation is similar to X.509 PKIX which SSL and TLS make use of, but DNSSEC is one step before that because in order to securely connect to a system, you first need to securely resolve its hostname.
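The chain of trust described in the post above, worked through as added example code (not from any post in this thread): each zone's key-signing DNSKEY must hash to a DS record published by its parent, up to a root trust anchor. It checks only the DS/DNSKEY linkage (RRSIG verification would need a crypto library), and all key bytes are constructed samples.

```python
import hashlib
# Added example, not code from any post. Walks the DS -> DNSKEY links of a DNSSEC
# chain of trust (RFC 4034). RRSIG checking needs a crypto library and is left
# out, so this validates delegation linkage only. Key bytes are constructed samples.

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B) that pairs a DS or RRSIG with its DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()

def validate_chain(zones: list, trust_anchor: bytes) -> bool:
    """zones: dicts {name, dnskeys, child_ds}, root first. The root is checked
    against the trust anchor, every other zone against its parent's DS set.
    Only keys with the SEP flag (bit 0x0001) are key-signing keys a DS covers."""
    expected = {trust_anchor}
    for zone in zones:
        ksks = [k for k in zone["dnskeys"] if int.from_bytes(k[:2], "big") & 0x0001]
        if not any(ds_digest(zone["name"], k) in expected for k in ksks):
            return False                  # parent does not vouch for any key in this zone
        expected = set(zone["child_ds"])  # DS records this zone publishes for its child
    return True

# Constructed sample chain: . -> example. -> sub.example. (dummy key bytes)
ROOT_KSK = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
EX_KSK = dnskey_rdata(257, 13, b"\x10\x20\x30\x40")
SUB_KSK = dnskey_rdata(257, 13, b"\xaa\xbb\xcc\xdd")
TRUST_ANCHOR = ds_digest(".", ROOT_KSK)
CHAIN = [
    {"name": ".", "dnskeys": [ROOT_KSK], "child_ds": [ds_digest("example.", EX_KSK)]},
    {"name": "example.", "dnskeys": [EX_KSK], "child_ds": [ds_digest("sub.example.", SUB_KSK)]},
    {"name": "sub.example.", "dnskeys": [SUB_KSK], "child_ds": []},
]
```

Swapping in a key for sub.example. that its parent never published a DS for makes validate_chain return False, which is the "compromised server" case the post describes.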
>>61236031
Is this a good place to ask how I should do user authentication for my user accounts on my react website project?
>Who among you are using DNSSEC [1, 2] already?
I'm not for my personal site because I don't run my own nameserver and am just using the free one from my domain provider. In the next few months I'll be rebuilding our servers at work and will probably look further into it then for both the corporate domains, and probably use it as the NS for my personal domain too so I can DNSSEC.
>Who among you are running your own Web server? Do you secure your traffic with TLS and HTTP security headers? Do you use HSTS [6] to enforce a secure connection? Do you use HPKP [7] for certificate pinning? Do you use CSP [8] to enforce content restrictions?
I have all HTTP traffic 301 to HTTPS, TLS forced to 1.2. HSTS on. Haven't set up HPKP, but my cert is Let's Encrypt and therefore only 3 months duration, so that might not be worth it. CSP is not set up, but I will be looking into it now.
>Who among you are running your own mail server (MTA)? Do you secure your traffic with (START)TLS? Do you use SPF [9] to restrict only authorised hosts to send mails? Do you use DKIM [10] to cryptographically verify message authenticity? Do you use DMARC [11] to set domain-level message handling policies?
Yes. It is set up to receive on 25 (obviously) but will not relay at all. Authenticated TLS users can send via 587. IMAP only works over TLS. SPF record is configured. DKIM and DMARC are not configured, but looking into it now. Postfix did my head in when I originally set it up, but once you understand it it's quite simple.