Another new Let's Encrypt-secured website, another case of getting 82 hacking attempts in the first 30 seconds after it came online for the first time ever.

Do. Not. Kid. Yourself. "Oh, I'll delete the config files once I get it working." "Eh, I'm just some nobody. Who's going to care?" Yeah, I'll tell you who: people who watch for new sites come online and then immediately slam them with hacking probes.

"I'll get to it soon" means you better do it within 3 seconds.

https://honeypot.net/2024/05/16/i-am-not.html


@tek I don't understand the point of your statement.

Do you advocate for LetsEncrypt? Are you against it? Do you recommend any action in particular?
I am kind of a layman on this topic.

I don't think it's an endorsement of LetsEncrypt, just a statement that hackers have godlike powers to immediately divine when a new website exists and attack it within seconds. Which might seem to be the case, but what's really going on is DNS root servers are either controlled by, or selling out to website burglars. No other way for them to know who to attack so quickly.

So it's not LetsEncrypt's fault per se (though they could very well be selling out too).

CC: @[email protected]

@cy @tek @ankhZero

Godlike powers to immediately divine
No other way for them to know

It's not DNS. It's Certificate Transparency logs.

You're right that it's not Let's Encrypt's fault, though. Any certificate provider worth their salt will be publishing public Certificate Transparency logs: https://certificate.transparency.dev/

That means that the instant you receive a certificate, anyone monitoring those logs will know about your website. Unfortunately, malicious actors are amongst those monitoring.


...what really?

No, seriously... really?

(checks the website)
Who watches the watchers?
CT depends on independent, reliable logs because it is a distributed ecosystem. Built using Merkle trees, logs are publicly verifiable, append-only, and tamper-proof.
Oh my god that is a stunningly bad idea. Both from a security and a privacy perspective. Is it just me? This is obviously The Worst Thing You Can Do, right?

CC: @[email protected] @[email protected]
@cy @ankhZero I think it’s good on balance. It keeps me from issuing www.google.com without anyone noticing. And we’re going to get those malicious requests in minutes anyway.
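The two technical claims in the thread so far are that a CT log is a Merkle tree that is append-only and publicly verifiable, and that a log lets a domain owner notice when someone else's CA issues a certificate for their name. The script below is an added illustration, not code from this thread or from any CT log implementation. It builds an RFC 6962 / RFC 9162-style Merkle tree (leaf hash = SHA-256 of 0x00 || entry, interior node = SHA-256 of 0x01 || left || right), generates and verifies an inclusion proof with the RFC 9162 verification algorithm, shows that a swapped entry no longer verifies, and runs a toy monitor over constructed log entries to flag certificates for a watched domain from an issuer the owner does not use. Real log entries are X.509 certificates or precertificates; the `issuer|names` byte strings here are a constructed stand-in, as is the `Example CA` / `Other Root CA` naming.

```python
"""Merkle-tree log with inclusion proofs plus a CT-style issuer monitor.
Added example; entries below are constructed sample data, not real log output."""
import hashlib
from typing import List, Set, Tuple


def leaf_hash(data: bytes) -> bytes:
    # Leaves and interior nodes get different prefixes so a leaf cannot be
    # passed off as a node (second-preimage defence from RFC 6962).
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (requires n >= 2).
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(entries: List[bytes]) -> bytes:
    # Merkle Tree Hash (MTH) exactly as RFC 6962 section 2.1 defines it.
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(index: int, entries: List[bytes]) -> List[bytes]:
    # Audit path PATH(m, D[n]) from RFC 6962: sibling hashes from leaf to root.
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [merkle_root(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [merkle_root(entries[:k])]


def verify_inclusion(index: int, tree_size: int, entry: bytes,
                     proof: List[bytes], root: bytes) -> bool:
    # Verification algorithm from RFC 9162 section 2.1.3.2. A verifier needs
    # only the entry, the proof and the signed root, not the whole log.
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while True:
                    fn >>= 1
                    sn >>= 1
                    if fn & 1 or fn == 0:
                        break
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample entries in the form b"issuer|name1,name2".
SAMPLE_LOG = [
    b"Example CA|www.example.net,example.net",
    b"Example CA|mail.example.net",
    b"Other Root CA|www.example.net",   # issued by a CA the owner never used
    b"Example CA|shop.example.org",
    b"Other Root CA|login.example.com",
]


def unexpected_certs(log: List[bytes], watched_domain: str,
                     expected_issuers: Set[str]) -> List[Tuple[int, str, str]]:
    # The monitor side of CT: report every entry that names the watched
    # domain (or a subdomain) but comes from an issuer the owner does not use.
    hits = []
    for i, entry in enumerate(log):
        issuer, names = entry.decode().split("|", 1)
        for name in names.split(","):
            in_scope = name == watched_domain or name.endswith("." + watched_domain)
            if in_scope and issuer not in expected_issuers:
                hits.append((i, issuer, name))
    return hits


def main() -> None:
    root = merkle_root(SAMPLE_LOG)
    proof = inclusion_proof(2, SAMPLE_LOG)
    print("entry 2 included:", verify_inclusion(2, len(SAMPLE_LOG), SAMPLE_LOG[2], proof, root))
    forged = b"Example CA|www.example.net"   # attempt to rewrite history
    print("forged entry 2 included:", verify_inclusion(2, len(SAMPLE_LOG), forged, proof, root))
    print("unexpected issuers:", unexpected_certs(SAMPLE_LOG, "example.net", {"Example CA"}))


if __name__ == "__main__":
    main()
```

The append-only property that the CT site describes comes from the root hash: once a log has signed a root over five entries, no entry can be replaced or removed without every previously issued inclusion proof failing, which is what the forged-entry check shows. The monitor only reads the log, so it reveals nothing the log has not already published; what it adds for the domain owner is the alert, which is the feedback path the thread is arguing about.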
The malicious requests would not come within minutes, because there's nothing else that publicly announces when a new website exists, and if there is we need to cut that shit out too.

I can bet there are millions of computers currently compromised because they had a security leak when they were setting up their website. And I don't care who issues google.com. Our browser should warn us when google's key changes, and then people would fix that shit fast, without any requirement that everyone report their vulnerability to every malicious organization in the world.

CC: @[email protected]

@cy @ankhZero Those are legit arguments. I understand them and the concerns behind them. Counterarguments:

1. The attacks will come in moments anyway. Consider things like Shodan that continually scan the entire IPv4 space.
2. It's not just google.com. yourownsite.com could be spoofed, and the main tools preventing that, HSTS and cert preloading, are fraught with peril. Need to update to a new cert? Don't screw up the HSTS or no visitors can come to your site for the next 13 years!

continually scan the entire IPv4 space.
That takes a LONG time, considering it's at least 4 billion packets per scan, routed all around the world. Anyway that's an argument for IPv6, not for "Certificate Transparency Logs".

It's also an argument for erasing the funds of rich fucks so they can't afford to continually barrage the Internet with their scans.
yourownsite.com could be spoofed
Not if nobody has heard about it! And what if it is spoofed? Do I call up the "Certificate Transparency Logs Police" and tell them that the record published to that log isn't legit? How do I prove that?
Don't screw up the HSTS or no visitors can come to your site for the next 13 years!
HTTP Strict Transport Security
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

That just uh... tells browsers to change http to https. The only way no one could visit is if you removed SSL and only served stuff over HTTP. The article says "If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), the user agent must terminate the connection and should not allow the user to access the web application" but that's just true for SSL in general, and it's stupid because your browser shouldn't decide what you are or are not allowed to do. It's not your mom!

So, if you mess up the HSTS, it... still connects via SSL and everything's fine. And if your certificate's expired, everyone's browser throws a hissy fit, regardless of that HSTS thing. Am I reading that right?

CC: @[email protected]

@cy @ankhZero My bad. I meant the cert pinning thing that was a fad a little while back, and fortunately seems to have been abandoned. But yeah, that’s exactly the idea. If you see that Tiny Registrar has issued an invalid cert, there are ways to report it. That’s critical feedback that must exist.

I think the general takeaway is that we’ve collectively ripped off the “obscurity” band-aid. That’s just not a thing anymore. Before you put anything on the ‘net, make sure it’s secure.

I shouldn't have my site reported to burglars before I can determine my registrar issued a bad certificate. I just go to mysite.com, and it's not my site. And "we've ripped off the security band-aid. That's just not a thing anymore," isn't exactly a resoundingly good idea.

Plus again, what's more likely: that a registrar will risk getting caught issuing bogus certificates, or that people will actually lose control of their machines, making a botnet crisis of unprecedented scale?
@cy In practice, rogue registrars were busted frequently creating fake certs on behalf of governments and other spies. Now browsers generally won't use root certs from CAs which don't publish their certificate logs. It's bad if your or my server gets pwned. It's horrible if gmail.com gets compromised and a malicious actor can gather credentials from millions of users at once. That's the kind of thing the logs are meant to protect against. And that's not just hypothetical, sadly.
So, when a rogue registrar creates fake certs on behalf of an evil government, and publishes the logs of those certs, who's going to determine they're illegit, again? All the millions of users getting their credentials stolen will have their browsers check and see "oh it's in the log" and not warn them. Someone spots it and raises an alarm, but all those millions of users are already heavily censored and never hear about it. They go to https://mozilla.org to update their browsers to the latest secure version and...

For that matter, how are browsers supposed to check this certificate log, without that getting intercepted? They try to get it from https://certificatelog.com and…

And why is everyone using gmail?!

Anyway like I said, the browser could warn people when a website's key has changed. No public log of all websites needed.