Search - "ssl. certs"
-
So, someone submitted a 'bug' to Mozilla.
As some of you may know, in the next year, the new mass surveillance law in the Netherlands is going into effect.
Another fun fact is that the Dutch security agencies/government have their own CA (Certificate Authority) for SSL/TLS certificates.
The new law says that the AIVD (Dutch NSA/GCHQ equivalent) is allowed to hack into systems through obtained certificates and also that they're allowed to INTERCEPT TRAFFIC THROUGH OBTAINED PRIVATE SSL/TLS KEYS.
So someone actually had the fucking balls to submit a fucking issue to Mozilla saying that the Dutch State certs shouldn't be accepted anymore when the new mass surveillance law gets into place.
This person deserves a fucking medal if you ask me.
-
Took yesterday off to sort out a new passport.
Today on the stand:
Manager: "So we've been trying to get app X running on a dev environment for client X but we couldn't expose it to them"
Me: "Well yeah it's a dev environment if you want to give them one give them access to staging"
Manager: "Oh well we're still going to give them access to dev because they asked for it. It's due for 10am but we couldn't get it to run. You have to get it running since we edited the config files"
*accessing dev environment*
half of config files is missing, random files committed to the repo, SSL certs manually edited, eth0 down and found swan vpn installed.
never taking a day off again.
-
Following a conversation with a fellow devRanter this came to my mind; it happened a year or two ago, I think.
Was searching for an online note taking app which also provided open source end to end encryption.
After searching for a while I found something that looked alright (unfortunately I do not remember the URL/site). They used pretty good open source JS crypto libraries so it seemed very good!
Then I noticed that the site itself did NOT run SSL (putting the https:// in front of the site name resulted in site not found or something similar).
Went to the Q/A section because that's really weird.
Saw the answer to that question:
"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".
😵
I emailed them right away explaining that any party in between their server(s) and the browser could do anything with the request (including the cryptographic JS code) so they should start going onto SSL very very fast.
Too bad I never received a reply.
People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!
The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.
This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but let's assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrusion Detection System) module for detecting this attack.
Anyways, Always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the mentioned above!
-
Why the hell do people make websites with VALID SSL certs redirect BACK TO HTTP? What the fuck is wrong with them?!
-
SSL FYI for anyone using Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL Certs, Chrome will distrust next year.
https://security.googleblog.com/201...
-
What's up with almost every other site having invalid ssl certs, even though they are signed with a future date and by LetsEncrypt, did chrome again distrust a batch?
-
Hi.
Forgot to renew my expiring ssl cert of my smtp/imaps/pop3s on 12/31. Set that date to self-harm me for bad monitoring.
F**K F**K F**K F**K...
Why do I do that?
F******K!
Meh.
You shall have a happy new year... I will regen certs :D
-
What disturbs me is when companies use invalid ssl certs for internal services where you have to login with your company credentials.
-
Me and the dba are slowly migrating parts of our JVM stack into .NET AND even tho I love and will always love Java and its ecosystem....I am glad.
IIS as a server is something that I actually look forward to since deploying shit to it is always a breeze
Installing ssl certs is a breeze
Everything is a fucking breeze
Before any of you cocksuckers say anything: this is my opinion only
-
Maaaan, we all knew it was coming, we were warned, again and again, yet still, when Let's Encrypt's old root CA expired today, we found out a tool we were using to get new certs (Not certbot, custom wrapper around acme-tiny) included the old root in the chain.
So... A few hours ago, some of our servers started having connection issues.
Great final 3 hours of today. Better luck next time I guess? Still, despite the little hiccup, Let's Encrypt still remains as one of the biggest revolutions in the adoption of SSL, they're the good guys.
-
When I thought things couldn't get crazier than my vmware to win chrome mess.....
Doing an upgrade today when I have to VPN in from my mac to access a Web based secret server to get onto another VPN so I can RDP onto a Windows bastion host to then RDP to client windows servers within the RDP and from those hosts need to use putty to ssh into Linux servers to do the admin activities......
Now I'm obviously all for security but seriously VPN to RDP to RDP to ssh is just a bit mental......
But all of the SSL certs between each env are self signed anyhow......
-
FUCK MY MOTHERFUCKING LIFE! FOR GOOD THIS TIME!
I worked about 6 hours straight today to get SSL up and running, so you can include your own certs in my framework. This worked without any problem in Netty. Even forcing SSL was without any problem.
And then I tried to fucking show an image and this motherfucker won't load. I tried to copy code examples from fucking any source I could. As I gave up I tried to comment out a Netty decoder.... AND IT FUCKING WORKED!
FUCK YOU NETTY DOCUMENTATION!!!
FUCK NETTY, LONG LIVE NETTY!
-
I made a wordpress website to one of my friends long time back as he wants to teach online and sell his videos. (he is studying MBBS)
Yesterday suddenly he calls me and says our site has been compromised and it's no longer secure.
Me: After seeing screenshot, no actually site doesn't have ssl and in recent chrome updates http site is being flagged.
He: Okay, I saw video on youtube how to buy ssl.
Me: it's not just installing the certs, all the links and images have to be on https so it will take sometime for me.
He: Today, Website is no longer opening please help after putting ssl as per the video...
Me: What the hell? Who asked you to do that? Are you nuts?
He:................. Sorry, 😐
-
okay. Just had an interview for a web application engineer role. It was a catastrophe. Basically, they are taking care only of things I have never worked with, like certification management, ansible deployments, bash scripting. ?? What? Like, what the hell? Guys, I can make you a nice javascript game, or laravel website, eventually mount the routers and switches, configure and automate the networks, but certs... for me ssl is just an extra checkbox when I'm buying a new domain. I asked the recruiter like 5 times, please tell me what the hell is the role about, he didn't know... I think, I'll just give up this applying for jobs stuff, and stay maintenance engineer, dig into plc-s and etherCat even more and forget the IT career completely...
-
SSL was a good idea terribly implemented. Relying only on big tech for valid certificates was the single most idiotic thing the web baboons could come up with.
Sure, you could always hack comodo (again) to issue yourself some LAN certs but come on. You either expose your server or pay half a kidney for a somewhat secure thing! Give me a break....
-
So I guess this doesn't really fall under dev, more web and net admin, but here it goes.
I am trying frantically to migrate our (@Gerrymandered and I) website from a hosted solution with Namecheap to my new personal badass server, Vector. The issue is that I need to host multiple subdomains under one IP. I learned how to use apache2's VirtualHost feature, and eventually made them all work. But now we need to get our 3 year SSL Certs that we already paid for working. Try to get ssl pass through... Nope. Fine, just use the VHost then forward it unsecured to the local ip which only accepts connections from the Apache host. But wait! I want to access my ESXi config page remotely too! Good GOD it is a pain in the ass to get all of this working, but I somehow did. Evidence is at https://git.infiniit.co, which is hosted on the same network as the ESXi control panel. *Sigh of relief* now I can sleep right? 😥
-
I've had my site up and working for a few months now (still need to finish building it properly the template project is still half default lol) but because I setup the Nginx server on a digital ocean droplet myself using both for the first time ever I obviously made some mistakes. It was up and running though just always spouting 'nginx[1755018]: nginx: [warn] conflicting server name "jessiejfoley.dev" on 0.0.0.0:443, ignored' whenever I 'nginx -t' or 'java.security.cert.CertificateException' on this server monitor app I have on my phone
But it was up and ssl seemed to be working so I ignored it
today I learned about https://sslshopper.com/ssl-checker...., which told me my intermediate certificates were not functioning properly, I was bored today and didn't wanna be too productive (else boss expects the progress I've made this week every week) and decided to finally go through and see about getting everything fixed properly starting by reinstalling the certs and double checking my commands.
2 hours later I still can't fix the cert errors so I decide to focus on the conflicting name error. Go through the nginx directory cleaning anything non essential or things I put there while trying to figure out how to get it up originally (learned as I was going lol bad practice I know, but it's just a practice site that'll eventually be a portfolio when I feel like making it properly and investing an adequate amount of time)
as soon as I get rid of jessiejfoley_dev.save.3 inside /etc/nginx/conf.d (my actual site is in sites-enabled) my server monitor app stops reporting the cert error and when I check the ssl checker everything is properly working now.
so the easiest problem to fix was actually the cause of all my problems. I'm an idiot and this shows I still have a LONG way to go to actually knowing what I'm doing at all.
-
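A check for the situation in the post above, where a leftover copy of a vhost in an included directory defines the same server_name on the same listen address as the live site. This is an added example, not code from the post or from nginx; the parser is simplified, and example.test, the certificate paths and the function names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (path -> contents); example.test is a placeholder domain.
SAMPLE_FILES = {
    "/etc/nginx/sites-enabled/example_test":
        "server {\n  listen 443 ssl;\n  server_name example.test www.example.test;\n"
        "  ssl_certificate /etc/ssl/example/fullchain.pem;  # leaf + chain\n"
        "  location / { return 200; }\n}\n",
    "/etc/nginx/conf.d/example_test.save.3":
        "server {\n  listen 443 ssl;\n  server_name example.test;\n"
        "  ssl_certificate /etc/ssl/example/cert.pem;  # leaf only\n}\n",
}
BACKUP_RE = re.compile(r"(\.save(\.\d+)?|\.bak|\.orig|\.swp|~)$")

def server_blocks(text):
    """Return one {'listen': [...], 'server_name': [...]} per server block."""
    text = re.sub(r"#[^\n]*", "", text)  # simplification: '#' always starts a comment
    blocks, stack, prev = [], [], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":  # None marks a nested non-server block (location, ...)
            is_server = prev.split() == ["server"]
            stack.append({"listen": [], "server_name": []} if is_server else None)
        elif tok == "}":
            done = stack.pop() if stack else None
            if done is not None:
                blocks.append(done)
        elif tok == ";":
            words, cur = prev.split(), (stack[-1] if stack else None)
            if cur is not None and len(words) > 1 and words[0] == "listen":
                addr = words[1]  # bare port -> same form as the nginx warning
                cur["listen"].append(addr if ":" in addr else "0.0.0.0:" + addr)
            elif cur is not None and len(words) > 1 and words[0] == "server_name":
                cur["server_name"].extend(words[1:])
        else:
            prev = tok
            continue
        prev = ""
    return blocks

def find_conflicts(files):
    """Map (listen, server_name) -> files defining it, when defined more than once."""
    seen = defaultdict(list)
    for path in sorted(files):
        for blk in server_blocks(files[path]):
            for key in ((l, n) for l in blk["listen"] for n in blk["server_name"]):
                seen[key].append(path)
    return {key: {"files": paths, "suspect": [p for p in paths if BACKUP_RE.search(p)]}
            for key, paths in seen.items() if len(paths) > 1}
```

To run it against a real host, build the `files` mapping from the directories the main nginx.conf actually includes and review every path listed under `suspect`.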
I know it's all for good reason, but man are there so many hoops to jump through to get a web server set up through HTTPS. registering the domain, getting the SSL certs, configuring the DNS, setting up the firewall rules.. what a pain
-
As I wrote a DR doc I suddenly thought that making a backup of our SSL certs is *probably* a good idea. Hello pfx 🔒
-
FML!!!
Nessus SSL authentication through Kali Linux is next to impossible. I generated certificates through terminal and I still get error "SSL received a record that exceeded the maximum permissable length" (in Iceweasel).
Tried importing certs into separate Firefox browser and now just SSL handshake errors.
-
What I need to do today:
* terraform init
* terraform plan
* terraform apply
What I'm doing today:
* Rebuilding a docker container, because our outdated version of Terraform doesn't run on M1 Macs natively.
* Fighting with corporate IT man-in-the-middle SSL certs, because those aren't trusted inside the Docker container. These are now applied to all internet traffic, not just traffic destined to the VPN. Terraform doesn't like it, so it won't download any modules.
* Waiting for a blazing fast 1.5 Mbps connection rate when connected to the VPN.
* Learning I can no longer turn off the VPN, as it's a forced policy on my laptop.
Not sure if I'd be more productive today fighting these issues, or just waiting around for days (weeks?) for IT to mail me an Intel mac.
-
working postman request with SSL, pfx cert against microservice
go to do the same thing against different microservice, SSL error, review config, looks like I'm supplying same certs, etc
FML
-
Using boot2docker behind a corporate proxy that fucks with your SSL certs will drive anyone insane!! 👹