Www

118 posts in Www

Web 3.0

· software, www

Web 3 goes against the core promise of the internet, which tries to be a great equalizer.

The Web was about making information accessible to all; Web 3 is trying to provide value to a few, where everything is done for the benefit of the few rather than the benefit of all.

Web 2 gave us Wikipedia, Google search, Facebook and more. They are not perfect systems; any system which involves humans will have loopholes and problems driven by greed and a hunger for power. But they did act as an equalizer. Where is the Wikipedia of Web 3? Wikipedia never started with the mission of making its contributors rich.

Postfix & Courier & Letsencrypt

· linux, networking, software, www

First of all, create your certificates (the regular way). I created one with multiple domains: webmail.rootspirit.com, mail.rootspirit.com, smtp.rootspirit.com.

In my case, as the mail server and webserver are behind a proxy (postfix, imap, Roundcube Webmail), I create the certificate on the proxy (nginx) and scp the cert to the mail server. All this is automated with a tiny script.

For Postfix, edit main.cf and change/edit/add these lines (check that the key, certificate and DH parameter paths match your setup!):

# Offer STARTTLS to clients (opportunistic: plain SMTP on port 25 stays allowed).
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
# Drop anonymous, null, export, single-DES, RC4 and MD5 suites.
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dhparams.pem
# Only accept SASL AUTH after STARTTLS, so credentials never travel in clear text.
smtpd_tls_auth_only = yes
# Opportunistic TLS for outgoing mail as well.
smtp_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

And restart postfix: /etc/init.d/postfix restart
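A quick way to check a main.cf like the one above before restarting is to lint it statically. The script below is an added example, not part of the original post or of Postfix itself: it parses the file the way Postfix does (last definition wins, whitespace-indented lines continue the previous value), then flags the settings a defender cares about: STARTTLS disabled, AUTH allowed on plaintext connections, missing key/cert, outbound TLS off, and duplicate or obsolete parameters. The parameter names are real Postfix parameters; the severity labels and both sample configs are this example's own constructions.

```python
"""Added example: static lint of the TLS parameters in a Postfix main.cf.

Reads the config as text only; it never connects to the mail server.
"""
import re

# Constructed sample modelled on the post's snippet, with a duplicate
# smtpd_use_tls line left in on purpose so the duplicate check fires.
GOOD_MAIN_CF = """
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_loglevel=1
"""

# Constructed weak config: STARTTLS switched off and AUTH accepted in clear.
WEAK_MAIN_CF = """
smtpd_tls_security_level = none
smtpd_tls_auth_only = no
"""

PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text):
    """Return (params, duplicates).

    Mirrors Postfix parsing: '#' lines are comments, a line that starts with
    whitespace continues the previous value, and a repeated parameter
    overrides the earlier one (Postfix keeps the last definition).
    """
    params, duplicates, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = PARAM_RE.match(raw)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name in params:
            duplicates.append(name)
        params[name] = value
        current = name
    return params, duplicates


def audit_tls(params, duplicates):
    """Return a list of (severity, parameter, message) findings."""
    findings = []
    # Postfix default for the security levels is empty, i.e. no TLS.
    if params.get("smtpd_tls_security_level", "none") == "none":
        findings.append(("HIGH", "smtpd_tls_security_level",
                         "STARTTLS is not offered to clients"))
    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append(("HIGH", "smtpd_tls_auth_only",
                         "SASL AUTH is accepted on unencrypted connections"))
    for p in ("smtpd_tls_key_file", "smtpd_tls_cert_file"):
        if not params.get(p):
            findings.append(("HIGH", p, "no certificate material configured"))
    if params.get("smtp_tls_security_level", "none") == "none":
        findings.append(("MEDIUM", "smtp_tls_security_level",
                         "outbound mail is always sent in clear text"))
    if "smtpd_use_tls" in params and "smtpd_tls_security_level" in params:
        findings.append(("INFO", "smtpd_use_tls",
                         "obsolete; smtpd_tls_security_level takes precedence"))
    for name in sorted(set(duplicates)):
        findings.append(("LOW", name,
                         "defined more than once; only the last value is used"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_MAIN_CF), ("weak", WEAK_MAIN_CF)):
        print(f"== {label} ==")
        for sev, param, msg in audit_tls(*parse_main_cf(cfg)):
            print(f"{sev:6} {param}: {msg}")
```

To run it against a live server, replace the embedded samples with the contents of /etc/postfix/main.cf (or the output of `postconf -n`, which already resolves duplicates). The lint deliberately does not treat `smtpd_tls_security_level = may` on port 25 as a finding: opportunistic TLS is the correct choice there, and it is `smtpd_tls_auth_only = yes` that keeps passwords off the wire.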

Belgian banks & SSL — part 5

· linux, networking, software, www

Minor end of year update. No big SSL exploits have been released since (bar DH, see below).

Once again, this is testing the public websites I can access. There might be other gateways, APIs, etc that are not (as) secure.

It’s worth noting that some banks are serious about security and fixing their SSL. Most improved their rating and solved all issues (especially getting rid of SHA1 in the chain). However, a couple dropped from B to C (see below). But… no more F’s. :)

Belgian banks & SSL — part 4

· linux, misc, networking, software, www

Because of the media storm it’s time for an update. The previous (1, 2, 3) blog posts are outdated!

I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).

Banks that changed rank since last post (all for the better):

  • 16/02/2015:
    • Keytrade: B to A
    • Hello Bank!: C to A
    • ING: F to A-
    • Record Bank: F to A-
  • 17/02/2015:
    • ABK: F to B
    • Bank Van Breda: C to B
  • 18/02/2015:
    • MeDirect: F to A
    • Added 6 new (small) banks
  • 27/02/2015:
    • Ogone: C to A-
  • 02/03/2015:
    • Fortuneo: C to B
  • 03/03/2015:
    • Crelan: B to A

I cannot test Europabank using SSL Labs. I can only speculate that they requested SSL Labs not to scan them. I have also added a couple of new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as a bank tool).

Belgian banks & SSL — part 3

· linux, misc, networking, software, windows, www

EDIT: ING is now A- (not reflected in this blog post). EDIT 2: Keytrade & Hello Bank also went to A. I’ll post a new blog post later tonight. EDIT 3: Updated post here.

Part three, or how I single-handedly “fixed” SSL at the Belgian banks. ;)

Part one and two are available here. Not related, but useful nonetheless: a NY Times article about bank hackers.

Argenta promised to fix their SSL, so it’s the time to check everything again.

Belgian banks & SSL

· linux, misc, networking, software, windows, www

Tested using SSL Labs on 20/01/2015. Updated version 01/02/2015 here and 15/02/2015 here.

Only the weak points are listed. Once there is one SHA1 signature in the chain, I report everything as weak.

Check SSL Labs for a full report, including what they actually did well (if anything).

Grade A

Grade B

Theme

· hardware, linux, networking, software, virtualisation, www

I had the same theme for over four years. I’ve made quite a few custom CSS and PHP edits myself, and it had been outdated for ages… But it served me well.

theme-2011

However, it’s now time for something new.

theme-2015

As always, as minimalistic as possible.

On a side note, this blog has been moved from vm1 (and one before that), a virtual machine running on a dual Xeon 3070 (2.66 GHz) at Databarn, to Akama, a VM on an 8-core Xeon E3-1230 (3.2 GHz) at Leaseweb.