Software www

Web 3.0

Web 3 goes against the core promise of the internet which tries to be a great equalizer.

The Web was about making information accessible to all, Web 3 is trying to provide value to a few, where everything is done for the benefit of the few rather than benefit of all.

Web 2 gave us Wikipedia, Google search, Facebook and more. They are not perfect systems, any system which involves humans will have loopholes & problems driven by greed and a hunger for power. But, they did act as an equalizer. Where is Wikipedia of Web3? Wikipedia never started with the mission of making it’s contributors rich.

Source: Ravi Vyas

I’m extremely pessimistic to what Web 3.0 will supposedly bring.

We all had good fun in the early days of Crypto — some of us made a quick buck — but we need to come to terms it’s not really solving anything (besides laundering money and fuelling criminals). And it’s not sustainable at all. And don’t get me started on NFTs.

Linux Networking Software www

Postfix & Courier & Letsencrypt

First of all, create your certificates (the regular way). I created one with multiple domains:,,

In my case, as the mailserver and webserver are behind a proxy (postfix, imap, Roundcube Webmail), I create the certificate on the proxy (nginx) and scp the cert to the mail server. All this is automated with a tiny script.

For Postfix, edit and change/edit/add these lines (check the right path too!):

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dhparams.pem
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

And restart postfix: /etc/init.d/postfix restart

As for Courier you’ll need to concatenate the files (again, check the path, it’s most likely /etc/letsencrypt/live/domain/xyz.pem):

cat /etc/ssl/letsencrypt/webmail.privkey.pem /etc/ssl/letsencrypt/webmail.fullchain.pem > /etc/ssl/letsencrypt/webmail.all.pem

Then edit both /etc/courier/pop3d-ssl and /etc/courier/imapd-ssl

And add/change the path of the certificate:


And restart Courier: /etc/init.d/courier-imap-ssl restart && /etc/init.d/courier-pop-ssl restart

Linux Networking Software www

Gmail & Postfix: unencrypted emails?


If you’re running Postfix, add this line to

smtp_tls_security_level = may

Restart Postfix, and retry.


PS: You can set encrypt instead of may — but this can cause issues with Amavis and/or SpamAssassin.

Linux Networking Software www

Belgian banks & SSL — part 5

Minor end of year update. No big SSL exploits have been released since (bar DH, see below).

Once again, this is testing the public websites I can access. There might be other gateways, APIs, etc that are not (as) secure.

It’s worthy to note that some banks are serious about security and fixing their SSL. Most improved their rating and solved all issues (especially getting rid of SHA1 in the chain). However, a couple lowered from B to C (see below). But… No more F’s. 🙂

The noteworthy changers:

  • Hello Bank! went from A to B though due to weak DH,
  • Triodos lost their Forward Secrecy,
  • Optima from F to A(-) (and a bunch others from B to A, and higher),
  • A bunch from B to C due to SSLLabs being more severe (see below). Most did solve some of their issues,
  • BKCP is doing a lot wrong.

Edit: Tested wrong AXA domain; updated to A+.

Update 11 Jan 2016: ABK & BvB updated to A.

Note that not supporting TLS 1.2 or supporting RC4 capped sites to grade B about a year ago; it now caps to grade C (aka SSLLabs is more severe).

Grade A

Grade B

Grade C

  • PSA Bank: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • beobank: weak DH, no TLS 1.2, RC4 (insecure), no Forward Secrecy, no secure renegotiation.
  • BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy, weak DH.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • n/a
Linux Misc Networking Software www

Belgian banks & SSL — part 4

Because of the mediastorm it’s time for an update. The previous (1, 2, 3) blog posts are outdated!

I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).

Banks that changed rank since last post (all for the better):

  • 16/02/2015:
    • Keytrade: B to A
    • Hello Bank!: C to A
    • ING: F to A-
    • Record Bank: F to A-
  • 17/02/2015:
    • ABK: F to B
    • Bank Van Breda: C to B
  • 18/02/2015:
    • MeDirect: F to A
    • Added 6 new (small) banks
  • 27/02/2015
    • Ogone: C to A-
  • 02/03/2015
    • Fortuneo: C to B
  • 03/03/2015
    • Crelan: B to A

I cannot test Europabank using SSL Labs. I can only speculate they requested SSL Labs to not scan them. I have also added a couple new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as bank tool).

I would like to apologise for every IT’er that had a crappy Monday morning, and thank you for fixing SSL so fast. 🙂

The entire list updated (last partial update 18/02/2015 around 20h00):

I’ve updated the sites to now correctly test the login page and not the main homepage. If that’s not the case somewhere, please tell me.

Grade A

Grade B

  • Argenta: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • ABK: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • Bank Van Breda: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy. [newsletter]
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • DHB Bank: weak signature (SHA1), RC4 (insecure).
  • Fortuneo: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • NIBC Direct: weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • VDK: SSL3 (insecure),no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy

Grade C

  • PSA Bank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • Optima Bank: vulnerable to POODLE attack in SSL3 and TLS format, weak signature (SHA1), RC4, no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Respect to those that send a mailing list to their customers with more detailed information. Communication++

Respect to Rabobank to be the only bank that directly contacted me (officially, not hiding behind a Gmail or Hotmail address) and thanked me for the work I did, asking for more details, etc.

And thank you for an anonymous person, working for one of the big banks, to give me more details about why they are slow at patching this, how legacy works, etc. I wish he could take this discussion public, but alas.